Vendor - Ubiquiti - Unifi
All Ubiquiti Unifi firewalls, switches, and access points share a common syslog configuration, which is set once via the NMS.
- Log in to the NMS
- Navigate to settings
- Navigate to Site
- Enable Remote syslog server
- Enter hostname and port
- Update
vi /opt/sc4s/local/context/vendor_product_by_source.conf
Update the host or IP mask for f_ubiquiti_unifi_fw so that USG firewalls are identified; without this, firewall events from the USG are not separated from the other Unifi device logs.
Product - Unifi Switch and Access Points
Unifi devices are managed using the Network Management Controller.
Ref | Link |
---|---|
Splunk Add-on | https://splunkbase.splunk.com/app/4107/ |
Product Manual | https://help.ubnt.com/ |
Sourcetypes
sourcetype | notes |
---|---|
ubnt | Used when no sub-sourcetype is required by the add-on |
ubnt:fw | USG events |
ubnt:threat | USG IDS events |
ubnt:switch | Unifi Switches |
ubnt:wireless | Access Point logs |
Sourcetype and Index Configuration
key | sourcetype | index | notes |
---|---|---|---|
ubiquiti_unifi | ubnt | netops | none |
ubiquiti_unifi_fw | ubnt:fw | netfw | none |
ubiquiti_unifi_link | ubnt:link | netops | none |
ubiquiti_unifi_sudo | ubnt:sudo | netops | none |
ubiquiti_unifi_switch | ubnt:switch | netops | none |
ubiquiti_unifi_threat | ubnt:threat | netids | none |
ubiquiti_unifi_wireless | ubnt:wireless | netops | none |
Filter type
MSG Parse: This filter parses message content
Setup and Configuration
- Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is used exclusively, the add-on is not required on the indexer.
- Review and update the splunk_metadata.csv file and set the index and sourcetype as required for the data source.
- Refer to the Splunk TA documentation for the specific customer format required for the configuration
- Select TCP or SSL transport option
- Ensure the format of the event is customized per Splunk documentation
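The two configuration touch points above (the host or IP mask for f_ubiquiti_unifi_fw in vendor_product_by_source.conf, and the index or sourcetype overrides in splunk_metadata.csv) decide where each Unifi event lands. The following Python script is an added example, not SC4S code: it models that routing decision in a simplified way so you can see the effect of each setting before sending real traffic. It assumes RFC 3164 style syslog headers, a glob host mask for USG devices, splunk_metadata.csv rows in the key,metadata,value layout, and program-name based classification rules (kernel, hostapd, wevent, switch, sudo) that are the author's own simplification of the SC4S filters. The sample log lines and the CSV content are constructed for the example.

```python
import csv
import fnmatch
import io
import re
from collections import Counter
from dataclasses import dataclass

# Default routing table, copied from the "Sourcetype and Index Configuration"
# table on this page: key -> (sourcetype, index).
DEFAULT_ROUTES = {
    "ubiquiti_unifi": ("ubnt", "netops"),
    "ubiquiti_unifi_fw": ("ubnt:fw", "netfw"),
    "ubiquiti_unifi_link": ("ubnt:link", "netops"),
    "ubiquiti_unifi_sudo": ("ubnt:sudo", "netops"),
    "ubiquiti_unifi_switch": ("ubnt:switch", "netops"),
    "ubiquiti_unifi_threat": ("ubnt:threat", "netids"),
    "ubiquiti_unifi_wireless": ("ubnt:wireless", "netops"),
}

# Constructed splunk_metadata.csv content (key,metadata,value layout):
# firewall events go to a customer-specific index instead of netfw.
SPLUNK_METADATA_CSV = """\
ubiquiti_unifi_fw,index,fw_prod
"""

# Constructed sample events; hosts, addresses and MACs are made up.
SAMPLE_LINES = [
    "<4>Jan 12 10:15:01 usg-edge-01 kernel: [WAN_LOCAL-default-D]IN=eth0 OUT= "
    "SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP DPT=22",
    "<6>Jan 12 10:15:02 ap-lobby-01 hostapd: ath0: STA 00:11:22:33:44:55 IEEE 802.11: associated",
    "<6>Jan 12 10:15:03 sw-core-01 switch: Link up on port 1/0/5",
    "<6>Jan 12 10:15:04 usg-edge-01 sshd[1234]: Accepted publickey for admin from 192.0.2.5",
]

# RFC 3164 style header: "<PRI>Mon dd hh:mm:ss HOST PROGRAM[pid]: message".
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<program>[^:\s\[]+)(?:\[\d+\])?: ?(?P<msg>.*)$"
)


@dataclass(frozen=True)
class Route:
    key: str
    sourcetype: str
    index: str


def parse_syslog(line):
    """Split a syslog line into header fields; None if it does not parse."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def load_metadata_overrides(csv_text):
    """Read splunk_metadata.csv rows into {key: {metadata: value}}."""
    overrides = {}
    for row in csv.reader(io.StringIO(csv_text)):
        if len(row) != 3 or row[0].startswith("#"):
            continue  # skip comments and malformed rows
        key, metadata, value = (c.strip() for c in row)
        overrides.setdefault(key, {})[metadata] = value
    return overrides


def classify(event, usg_host_globs):
    """Pick the SC4S key; the rules here are a simplified assumption."""
    host, program, msg = event["host"], event["program"], event["msg"]
    # The host mask is what vendor_product_by_source.conf provides for
    # f_ubiquiti_unifi_fw; kernel messages tagged "[RULE-...]" from a matching
    # host are treated as USG firewall events.
    is_usg = any(fnmatch.fnmatchcase(host, g) for g in usg_host_globs)
    if is_usg and program == "kernel" and msg.startswith("["):
        return "ubiquiti_unifi_fw"
    if program in ("hostapd", "wevent"):
        return "ubiquiti_unifi_wireless"
    if program == "switch":
        return "ubiquiti_unifi_switch"
    if program == "sudo":
        return "ubiquiti_unifi_sudo"
    return "ubiquiti_unifi"  # generic ubnt sourcetype, as in the table above


def route(line, usg_host_globs, overrides):
    """Return the Route (key, sourcetype, index) for one line, or None."""
    event = parse_syslog(line)
    if event is None:
        return None
    key = classify(event, usg_host_globs)
    sourcetype, index = DEFAULT_ROUTES[key]
    override = overrides.get(key, {})
    return Route(key, override.get("sourcetype", sourcetype), override.get("index", index))


def count_by_sourcetype_and_host(lines, usg_host_globs, overrides):
    """Mimic the verification search 'stats count by host' per sourcetype."""
    counts = Counter()
    for line in lines:
        event = parse_syslog(line)
        r = route(line, usg_host_globs, overrides)
        if r is not None:
            counts[(r.sourcetype, event["host"])] += 1
    return counts


if __name__ == "__main__":
    ov = load_metadata_overrides(SPLUNK_METADATA_CSV)
    for mask in (["usg-*"], []):
        print("USG host mask:", mask or "(not configured)")
        for line in SAMPLE_LINES:
            print("  ", route(line, mask, ov))
```

Running it with the mask set shows the USG kernel event routed to ubnt:fw in the overridden fw_prod index; running it with an empty mask shows the same event falling back to the generic ubnt sourcetype and netops index, which is the symptom to look for when firewall events seem to be missing.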
Options
Variable | default | description |
---|---|---|
SC4S_LISTEN_UBIQUITI_UNIFI_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers |
SC4S_LISTEN_UBIQUITI_UNIFI_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers |
SC4S_ARCHIVE_UBIQUITI_UNIFI | no | Enable archive to disk for this specific source |
SC4S_DEST_UBIQUITI_UNIFI_HEC | no | When Splunk HEC is disabled globally, set to yes to enable this specific source |
Verification
Active Unifi devices will generate frequent events. Use the following search to validate that events are present per source device:
index=<asconfigured> sourcetype=ubnt* | stats count by host