The information in this guide is very old and likely no longer applicable to current versions of Graylog. Please take that into account when reading the following content.
This guide explains how to configure a Ubiquity Networks Unifi Enterprise WiFi Access Point to send logs to Graylog and how to configure Graylog to parse these into nicely structured messages.
- Start a Syslog UDP input and remember the port you let it listen on. You'll need it later when you are pointing your access points to Graylog.
- Create a stream and call it "Ubiquity Access Point logs".
- Add one stream rule: `message` must match regular expression `^\(?"?.+,(.+?),.+"?\)? (.+?): (.+)$`
- Create a pipeline with one stage and two steps:
  - Parse the actual log message into fields and clean it up
  - Search for any MAC address in the message and add it as another field
Here are the rules:

```
rule "parse Ubiquity access point logs"
when
  has_field("message")
then
  // Group "0" is the BSSID, "1" the subsystem and "2" the remaining message text.
  let m = regex("^\\(?\"?.+,(.+?),.+\"?\\)? (.+?): (.+)$", to_string($message.message));
  let bssid = m["0"];
  let subsystem = m["1"];
  let clean_message = m["2"];

  // Build a better source name
  set_field("source", concat("ap-", to_string(bssid)));

  // Set additional fields.
  set_field("type", "ubiquity-ap");
  set_field("bssid", bssid);
  set_field("subsystem", subsystem);

  // Set a better message field without the prefix clutter.
  set_field("message", clean_message);
end

rule "parse any MAC address out of message field"
when
  has_field("message")
then
  let m = regex("([0-9A-Fa-f]{2}:[0-9A-Fa-f]{2}:[0-9A-Fa-f]{2}:[0-9A-Fa-f]{2}:[0-9A-Fa-f]{2}:[0-9A-Fa-f]{2})", to_string($message.message));

  // It's NULL if there was no match and will simply not be set internally by Graylog.
  set_field("mac_address", m["0"]);
end
```
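Before connecting the stream rule and pipeline, it is worth checking that the two regular expressions extract what you expect. The Python script below is an added example, not part of the original guide or of Graylog: it applies the same two patterns to constructed sample lines shaped like the stream rule expects and returns the fields the rules would set. The sample lines and the `process` helper that chains both rules are assumptions; the patterns themselves are copied from the rules above and use only constructs on which Java and Python regex agree.

```python
import re

# The same two patterns as the pipeline rules above.
AP_LINE = re.compile(r'^\(?"?.+,(.+?),.+"?\)? (.+?): (.+)$')
MAC = re.compile(r'([0-9A-Fa-f]{2}:[0-9A-Fa-f]{2}:[0-9A-Fa-f]{2}:'
                 r'[0-9A-Fa-f]{2}:[0-9A-Fa-f]{2}:[0-9A-Fa-f]{2})')

# Constructed sample syslog payloads (not captured from a real device).
SAMPLE_LINES = [
    '("U7PG2,802aa8112233,v3.7.58") hostapd: STA 11:22:33:44:55:66 IEEE 802.11 associated',
    '("U7PG2,802aa8112233,v3.7.58") kernel: wireless link up',
    'some unrelated syslog line',
]


def parse_ap_line(line):
    """Mirror rule "parse Ubiquity access point logs".

    Returns the fields the rule would set, or None when the pattern does not
    match (in Graylog the map lookups would then yield null and set nothing).
    """
    m = AP_LINE.match(line)
    if not m:
        return None
    bssid, subsystem, clean_message = m.groups()
    return {
        "source": f"ap-{bssid}",
        "type": "ubiquity-ap",
        "bssid": bssid,
        "subsystem": subsystem,
        "message": clean_message,
    }


def find_mac(message):
    """Mirror rule "parse any MAC address out of message field"; None if absent."""
    m = MAC.search(message)
    return m.group(1) if m else None


def process(line):
    """Hypothetical helper: run both rules on one line, as the one-stage pipeline does."""
    fields = parse_ap_line(line) or {"message": line}
    mac = find_mac(fields["message"])
    if mac is not None:
        fields["mac_address"] = mac
    return fields


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(process(line))
```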
Connect this pipeline to your Ubiquity Access Point logs stream and you are done on the Graylog side.
In Graylog, start a
In your Unifi Web Interface, go to "Settings" and enable remote syslog logging. Use the port that your Syslog UDP input in Graylog is using: