Custom Unifi parser
Hi all,
I'm trying to write an s00 Unifi parser but running into some roadblocks. I have set up a test env. (which was a hassle btw.)
Using the help of AI, I'm trying to get a basic understanding of how these parsers are written.
Example log:
The output:
Sadly, AFAIK I'm unable to find an example of these parser.assert files...
Is this update available using cscli? (sorry for the beginner question)
Not yet, I have submitted a PR to the Hub's repo. Once that is approved it should be available for everyone to add.
Thanks a lot for the fix and clarification!
As I have mentioned on the GitHub thread, though: if you have the following:
- Unifi IDS/IPS logs
- Unifi WAN rule hit logs
- Unifi login attempt logs
Please send them to me for further testing and expanding what is being parsed.
Thought I'd come chat here, so this currently will never work.
unifi-logs in s00 will never fire, since syslog-logs fires non-syslog-logs first.
@Loz, do you see any issues with me updating this line to include unifi in the filter?
From what I've seen, the parsers load alphabetically and the unifi-logs parser is never reached, as this non-syslog-logs filter returns true.
https://github.com/crowdsecurity/hub/blob/0af7ad090edc801526a777892da27f9b1fb1c730/parsers/s00-raw/crowdsecurity/syslog-logs.yaml#L35
The type in the acquis is also unifi, so shouldn't that bypass this?
Will get back to your GitHub feedback tomorrow btw.
Yeah, I got it all working on my side using your grok filter; also got the CEF stuff into the existing CrowdSec unifi-logs if needed. You need to use rsyslog though; unifi-logs never fires if CrowdSec is using the built-in internal syslog server.
I'm in talks with Unifi about their logging, depending on their answers I will create whatever parser is needed for both CEF and normal
Update, just received an email:
Bump @Loz
Would be nice to have some feedback on this as well... https://github.com/crowdsecurity/hub/pull/1395
Unifi logs V0.5 by PintjesB · Pull Request #1395 · crowdsecurity/hub: "Initial push of Unifi parser + scenario. Please let me know what needs to change."
bump
Hey, I have seen this and I will review it, but the first thing is that this is an s01 parser, which means it's going to get really messy when you try to support multiple logs from Unifi. But thank you for contacting Unifi and managing communication with them.
I will see if I can look into it today, but it most likely needs to switch to s00.
enhance: Attempt s00 unifi by LaurenceJJones · Pull Request #1408 ...
s00 unifi to handle the firewall logs, formats to iptables parsers and uses the iptables scenario.
Since Unifi no longer does the old logs I have removed them and only use the newest syslog logs.
...
I will track back through the thread now to see application logs like SSH.
Awesome, I'll be on vacay for 3 weeks but if anything else is needed I can have a look after.
Have an awesome vacation! I'll keep doing updates and I'll get the team to review, as we're heading into the holidays so we've got some extra bandwidth.
Also note, communication with Unifi stated that:
- IDS/IPS logs will be implemented in RAW format to syslog soon
- Failed auth logs are not forwarded to syslog
However, I have noticed people who self-hosted the controller do get auth logs.
I think they claimed it would be implemented starting from 9.3.30; however, I do not see the logs appearing yet...
As in the GUI panel logs?
Logs like these (in RAW format):
Should be sent to syslog as of 9.3.30; however, I can't seem to find them.
I have messaged Unifi support.
So from the timestamp onwards? 'Cause I guess unifi-firewall.log.8.gz is not included?
I'm not following, what do you mean?
'Cause the CEF that the other users have shown was just
I guess 2025-06-09T18:37:21-04:00 UniFi CEF: is the raw prefix and unifi-firewall.log.8.gz is the file they grabbed it from?
Ohhh yeah yeah
Correct
Can anyone else confirm they can see IDS/IPS logs in 9.3.33 (EA)? @TravelerVFX
I'm on vacay rn, can check in about 2 weeks
Sorry, I'm still on version 9.2.87
9.3.43 seems to have included the revamped logging system. Seems like they're still pushing hard for CEF format though...
But it's progress nevertheless
Hi @iiamloz, is there anything we/I can help you with for this?
I am fighting with the tests atm.
Anything I can help with?
I am on 9.3.45 and still not seeing IPS/IDS events on my UDM-SE, hence not able to send them to rsyslog/CrowdSec. Very frustrating.
Did you enable them in settings?
I enabled all options in Console and Network. I am seeing events (e.g. logon, changing settings) but nothing from the firewall.
Mhm, I just got back from vacay. Will look into it tomorrow and contact Unifi if needed.
I thought I was able to find them