Skip to content

Unifi logs V0.5 #1395

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 6 commits into
base: master
Choose a base branch
from
Open

Unifi logs V0.5 #1395

wants to merge 6 commits into from

Conversation

PintjesB
Copy link
Contributor

@PintjesB PintjesB commented Jun 16, 2025
edited
Loading

Initial push of Unifi parser + scenario. Please let me know what needs to change.

@LePresidente
Copy link
Contributor

Only suggestion i can see is to rename this to unifi-iptables-logs since i think the CEF parsing would be a separate parser just for readability.

Also to set the metatags to match the iptables-log parser, or as close as possible.

@PintjesB
Copy link
Contributor Author

PintjesB commented Jun 27, 2025
edited
Loading

Naming can be whatever Crowdsec's team finds best, I don't mind.

Also to set the metatags to match the iptables-log parser, or as close as possible.

I'm not sure however what you mean with this...

@LePresidente
Copy link
Contributor

LePresidente commented Jun 27, 2025
edited
Loading

I mean do the parser in such a way that when people do there own scenarios, the information is available for example like the following, this will mean any existing iptable rules done by crowdsec example (https://app.crowdsec.net/hub/author/crowdsecurity/scenarios/iptables-scan-multi_ports) should also work since the log_type is the same, and the variables match the iptable-logs parser

name: PintjesB/unifi-iptable-logs
filter: "evt.Line.Labels.type == 'unifi'"
description: "Parse Unifi firewall logs"
onsuccess: next_stage
nodes:
  - grok:
      pattern: '^\[WAN_%{DATA:dst_zone}-%{DATA:action}-%{INT:rule_id}\] %{GREEDYDATA:remainder}'
      apply_on: message

statics:
  - parsed: unused #this is never used setting to random var
    expression: ParseKV(evt.Parsed.message, evt.Unmarshaled, "iptables")
  - meta: service
    expression: Lower(evt.Unmarshaled.iptables.PROTO)
  - meta: dst_zone
    expression: "evt.Parsed.dst_zone"
  - meta: action
    expression: "evt.Parsed.action"
  - meta: rule_id
    expression: "evt.Parsed.rule_id"
  - meta: fw_descr
    expression: "evt.Unmarshaled.iptables.DESCR"
  - meta: log_type
    expression: 'evt.Meta.service in ["tcp", "udp"] && evt.Meta.action in ["D", "R"] ? "iptables_drop" : ""'
  - meta: source_ip
    expression: "evt.Unmarshaled.iptables.SRC"
## For backporting reason all previous variables will be reparsed out to the parsed object
  - parsed: dst_port
    expression: evt.Unmarshaled.iptables.DPT
  - parsed: int_eth
    expression: evt.Unmarshaled.iptables.IN
  - parsed: src_ip
    expression: evt.Unmarshaled.iptables.SRC
  - parsed: dst_ip
    expression: evt.Unmarshaled.iptables.DST
  - parsed: length
    expression: evt.Unmarshaled.iptables.LEN
  - parsed: proto
    expression: evt.Unmarshaled.iptables.PROTO
  - parsed: src_port
    expression: evt.Unmarshaled.iptables.SPT
    ```

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@PintjesB @LePresidente