This guide explains how to configure a Ubiquiti Networks UniFi Enterprise WiFi access point to send its logs to Graylog, and how to configure Graylog to parse those logs into nicely structured messages.
Route the access point logs into their own stream first. The stream rule is a "match regular expression" rule on the message field, using the pattern the access point's log prefix follows: ^\(?"?.+,(.+?),.+"?\)? (.+?): (.+)$
Here are the rules:
rule "parse Ubiquity access point logs"
when
  has_field("message")
then
  // Every line from the access point starts with a "(model,mac,firmware)" prefix,
  // quoted on newer firmware, followed by the logging process and a colon.
  // Character classes are used instead of ".+" so the subsystem is taken from the
  // first "process: " boundary: with greedy ".+" a line such as
  // "hostapd: ath0: STA ... IEEE 802.11: associated" would yield "802.11" as the subsystem.
  let m = regex("^\\(?\"?[^,]+,([^,]+),[^)]*?\"?\\)? ([^:]+): (.+)$", to_string($message.message));
  // Capture groups are keyed "0", "1", "2" in the map regex() returns.
  let bssid = m["0"];
  let subsystem = m["1"];
  let clean_message = m["2"];
  // Build a better source name from the access point's MAC address.
  set_field("source", concat("ap-", to_string(bssid)));
  // Set additional fields.
  set_field("type", "ubiquity-ap");
  set_field("bssid", bssid);
  set_field("subsystem", subsystem);
  // Set a better message field without the prefix clutter.
  set_field("message", clean_message);
end
rule "parse any MAC address out of message field"
when
  has_field("message")
then
  // Client MAC addresses appear colon-separated in the message body; the MAC in the
  // access point prefix has no colons, so it is never picked up here.
  let m = regex("([0-9A-Fa-f]{2}:[0-9A-Fa-f]{2}:[0-9A-Fa-f]{2}:[0-9A-Fa-f]{2}:[0-9A-Fa-f]{2}:[0-9A-Fa-f]{2})", to_string($message.message));
  // It's NULL if there was no match, and a NULL value is simply not set by Graylog.
  set_field("mac_address", m["0"]);
end
Connect this pipeline to your Ubiquiti access point logs stream and you are done on the Graylog side.
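The two rules above are easiest to check outside Graylog before they are pasted into a pipeline. The following Python script is an added example, not part of the original guide or of Graylog: it emulates both rules over a few constructed log lines in the "(model,mac,firmware) process: text" shape the access point produces (the sample lines, the model name, the MAC addresses and the firmware string are made up). It also keeps the guide's first, greedy version of the prefix pattern beside the character-class version so the difference on a line with several "word: " segments is visible. Python's re module and the Java regex engine Graylog uses agree on the constructs involved (anchors, greedy and lazy quantifiers, character classes), so results here carry over to the rule.

```python
import re

# Prefix pattern as first published in the guide (greedy ".+"), kept for comparison.
AP_PREFIX_GREEDY = re.compile(r'^\(?"?.+,(.+?),.+"?\)? (.+?): (.+)$')
# Prefix pattern used in the pipeline rule: character classes pin the subsystem
# to the first "process: " boundary instead of the last one.
AP_PREFIX_FIXED = re.compile(r'^\(?"?[^,]+,([^,]+),[^)]*?"?\)? ([^:]+): (.+)$')
# Same MAC pattern as the second rule, written compactly; group 1 is the whole MAC.
MAC_RE = re.compile(r'([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})')

# Constructed sample lines (not real captures) in the shape the stream rule matches.
SAMPLES = [
    '("U7PG2,44d9e7aabbcc,v3.7.58.6385") hostapd: ath0: STA aa:bb:cc:dd:ee:ff IEEE 802.11: associated',
    '(U7PG2,44d9e7aabbcc,v3.7.58.6385) syslog: wevent.ubnt_custom_event(): EVENT_STA_LEAVE ath0: aa:bb:cc:dd:ee:ff / 1',
    '("U7PG2,44d9e7aabbcc,v3.7.58.6385") kernel: [12345.678901] eth0: link up',
    'plain message with no access point prefix',
]


def run_pipeline(message, prefix_pattern=AP_PREFIX_FIXED):
    """Emulate both pipeline rules on one message and return the fields they set.

    Mirrors the rules: on a prefix match, source/type/bssid/subsystem are set and
    message is replaced by the cleaned text; a MAC found in the message body is
    stored in mac_address, and no field is created when there is no match.
    """
    fields = {"message": message}

    m = prefix_pattern.match(message)          # rule "parse Ubiquity access point logs"
    if m:
        bssid, subsystem, clean_message = m.groups()
        fields.update(
            source="ap-" + bssid,
            type="ubiquity-ap",
            bssid=bssid,
            subsystem=subsystem,
            message=clean_message,
        )

    mac = MAC_RE.search(fields["message"])     # rule "parse any MAC address out of message field"
    if mac:                                    # NULL result -> field simply not set
        fields["mac_address"] = mac.group(1)
    # Searching the original instead of the cleaned message gives the same answer:
    # the MAC inside the prefix has no colons and never matches MAC_RE.
    return fields


if __name__ == "__main__":
    for line in SAMPLES:
        print("greedy :", run_pipeline(line, AP_PREFIX_GREEDY))
        print("fixed  :", run_pipeline(line))
        print()
```

On the first sample the greedy pattern reports the subsystem as "802.11" and the message as "associated", because ".+" backtracks from the right and settles on the last "word: " boundary; the character-class pattern reports "hostapd" with the full "ath0: STA ..." text, which is what the bssid/subsystem/message split is meant to produce. Lines without the prefix pass through with only the message field, exactly as they would in Graylog.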
In Graylog, start a
In your UniFi web interface, go to "Settings" and enable remote syslog logging, pointing it at your Graylog node and the port that your Syslog UDP input in Graylog is using. Syslog over UDP is neither authenticated nor encrypted, so keep the access points and the Graylog input on a management network and restrict which source addresses can reach the input port; any host that can send a UDP packet to it can inject messages into the stream.
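Before the access points are switched over it is worth confirming that the input, the stream rule and the pipeline line up end to end. The following Python script is an added example, not part of the original guide: it builds an RFC 3164 style syslog datagram whose body has the "(model,mac,firmware) process: text" shape the stream rule expects and sends it to the Syslog UDP input. The Graylog hostname and port, the hostname "U7PG2" and the message body are assumptions and should be replaced with your own values; the body is constructed, not a real capture.

```python
import socket
from datetime import datetime

GRAYLOG_HOST = "graylog.example.org"   # assumption: your Graylog node
GRAYLOG_PORT = 1514                     # assumption: port of your Syslog UDP input

# Constructed body in the shape the access point sends (not a real capture).
TEST_BODY = '("U7PG2,44d9e7aabbcc,v3.7.58.6385") hostapd: ath0: STA aa:bb:cc:dd:ee:ff IEEE 802.11: associated'


def syslog_datagram(body, hostname="U7PG2", facility=1, severity=6, when=None):
    """Build an RFC 3164 datagram: <PRI>TIMESTAMP HOSTNAME BODY.

    PRI is facility * 8 + severity (facility 1 = user, severity 6 = informational).
    The RFC 3164 timestamp is "Mmm dd HH:MM:SS" with the day padded by a space,
    which is why the day is formatted by hand rather than with %d.
    """
    when = when or datetime.now()
    pri = facility * 8 + severity
    timestamp = "%s %2d %s" % (when.strftime("%b"), when.day, when.strftime("%H:%M:%S"))
    return ("<%d>%s %s %s" % (pri, timestamp, hostname, body)).encode("utf-8")


def send_test_message(body=TEST_BODY, host=GRAYLOG_HOST, port=GRAYLOG_PORT):
    """Send one datagram to the Graylog input; returns the number of bytes sent."""
    data = syslog_datagram(body)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(data, (host, port))


if __name__ == "__main__":
    print("sent", send_test_message(), "bytes to", GRAYLOG_HOST, GRAYLOG_PORT)
```

After running it, the message should appear in the access point stream with source "ap-44d9e7aabbcc", subsystem "hostapd" and mac_address "aa:bb:cc:dd:ee:ff". If it lands in the default stream instead, the stream rule is not matching the message field; if it is in the right stream but unparsed, the pipeline is not connected to that stream.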