Unifi Firewall Logging with syslog

unifi Nov 29, 2017

How to enable syslog logging of the Unifi firewall.

It's fairly easy to enable syslog in the Unifi Controller; however, logging blocked or dropped traffic at the firewall needs a few extra steps. By default, anything blocked by the firewall isn't logged.

Unifi config.json.

The Unifi USG comes with pre-defined firewall rules. We need to edit these rules, which can be done on the USG from the command line, but the change also needs a JSON file to persist across a reboot or re-provision. We also need to create some new rules and enable the syslog server.

First we need to find a syslog server. For this example I will use kiwi syslog which is free.


Download here

Install it to an easy-to-find location and run the console; we will come back to configure it later.

Log in to your Unifi controller, go to Settings, enable remote logging and enter the IP of the Kiwi syslog server; the default port is normally 514.


Now go to Routing and Firewall and select firewall.

We need to create 2 new rules, both identical: one in WAN_LOCAL and the other in WAN_IN.

New Rule

Name - LAST - default drop and log
Enabled - ON
After pre-defined rules
Drop
All
Advanced - Enable Logging
Tick New, Established, Related, Invalid
Don't match on IPsec
Leave the rest default

So we should have something like this


Next we need to change the pre-defined firewall rules on the USG.

SSH onto your USG and log in:

configure
set firewall name WAN_LOCAL rule 3002 log enable
set firewall name WAN_IN rule 3002 log enable
commit
save

Next we need to configure Kiwi to capture the logs.

More to come soon

The next part is optional. The syslog logs in Kiwi contain a lot of information, but on their own they don't mean much to us. I recommend using something like Sumo Logic to collect, parse and visualize the data.

Below is a screenshot of my dashboard. It displays the number of blocked connections by their geo-location. A list of top 10 blocked IPs, the total number of blocked requests over 24 hours and finally a graph of the number of blocked connections in 30 min increments. These numbers come from the firewall rule [WAN_LOCAL-4000-D].
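As an added example (not code from the original post or from Ubiquiti), here is a small Python parser for the USG firewall syslog lines that reproduces the numbers on that dashboard: total drops, top blocked source IPs and counts per 30-minute bucket. It assumes the EdgeOS log prefix format [ruleset-rule-action] seen in the rule name above; the sample lines and IP addresses are constructed.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample of what the USG sends to the syslog server once the
# drop-and-log rules are active. The bracketed prefix is the firewall tag
# [<ruleset>-<rule number>-<action>]; action D = drop, A = accept, R = reject.
SAMPLE_SYSLOG = """\
Nov 29 08:01:10 USG kernel: [WAN_LOCAL-4000-D]IN=eth0 OUT= MAC=aa:bb SRC=203.0.113.7 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=55123 DPT=23
Nov 29 08:02:31 USG kernel: [WAN_LOCAL-4000-D]IN=eth0 OUT= MAC=aa:bb SRC=198.51.100.22 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=41000 DPT=22
Nov 29 08:05:02 USG kernel: [WAN_LOCAL-4000-D]IN=eth0 OUT= MAC=aa:bb SRC=203.0.113.7 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=55124 DPT=3389
Nov 29 08:07:45 USG kernel: [WAN_IN-4000-D]IN=eth0 OUT=eth1 MAC=aa:bb SRC=203.0.113.7 DST=10.0.0.5 LEN=60 PROTO=UDP SPT=5353 DPT=5060
Nov 29 08:09:00 USG kernel: [WAN_LOCAL-3001-A]IN=eth0 OUT= MAC=aa:bb SRC=192.0.2.99 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=500 DPT=500
Nov 29 08:40:12 USG kernel: [WAN_LOCAL-4000-D]IN=eth0 OUT= MAC=aa:bb SRC=198.51.100.22 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=41001 DPT=445
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: "
    r"\[(?P<ruleset>[A-Z_]+)-(?P<rule>\w+)-(?P<action>[ADR])\]"
    r"(?P<fields>.*)$"
)

def parse_line(line, year=2017):
    """Return one event dict, or None for lines that are not firewall log entries."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Netfilter prints KEY=VALUE pairs; bare flags such as DF have no '=' and are skipped.
    fields = dict(kv.split("=", 1) for kv in m["fields"].split() if "=" in kv)
    # Syslog timestamps carry no year, so the caller supplies it.
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "ruleset": m["ruleset"], "rule": m["rule"],
            "action": m["action"], "src": fields.get("SRC"),
            "dst": fields.get("DST"), "proto": fields.get("PROTO"),
            "dpt": fields.get("DPT")}

def summarize_drops(text, ruleset="WAN_LOCAL", bucket_minutes=30):
    """Count drops for one ruleset: total, top 10 source IPs, and per-bucket counts."""
    events = [e for e in map(parse_line, text.splitlines()) if e]
    drops = [e for e in events if e["action"] == "D" and e["ruleset"] == ruleset]
    top_src = Counter(e["src"] for e in drops).most_common(10)
    buckets = Counter()
    for e in drops:
        start = e["ts"].replace(minute=e["ts"].minute - e["ts"].minute % bucket_minutes, second=0)
        buckets[start] += 1
    return {"total": len(drops), "top_src": top_src, "buckets": buckets}
```

Point the same function at the file Kiwi writes to disk to get the daily totals and the top-10 list without a hosted service.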


Head over to the next Guide "Syslog to SumoLogic" to setup the visualization of the logs.
