I love this. I used graylog two months ago to troubleshoot some 2.4ghz wap issues with some various types of U6 APs. It was an invaluable tool in the process.
Love Graylog. Been using it for years! It's also very handy at ingesting netflow data and applying geolocation information to public IP addresses in any logs.
Very cool, wish I'd known about this syslog forward option earlier. I had a recent Unifi problem that I thought was an issue with a laptop. Periodically it would get 100% packet loss over wifi; it was still connected but nothing would go through, then it would be fine for a few hours, frustrating for WFH. I logged into Unifi for something unrelated months later and noticed these Radar Detect log messages. I had no idea this was a thing, that 5Ghz wifi and radar are on the same band and if your AP detects it, it has to quiesce for a period; for Unifi this is 10 minutes. I live nowhere near an airport, but the military had begun exercises in the area recently.
Other devices on that side of the house were connected on 2.4Ghz and continued to work, so I thought it had to be the laptop at issue and never suspected the AP until I saw the log messages.
Thanks for sharing
More graylog 😊😊
I don’t use Unifi but had to watch anyways because you make it seem so easy. Cheers!
Thanks and the logging part can apply to any system.
Thank you for another great video. I'd love to see a video showing graylog and xcp-ng. And more how to create the digest rules filters.
On a similar subject, could you do a video on how to set up and configure a pfSense firewall connected to the UDM Pro, with the pfSense as primary router/firewall on the WAN and behind it (on the LAN side) the UDM Pro connected to the pfSense via its WAN connection? Lots of contradictory papers on the net about this cascading configuration.
Nice video!! I want to learn more about Graylog. Is it possible to have distributed Graylog servers? Or local syslogs that can then be consolidated into Graylog? Also a tutorial to set up Graylog with Mikrotik devices (not just pfSense).
A video on Graylog with Elk & grafana custom dashboard would be great
Not likely any time soon as I don't use Elk and Grafana
@LAWRENCESYSTEMS thanks for replying anyway
Hi Tom, great video. Love your channel.
I was wondering how you decipher the Unifi syslog? I have a small home setup with logs going to Graylog. I get a lot of error level syslog from Unifi. Google searches usually don't work. Do you know of any documentation on Unifi syslog?
Not sure what you mean by decipher
Hi Tom,
@LAWRENCESYSTEMS I mean making sense of the syslog. Just a few examples I have looked for but cannot really find decent info:
[wifi1] FWLOG: [23027944] WLAN_DEBUG_DBGID_PEER
[wifi1] FWLOG: [23027943] WAL_DBGID_SECURITY_UCAST_KEY_SET
HSM: scan: transition IDLE => SUSPENDING_TRAFFIC
[wifi1] FWLOG: [21514438] WAL_DBGID_TX_BA_SETUP
@jrdegruijt They are just general debug notices generated by the UniFi code, which is not fully open source, but you can hunt around and find it in the original code it was based on, which I think was OpenWRT.
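The FWLOG and HSM lines quoted above are exactly the kind of input a Graylog regex extractor has to split into fields before they can be searched or counted. This is an added example, not code from the video or from Graylog: two Python patterns that pull radio, firmware sequence number and event name out of the FWLOG lines and the state transition out of the HSM line, run over the quoted lines as constructed sample input.

```python
import re
from typing import Optional

# Pattern for the firmware debug lines quoted in the thread, e.g.
# "[wifi1] FWLOG: [23027944] WLAN_DEBUG_DBGID_PEER"
FWLOG_RE = re.compile(
    r"^\[(?P<radio>wifi\d+)\]\s+FWLOG:\s+\[(?P<seq>\d+)\]\s+(?P<event>[A-Z0-9_]+)\s*$"
)
# Pattern for the host state machine line, e.g.
# "HSM: scan: transition IDLE => SUSPENDING_TRAFFIC"
HSM_RE = re.compile(
    r"^(?P<component>HSM):\s+(?P<subsystem>\w+):\s+transition\s+"
    r"(?P<from_state>\w+)\s+=>\s+(?P<to_state>\w+)\s*$"
)

def parse_unifi_ap_line(line: str) -> Optional[dict]:
    """Return the extracted fields for a FWLOG or HSM line, or None if neither pattern matches."""
    m = FWLOG_RE.match(line)
    if m:
        fields = m.groupdict()
        fields["seq"] = int(fields["seq"])   # numeric so Graylog can sort/range on it
        fields["kind"] = "fwlog"
        return fields
    m = HSM_RE.match(line)
    if m:
        fields = m.groupdict()
        fields["kind"] = "hsm_transition"
        return fields
    return None

# Constructed sample input: the four lines quoted in the thread plus one unrelated line.
SAMPLE_LINES = [
    "[wifi1] FWLOG: [23027944] WLAN_DEBUG_DBGID_PEER",
    "[wifi1] FWLOG: [23027943] WAL_DBGID_SECURITY_UCAST_KEY_SET",
    "HSM: scan: transition IDLE => SUSPENDING_TRAFFIC",
    "[wifi1] FWLOG: [21514438] WAL_DBGID_TX_BA_SETUP",
    "kernel: some unrelated message",
]

def summarize(lines) -> dict:
    """Count messages per extracted event (or state transition); unmatched lines go under '_unparsed'."""
    counts = {}
    for line in lines:
        rec = parse_unifi_ap_line(line)
        if rec is None:
            key = "_unparsed"
        elif rec["kind"] == "fwlog":
            key = rec["event"]
        else:
            key = f"{rec['from_state']}->{rec['to_state']}"
        counts[key] = counts.get(key, 0) + 1
    return counts

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_unifi_ap_line(line))
    print(summarize(SAMPLE_LINES))
```

The same two regexes can be pasted into a Graylog regex extractor or Grok pattern on the UniFi input; the `_unparsed` bucket is a quick way to see how much of the firmware chatter the patterns still miss.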
Do you use the Unifi controller API in supporting customers? If so how do you use it?
I've had success using the Unifi API to pull data that is then imported into Graylog. It seems the API provides some unique information that is not available from the built-in syslog, specifically the ability to pull the "last seen" or "time connected" status from the Unifi controller for all devices.
The goal achieved was that if a new device shows up on a specific Unifi network, Graylog alerts immediately that a MAC address appeared which has not been seen before, or was seen for the first time in the last 5 minutes.
The problem solved by this was having the ability to alert admins that a new device has appeared in certain secured networks as soon as a Unifi switch sees it, just in case they were unaware something was being added.
We don't use the API, just the syslog
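The new-device alert described in the comment above (poll the controller's client list, flag MACs not seen before that appeared within the last 5 minutes on a watched network, hand the result to Graylog) as an added example; this is not the commenter's or Ubiquiti's code. The client records and their field names (`mac`, `network`, `last_seen`) are constructed assumptions standing in for the decoded controller response, and the output is a GELF 1.1 message, the format Graylog's GELF input accepts.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample of a decoded controller client listing; the field names are an
# assumption for this example, not the real controller schema.
NOW = datetime(2021, 3, 1, 12, 0, 0, tzinfo=timezone.utc)
def _ago(**kw):
    return int((NOW - timedelta(**kw)).timestamp())

SAMPLE_CLIENTS = [
    {"mac": "aa:bb:cc:00:00:01", "network": "Secure-IoT", "last_seen": _ago(seconds=30)},
    {"mac": "aa:bb:cc:00:00:02", "network": "Secure-IoT", "last_seen": _ago(seconds=90)},
    {"mac": "aa:bb:cc:00:00:03", "network": "Guest",      "last_seen": _ago(seconds=10)},
    {"mac": "aa:bb:cc:00:00:04", "network": "Secure-IoT", "last_seen": _ago(hours=2)},
]

def find_new_devices(clients, known_macs, watched_networks, now, window=timedelta(minutes=5)):
    """Clients on a watched network whose MAC is not yet known and was seen inside the window."""
    cutoff = now - window
    hits = []
    for c in clients:
        seen = datetime.fromtimestamp(c["last_seen"], tz=timezone.utc)
        if (c["network"] in watched_networks
                and c["mac"].lower() not in known_macs
                and seen >= cutoff):
            hits.append(c)
    return hits

def to_gelf(client, host="unifi-poller"):
    """Build a GELF 1.1 message; custom fields must carry a leading underscore."""
    return json.dumps({
        "version": "1.1",
        "host": host,
        "short_message": f"New device {client['mac']} on {client['network']}",
        "level": 4,  # syslog warning
        "_client_mac": client["mac"],
        "_network": client["network"],
        "_last_seen": client["last_seen"],
    })

def poll_once(clients, known_macs, watched_networks, now):
    """One polling cycle: return GELF messages for new devices and remember their MACs."""
    new = find_new_devices(clients, known_macs, watched_networks, now)
    known_macs.update(c["mac"].lower() for c in new)  # so the next poll does not re-alert
    return [to_gelf(c) for c in new]

if __name__ == "__main__":
    known = {"aa:bb:cc:00:00:01"}
    for msg in poll_once(SAMPLE_CLIENTS, known, {"Secure-IoT"}, NOW):
        print(msg)
```

Each returned message would be sent to Graylog's GELF input (UDP or TCP) and matched by a stream rule on `_network` to drive the alert; the known-MAC set is the state that has to persist between polls.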
More Graylog. Not sure what, but this is very useful.
Graylog into ELK / Graphana etc to make a custom dashboard would be cool
Not likely any time soon as I don't use Elk and Grafana
Your videos are amazing, a question, Are there specific Groks for unifi? or where Can i download it?
www.reddit.com/r/Ubiquiti/comments/ljex1d/graylog_unifi_extractors/
@LAWRENCESYSTEMS thanks!
Tom, I want to do some POC testing of Graylog and have tried spinning up a cloud instance (Vultr), but I could not get the instance to a usable state. Do you know of any other hosting cloud vendors where they offer a "1-click" setup process?
Never looked for one, so no
Damn this looks so much easier to use than loki... It sure looks like the verbosity log level of syslogging changed for there to be that much data
Routing and firewall->firewall->settings->default action logging, also each firewall rule has its own logging toggle in it
Bizarre problem. So annoying when it won't reproduce. Intermittent issues are always the ones that make ya think.
yup, makes it much harder to troubleshoot.
So why would I use Graylog over Elastic Stack, since Graylog seems like a feature-limited Elastic Stack?
Graylog has more features built around inputs, alerts and processing streams. I think it offers easier setup and management than Elastic Stack, but if you are familiar with doing that all on your own, then just use Elastic Stack.
How does one setup per SSID VLAN on UniFi 6.4.54? Only UniFi APs, no switches, using Cisco for that and know how to do trunking from there.
When creating the SSID put in the VLAN and make sure the Cisco has those VLANs available on the ports the AP is connected to.
How to send UniFi USG-Pro4 firewall logs to Graylog?
Can Graylog tell me about packets my UDM is blocking? I have a network that can't reach a certain IP for some reason that I've been trying to figure out.
I am not sure what the UDM can send via syslog.
Graylog for gray beard. 👍👍👍
Tom can you share how you parse the Unifi logs in Graylog?
Yes please, and parsing the UniFi firewall log to find blocks.
I am collecting them but I have not made a regex extractor for them yet.
When I SNMP poll any UNIFI AP its error counters are through the roof!
The traffic spike is from the amused non-americans offering advice on how to correctly pronounce 'console'. Hint: it's not 'council'.
Otherwise, now I feel compelled to check out graylog, ty for the vids.
thanks and some words are hard for me to say.
When you do not own your code, decisions or solution….
It shows!
Not sure the purpose of your repeatedly vague comments, but thanks as it helps let the RUclips algorithm know that this content is engaging. 😀
First
What if somehow Unifi had the ability to capture all of your corporate Wifi in some unknown section of their databases that then floods it out randomly to what you think are harmless sites.