Using Graylog and pfsense to Troubleshoot a UniFi Syslog Issue

  • Published: 29 Oct 2024
  • Science

Comments • 50

  • @plrpilot
    @plrpilot 3 years ago +8

    I love this. I used graylog two months ago to troubleshoot some 2.4ghz wap issues with some various types of U6 APs. It was an invaluable tool in the process.

  • @jasonwarnes
    @jasonwarnes 3 years ago +3

    Love Graylog. Been using it for years! It's also very handy at ingesting netflow data and applying geolocation information to public IP addresses in any logs.

  • @ziaride
    @ziaride 3 years ago +7

    Very cool, wish I'd known about this syslog forward option earlier. I had a recent Unifi problem that I thought was an issue with a laptop. Periodically it would get 100% packet loss over wifi; it was still connected but nothing would go through, then it would be fine for a few hours, frustrating for WFH. I logged into Unifi for something unrelated months later and noticed these Radar Detect log messages. I had no idea this was a thing, that 5 GHz wifi and radar are on the same band and if your AP detects it, it has to quiesce for a period, for Unifi this is 10 minutes. I live nowhere near an airport but the military had begun exercises in the area recently.

    • @ziaride
      @ziaride 3 years ago +1

      Other devices on that side of the house were connected on 2.4 GHz and continued to work, so I thought it had to be the laptop at issue and never suspected the AP until I saw the log messages.

    • @andyrandy0815
      @andyrandy0815 3 years ago +1

      Thanks for sharing

  • @Morno007
    @Morno007 3 years ago +14

    More graylog 😊😊

  • @Kattakam
    @Kattakam 3 years ago +3

    I don’t use Unifi but had to watch anyways because you make it seem so easy. Cheers!

    • @LAWRENCESYSTEMS
      @LAWRENCESYSTEMS 3 years ago

      Thanks and the logging part can apply to any system.

  • @MrFred97430
    @MrFred97430 3 years ago

    Thank you for another great video. I'd love to see a video showing graylog and xcp-ng. And more how to create the digest rules filters.

  • @ericrsa2348
    @ericrsa2348 2 years ago

    On a similar subject, could you do a video on how to set up and configure a pfSense firewall connected to the UDM Pro, with the pfSense as primary router/firewall on the WAN and behind it (on the LAN side) the UDM Pro connected to the pfSense via its WAN connection? Lots of contradictory papers on the net about this cascading configuration.

  • @kirksteinklauber260
    @kirksteinklauber260 3 years ago +1

    Nice video!! I want to learn more about Graylog. Is it possible to have distributed Graylog servers? Or local syslogs that can then consolidate into Graylog? Also a tutorial to set up Graylog with Mikrotik devices (not just pfSense).

  • @ajmalbakhshiamirpoor1343
    @ajmalbakhshiamirpoor1343 3 years ago +1

    A video on Graylog with Elk & grafana custom dashboard would be great

  • @jrdegruijt
    @jrdegruijt 9 months ago

    Hi Tom, great video. Love your channel.
    I was wondering how you decipher the Unifi syslog? I have a small home setup with logs going to Graylog. I get a lot of error level syslog from Unifi. Google searches usually don't work. Do you know of any documentation on Unifi syslog?

    • @LAWRENCESYSTEMS
      @LAWRENCESYSTEMS 9 months ago

      Not sure what you mean by decipher

    • @jrdegruijt
      @jrdegruijt 9 months ago

      Hi Tom,
      @LAWRENCESYSTEMS I mean making sense of the syslog. Just a few examples I have looked for but cannot really find decent info:
      [wifi1] FWLOG: [23027944] WLAN_DEBUG_DBGID_PEER
      [wifi1] FWLOG: [23027943] WAL_DBGID_SECURITY_UCAST_KEY_SET
      HSM: scan: transition IDLE => SUSPENDING_TRAFFIC
      [wifi1] FWLOG: [21514438] WAL_DBGID_TX_BA_SETUP

    • @LAWRENCESYSTEMS
      @LAWRENCESYSTEMS 9 months ago +1

      @jrdegruijt They are just general debug notices generated by the UniFi code, which is not fully open source, but you can hunt around and find it in the original code it was based on, which I think was OpenWRT.
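The four lines @jrdegruijt quoted above are the kind of thing a Graylog regex extractor or Grok pattern has to split into fields before they can be filtered or counted. This is an added example, not code from the video or from Graylog; the two regexes are derived only from those four sample lines and will not cover every UniFi AP message format.

```python
import re
from collections import Counter

# Constructed sample: the four UniFi AP syslog lines quoted in the comment above.
SAMPLE_LINES = [
    "[wifi1] FWLOG: [23027944] WLAN_DEBUG_DBGID_PEER",
    "[wifi1] FWLOG: [23027943] WAL_DBGID_SECURITY_UCAST_KEY_SET",
    "HSM: scan: transition IDLE => SUSPENDING_TRAFFIC",
    "[wifi1] FWLOG: [21514438] WAL_DBGID_TX_BA_SETUP",
]

# Firmware debug lines: radio interface, firmware sequence counter, debug identifier.
FWLOG_RE = re.compile(r"^\[(?P<radio>wifi\d+)\] FWLOG: \[(?P<seq>\d+)\] (?P<dbgid>[A-Z0-9_]+)$")
# Host state-machine lines: which state machine moved from which state to which.
HSM_RE = re.compile(r"^HSM: (?P<machine>\w+): transition (?P<src>\w+) => (?P<dst>\w+)$")


def parse_unifi_line(line):
    """Return a dict of fields for a recognised line, or None for an unknown format."""
    m = FWLOG_RE.match(line)
    if m:
        return {"kind": "fwlog", "radio": m["radio"], "seq": int(m["seq"]), "dbgid": m["dbgid"]}
    m = HSM_RE.match(line)
    if m:
        return {"kind": "hsm", "machine": m["machine"], "src": m["src"], "dst": m["dst"]}
    return None


def summarize(lines):
    """Count parsed line types so the noisy debug ids can be reviewed in aggregate,
    and collect the lines no pattern matched so new formats are not silently dropped."""
    counts = Counter()
    unparsed = []
    for line in lines:
        rec = parse_unifi_line(line)
        if rec is None:
            unparsed.append(line)
        elif rec["kind"] == "fwlog":
            counts[f"fwlog:{rec['dbgid']}"] += 1
        else:
            counts[f"hsm:{rec['machine']}:{rec['src']}->{rec['dst']}"] += 1
    return counts, unparsed


if __name__ == "__main__":
    totals, leftovers = summarize(SAMPLE_LINES)
    for key, n in totals.most_common():
        print(f"{n:4d}  {key}")
    print("unparsed:", leftovers)
```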

  • @Dan-ml5em
    @Dan-ml5em 3 years ago +1

    Do you use the Unifi controller API in supporting customers? If so how do you use it?
    I've had success using the Unifi API to pull data that is then imported into Graylog. It seems the API provides some unique information that is not available from the built-in syslog, specifically the ability to pull the "last seen" or "time connected" status from the Unifi controller for all devices.
    The goal achieved was that if a new device shows up on a specific Unifi network, Graylog can alert immediately that a MAC address appeared that has not been seen before or was seen in the last 5 minutes for the first time.
    The problem solved by this was having the ability to alert admins that a new device has appeared in certain secured networks as soon as a Unifi switch sees it, just in case they were unaware something was being added.
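The new-device alert logic described in this comment, as an added example that is not the commenter's code: it takes a snapshot of client records and the set of MACs already seen on the watched networks, and raises an alert for any MAC that is unknown or that the controller first saw within the last 5 minutes. The record fields (mac, network, first_seen, last_seen) and the sample data are constructed for the example; they are not the real UniFi controller API schema.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample snapshot; field names are an assumption, not the UniFi API schema.
NOW = datetime(2024, 10, 29, 12, 0, 0, tzinfo=timezone.utc)
SNAPSHOT = [
    {"mac": "aa:bb:cc:00:00:01", "network": "secure-vlan",
     "first_seen": NOW - timedelta(days=30), "last_seen": NOW},
    {"mac": "AA:BB:CC:00:00:02", "network": "secure-vlan",
     "first_seen": NOW - timedelta(minutes=2), "last_seen": NOW},
    {"mac": "aa:bb:cc:00:00:03", "network": "guest",
     "first_seen": NOW - timedelta(minutes=1), "last_seen": NOW},
]
# MACs previously recorded on watched networks, mapped to when they were first seen.
KNOWN = {"aa:bb:cc:00:00:01": NOW - timedelta(days=30)}


def new_device_alerts(snapshot, known, now, watched_networks, window=timedelta(minutes=5)):
    """Return (alerts, updated_known). A client on a watched network is alerted when its
    MAC is not in `known`, or when the controller first saw it within `window`; the
    second condition means a brand-new MAC keeps alerting on every poll until the window
    has passed, matching the behaviour described in the comment. MACs are normalised to
    lower case so the same device is not counted twice because of letter case."""
    alerts = []
    updated = dict(known)
    for client in snapshot:
        if client["network"] not in watched_networks:
            continue  # only secured networks are watched; guest traffic is ignored
        mac = client["mac"].lower()
        never_seen = mac not in updated
        recent = now - client["first_seen"] <= window
        if never_seen or recent:
            alerts.append({
                "mac": mac,
                "network": client["network"],
                "reason": "never seen before" if never_seen else "first seen within window",
            })
        updated.setdefault(mac, client["first_seen"])
    return alerts, updated


if __name__ == "__main__":
    found, state = new_device_alerts(SNAPSHOT, KNOWN, NOW, {"secure-vlan"})
    for a in found:
        print(f"ALERT {a['mac']} on {a['network']}: {a['reason']}")
```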

  • @kc0eks
    @kc0eks 3 years ago

    More Graylog. Not sure what, but this is very useful.

  • @zadekeys2194
    @zadekeys2194 3 years ago

    Graylog into ELK / Grafana etc. to make a custom dashboard would be cool.

    • @LAWRENCESYSTEMS
      @LAWRENCESYSTEMS 3 years ago +1

      Not likely any time soon as I don't use Elk and Grafana

  • @carloschavez1749
    @carloschavez1749 2 years ago

    Your videos are amazing. A question: are there specific Groks for Unifi? Or where can I download them?

    • @LAWRENCESYSTEMS
      @LAWRENCESYSTEMS 2 years ago

      www.reddit.com/r/Ubiquiti/comments/ljex1d/graylog_unifi_extractors/

    • @carloschavez1749
      @carloschavez1749 2 years ago +1

      @LAWRENCESYSTEMS thanks!

  • @jj358mhz
    @jj358mhz 3 years ago

    Tom, I want to do some POC testing of Graylog and have tried spinning up a cloud instance (Vultr), but I could not get the instance to a usable state. Do you know of any other hosting cloud vendors where they offer a "1-click" setup process?

  • @tablatronix
    @tablatronix 3 years ago +1

    Damn, this looks so much easier to use than Loki... It sure looks like the verbosity log level of syslogging changed for there to be that much data.

    • @tablatronix
      @tablatronix 3 years ago

      Routing and firewall -> firewall -> settings -> default action logging; also each firewall rule has its own logging toggle in it.

  • @kc0eks
    @kc0eks 3 years ago +1

    Bizarre problem. So annoying when it won't reproduce. Intermittent issues are always the ones that make ya think.

  • @FireBean8504
    @FireBean8504 3 years ago

    So why would I use Graylog over Elastic Stack, since Graylog seems like a feature-limited Elastic Stack?

    • @LAWRENCESYSTEMS
      @LAWRENCESYSTEMS 3 years ago +1

      Graylog has more features built around inputs, alerts and processing streams. I think it offers easier setup and management of Elastic Stack, but if you are familiar with doing that all on your own, then just use Elastic Stack.

  • @rolling_marbles
    @rolling_marbles 3 years ago

    How does one set up per-SSID VLANs on UniFi 6.4.54? Only UniFi APs, no switches; using Cisco for that and I know how to do trunking from there.

    • @LAWRENCESYSTEMS
      @LAWRENCESYSTEMS 3 years ago

      When creating the SSID, put in the VLAN and make sure the Cisco has those VLANs available on the ports the AP is connected to.

  • @NS-ve9yd
    @NS-ve9yd 3 years ago

    How to send firewall logs from a Unifi USG-Pro4 to Graylog?

  • @Richardsumilang
    @Richardsumilang 1 year ago

    Can Graylog tell me about packets my UDM is blocking? I have a network that can't reach a certain IP for some reason that I've been trying to figure out.

  • @janisvaskevics93
    @janisvaskevics93 3 years ago

    Graylog for gray beard. 👍👍👍

  • @AlbertoRamirez-hz5vl
    @AlbertoRamirez-hz5vl 3 years ago +1

    Tom can you share how you parse the Unifi logs in Graylog?

    • @MisterV..
      @MisterV.. 3 years ago +1

      Yes please, and parsing the Unifi firewall log to find blocks.

    • @LAWRENCESYSTEMS
      @LAWRENCESYSTEMS 3 years ago

      I am collecting them, but I have not made a regex extractor for them yet.

  • @RonaldBartels
    @RonaldBartels 3 years ago

    When I SNMP poll any UniFi AP, its error counters are through the roof!

  • @nobiggeridiot
    @nobiggeridiot 3 years ago +1

    The traffic spike is from the amused non-americans offering advice on how to correctly pronounce 'console'. Hint: it's not 'council'.
    Otherwise, now I feel compelled to check out Graylog. Ty for the vids.

    • @LAWRENCESYSTEMS
      @LAWRENCESYSTEMS 3 years ago

      Thanks, and some words are hard for me to say.

  • @pepeshopping
    @pepeshopping 3 years ago

    When you do not own your code, decisions or solution...
    It shows!

    • @LAWRENCESYSTEMS
      @LAWRENCESYSTEMS 3 years ago +1

      Not sure the purpose of your repeatedly vague comments, but thanks as it helps let the RUclips algorithm know that this content is engaging. 😀

  • @TechySpeaking
    @TechySpeaking 3 years ago +1

    First

  • @darrenshoobert
    @darrenshoobert 3 years ago

    What if somehow Unifi had the ability to capture all of your corporate Wifi in some unknown section of their databases that then floods it out randomly to what you think are harmless sites?