```shell
cscli parsers install crowdsecurity/unifi-cef
```

This parser handles CEF logs from Ubiquiti UniFi Network devices. It filters on the CEF device vendor and product fields so that it only processes logs that actually come from UniFi and does not interfere with other CEF sources.
It extracts the UniFi-specific CEF extension fields (the UNIFI* keys) that carry metadata about network events, the reporting device and security alerts raised by UniFi devices.
It parses the whole CEF extension as key=value pairs with ParseKVLax into evt.Unmarshaled.unifi, so the extension fields do not have to appear in a fixed order and values that contain spaces (device names, IPS signature names) are kept whole.

A single configuration covers the two kinds of UniFi CEF events with one shared statics mapping; a meta whose source field is absent from an event is simply not set:

- Administrative events (UNIFIcategory=System, UNIFIsubCategory=Admin): logins and other system access
- Security events (UNIFIcategory=Security, UNIFIsubCategory=Intrusion Prevention): IPS alerts

An admin event looks like:
```
UNIFIcategory=System UNIFIsubCategory=Admin UNIFIhost=Unifi Dream Machine UNIFIaccessMethod=web UNIFIadmin=Secure Admin src=192.168.1.100 UNIFIutcTime=2025-09-04T08:32:58.445Z msg=...
```
For admin events the parser sets, among others:

- admin_user - the admin account that performed the action (UNIFIadmin)
- access_method - how access was performed, e.g. web or API (UNIFIaccessMethod)
- evt.StrTime - the UTC timestamp of the event (UNIFIutcTime), used as the event time

A security event looks like:
```
proto=TCP src=10.0.0.100 spt=54587 dst=192.168.0.233 dpt=443 UNIFIcategory=Security UNIFIsubCategory=Intrusion Prevention UNIFIhost=Express 7 UNIFIdeviceMac=84:78:48:80:0d:86 UNIFIdeviceName=Express 7 UNIFIdeviceModel=UX7 UNIFIdeviceIp=192.168.0.1 UNIFIdeviceVersion=4.3.9 UNIFIrisk=medium UNIFIipsSessionId=54725290909450 UNIFIipsSignature=ET DROP Dshield Block Listed Source group 1 UNIFIipsSignatureId=2402000 UNIFIutcTime=2025-08-30T17:53:21.915Z msg=A network intrusion attempt has been detected and blocked.
```
For security events the parser sets, among others:

- device_name, device_model, device_mac, device_ip - Device information
- protocol, source_ip, source_port, destination_ip, destination_port - Network details
- risk_level, ips_signature, ips_signature_id, ips_session_id - Threat information

The parser only processes events where:

- cef_device_vendor equals "Ubiquiti"
- cef_device_product equals "UniFi Network"

Both fields are populated by the upstream cef-logs parser. The ParseKVLax call is part of the filter expression, so the key=value parse happens while the filter is evaluated: if the vendor or product does not match, or the extension cannot be parsed as key=value pairs, the filter fails and the event is left untouched for the other parsers in the stage. This is what keeps the parser from interfering with other CEF sources.
The parser sets the following metadata (evt.Meta) from the CEF header and the UniFi extension:

- service - always unifi
- vendor, product - CEF device vendor and product from the header
- device_version - CEF device version from the header (cef_device_version)
- event_severity - CEF severity level
- event_signature_id - CEF signature ID from the header
- source_ip - Source IP address (src)
- protocol - Network protocol such as TCP or UDP (proto)
- source_port, destination_port - Source and destination ports (spt, dpt)
- destination_ip - Destination IP address (dst)
- action, application - the CEF act and app fields
- category - Event category such as System or Security (UNIFIcategory)
- subcategory - Event subcategory (UNIFIsubCategory)
- host - Hostname of the UniFi device (UNIFIhost)
- risk_level - Risk level: high, medium or low (UNIFIrisk)
- policy_name, policy_type, direction - Matched policy name and type, and traffic direction (UNIFIpolicyName, UNIFIpolicyType, UNIFIdirection)
- device_interface - Inbound interface (deviceInboundInterface)
- device_name - Name of the UniFi device
- device_model - Model of the device (e.g. UX7, USG)
- device_mac - MAC address of the device
- device_ip - IP address of the device
- device_firmware_version - Firmware version of the device (UNIFIdeviceVersion)
- source_zone, source_region - Source zone and region
- destination_client_alias, destination_client_mac, destination_zone - Destination client and zone
- admin_user - Admin user who performed the action
- access_method - How access was performed (web, API, etc.)
- ips_signature - IPS signature that triggered
- ips_signature_id - IPS signature ID
- ips_session_id - IPS session identifier
- message - The CEF msg field

In addition, evt.StrTime is set from UNIFIutcTime, so the event time comes from the device's own UTC timestamp.

This parser should be used after the cef-logs parser in the s00-raw stage. It will automatically filter and enrich UniFi CEF logs with structured metadata for use in scenarios and correlation rules.
```yaml
onsuccess: next_stage
filter: "evt.Parsed.cef_device_vendor == 'Ubiquiti' && evt.Parsed.cef_device_product == 'UniFi Network' && ParseKVLax(evt.Parsed.message, evt.Unmarshaled, 'unifi') == nil"
name: crowdsecurity/unifi-cef
description: "Parse Unifi CEF logs"
statics:
  - meta: service
    value: unifi
  - meta: vendor
    expression: evt.Parsed.cef_device_vendor
  - meta: product
    expression: evt.Parsed.cef_device_product
  - meta: device_version
    expression: evt.Parsed.cef_device_version
  - meta: event_severity
    expression: evt.Parsed.cef_severity
  - meta: event_signature_id
    expression: evt.Parsed.cef_signature_id
  - meta: source_ip
    expression: evt.Unmarshaled.unifi.src
  - meta: protocol
    expression: evt.Unmarshaled.unifi.proto
  - meta: source_port
    expression: evt.Unmarshaled.unifi.spt
  - meta: destination_ip
    expression: evt.Unmarshaled.unifi.dst
  - meta: destination_port
    expression: evt.Unmarshaled.unifi.dpt
  - meta: action
    expression: evt.Unmarshaled.unifi.act
  - meta: application
    expression: evt.Unmarshaled.unifi.app
  - meta: category
    expression: evt.Unmarshaled.unifi.UNIFIcategory
  - meta: subcategory
    expression: evt.Unmarshaled.unifi.UNIFIsubCategory
  - meta: host
    expression: evt.Unmarshaled.unifi.UNIFIhost
  - meta: risk_level
    expression: evt.Unmarshaled.unifi.UNIFIrisk
  - meta: policy_name
    expression: evt.Unmarshaled.unifi.UNIFIpolicyName
  - meta: policy_type
    expression: evt.Unmarshaled.unifi.UNIFIpolicyType
  - meta: direction
    expression: evt.Unmarshaled.unifi.UNIFIdirection
  - meta: device_interface
    expression: evt.Unmarshaled.unifi.deviceInboundInterface
  - meta: device_mac
    expression: evt.Unmarshaled.unifi.UNIFIdeviceMac
  - meta: device_name
    expression: evt.Unmarshaled.unifi.UNIFIdeviceName
  - meta: device_model
    expression: evt.Unmarshaled.unifi.UNIFIdeviceModel
  - meta: device_ip
    expression: evt.Unmarshaled.unifi.UNIFIdeviceIp
  - meta: device_firmware_version
    expression: evt.Unmarshaled.unifi.UNIFIdeviceVersion
  - meta: source_zone
    expression: evt.Unmarshaled.unifi.UNIFIsrcZone
  - meta: source_region
    expression: evt.Unmarshaled.unifi.UNIFIsrcRegion
  - meta: destination_client_alias
    expression: evt.Unmarshaled.unifi.UNIFIdstClientAlias
  - meta: destination_client_mac
    expression: evt.Unmarshaled.unifi.UNIFIdstClientMac
  - meta: destination_zone
    expression: evt.Unmarshaled.unifi.UNIFIdstZone
  - meta: admin_user
    expression: evt.Unmarshaled.unifi.UNIFIadmin
  - meta: access_method
    expression: evt.Unmarshaled.unifi.UNIFIaccessMethod
  - meta: ips_signature
    expression: evt.Unmarshaled.unifi.UNIFIipsSignature
  - meta: ips_signature_id
    expression: evt.Unmarshaled.unifi.UNIFIipsSignatureId
  - meta: ips_session_id
    expression: evt.Unmarshaled.unifi.UNIFIipsSessionId
  - meta: message
    expression: evt.Unmarshaled.unifi.msg
  - target: evt.StrTime
    expression: evt.Unmarshaled.unifi.UNIFIutcTime
```
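As an added example (not part of this hub page and not CrowdSec's own code), the following Python models what the parser above does end to end: split the CEF header the way the upstream cef-logs parser would, apply the vendor/product filter, parse the extension as lax key=value pairs, and apply the statics mapping from the configuration. The two UniFi extensions are the page's sample events; the CEF header fields placed in front of them (device version, signature id, name, severity), the admin event's msg text and the third, non-UniFi line are constructed for the example. The header split ignores escaped pipes, and the key=value splitter is an assumption about how ParseKVLax treats unquoted values containing spaces, not CrowdSec's implementation.

```python
"""Model of the crowdsecurity/unifi-cef parser (added example, not CrowdSec code):
CEF header split, lax key=value parsing of the extension, the vendor/product
filter and the statics mapping from the hub page."""
import re
from typing import Dict, Optional

# Simplified CEF header: eight pipe-separated fields, the eighth being the
# extension. Assumption: no escaped '\|' inside header fields. Group names
# follow the evt.Parsed fields the upstream cef-logs parser provides.
CEF_HEADER = re.compile(
    r"CEF:(?P<cef_version>\d+)\|(?P<cef_device_vendor>[^|]*)\|"
    r"(?P<cef_device_product>[^|]*)\|(?P<cef_device_version>[^|]*)\|"
    r"(?P<cef_signature_id>[^|]*)\|(?P<cef_name>[^|]*)\|"
    r"(?P<cef_severity>[^|]*)\|(?P<message>.*)$"
)

# A key is a bare token directly followed by '='; a value runs until the next
# " key=" token, which is why unquoted values with spaces survive. This is an
# assumption about ParseKVLax's behaviour, not its implementation.
KV_KEY = re.compile(r"(?:^|\s)([A-Za-z][A-Za-z0-9_.\-]*)=")

# meta name -> source key. "cef_*" keys come from the header (evt.Parsed),
# everything else from the extension (evt.Unmarshaled.unifi). Same mapping as
# the parser's statics section.
STATICS = {
    "vendor": "cef_device_vendor", "product": "cef_device_product",
    "device_version": "cef_device_version", "event_severity": "cef_severity",
    "event_signature_id": "cef_signature_id",
    "source_ip": "src", "protocol": "proto", "source_port": "spt",
    "destination_ip": "dst", "destination_port": "dpt", "action": "act",
    "application": "app", "category": "UNIFIcategory",
    "subcategory": "UNIFIsubCategory", "host": "UNIFIhost",
    "risk_level": "UNIFIrisk", "policy_name": "UNIFIpolicyName",
    "policy_type": "UNIFIpolicyType", "direction": "UNIFIdirection",
    "device_interface": "deviceInboundInterface",
    "device_mac": "UNIFIdeviceMac", "device_name": "UNIFIdeviceName",
    "device_model": "UNIFIdeviceModel", "device_ip": "UNIFIdeviceIp",
    "device_firmware_version": "UNIFIdeviceVersion",
    "source_zone": "UNIFIsrcZone", "source_region": "UNIFIsrcRegion",
    "destination_client_alias": "UNIFIdstClientAlias",
    "destination_client_mac": "UNIFIdstClientMac",
    "destination_zone": "UNIFIdstZone", "admin_user": "UNIFIadmin",
    "access_method": "UNIFIaccessMethod", "ips_signature": "UNIFIipsSignature",
    "ips_signature_id": "UNIFIipsSignatureId",
    "ips_session_id": "UNIFIipsSessionId", "message": "msg",
}


def parse_kv_lax(extension: str) -> Dict[str, str]:
    """Split 'k=v k2=v with spaces' into a dict, keeping spaces inside values."""
    out: Dict[str, str] = {}
    keys = list(KV_KEY.finditer(extension))
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(extension)
        out[m.group(1)] = extension[m.end():end].strip()
    return out


def enrich(line: str) -> Optional[Dict[str, str]]:
    """Return the meta this parser would set, or None when its filter rejects."""
    m = CEF_HEADER.search(line)
    if m is None:
        return None
    parsed = m.groupdict()
    # The parser's filter: vendor and product must match exactly.
    if (parsed["cef_device_vendor"] != "Ubiquiti"
            or parsed["cef_device_product"] != "UniFi Network"):
        return None
    unifi = parse_kv_lax(parsed["message"])
    meta = {"service": "unifi"}
    for name, key in STATICS.items():
        source = parsed if key.startswith("cef_") else unifi
        if source.get(key):          # absent or empty fields set no meta
            meta[name] = source[key]
    if unifi.get("UNIFIutcTime"):    # the parser writes this to evt.StrTime
        meta["strtime"] = unifi["UNIFIutcTime"]
    return meta


# Constructed samples: the two UniFi extensions are the page's example events;
# the header fields before them, the admin msg text and the non-UniFi line
# are assumed values for this example.
ADMIN_LINE = (
    "CEF:0|Ubiquiti|UniFi Network|9.3.45|1001|Admin Login|3|"
    "UNIFIcategory=System UNIFIsubCategory=Admin UNIFIhost=Unifi Dream Machine "
    "UNIFIaccessMethod=web UNIFIadmin=Secure Admin src=192.168.1.100 "
    "UNIFIutcTime=2025-09-04T08:32:58.445Z msg=Admin logged in via web"
)
IPS_LINE = (
    "CEF:0|Ubiquiti|UniFi Network|9.3.45|2402000|IPS Alert|6|"
    "proto=TCP src=10.0.0.100 spt=54587 dst=192.168.0.233 dpt=443 "
    "UNIFIcategory=Security UNIFIsubCategory=Intrusion Prevention "
    "UNIFIhost=Express 7 UNIFIdeviceMac=84:78:48:80:0d:86 "
    "UNIFIdeviceName=Express 7 UNIFIdeviceModel=UX7 UNIFIdeviceIp=192.168.0.1 "
    "UNIFIdeviceVersion=4.3.9 UNIFIrisk=medium UNIFIipsSessionId=54725290909450 "
    "UNIFIipsSignature=ET DROP Dshield Block Listed Source group 1 "
    "UNIFIipsSignatureId=2402000 UNIFIutcTime=2025-08-30T17:53:21.915Z "
    "msg=A network intrusion attempt has been detected and blocked."
)
OTHER_LINE = ("CEF:0|ExampleVendor|ExampleFirewall|1.0|100|traffic|2|"
              "src=10.0.0.5 dst=192.0.2.10 proto=TCP")

if __name__ == "__main__":
    for line in (ADMIN_LINE, IPS_LINE, OTHER_LINE):
        print(enrich(line))
```

Running it prints the meta for the admin and IPS events and None for the third line, which the filter rejects on vendor. The splitter shows the limit of lax key=value parsing: a value that itself contains a "word=" token (for instance free text in msg) is cut at that token, so scenarios should not rely on msg being reproduced verbatim when it may contain user-controlled text.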