unifi-cef Log Parser

This parser specifically handles CEF logs from Ubiquiti UniFi Network devices, filtering by vendor and product to ensure it only processes relevant logs.

The parser extracts Unifi-specific CEF extension fields that contain valuable metadata about network events, device information, and security alerts from UniFi devices.

It uses comprehensive grok patterns that parse the entire CEF extension message in the expected field order, ensuring compatibility with the Go grok implementation.

The parser uses a single configuration with two grok patterns, each optimized for different types of Unifi CEF events with pattern-specific statics:

Admin/System Pattern (UNIFI_ADMIN_PATTERN): Handles administrative actions like logins and system access
Security/Threat Pattern (UNIFI_SECURITY_PATTERN): Handles security alerts and intrusion prevention

Pattern matches logs like:

UNIFIcategory=System UNIFIsubCategory=Admin UNIFIhost=Unifi Dream Machine UNIFIaccessMethod=web UNIFIadmin=Secure Admin src=192.168.1.100 UNIFIutcTime=2025-09-04T08:32:58.445Z msg=...

Admin pattern extracts and sets:

admin_user - Admin user who performed the action
access_method - How access was performed (web, API, etc.)
timestamp - UTC timestamp of the event
Common fields: vendor, product, category, subcategory, host, severity, etc.

Pattern matches logs like:

proto=TCP src=10.0.0.100 spt=54587 dst=192.168.0.233 dpt=443 UNIFIcategory=Security UNIFIsubCategory=Intrusion Prevention UNIFIhost=Express 7 UNIFIdeviceMac=84:78:48:80:0d:86 UNIFIdeviceName=Express 7 UNIFIdeviceModel=UX7 UNIFIdeviceIp=192.168.0.1 UNIFIdeviceVersion=4.3.9 UNIFIrisk=medium UNIFIipsSessionId=54725290909450 UNIFIipsSignature=ET DROP Dshield Block Listed Source group 1 UNIFIipsSignatureId=2402000 UNIFIutcTime=2025-08-30T17:53:21.915Z msg=A network intrusion attempt has been detected and blocked.

Security pattern extracts and sets:

device_name, device_model, device_mac, device_ip - Device information
protocol, source_port, destination_ip, destination_port - Network details
risk_level, ips_signature, ips_signature_id, ips_session_id - Threat information
Common fields: vendor, product, category, subcategory, host, severity, etc.

The parser automatically filters for logs where:

cef_device_vendor equals "Ubiquiti"
cef_device_product equals "UniFi Network"

This ensures the parser only processes actual Unifi CEF logs and doesn't interfere with other CEF sources.

The parser extracts the following Unifi-specific fields into metadata:

device_name - Name of the Unifi device
device_model - Model of the device (e.g., UX7, USG)
device_mac - MAC address of the device
device_version - Firmware version
host - Hostname of the device

source_ip - Source IP address
protocol - Network protocol (TCP, UDP, etc.)
source_port - Source port
destination_port - Destination port

category - Event category (System, Security, etc.)
subcategory - Event subcategory
risk_level - Risk level (high, medium, low)
event_severity - CEF severity level
admin_user - Admin user who performed action
access_method - How access was performed (web, API, etc.)

ips_signature - IPS signature that triggered
ips_signature_id - IPS signature ID
ips_session_id - IPS session identifier

This parser should be used after the cef-logs parser in the s00-raw stage. It will automatically filter and enrich Unifi CEF logs with structured metadata for use in scenarios and correlation rules.

1onsuccess: next_stage

2filter: "evt.Parsed.cef_device_vendor == 'Ubiquiti' && evt.Parsed.cef_device_product == 'UniFi Network'"

3name: crowdsecurity/unifi-cef

4description: "Parse Unifi CEF logs"

5pattern_syntax:

6 UNIFI_ADMIN_PATTERN: 'UNIFIcategory=(%{DATA:unifi_category}) UNIFIsubCategory=(%{DATA:unifi_subcategory}) UNIFIhost=(%{DATA:unifi_host}) UNIFIaccessMethod=(%{DATA:unifi_access_method}) UNIFIadmin=(%{DATA:unifi_admin}) src=(%{IP:src_ip}) UNIFIutcTime=(%{DATA:unifi_utc_time}) msg=(%{DATA:msg})'

7 UNIFI_SECURITY_PATTERN: 'proto=(%{WORD:protocol}) src=(%{IP:src_ip}) spt=(%{INT:src_port}) dst=(%{IP:dst_ip}) dpt=(%{INT:dst_port}) UNIFIcategory=(%{DATA:unifi_category}) UNIFIsubCategory=(%{DATA:unifi_subcategory}) UNIFIhost=(%{DATA:unifi_host}) UNIFIdeviceMac=(%{DATA:unifi_device_mac}) UNIFIdeviceName=(%{DATA:unifi_device_name}) UNIFIdeviceModel=(%{DATA:unifi_device_model}) UNIFIdeviceIp=(%{IP:unifi_device_ip}) UNIFIdeviceVersion=(%{DATA:unifi_device_version}) UNIFIrisk=(%{DATA:unifi_risk}) UNIFIipsSessionId=(%{DATA:unifi_ips_session_id}) UNIFIipsSignature=(%{DATA:unifi_ips_signature}) UNIFIipsSignatureId=(%{DATA:unifi_ips_signature_id}) UNIFIutcTime=(%{DATA:unifi_utc_time}) msg=(%{DATA:msg})'

8nodes:

9 - grok:

10 pattern: '%{UNIFI_ADMIN_PATTERN}'

11 apply_on: message

12 statics:

13 - meta: service

14 value: unifi

15 - meta: vendor

16 expression: evt.Parsed.cef_device_vendor

17 - meta: product

18 expression: evt.Parsed.cef_device_product

19 - meta: device_version

20 expression: evt.Parsed.cef_device_version

21 - meta: source_ip

22 expression: evt.Parsed.src_ip

23 - meta: admin_user

24 expression: evt.Parsed.unifi_admin

25 - meta: category

26 expression: evt.Parsed.unifi_category

27 - meta: subcategory

28 expression: evt.Parsed.unifi_subcategory

29 - meta: access_method

30 expression: evt.Parsed.unifi_access_method

31 - meta: host

32 expression: evt.Parsed.unifi_host

33 - meta: event_severity

34 expression: evt.Parsed.cef_severity

35 - meta: event_signature_id

36 expression: evt.Parsed.cef_signature_id

37 - meta: message

38 expression: evt.Parsed.msg

39 - target: evt.StrTime

40 expression: evt.Parsed.unifi_utc_time

41 - grok:

42 pattern: '%{UNIFI_SECURITY_PATTERN}'

43 apply_on: message

44 statics:

45 - meta: service

46 value: unifi

47 - meta: vendor

48 expression: evt.Parsed.cef_device_vendor

49 - meta: product

50 expression: evt.Parsed.cef_device_product

51 - meta: device_version

52 expression: evt.Parsed.cef_device_version

53 - meta: source_ip

54 expression: evt.Parsed.src_ip

55 - meta: device_name

56 expression: evt.Parsed.unifi_device_name

57 - meta: device_model

58 expression: evt.Parsed.unifi_device_model

59 - meta: device_mac

60 expression: evt.Parsed.unifi_device_mac

61 - meta: device_ip

62 expression: evt.Parsed.unifi_device_ip

63 - meta: category

64 expression: evt.Parsed.unifi_category

65 - meta: subcategory

66 expression: evt.Parsed.unifi_subcategory

67 - meta: host

68 expression: evt.Parsed.unifi_host

69 - meta: risk_level

70 expression: evt.Parsed.unifi_risk

71 - meta: ips_signature

72 expression: evt.Parsed.unifi_ips_signature

73 - meta: ips_signature_id

74 expression: evt.Parsed.unifi_ips_signature_id

75 - meta: ips_session_id

76 expression: evt.Parsed.unifi_ips_session_id

77 - meta: event_severity

78 expression: evt.Parsed.cef_severity

79 - meta: event_signature_id

80 expression: evt.Parsed.cef_signature_id

81 - meta: protocol

82 expression: evt.Parsed.protocol

83 - meta: source_port

84 expression: evt.Parsed.src_port

85 - meta: destination_ip

86 expression: evt.Parsed.dst_ip

87 - meta: destination_port

88 expression: evt.Parsed.dst_port

89 - meta: message

90 expression: evt.Parsed.msg

91 - target: evt.StrTime

92 expression: evt.Parsed.unifi_utc_time

Hub configuration

« unifi-cef »
v0.1 by crowdsecurity
Log parser

Hub configuration

« unifi-cef »v0.1 by crowdsecurityLog parser

« unifi-cef »
v0.1 by crowdsecurity
Log parser