```shell
cscli parsers install crowdsecurity/unifi-logs
```

This is a parser for syslog logs received from a Unifi device.
Those logs are slightly non-conformant to the syslog standard, hence the need for a custom parser.
As crowdsec does not run easily directly on a UDM, you'll likely want to set up syslog export on your UDM, and use the following acquisition config:

```yaml
source: syslog
listen_addr: 0.0.0.0
listen_port: 4242
labels:
  type: unifi
```

The parser itself:

```yaml
filter: "evt.Line.Labels.type == 'unifi'"
onsuccess: next_stage
pattern_syntax:
  ACTION: (D|R|A)
  ZONE: (LAN|WAN|LOCAL|VPN|DMZ)
  IFACE_OR_EMPTY: (?:[a-zA-Z]+[0-9]*|)
  UNIFI_HOSTNAME: '(?:%{DATA:hostname},%{DATA:mac_address},%{DATA:firmware_version}|%{DATA:hostname})'
  UNIFI_FIREWALL_PREFIX: '(?:\[WAN_%{ZONE:dst_zone}-%{ACTION:action}-%{INT:rule_id}\] ?)?'
  SYSLOGBASE_UNIFI: '(?:%{SYSLOGTIMESTAMP:timestamp}|%{TIMESTAMP_ISO8601:timestamp8601}) %{UNIFI_HOSTNAME}(?: %{UNIFI_HOSTNAME})? %{UNIFI_FIREWALL_PREFIX}(?:%{SYSLOGPROG}:|)'
  SYSLOGLINE_UNIFI: '%{SYSLOGBASE_UNIFI} %{GREEDYDATA:message}'
name: crowdsecurity/unifi-logs
nodes:
  - grok:
      pattern: "^%{SYSLOGLINE_UNIFI}"
      apply_on: Line.Raw
statics:
  - parsed: program
    expression: "evt.Parsed.program != '' ? evt.Parsed.program : evt.Parsed.action != '' ? 'kernel' : ''"
  - meta: machine
    expression: evt.Parsed.hostname
  - parsed: "logsource"
    value: "syslog"
  - target: evt.StrTime
    expression: evt.Parsed.timestamp
  - target: evt.StrTime
    expression: evt.Parsed.timestamp8601
  - meta: datasource_path
    expression: evt.Line.Src
  - meta: datasource_type
    expression: evt.Line.Module
  - meta: action
    expression: 'evt.Parsed.action == "" ? "" : evt.Parsed.action == "A" ? "accept" : (evt.Parsed.action == "D" ? "drop" : (evt.Parsed.action == "R" ? "reject" : "unknown"))'
  - meta: log_type
    expression: 'evt.Meta.action not in ["accept", "unknown"] ? "iptables_drop" : "iptables_event"'
```
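To see what the grok patterns and statics above actually extract from a line before pointing a UDM at the collector, the following added example (not part of the hub parser or of crowdsec) expands the parser's `pattern_syntax` into a single Python regex and reproduces the `statics` logic. The standard grok building blocks (`SYSLOGTIMESTAMP`, `TIMESTAMP_ISO8601`, `DATA`, `INT`, `SYSLOGPROG`, ...) are simplified stand-ins written here, not crowdsec's own definitions, and the sample lines are constructed to match the grammar rather than captured from a device. Because `evt.StrTime` is assigned by two statics, the example assumes the non-empty timestamp is the one that sticks.

```python
import itertools
import re
from typing import Optional

# Simplified stand-ins for the standard grok patterns (assumption: close enough
# to crowdsec's shipped definitions for these sample lines).
BASE_PATTERNS = {
    "MONTH": r"\b(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\b",
    "MONTHDAY": r"(?:0[1-9]|[12][0-9]|3[01]|[1-9])",
    "TIME": r"(?:[0-2][0-9]:[0-5][0-9]:[0-5][0-9])",
    "SYSLOGTIMESTAMP": r"%{MONTH} +%{MONTHDAY} %{TIME}",
    "TIMESTAMP_ISO8601": r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:?\d{2})?",
    "DATA": r".*?",
    "GREEDYDATA": r".*",
    "INT": r"(?:[+-]?[0-9]+)",
    "POSINT": r"\b(?:[1-9][0-9]*)\b",
    "PROG": r"[\x21-\x5a\x5c\x5e-\x7e]+",
    "SYSLOGPROG": r"%{PROG:program}(?:\[%{POSINT:pid}\])?",
}

# The parser's pattern_syntax block, as published on the page.
UNIFI_PATTERNS = {
    "ACTION": r"(D|R|A)",
    "ZONE": r"(LAN|WAN|LOCAL|VPN|DMZ)",
    "UNIFI_HOSTNAME": r"(?:%{DATA:hostname},%{DATA:mac_address},%{DATA:firmware_version}|%{DATA:hostname})",
    "UNIFI_FIREWALL_PREFIX": r"(?:\[WAN_%{ZONE:dst_zone}-%{ACTION:action}-%{INT:rule_id}\] ?)?",
    "SYSLOGBASE_UNIFI": r"(?:%{SYSLOGTIMESTAMP:timestamp}|%{TIMESTAMP_ISO8601:timestamp8601}) %{UNIFI_HOSTNAME}(?: %{UNIFI_HOSTNAME})? %{UNIFI_FIREWALL_PREFIX}(?:%{SYSLOGPROG}:|)",
    "SYSLOGLINE_UNIFI": r"%{SYSLOGBASE_UNIFI} %{GREEDYDATA:message}",
}
PATTERNS = {**BASE_PATTERNS, **UNIFI_PATTERNS}
GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def compile_grok(name: str) -> re.Pattern:
    """Expand %{NAME:field} references recursively into one anchored regex.

    hostname is captured in four places once expanded and Python forbids
    duplicate group names, so each capture gets a unique suffix that
    grok_match() strips again.
    """
    counter = itertools.count()

    def expand(pattern: str) -> str:
        def repl(m: re.Match) -> str:
            inner = expand(PATTERNS[m.group(1)])
            if m.group(2):
                return f"(?P<{m.group(2)}__{next(counter)}>{inner})"
            return f"(?:{inner})"
        return GROK_REF.sub(repl, pattern)

    # nodes: grok pattern "^%{SYSLOGLINE_UNIFI}" applied on Line.Raw
    return re.compile("^" + expand("%{" + name + "}"))


SYSLOGLINE_UNIFI = compile_grok("SYSLOGLINE_UNIFI")


def grok_match(line: str) -> Optional[dict]:
    """Return evt.Parsed-style fields (first non-empty capture wins) or None."""
    m = SYSLOGLINE_UNIFI.match(line)
    if m is None:
        return None
    parsed: dict = {}
    for key, value in m.groupdict().items():
        field = key.rsplit("__", 1)[0]
        if value and not parsed.get(field):
            parsed[field] = value
        parsed.setdefault(field, "")
    return parsed


def apply_statics(parsed: dict) -> dict:
    """Mirror the statics section: derive program, StrTime and the Meta fields."""
    code = parsed["action"]
    # program: keep the syslog program if present, else "kernel" for firewall lines
    program = parsed["program"] or ("kernel" if code else "")
    # action: map the single-letter verdict; anything else is "unknown"
    action = {"": "", "A": "accept", "D": "drop", "R": "reject"}.get(code, "unknown")
    # log_type: as written, an empty action (no firewall prefix) also yields iptables_drop
    log_type = "iptables_drop" if action not in ("accept", "unknown") else "iptables_event"
    return {
        "program": program,
        "logsource": "syslog",
        # assumption: of the two evt.StrTime statics, the non-empty timestamp sticks
        "StrTime": parsed["timestamp"] or parsed["timestamp8601"],
        "machine": parsed["hostname"],
        "action": action,
        "log_type": log_type,
        "message": parsed["message"],
    }


def parse_line(line: str) -> Optional[dict]:
    parsed = grok_match(line)
    return None if parsed is None else apply_statics(parsed)


# Constructed sample lines shaped like the grammar expects (not real device output).
SAMPLE_FIREWALL = ('Jan  5 12:34:56 UDM-Pro [WAN_LOCAL-D-2001] DESCR="Drop invalid state" '
                   'IN=eth8 OUT= SRC=203.0.113.5 DST=192.0.2.1 PROTO=TCP SPT=54321 DPT=22')
SAMPLE_PROGRAM = 'Jan  5 12:34:57 UDM-Pro,aabbccddeeff,v3.2.7 sshd[4321]: Accepted publickey for admin'
SAMPLE_ACCEPT = ('2024-01-05T12:34:58Z UDM-Pro [WAN_LOCAL-A-2000] DESCR="Allow established" '
                 'IN=eth8 OUT=br0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=UDP SPT=443 DPT=50000')

if __name__ == "__main__":
    for line in (SAMPLE_FIREWALL, SAMPLE_PROGRAM, SAMPLE_ACCEPT, "not a syslog line"):
        print(parse_line(line))
```

The three samples exercise the three paths a practitioner cares about: a kernel firewall drop with the `[WAN_ZONE-ACTION-RULE]` prefix, a regular daemon line with the `hostname,mac,firmware` form of `UNIFI_HOSTNAME`, and an ISO 8601 accept line. On a host with crowdsec installed, `cscli explain --log '<line>' --type unifi` runs the real parser over a single line the same way.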