Ubiquiti UniFi (Preview) connector for Microsoft Sentinel

The Ubiquiti UniFi data connector provides the capability to ingest Ubiquiti UniFi firewall, DNS, SSH, and AP events into Microsoft Sentinel.

Connector attributes

Connector attribute | Description
Log Analytics table(s) | Ubiquiti_CL
Data collection rules support | Not currently supported
Supported by | Microsoft Corporation

Query samples

Top 10 Clients (Source IP)

UbiquitiAuditEvent
| summarize count() by SrcIpAddr
| top 10 by count_

Vendor installation instructions

Note

This data connector depends on a parser based on a Kusto Function, UbiquitiAuditEvent, which is deployed with the Microsoft Sentinel solution; the connector will not work as expected without it.

Note

This data connector has been developed using Enterprise System Controller Release Version 5.6.2 (Syslog).

  1. Install and onboard the agent for Linux or Windows

Install the agent on the server to which the Ubiquiti logs are forwarded from the Ubiquiti device (e.g. a remote syslog server).

Logs from Ubiquiti Server deployed on Linux or Windows servers are collected by Linux or Windows agents.

  2. Configure the logs to be collected

Follow the configuration steps below to get Ubiquiti logs into Microsoft Sentinel. Refer to the Azure Monitor Documentation for more details on these steps.

  1. Configure log forwarding on your Ubiquiti controller:

    i. Go to Settings > System Setting > Controller Configuration > Remote Logging and enable the Syslog and, optionally, Debugging logs (refer to the User Guide for detailed instructions).

  2. Download config file Ubiquiti.conf.

  3. Log in to the server where you have installed the Azure Log Analytics agent.

  4. Copy Ubiquiti.conf to the /etc/opt/microsoft/omsagent/workspace_id/conf/omsagent.d/ folder.

  5. Edit Ubiquiti.conf as follows:

    i. Specify the port to which you have set your Ubiquiti device to forward logs (line 4).

    ii. Replace workspace_id with the real value of your Workspace ID (lines 14, 15, 16, 19).

  6. Save changes and restart the Azure Log Analytics agent for Linux service with the following command: sudo /opt/microsoft/omsagent/bin/service_control restart
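As an added example that is not part of this page or the Sentinel solution, the following POSIX shell script applies the two edits from step 5 (the listener port and the workspace_id placeholders) to a copy of Ubiquiti.conf and verifies the result before the restart in step 6. The config body, its port line and where the workspace_id tokens sit are constructed assumptions, since the real file is not shown on this page.

```shell
#!/bin/sh
# Added example, not from the docs page or the Sentinel solution: apply the two
# Ubiquiti.conf edits (port, workspace_id) to a copy and verify them first.
# Constructed stand-in for Ubiquiti.conf in omsagent (fluentd) syntax; the real
# file's layout is assumed to contain a "port" line and "workspace_id" tokens.
SAMPLE_CONF='<source>
  type syslog
  port 22033
  protocol_type udp
  tag oms.api.Ubiquiti
</source>
<match oms.api.Ubiquiti>
  type out_oms_api
  buffer_path /var/opt/microsoft/omsagent/workspace_id/state/out_oms_api_ubiquiti*.buffer
</match>'

# Log Analytics workspace IDs are GUIDs; reject anything else so a typo is not
# baked into the agent's state paths.
is_workspace_id() {
  printf '%s\n' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# A listener port must be a number in 1..65535.
is_port() {
  printf '%s\n' "$1" | grep -Eq '^[0-9]{1,5}$' && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# render_conf IN OUT PORT WORKSPACE_ID: write the edited copy of IN to OUT.
render_conf() {
  in=$1; out=$2; port=$3; wsid=$4
  is_port "$port" || { echo "invalid port: $port" >&2; return 1; }
  is_workspace_id "$wsid" || { echo "invalid workspace ID: $wsid" >&2; return 1; }
  sed -e "s/^\([[:space:]]*port[[:space:]][[:space:]]*\)[0-9][0-9]*\$/\1$port/" \
      -e "s/workspace_id/$wsid/g" "$in" > "$out"
}

# count_placeholders FILE: 0 means every workspace_id token was replaced.
count_placeholders() { grep -c 'workspace_id' "$1" || true; }

# configured_port FILE: the port the agent will listen on after the edit.
configured_port() {
  sed -n 's/^[[:space:]]*port[[:space:]][[:space:]]*\([0-9][0-9]*\)$/\1/p' "$1" | head -n 1
}

# Demo on the constructed sample (the GUID below is a placeholder, not a real ID).
work=$(mktemp -d)
printf '%s\n' "$SAMPLE_CONF" > "$work/Ubiquiti.conf"
render_conf "$work/Ubiquiti.conf" "$work/Ubiquiti.conf.new" 22044 \
  00000000-0000-4000-8000-000000000000 && cat "$work/Ubiquiti.conf.new"
```

Once count_placeholders reports 0 and configured_port shows the expected port, copy the rendered file into the omsagent.d folder from step 4 and restart the agent as in step 6.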

Next steps

For more information, go to the related solution in the Azure Marketplace.