[Deprecated] Ubiquiti UniFi connector for Microsoft Sentinel
Important
Log collection from many appliances and devices is now supported by the Common Event Format (CEF) via AMA, Syslog via AMA, or Custom Logs via AMA data connector in Microsoft Sentinel. For more information, see Find your Microsoft Sentinel data connector.
The Ubiquiti UniFi data connector provides the capability to ingest Ubiquiti UniFi firewall, DNS, SSH, and AP events into Microsoft Sentinel.
This is autogenerated content. For changes, contact the solution provider.
Connector attributes
Connector attribute | Description |
---|---|
Log Analytics table(s) | Ubiquiti_CL |
Data collection rules support | Not currently supported |
Supported by | Microsoft Corporation |
Query samples
Top 10 Clients (Source IP)
UbiquitiAuditEvent
| summarize count() by SrcIpAddr
| top 10 by count_
Vendor installation instructions
Note
This data connector depends on a parser based on a Kusto Function, UbiquitiAuditEvent, to work as expected. The parser is deployed with the Microsoft Sentinel Solution.
Note
This data connector has been developed using Enterprise System Controller Release Version: 5.6.2 (Syslog)
- Install and onboard the agent for Linux or Windows
Install the agent on the server to which the Ubiquiti logs are forwarded from the Ubiquiti device (e.g., a remote syslog server).
Logs from Ubiquiti Server deployed on Linux or Windows servers are collected by Linux or Windows agents.
- Configure the logs to be collected
Follow the configuration steps below to get Ubiquiti logs into Microsoft Sentinel. Refer to the Azure Monitor Documentation for more details on these steps.
Configure log forwarding on your Ubiquiti controller:
i. Go to Settings > System Setting > Controller Configuration > Remote Logging and enable the Syslog and Debugging (optional) logs (Refer to User Guide for detailed instructions).
Download config file Ubiquiti.conf.
Log in to the server where you have installed the Azure Log Analytics agent.
Copy Ubiquiti.conf to the /etc/opt/microsoft/omsagent/workspace_id/conf/omsagent.d/ folder.
Edit Ubiquiti.conf as follows:
i. Specify the port to which you have set your Ubiquiti device to forward logs (line 4).
ii. Replace workspace_id with the real value of your Workspace ID (lines 14, 15, 16, 19).
Save changes and restart the Azure Log Analytics agent for Linux service with the following command: sudo /opt/microsoft/omsagent/bin/service_control restart
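The edit step above can be scripted so that a malformed Workspace ID or port is caught before the agent is restarted. This is an added example, not part of the connector or of Microsoft's documentation. It assumes that line 4 of Ubiquiti.conf holds a single numeric port and that the placeholder is the literal string workspace_id; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumptions: line 4 of Ubiquiti.conf carries one numeric
# port value, and the placeholder is the literal string "workspace_id".

# Constructed stand-in for the real file, for trying the function offline.
write_sample_conf() {
    printf '%s\n' '<source>' '  type udp' '  format none' '  port 1514' \
        '</source>' 'buffer_path /example/workspace_id/buffer' > "$1"
}

# prepare_ubiquiti_conf SRC WORKSPACE_ID PORT DEST_DIR
# Writes the edited copy to DEST_DIR/Ubiquiti.conf; non-zero status on any problem.
prepare_ubiquiti_conf() {
    src=$1 wsid=$2 port=$3 dest_dir=$4
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 1; }
    [ -d "$dest_dir" ] || { echo "no such directory: $dest_dir" >&2; return 1; }

    # A Workspace ID is a GUID. Enforcing that also keeps the value inert
    # inside the sed expression below.
    printf '%s\n' "$wsid" |
        grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$' ||
        { echo "Workspace ID is not a GUID" >&2; return 1; }

    # Digits only, at most five of them, then a range check.
    case $port in
        ''|*[!0-9]*|??????*) echo "invalid port: $port" >&2; return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] ||
        { echo "port out of range: $port" >&2; return 1; }

    out=$dest_dir/Ubiquiti.conf
    # Line 4: swap the port number. Every line: swap the placeholder.
    sed -e "4s/[0-9][0-9]*/$port/" -e "s/workspace_id/$wsid/g" "$src" > "$out" ||
        return 1

    # Fail closed if the file did not have the expected layout.
    if grep -q 'workspace_id' "$out"; then
        echo "placeholder still present in $out" >&2; return 1
    fi
    sed -n '4p' "$out" | grep -Eq "(^|[^0-9])$port([^0-9]|\$)" ||
        { echo "line 4 of $out does not carry port $port" >&2; return 1; }
}
```

Run it against the downloaded Ubiquiti.conf with the agent's omsagent.d folder as DEST_DIR, then restart the agent with the command given above.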
Next steps
For more information, go to the related solution in the Azure Marketplace.