Unifi Router

About
The UniFi Cloud Gateway is a high-performance Unified Threat Management (UTM) solution designed to provide "defense-in-depth" for modern networks. Unlike traditional routers, it integrates an entire suite of security tools into a single operating system (UniFi OS), eliminating the need for multiple standalone devices.
Product Details
Vendor URL: Unifi Router
Product Type: UTM
Product Tier: Tier II
Integration Method: Syslog
Parser Details
Log Format: Syslog + JSON, Syslog + KV, Syslog + CEF, Syslog
Expected Normalization Rate: 100%
Data Label: UNIFI_ROUTER
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| UNIFIcategory | security_result.category_details |
| UNIFIhost | observer.hostname |
| UNIFIsubCategory | about.labels |
| UNIFIconnectedToDeviceName | additional.fields |
| UNIFIconnectedToDeviceIp | observer.ip |
| UNIFIconnectedToDeviceMac | observer.mac |
| UNIFIconnectedToDeviceModel | additional.fields |
| UNIFIconnectedToDeviceVersion | additional.fields |
| UNIFIlastConnectedToDeviceName | additional.fields |
| UNIFIlastConnectedToDeviceIp | intermediary.ip |
| UNIFIlastConnectedToDeviceMac | intermediary.mac |
| UNIFIlastConnectedToDeviceModel | additional.fields |
| UNIFIlastConnectedToDeviceVersion | additional.fields |
| UNIFIclientHostname | principal.hostname |
| UNIFIclientIp | principal.ip |
| UNIFIclientMac | principal.mac |
| UNIFIwifiName | security_result.detection_fields |
| msg | security_result.summary |
Product Event Types
| Event | UDM Event Classification |
|---|---|
| generic | GENERIC_EVENT |
| KERNEL | NETWORK_CONNECTION |
Log Sample
Dec 03 16:59:50 EXAMPLE-HOST CEF:0|Ubiquiti|UniFi Network|9.5.21|402|WiFi Client Roamed|1|UNIFIcategory=Monitoring UNIFIsubCategory=WiFi UNIFIhost=EXAMPLE-HOST UNIFIconnectedToDeviceName=AP-DUMMY-01 UNIFIconnectedToDeviceIp=192.0.2.11 UNIFIconnectedToDeviceMac=00:11:22:33:44:55 UNIFIconnectedToDeviceModel=UAP-AC-HD UNIFIconnectedToDeviceVersion=6.7.35 UNIFIlastConnectedToDeviceName=AP-DUMMY-02 UNIFIlastConnectedToDeviceIp=192.0.2.12 UNIFIlastConnectedToDeviceMac=00:11:22:33:44:66 UNIFIlastConnectedToDeviceModel=UAP-AC-HD UNIFIlastConnectedToDeviceVersion=6.7.35 UNIFIclientAlias=CLIENT-ALIAS 11:22 UNIFIclientHostname=client-host UNIFIclientIp=10.0.0.23 UNIFIclientMac=aa:bb:cc:dd:ee:ff UNIFIwifiChannel=48 UNIFIwifiChannelWidth=40 UNIFIwifiName=GUEST_WIFI UNIFIwifiBand=5G UNIFIWiFiRssi=-80 UNIFIlastConnectedToWiFiChannel=48 UNIFIlastConnectedToWiFiChannelWidth=40 UNIFIlastConnectedToWiFiBand=5G UNIFIlastConnectedToWiFiRssi=-61 UNIFIutcTime=2025-12-03T15:59:50.136Z msg=CLIENT-ALIAS 11:22 roamed from AP-DUMMY-02 to AP-DUMMY-01. Connection Info: Ch. 48 (5 GHz, 40 MHz), -80 dBm. Roaming Decision: -61 dBm to -80 dBm.
Sample Parsing
metadata.event_type = "GENERIC_EVENT"
metadata.event_timestamp = "1764781190"
metadata.product_name = "UNIFI ROUTER"
metadata.vendor_name = "Ubiquiti"
metadata.product_version = "9.5.21"
security_result.severity = "LOW"
security_result.description = "WiFi Client Roamed"
security_result.summary = "CLIENT-ALIAS 11:22 roamed from AP-DUMMY-02 to AP-DUMMY-01. Connection Info: Ch. 48 (5 GHz, 40 MHz), -80 dBm. Roaming Decision: -61 dBm to -80 dBm."
security_result.detection_fields["UNIFI WiFi Name"] = "GUEST_WIFI"
principal.hostname = "client-host"
principal.ip = "10.0.0.23"
principal.mac = "aa:bb:cc:dd:ee:ff"
observer.hostname = "EXAMPLE-HOST"
observer.ip = "192.0.2.11"
observer.mac = "00:11:22:33:44:55"
additional.fields["UNIFI Device Name"] = "AP-DUMMY-01"
additional.fields["UNIFI connected Device Model"] = "UAP-AC-HD"
additional.fields["UNIFI connected Device Version"] = "6.7.35"
intermediary.ip = "192.0.2.12"
intermediary.mac = "00:11:22:33:44:66"
additional.fields["UNIFIlastConnected Device Name"] = "AP-DUMMY-02"
additional.fields["UNIFIlastConnected Device Model"] = "UAP-AC-HD"
additional.fields["UNIFIlastConnected Device version"] = "6.7.35"
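The following is an added example, not the vendor parser's own code, that reproduces the Sample Parsing output above from the Log Sample: it splits the BSD syslog header from the CEF record, splits the CEF header on unescaped pipes, parses the extension as key=value pairs whose values may contain spaces (UNIFIclientAlias and msg do), and applies the UDM field table. The additional.fields and detection_fields labels are copied from the Sample Parsing section; the CEF-severity-to-UDM thresholds (the page only shows 1 -> LOW), the use of UNIFIutcTime's year to complete the year-less syslog header, and the handling of non-CEF lines are assumptions. The sample event is a constructed copy of the page's dummy-value log line.

```python
import re
from datetime import datetime, timezone

# Constructed copy of the page's Log Sample (all values are the page's dummy values).
SAMPLE_LOG = (
    "Dec 03 16:59:50 EXAMPLE-HOST CEF:0|Ubiquiti|UniFi Network|9.5.21|402|WiFi Client Roamed|1|"
    "UNIFIcategory=Monitoring UNIFIsubCategory=WiFi UNIFIhost=EXAMPLE-HOST "
    "UNIFIconnectedToDeviceName=AP-DUMMY-01 UNIFIconnectedToDeviceIp=192.0.2.11 "
    "UNIFIconnectedToDeviceMac=00:11:22:33:44:55 UNIFIconnectedToDeviceModel=UAP-AC-HD "
    "UNIFIconnectedToDeviceVersion=6.7.35 UNIFIlastConnectedToDeviceName=AP-DUMMY-02 "
    "UNIFIlastConnectedToDeviceIp=192.0.2.12 UNIFIlastConnectedToDeviceMac=00:11:22:33:44:66 "
    "UNIFIlastConnectedToDeviceModel=UAP-AC-HD UNIFIlastConnectedToDeviceVersion=6.7.35 "
    "UNIFIclientAlias=CLIENT-ALIAS 11:22 UNIFIclientHostname=client-host UNIFIclientIp=10.0.0.23 "
    "UNIFIclientMac=aa:bb:cc:dd:ee:ff UNIFIwifiChannel=48 UNIFIwifiChannelWidth=40 "
    "UNIFIwifiName=GUEST_WIFI UNIFIwifiBand=5G UNIFIWiFiRssi=-80 UNIFIlastConnectedToWiFiChannel=48 "
    "UNIFIlastConnectedToWiFiChannelWidth=40 UNIFIlastConnectedToWiFiBand=5G "
    "UNIFIlastConnectedToWiFiRssi=-61 UNIFIutcTime=2025-12-03T15:59:50.136Z "
    "msg=CLIENT-ALIAS 11:22 roamed from AP-DUMMY-02 to AP-DUMMY-01. Connection Info: "
    "Ch. 48 (5 GHz, 40 MHz), -80 dBm. Roaming Decision: -61 dBm to -80 dBm."
)

# Direct key -> UDM path mappings from the page's field table. UNIFIlastConnectedToDeviceMac
# goes to intermediary.mac, as the page's Sample Parsing output shows.
UDM_MAP = {
    "UNIFIcategory": "security_result.category_details",
    "UNIFIhost": "observer.hostname",
    "UNIFIsubCategory": "about.labels",
    "UNIFIconnectedToDeviceIp": "observer.ip",
    "UNIFIconnectedToDeviceMac": "observer.mac",
    "UNIFIlastConnectedToDeviceIp": "intermediary.ip",
    "UNIFIlastConnectedToDeviceMac": "intermediary.mac",
    "UNIFIclientHostname": "principal.hostname",
    "UNIFIclientIp": "principal.ip",
    "UNIFIclientMac": "principal.mac",
    "msg": "security_result.summary",
}
# Keys that land in a labelled map; the labels are the ones the page's Sample Parsing prints.
LABELLED_MAP = {
    "UNIFIconnectedToDeviceName": ("additional.fields", "UNIFI Device Name"),
    "UNIFIconnectedToDeviceModel": ("additional.fields", "UNIFI connected Device Model"),
    "UNIFIconnectedToDeviceVersion": ("additional.fields", "UNIFI connected Device Version"),
    "UNIFIlastConnectedToDeviceName": ("additional.fields", "UNIFIlastConnected Device Name"),
    "UNIFIlastConnectedToDeviceModel": ("additional.fields", "UNIFIlastConnected Device Model"),
    "UNIFIlastConnectedToDeviceVersion": ("additional.fields", "UNIFIlastConnected Device version"),
    "UNIFIwifiName": ("security_result.detection_fields", "UNIFI WiFi Name"),
}

SYSLOG_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<cef>CEF:.*)$")
# A CEF extension value runs until the next " key=" token or end of line, so values with
# spaces (UNIFIclientAlias, msg) are kept whole. Backslash escapes (\= \|) are not unescaped here.
EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")
HEADER_FIELDS = ["version", "vendor", "product", "product_version", "signature_id", "name", "severity"]


def parse_cef(cef: str):
    """Split a CEF record into its seven header fields and a dict of extension key=value pairs."""
    parts = re.split(r"(?<!\\)\|", cef, maxsplit=7)  # split on unescaped pipes only
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF record")
    header = dict(zip(HEADER_FIELDS, parts[:7]))
    header["version"] = header["version"][len("CEF:"):]
    extension = {k: v.strip() for k, v in EXT_RE.findall(parts[7])}
    return header, extension


def cef_severity_to_udm(sev: str) -> str:
    """CEF severity 0-10 -> UDM severity. Thresholds are assumed; the page only shows 1 -> LOW."""
    n = int(sev)
    if n <= 3:
        return "LOW"
    if n <= 6:
        return "MEDIUM"
    if n <= 8:
        return "HIGH"
    return "CRITICAL"


def syslog_epoch(ts: str, year: int) -> int:
    """Epoch seconds for a year-less BSD syslog timestamp, read as UTC (this is what the
    page's Sample Parsing does; the header carries no zone information)."""
    dt = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
    return int(dt.timestamp())


def unifi_utc_epoch(value: str) -> int:
    """Epoch seconds for the device-supplied UNIFIutcTime field (ISO 8601, UTC)."""
    dt = datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
    return int(dt.timestamp())


def normalize(line: str) -> dict:
    """Normalize one Syslog + CEF line into the flat UDM layout used in the page's Sample Parsing."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("unrecognised syslog line")
    header, ext = parse_cef(m["cef"])
    # Assumption: take the year from UNIFIutcTime when present, else the current UTC year.
    year = int(ext["UNIFIutcTime"][:4]) if "UNIFIutcTime" in ext else datetime.now(timezone.utc).year
    udm = {
        "metadata.event_type": "GENERIC_EVENT",  # page maps CEF events to GENERIC_EVENT
        "metadata.event_timestamp": str(syslog_epoch(m["ts"], year)),
        "metadata.product_name": "UNIFI ROUTER",
        "metadata.vendor_name": header["vendor"],
        "metadata.product_version": header["product_version"],
        "security_result.severity": cef_severity_to_udm(header["severity"]),
        "security_result.description": header["name"],
    }
    for key, val in ext.items():
        if key in UDM_MAP:
            udm[UDM_MAP[key]] = val
        elif key in LABELLED_MAP:
            path, label = LABELLED_MAP[key]
            udm.setdefault(path, {})[label] = val
    return udm


if __name__ == "__main__":
    for k, v in normalize(SAMPLE_LOG).items():
        print(f"{k} = {v!r}")
```

One thing worth checking with this sample: metadata.event_timestamp 1764781190 is Dec 03 16:59:50 UTC, i.e. the syslog header read as UTC, while the event's own UNIFIutcTime field says 15:59:50Z. The header is the gateway's local time, so the two differ by one hour here; when accurate event ordering matters, map UNIFIutcTime (or configure the gateway to log in UTC) rather than trusting the header.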