Parsing Ubiquiti Firewall Logs


Nathan Clarke

Apr 18, 2017, 7:50:20 AM
to security-onion, Nathan Clarke
Hi everyone,

I've recently re-rolled SecOnion on my home network for the first time since the early days. Security Onion is much improved now and I'm a bit better at managing/adjusting it. Still, this one has stumped me a bit.

My Ubiquiti devices are all logging nicely into SecOnion and I can query ELSA for entries from all the Ubiq devices. Specifically, I have set my Ubiquiti Secure Gateway (USG) firewall to block a few things (DNS, bad website IPs, etc.) and I can see the deny events coming in. See attached.

What I would like to do is parse these logs on the fields contained in the event, and then alert in Sguil on any deny events (the deny events appear to be grouped by rule set name in the firewall rule sets on the unifi controller, see other attached).

So I'm looking for guidance on parsing these logs and setting up alerts. Then I'd like to share this knowledge with other Ubiquiti/SecOnion users :)

-Nath
2017-04-18_120603.jpg
2017-04-18_121400.jpg
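The two things asked for above, field parsing and picking out deny events grouped by rule set, as an added example that is not from the thread or from the pattern file it links. It assumes the USG writes its firewall lines in the EdgeOS/iptables style `[RULESET-RULE-ACTION]KEY=VALUE ...`; the three sample lines are constructed, since the real samples were only attached as images.

```python
import re
from collections import Counter

# Constructed sample lines (assumed EdgeOS/iptables-style USG format; not from the thread).
SAMPLE_LOGS = [
    "Apr 18 12:05:01 usg kernel: [WAN_IN-default-D]IN=eth0 OUT=eth1 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.10 DST=192.168.1.20 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=44321 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0",
    "Apr 18 12:05:02 usg kernel: [LAN_OUT-2000-D]IN=eth1 OUT=eth0 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.50 DST=8.8.8.8 LEN=72 TOS=0x00 PREC=0x00 TTL=63 ID=1234 PROTO=UDP SPT=51234 DPT=53 LEN=52",
    "Apr 18 12:05:03 usg kernel: [WAN_LOCAL-default-A]IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=203.0.113.1 LEN=84 TOS=0x00 PREC=0x00 TTL=55 ID=5 PROTO=ICMP TYPE=8 CODE=0 ID=4 SEQ=1",
]

# Syslog header, then the bracketed "ruleset-rule-action" tag, then the key=value tail.
HEADER = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"\[(?P<ruleset>[^\]]+)-(?P<rule>[^\]-]+)-(?P<action>[ADR])\](?P<kv>.*)$"
)
KV = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Return a dict of fields for one USG firewall line, or None if it is not one."""
    m = HEADER.match(line)
    if not m:
        return None
    ev = {k: m.group(k) for k in ("ts", "host", "ruleset", "rule", "action")}
    # Bare flags such as DF or SYN carry no '=' and are skipped. A repeated key
    # (ICMP lines log an IP ID and an ICMP ID, UDP lines two LEN values) keeps the last value.
    ev.update(KV.findall(m.group("kv")))
    return ev


def deny_events(lines):
    """Keep only events the firewall dropped (D) or rejected (R)."""
    return [ev for ev in map(parse_line, lines) if ev and ev["action"] in ("D", "R")]


def denies_by_ruleset(lines):
    """Count deny events per rule set, the grouping the thread wants to alert on."""
    return Counter(ev["ruleset"] for ev in deny_events(lines))


if __name__ == "__main__":
    for ev in deny_events(SAMPLE_LOGS):
        print(f'{ev["ts"]} {ev["ruleset"]}/{ev["rule"]} {ev["PROTO"]} '
              f'{ev["SRC"]}:{ev.get("SPT", "-")} -> {ev["DST"]}:{ev.get("DPT", "-")}')
    print(dict(denies_by_ruleset(SAMPLE_LOGS)))
```

A threshold alert is then a count over `denies_by_ruleset` for a time window; non-firewall syslog lines from the same host fall through `parse_line` as `None`.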

Wes

Apr 18, 2017, 1:29:15 PM
to security-onion, nat...@clarke.org

Nathan,

Have you considered simply scheduling an ELSA query to alert on this via email?

https://github.com/mcholste/elsa/wiki/Documentation#ScheduledQueries

Thanks,
Wes

Nathan Clarke

Apr 18, 2017, 11:41:14 PM
to security-onion, nat...@clarke.org
Hi Wes,

I will if I can't set thresholds and alert in SGUIL.

As for parsing, with a bit of wide reading and trial and error I created a pattern file for Ubiquiti USG firewall logs. They're now parsing nicely into ELSA and I've created dashboards for them. The pattern file is located here: https://github.com/GeekNathan/Ubiquiti

I enjoyed working through that (mostly ;), and I'm now thinking of writing patterns for more of the security relevant logs coming off the USG, my Access Points, and perhaps my Switches.

Regards
Nath

Nathan Clarke

Apr 20, 2017, 9:51:50 PM
to security-onion, nat...@clarke.org

I'm now working on parsing more UBNT logs, but this next one has stumped me a bit. Here is my post on the ELSA Google Group: https://groups.google.com/forum/#!topic/enterprise-log-search-and-archive/tN4F6bN2vdU

Regards

Nath
