Announcements

Product updates, new features, and important notices from the Sentinel Nerd team.

New Feature v2.5.0

Sentinel Nerd 2.5: Traffic Analytics, SNMP, and Multi-Tenant MSP Support

NetFlow/IPFIX flow analysis, SNMP trap receiver, a dedicated Network Events view, structured UniFi syslog parsing, and a multi-tenant admin center for MSPs.

Sentinel Nerd 2.5 is a significant expansion of what the product covers. Until now we’ve focused on security events — IDS alerts, firewall drops, auth failures. Network operators have always wanted more: what traffic actually flowed, why that AP kept dropping clients, what happened right before that switch port went down. This release adds that visibility without requiring a second tool.

What’s New

Traffic Analytics — NetFlow v5 / v9 / IPFIX

A new collector on UDP 2055 ingests flow records from any UniFi gateway (UDM, USG) and aggregates them by 5-tuple over 60-second tumbling windows. The new Flows page shows:

  • Top talkers — by source, destination, or source-destination pair, sortable by bytes or packets
  • Protocol breakdown — bytes across TCP/UDP/ICMP/GRE/etc.
  • Sortable flow table — every aggregated flow with source, destination, protocol, bytes, packets, exporter, and version

Templated parsing (v9 and IPFIX) uses a per-exporter template cache so records from multiple gateways are decoded independently.
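The aggregation step described above, as an added example that is not Sentinel Nerd code: decoded flow records are keyed by exporter plus 5-tuple so that two gateways never merge, bucketed into 60-second tumbling windows, and ranked as top talkers by bytes or packets. The record field names and the sample records are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

WINDOW_SECONDS = 60  # tumbling window length given in the release notes

@dataclass(frozen=True)
class FlowKey:
    """Per-exporter 5-tuple: records from different gateways never merge."""
    exporter: str
    version: int
    src: str
    dst: str
    proto: int
    sport: int
    dport: int

def window_start(ts):
    """Align a Unix timestamp to the start of its tumbling window."""
    return ts - (ts % WINDOW_SECONDS)

def aggregate(records):
    """Sum bytes and packets per (window, FlowKey).
    Returns {window_start: {FlowKey: {"bytes": n, "packets": n}}}.
    Record field names are assumptions, not the product's schema."""
    agg = defaultdict(lambda: defaultdict(lambda: {"bytes": 0, "packets": 0}))
    for r in records:
        key = FlowKey(r["exporter"], r["version"], r["src"], r["dst"],
                      r["proto"], r["sport"], r["dport"])
        bucket = agg[window_start(r["ts"])][key]
        bucket["bytes"] += r["bytes"]
        bucket["packets"] += r["packets"]
    return agg

def top_talkers(window, by="src", metric="bytes", limit=5):
    """Rank one window's flows by bytes or packets.
    by: "src", "dst" or "pair" (source-destination pair), as on the Flows page."""
    totals = defaultdict(int)
    for key, c in window.items():
        label = (key.src, key.dst) if by == "pair" else getattr(key, by)
        totals[label] += c[metric]
    return sorted(totals.items(), key=lambda kv: (-kv[1], str(kv[0])))[:limit]

def _rec(exporter, ts, src, dst, proto, sport, dport, nbytes, pkts, version=9):
    return {"exporter": exporter, "version": version, "ts": ts, "src": src,
            "dst": dst, "proto": proto, "sport": sport, "dport": dport,
            "bytes": nbytes, "packets": pkts}

# Constructed sample records (not captured traffic). Two gateways export the
# same 5-tuple; the ts=130 record falls into the next 60-second window.
SAMPLE = [
    _rec("10.0.0.1", 100, "10.0.1.5", "203.0.113.53", 17, 51000, 53, 80, 1),
    _rec("10.0.0.1", 110, "10.0.1.5", "203.0.113.53", 17, 51000, 53, 120, 1),
    _rec("10.0.0.2", 105, "10.0.1.5", "203.0.113.53", 17, 51000, 53, 90, 1, version=10),
    _rec("10.0.0.1", 115, "10.0.1.9", "198.51.100.10", 6, 44321, 443, 5000, 4),
    _rec("10.0.0.1", 130, "10.0.1.5", "203.0.113.53", 17, 51000, 53, 70, 1),
]
```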

SNMP Trap Receiver

A hand-rolled ASN.1/BER decoder handles SNMPv1 and SNMPv2c traps (including INFORM requests). Well-known OIDs — linkUp, linkDown, coldStart, warmStart, authenticationFailure, egpNeighborLoss — map to named events with appropriate severities. Enterprise-specific OIDs are passed through as-is with all varbinds preserved in the raw event.

Default listening port is UDP 1162 (unprivileged; configurable).

Network Events View

A new dedicated page, separate from the existing Events page, shows operational events: the things you need when a network is acting up, not when it’s under attack. New sub-parsers cover:

  • Link state — up/down, port flaps, PoE enable/disable/overload
  • AP radio — DFS radar detection, channel switches, CAC phases
  • WAN / VPN — pppd, dhcpcd, OpenVPN, strongSwan tunnel state
  • Controller lifecycle — device adopt, provision, upgrade, reboot, config apply

Filter by device, by tag (link / wireless / wan / controller / dfs), and by time range.

Structured UniFi Syslog Parsing

Previous releases used generic keyword matching for non-CEF syslog. 2.5 ships dedicated parsers that extract structured fields:

Format              Fields extracted
iptables firewall   rule name, action, 5-tuple, MACs, interfaces, TCP flags
Suricata IDS        signature ID, classification, priority, 5-tuple
hostapd             STA MAC, radio interface, auth/assoc state
dnsmasq DHCP        DHCP op, IP, MAC, hostname, interface
Linux auth          SSH Accepted/Failed, PAM sessions
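An added example of the iptables row above, not the product's parser: one UniFi kernel/iptables syslog line is split into rule name, action, 5-tuple, MACs, interfaces and TCP flags. The rule-name convention (chain-action letter-index) and the letter-to-action mapping are assumptions, and the sample line is constructed.

```python
import re

# Assumed UniFi convention: rule names are <chain>-<action letter>-<index>;
# the letter-to-action mapping is an assumption, not Sentinel Nerd code.
ACTION_CODES = {"A": "accept", "D": "drop", "R": "reject"}
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
RULE_RE = re.compile(r"\[(?P<rule>[A-Z0-9_]+-(?P<act>[ADR])-\d+)\]")
KV_RE = re.compile(r"(\w+)=(\S*)")

def split_mac_field(mac):
    """iptables LOG writes MAC= as dst(6) + src(6) + ethertype(2) bytes.
    Returns (src_mac, dst_mac), or (None, None) if the field is absent."""
    octets = mac.split(":")
    if len(octets) != 14:
        return None, None
    return ":".join(octets[6:12]), ":".join(octets[:6])

def parse_iptables(line):
    """Return structured fields from one UniFi iptables syslog line, or None
    when the line carries no [CHAIN-ACTION-INDEX] rule tag."""
    m = RULE_RE.search(line)
    if not m:
        return None
    body = line[m.end():]
    kv = dict(KV_RE.findall(body))
    # Bare tokens (no '=') are flags such as SYN, ACK or DF; keep TCP flags only.
    flags = [t for t in body.split() if "=" not in t and t in TCP_FLAGS]
    src_mac, dst_mac = split_mac_field(kv.get("MAC", ""))
    return {
        "rule": m.group("rule"),
        "action": ACTION_CODES[m.group("act")],
        "in_if": kv.get("IN") or None,
        "out_if": kv.get("OUT") or None,   # empty OUT= on inbound drops
        "src": kv.get("SRC"), "dst": kv.get("DST"),
        "proto": kv.get("PROTO"),
        "sport": int(kv["SPT"]) if "SPT" in kv else None,  # absent for ICMP
        "dport": int(kv["DPT"]) if "DPT" in kv else None,
        "src_mac": src_mac, "dst_mac": dst_mac,
        "tcp_flags": flags,
    }

# Constructed sample line (documentation addresses, made-up MACs).
SAMPLE_LINE = ("Feb 11 10:15:32 USG kernel: [WAN_LOCAL-D-2000] IN=eth0 OUT= "
               "MAC=f0:9f:c2:aa:bb:cc:00:11:22:33:44:55:08:00 SRC=203.0.113.7 "
               "DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=54321 DF "
               "PROTO=TCP SPT=54203 DPT=23 WINDOW=65535 RES=0x00 SYN URGENT=0")
```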

Device Inventory

Auto-derived from events — no configuration. The new /api/devices endpoint returns every device that’s emitted an event in the last N days, with name, MAC, type, site, last-seen timestamp, and event count. The Network Events page uses this for a device drop-down filter.

Multi-Tenant Admin Center

For MSPs: run isolated Sentinel instances per client from a single host. Creating a client instance now automatically:

  1. Generates a DNS-safe subdomain slug from the client name
  2. Creates a <slug>.yourdomain.com A record via GoDaddy API
  3. Writes the nginx host→port map and reloads nginx
  4. Serves HTTPS via the wildcard cert — no per-instance cert work
  5. Seeds the new instance with every super-admin user

Super-admins get single sign-on across every tenant: set your password once in the admin center, log into any client’s instance with the same credentials. New super-admins propagate to existing instances automatically; demotions/deletions are cleaned up the same way.

Upgrade Notes

  • A new event_class field (security / network / system / audit) is added to the event schema. Old events default to unknown and still display under the “All” filter.
  • New ES index template: flows-*. Daily partitioning, same pattern as events.
  • New configuration sections: [netflow], [snmp_trap], [host_syslog]. All disabled by default.
  • Docker image now exposes UDP 1162 (SNMP) and UDP 2055 (NetFlow).
  • Admin center users with role super_admin are auto-synced to every instance’s user index on upgrade (idempotent).

Thank You

As always, thanks for the feature requests, bug reports, and PCAPs that shaped this release.

New Release v2.0.0

Sentinel Nerd 2.0 Released

Major release with AI-powered analysis, improved detection engine, and enhanced UniFi Protect integration.

We’re excited to announce the release of Sentinel Nerd 2.0, our biggest update yet!

What’s New

AI-Powered Analysis

Leverage GPT-4 to automatically analyze security events and get actionable recommendations. No more deciphering cryptic log messages.

Enhanced Detection Engine

Our YAML-based rule engine now supports complex aggregation, multi-condition logic, and cross-source correlation.

Improved UniFi Protect Integration

Full support for smart detection events, camera health monitoring, and recording alerts.

New Active Response Actions

Automatically respond to threats with client blocking, VLAN quarantine, and credential disabling.

Upgrade Notes

If you’re on version 1.x, your data will be automatically migrated. No action required.

Thank You

Thanks to our community for all the feedback that made this release possible. Keep it coming!
