UniFi Network Integration

Ingest syslog events, IDS/IPS alerts, firewall logs, and client activity from your UniFi Network controller.

Overview

The UniFi Network integration supports two collection methods: Syslog forwarding (real-time) and API polling (enriched data). We recommend using both for the most complete visibility.

Supported Event Types

  • Firewall events — Allow/deny decisions, NAT translations, port forwarding hits
  • IDS/IPS alerts — Suricata-based intrusion detection with full signature details
  • Client events — Connect, disconnect, roam, authorization failures
  • Device events — AP adoption, firmware updates, configuration changes
  • DPI statistics — Application-layer traffic classification (Pro plan)
  • Threat management — Blocked threat connections, honeypot hits (Pro plan)

Syslog Configuration

In your UniFi Network Controller, navigate to Settings → System → Remote Syslog.

Syslog Settings

    Host: ingest.sentinelnerd.com
    Port: 514
    Facility: Local0
    Log Level: Information (or Debug for verbose logging)

Note

Syslog uses UDP by default. For encrypted transport, use port 6514 with TLS. TLS syslog requires the Pro plan or above.

Syslog Event Parsing

Sentinel Nerd automatically parses UniFi syslog formats including:

  • Standard syslog (RFC 3164 / RFC 5424)
  • UniFi Security Gateway (USG) kernel firewall logs
  • UniFi Dream Machine (UDM) IDS/IPS JSON events
  • Access point association/disassociation messages

API Integration

The API integration polls your controller for richer, structured event data. Create a read-only local account on your controller, then add the credentials in Sentinel Nerd.

API Configuration

    Controller URL: https://192.168.1.1
    Username: sentinelnerd-reader
    Password: ********
    Site: default
    Polling Interval: 30s
    Verify SSL: true

Warning

Never use your main admin account. Create a dedicated read-only local account for Sentinel Nerd. Cloud Key and UDM controllers use different API paths which are auto-detected.

Firewall Event Correlation

Firewall events are automatically enriched with:

  • GeoIP data — Country, city, ASN for external IPs
  • Threat intelligence — AbuseIPDB score, VirusTotal reputation
  • Client identity — Hostname, MAC vendor, network assignment
  • Rule context — Which firewall rule triggered the event

IDS/IPS Alert Handling

UniFi IDS/IPS events (powered by Suricata) are parsed with full signature detail:

Example IDS Event

{
  "type": "ids_alert",
  "signature_id": 2024897,
  "signature": "ET SCAN Potential SSH Scan",
  "category": "Attempted Information Leak",
  "severity": "high",
  "src_ip": "203.0.113.42",
  "dst_ip": "192.168.1.100",
  "src_port": 54321,
  "dst_port": 22,
  "protocol": "TCP"
}

Built-in Detection Rules

The following rules are enabled by default for UniFi Network events:

Rule              Severity  Description
net.brute_force   High      5+ failed logins from same IP in 5 min
net.port_scan     Medium    20+ unique ports from one source in 60s
net.new_device    Low       Previously unseen MAC address on network
net.ids_critical  Critical  IDS/IPS alert with severity 1
net.wan_failover  High      WAN link failure and failover event
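To show how the net.brute_force and net.port_scan thresholds behave as trailing time windows, here is an added example (not Sentinel Nerd's own rule engine) that evaluates both rules over constructed, already-parsed events. The event type names "auth_failure" and "firewall_deny" and the ts/src_ip/dst_port field names are assumptions for the example.

```python
"""Sliding-window evaluation of net.brute_force and net.port_scan over
already-parsed UniFi events. Added example, not Sentinel Nerd's code."""
from collections import defaultdict, deque

RULES = {
    # rule id: (assumed event type, threshold, window seconds, what is counted)
    "net.brute_force": ("auth_failure", 5, 300, "events"),   # 5+ in 5 min
    "net.port_scan":   ("firewall_deny", 20, 60, "ports"),   # 20+ unique in 60 s
}

def evaluate(events):
    """Return [(rule_id, src_ip, ts)] at the first threshold crossing per source.

    events: dicts with ts (epoch seconds), type, src_ip, dst_port, in time order.
    """
    windows = defaultdict(deque)   # (rule, src_ip) -> deque of (ts, dst_port)
    fired, alerts = set(), []
    for ev in events:
        for rule, (etype, threshold, window, mode) in RULES.items():
            if ev["type"] != etype:
                continue
            key = (rule, ev["src_ip"])
            q = windows[key]
            q.append((ev["ts"], ev.get("dst_port")))
            while q and ev["ts"] - q[0][0] > window:   # expire old entries
                q.popleft()
            count = len({p for _, p in q}) if mode == "ports" else len(q)
            if count >= threshold and key not in fired:
                fired.add(key)
                alerts.append((rule, ev["src_ip"], ev["ts"]))
    return alerts

# Constructed sample: 203.0.113.42 hits 25 ports in 25 s (port scan fires),
# 198.51.100.7 fails 5 logins in 4 min (brute force fires),
# 192.0.2.9 fails 5 logins spread over 10 min (outside the window, no alert).
SAMPLE_EVENTS = sorted(
    [{"ts": 1000 + i, "type": "firewall_deny", "src_ip": "203.0.113.42",
      "dst_port": 1000 + i} for i in range(25)]
    + [{"ts": 2000 + 60 * i, "type": "auth_failure", "src_ip": "198.51.100.7",
        "dst_port": 22} for i in range(5)]
    + [{"ts": 3000 + 150 * i, "type": "auth_failure", "src_ip": "192.0.2.9",
        "dst_port": 22} for i in range(5)],
    key=lambda e: e["ts"],
)

if __name__ == "__main__":
    for rule, src, ts in evaluate(SAMPLE_EVENTS):
        print(f"{rule}: {src} at t={ts}")
```

Each source fires at most once per rule, so a long-running scan produces one alert rather than one per packet after the threshold.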

See Detection Rules for writing custom rules targeting network events.