Network Events

When an AP is dropping clients or a switch port keeps flapping, you don't want to wade through IDS alerts to find the signal. The Network Events page surfaces operational events on their own page.

What's a "Network Event"?

Every event Sentinel ingests gets an event_class field, automatically derived from its category:

security   IDS alerts, firewall denies, auth failures on exposed services
network    Link state, AP radio, DHCP, WAN/VPN tunnels, controller lifecycle
audit      Admin logins, config changes, backups, user actions
system     Kernel messages, systemd, unclassified infrastructure
unknown    Generic fallback — pre-upgrade events or truly unclassifiable

The Events page shows class=security by default. The Network Events page shows class=network.

What's Parsed

Sentinel ships with structured parsers for the syslog formats UniFi devices emit. Each produces fully populated events with the structured fields pre-extracted (no grep-the-message needed):

iptables Firewall

  • Rule name, action (Accept/Drop/Reject)
  • 5-tuple (src/dst IP+port, protocol)
  • Source + destination MAC, input/output interface
  • TCP flags, packet length, TTL

Suricata IDS

  • Signature ID + revision, rule name, classification
  • Priority → severity mapping (1 → Critical, 2 → High, 3 → Medium, 4+ → Low)
  • Full 5-tuple

hostapd Wireless

  • Radio interface (ath0, wifi1ap4, etc.)
  • Station MAC, association state (authenticated, associated, disassociated, deauthenticated)
  • Automatically tagged wireless

dnsmasq DHCP

  • DHCP op (DISCOVER, OFFER, ACK, NAK, RELEASE)
  • Assigned IP, client MAC, hostname, interface

Link / Port State

  • Port up/down, speed, duplex
  • PoE enabled/disabled/overload/fault/shortage
  • Severity escalates: overload/fault → High, disabled/denied → Low

AP Radio

  • DFS radar detection (DFS-RADAR-DETECTED) with frequency
  • Channel switches
  • CAC (Channel Availability Check) start / complete / abort

WAN / VPN

  • pppd connect/terminate/authenticate
  • dhcpcd lease ACK/NAK
  • OpenVPN, strongSwan (IPSec) tunnel state transitions

Controller Lifecycle

  • Device adoption, provisioning, upgrade, reboot
  • Configuration apply
  • Device MAC extracted when present

Admin / Auth

  • SSH Accepted / Failed with username + source IP
  • PAM sessions (opened, closed, auth success, auth failure)
  • Generic login/logout events
  • Tagged audit class — shows up in the Audit filter
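Added example, not Sentinel's own code: a small classifier that applies the event_class derivation and the Suricata priority and PoE severity mappings described above to a parsed event. The category names, the Event shape and the None default severity are assumptions for illustration.

```python
# Added example, not Sentinel's own code: derives event_class, severity and
# tags the way the text above describes. The category names, the Event
# shape and the None default severity are assumptions for illustration.
from dataclasses import dataclass, field
from typing import Optional

# Assumed per-parser category names, grouped by the classes listed earlier.
CLASS_BY_CATEGORY = {
    "security": {"ids", "firewall", "auth_exposed"},
    "network": {"link", "wireless", "dhcp", "wan", "vpn", "controller"},
    "audit": {"admin_login", "config_change", "backup", "user_action"},
    "system": {"kernel", "systemd", "infra"},
}
# Suricata priority -> severity; 4 and above map to Low.
SURICATA_SEVERITY = {1: "Critical", 2: "High", 3: "Medium"}
# PoE states that escalate severity; other states keep the parser default.
POE_SEVERITY = {"overload": "High", "fault": "High",
                "disabled": "Low", "denied": "Low"}

@dataclass
class Event:
    category: str
    fields: dict = field(default_factory=dict)
    tags: set = field(default_factory=set)

def event_class(category: str) -> str:
    for cls, cats in CLASS_BY_CATEGORY.items():
        if category in cats:
            return cls
    return "unknown"  # pre-upgrade or genuinely unclassifiable events

def suricata_severity(priority: int) -> str:
    if priority < 1:
        raise ValueError("Suricata priority starts at 1")
    return SURICATA_SEVERITY.get(priority, "Low")

def poe_severity(state: str) -> Optional[str]:
    return POE_SEVERITY.get(state.lower())

def enrich(ev: Event) -> dict:
    sev: Optional[str] = None
    if ev.category == "ids" and "priority" in ev.fields:
        sev = suricata_severity(int(ev.fields["priority"]))
    elif ev.category == "link" and "poe_state" in ev.fields:
        sev = poe_severity(ev.fields["poe_state"])
    tags = set(ev.tags)
    if ev.category == "wireless":
        tags.add("wireless")  # hostapd events are auto-tagged
    return {"event_class": event_class(ev.category),
            "severity": sev, "tags": sorted(tags)}
```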

Device Drill-Down

Every event Sentinel parses carries a device_ip. The Network Events page has a device dropdown populated from the Devices API, letting you filter to "everything from AP-kitchen" in one click. Use the tag chips (link, wireless, wan, controller, dfs, poe) to narrow further.

Sending debug-level logs

Debug-level logs flow through the same syslog port (1514). On UniFi devices, set Remote Syslog → level = Debug. Expect 100–1000× normal volume; enable it for troubleshooting and turn it off again afterward.

Self-Monitoring

If the SIEM host itself runs UniFi controller software or other services you want to monitor, enable the host syslog collector:

config/local.toml
[host_syslog]
enabled = true

This tails journalctl on the host and routes every line through the same parser stack. Events are tagged host-log.