I created a custom decoder and a custom rule to generate alerts when receiving UniFi logs via syslog.
When I use the wazuh-logtest binary to test these with a UniFi log, the custom rule is triggered and an alert is generated.
But in real use, nothing happens...
Here are my decoder and rule:
<decoder name="unifi">
<prematch type="pcre2">UAP-</prematch>
</decoder>
<rule id="100013" level="5">
<decoded_as>unifi</decoded_as>
<description>UniFi wifi log</description>
</rule>
Here is how I configured my Wazuh manager to listen for syslog:
<remote>
<connection>syslog</connection>
<port>514</port>
<protocol>udp</protocol>
<allowed-ips>my LAN IP range</allowed-ips>
</remote>
For now they are really simple, as I just want to trigger the rule and have an alert generated for any message received from the UniFi controller. I want to be sure that the log matches my decoder. No need to extract any information for now.
FYI, here's what a UniFi log looks like (captured with a syslog server):
May 28 17:36:23 wap001 78455819c06f,UAP-AC-InWall-6.0.18+13660: kernel: [ 205.373214] ol_ath_vap_set_param: Now supported MGMT RATE is 6000(kbps) and rate code: 0x3
As I said, it triggers the rule and creates an alert when I try it with /var/ossec/bin/wazuh-logtest, but not in real use.
I already configured the same stuff for Synology logs and it works great. But for Unifi it doesn't.
I am using Wazuh v4.2.5 and UniFi controller v7.1.65.
My Wazuh and UniFi servers are both Debian VMs. The Wazuh agent is not installed on the UniFi controller, I only want to use syslog for now.
Many thanks for your help!
First asked on Reddit
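As an added example (not from the post, and not Wazuh's own code), here is a small Python helper that builds the quoted UniFi line as an RFC 3164 UDP syslog datagram, the form the manager's <remote> listener actually receives, and checks that the decoder's UAP- prematch still matches once the <PRI> prefix is accounted for, which is the difference between a line pasted into wazuh-logtest and one arriving over the network. The split of the sample into hostname wap001 and message body, the year in the timestamp, and the manager address 192.0.2.10 are assumptions.

```python
import re
import socket
from datetime import datetime
from typing import Optional

# Constructed sample, split the way a syslog sender would: the UniFi host and the
# message body, taken from the line quoted in the post (hostname is the 'wap001' field).
UNIFI_HOST = "wap001"
UNIFI_MSG = ("78455819c06f,UAP-AC-InWall-6.0.18+13660: kernel: [ 205.373214] "
             "ol_ath_vap_set_param: Now supported MGMT RATE is 6000(kbps) and rate code: 0x3")
SAMPLE_WHEN = datetime(2022, 5, 28, 17, 36, 23)  # assumed year; time is from the post

# The decoder's prematch from the post. 'UAP-' is a literal, so Python's re matches it like PCRE2.
PREMATCH = re.compile(r"UAP-")


def build_syslog_datagram(hostname: str, message: str, facility: int = 0,
                          severity: int = 6, when: Optional[datetime] = None) -> bytes:
    """Build an RFC 3164 style datagram: <PRI>Mmm dd HH:MM:SS HOSTNAME MESSAGE.
    facility 0 / severity 6 = kern.info, matching the 'kernel:' tag in the sample."""
    pri = facility * 8 + severity
    ts = when or datetime.now()
    # RFC 3164 pads a single-digit day with a space, not a zero ("May  5", not "May 05")
    stamp = f"{ts.strftime('%b')} {ts.day:2d} {ts.strftime('%H:%M:%S')}"
    return f"<{pri}>{stamp} {hostname} {message}".encode()


def strip_pri(datagram: bytes) -> str:
    """Drop the leading <PRI>; what remains is the 'Mmm dd HH:MM:SS host msg' text
    that is normally pasted into wazuh-logtest by hand."""
    text = datagram.decode(errors="replace")
    return re.sub(r"^<\d{1,3}>", "", text, count=1)


def prematch_hits(datagram: bytes) -> bool:
    """True when the decoder's prematch would match the received line."""
    return PREMATCH.search(strip_pri(datagram)) is not None


def send_test_log(manager_ip: str, port: int = 514) -> int:
    """Send the sample UniFi line to the manager's syslog listener; returns bytes sent.
    The port matches the <remote> block in the post; manager_ip is whatever you run."""
    datagram = build_syslog_datagram(UNIFI_HOST, UNIFI_MSG)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(datagram, (manager_ip, port))


if __name__ == "__main__":
    dg = build_syslog_datagram(UNIFI_HOST, UNIFI_MSG, when=SAMPLE_WHEN)
    print(dg.decode(), "| prematch:", prematch_hits(dg))
    # send_test_log("192.0.2.10")  # placeholder address; point it at your manager to test delivery
```

After sending, watch /var/ossec/logs/archives or the alerts log on the manager; if nothing arrives at all, the problem is delivery (firewall, allowed-ips, port) rather than the decoder.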