How to export UniFi logs to Splunk or Graylog for SIEM integration

Logging is key for security and troubleshooting. UniFi logs contain valuable data (device outages, configuration changes, client connections, and firewall events) that helps you detect issues, spot intrusions, and prove compliance. By streaming these logs into a centralized tool like Splunk or Graylog, you gain search power, alerting, dashboards, and long-term retention.

In this guide, I’ll walk you through exporting logs from UniFi (a UniFi OS console or a self-hosted Network application), parsing them, and shipping them into your SIEM. We’ll cover formats, tools, and best practices, without overcomplicating things.

Let’s dive in!

Before we dive in: please don’t self-host your UniFi Controller if you take care of client networks. Sooner or later this will cause issues! It’s fine for home users, but not recommended for IT service businesses and MSPs. If you want a secure, reliable and scalable hosting solution, check out UniHosted.

why send UniFi logs to a SIEM?

UniFi stores logs locally on the gateway or server, but they’re hard to analyze in bulk or under time pressure. A SIEM gives you:

  • Full-text search across events
  • Alerting on suspicious behavior
  • Dashboards and visualizations
  • Retention and compliance features
  • Multi-source correlation (with firewall, server, AD logs)

Exporting those logs turns UniFi from an appliance into a centralized data source in your security architecture.

what logs are available?

UniFi provides several useful log sources:

  1. system.log – controller events (start, upgrade, backup, errors)
  2. server.log – API calls, adoption requests, UI actions
  3. mongod.log – activity of the controller’s MongoDB database, where configuration and statistics are stored
  4. access point logs – client associations, disconnections
  5. gateway logs (UDM/UDM‑Pro) – DHCP, DNS, firewall, IDS/IPS

Logs live under /var/log/unifi/ on UniFi OS and in /usr/lib/unifi/logs/ on Cloud Key or controller software instances. On Debian-packaged controllers /usr/lib/unifi/logs/ is a symlink to /var/log/unifi/, so both paths show the same files; use one of them consistently in your shipper config.

Step 1: choose your log transport method

You have three main options:

  • Syslog forwarding – a setting in the Network application (console or self-hosted); the managed devices send their syslog to a remote host
  • File harvesting – run Filebeat on the controller host to read and ship the controller’s own log files
  • Docker or script collectors – a sidecar shipper for self-hosted controllers packaged in Docker

Each works differently depending on your setup.

Step 2: Syslog forwarding (console or Network application)

Remote syslog is a Network application setting, so it is available on a Dream Machine, UDM‑Pro or Cloud Gateway console and on a self-hosted controller alike. What it forwards is the syslog of the managed devices (gateway, switches, APs); treat the controller’s own log files as a separate source (Step 3).

  1. Go to Settings → Logging (on recent Network application releases the Remote Logging options live under Settings → System)
  2. Enable remote syslog and enter your SIEM or collector IP and port (usually UDP 514)
  3. Select the log levels you want forwarded: info, warning, or debug
  4. Save and watch logs appear in Splunk or Graylog

Syslog is simple, but UniFi sends it as plaintext over UDP: delivery is not guaranteed, and anything on the path can read or spoof it. Keep the collector on the management VLAN next to the console and let that collector relay to the SIEM over TCP with TLS; in high-security environments prefer TCP or file delivery end to end.

Step 3: File harvesting with Filebeat

If you're on a Cloud Key, self-hosted UniFi server, or want more control:

  1. Install Filebeat on the machine hosting UniFi
  2. Configure it to watch your UniFi log folder
  3. Add or update filebeat.yml:
```yaml
filebeat.inputs:
  - type: filestream            # the "log" input type is deprecated on Filebeat 7.16+
    id: unifi-controller
    paths:
      - /var/log/unifi/*.log    # /usr/lib/unifi/logs is a symlink to this on Debian-packaged controllers
    fields:
      source: unifi
      site: example-site        # tag per site or customer, see Step 9
    fields_under_root: true

# Graylog: send to a Beats input (it speaks the Logstash/Lumberjack protocol, default port 5044)
output.logstash:
  hosts: ["graylog.example.com:5044"]
  ssl.certificate_authorities: ["/etc/filebeat/graylog-ca.pem"]
```

Filebeat has no Splunk output. For Splunk, either install the Splunk Universal Forwarder on the controller host and add a [monitor:///var/log/unifi/*.log] stanza to inputs.conf (set a sourcetype and an index there), or keep Filebeat and route it through Logstash, whose http output can post events to Splunk’s HTTP Event Collector (HEC, default port 8088) with your token.

  4. Start Filebeat and verify logs show up in your SIEM dashboard.

Keep logrotate in mind: Filebeat tracks files by inode, so it follows rotated logs automatically, but a rotation scheme that truncates files in place (copytruncate) can drop or duplicate lines written around the rotation.

Step 4: Docker‑based export

If your UniFi controller runs in Docker:

  1. Share the log directory between the controller and the shipper, e.g. with a named volume in docker-compose:
```yaml
services:
  unifi:
    volumes: ["unifi_logs:/unifi/logs"]          # controller writes its logs here
  filebeat:
    volumes: ["unifi_logs:/var/log/unifi:ro"]    # sidecar reads the same volume, read-only
volumes:
  unifi_logs: {}
```
  2. Run the shipper as a sidecar container (Filebeat or Logstash) pointing at that mount path.
  3. Give the sidecar the same output settings as in Step 3 (Beats input for Graylog, forwarder or Logstash for Splunk).

This isolates logging and avoids logging drops or host conflicts.

Step 5: parsing and indexing your logs

Raw logs look like:

2025-06-20 12:34:56,789 DEBUG controller.api - Received adoption request from 192.168.1.10

Use your SIEM’s parsing rules to extract fields:

  • Timestamp
  • Log level
  • Component (controller, system, gateway)
  • Message text
  • Client IP or host

Splunk field extractions or Graylog grok patterns work well. A grok pattern for the line above (the level is padded with spaces in controller logs, hence \s+ rather than a single space):

%{TIMESTAMP_ISO8601:timestamp}\s+%{LOGLEVEL:level}\s+%{DATA:component} - %{GREEDYDATA:message}

Categorize firewall events, controller actions, and client associations for easier querying later.

Step 6: build dashboards and alerts

Use the parsed fields to create useful insights:

  • Adoption events – know when a new AP or gateway joins
  • Gateway restarts or upgrades – track downtime
  • IDS/IPS events – alert on signature matches and blocked traffic
  • Client disconnect patterns – spot unstable Wi‑Fi zones
  • Controller errors – monitor exceptions in server logs

Dashboards can include:

  • Daily event counts by type
  • Top clients generating firewall or IDS alerts
  • Distinct device restarts per week

Automated alerts help catch issues before users report them.
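The parsing from Step 5 and one of the alerts from Step 6, carried out in Python as an added example (this is not code from the original article or from Ubiquiti). It parses the controller line layout shown in Step 5, plus syslog-delivered gateway firewall lines; the bracketed rule-tag layout [RULESET-ACTION-RULENUMBER] and the KEY=VALUE body are assumptions about the UDM firewall format, and all sample lines are constructed, not real captures. The alert rule flags a source that was dropped on several distinct destination ports, the pattern a port scan leaves in the gateway log.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Controller log lines in the layout shown in Step 5: timestamp, level, component, " - ", message.
CONTROLLER_RE = re.compile(
    r"^(?P<timestamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})\s+"
    r"(?P<level>[A-Z]+)\s+(?P<component>\S+) - (?P<message>.*)$"
)
# Syslog-delivered gateway lines: optional RFC 3164 <PRI> prefix, then a bracketed rule tag
# [RULESET-ACTION-RULENUMBER] followed by iptables-style KEY=VALUE pairs. The tag layout is an
# assumption about the UDM firewall log format: check it against a real line from your gateway.
PRI_RE = re.compile(r"^<(?P<pri>\d{1,3})>")
FIREWALL_RE = re.compile(r"\[(?P<ruleset>[A-Z_]+)-(?P<action>[ADR])-(?P<rule>\d+)\]\s*(?P<body>.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")
ACTIONS = {"A": "accept", "D": "drop", "R": "reject"}
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def split_pri(line):
    """Strip an RFC 3164 <PRI> prefix; return (facility, severity name, remaining text)."""
    m = PRI_RE.match(line)
    if not m:
        return None, None, line
    pri = int(m.group("pri"))
    return pri >> 3, SEVERITY[pri & 7], line[m.end():]


def parse_line(line):
    """Turn one raw line into a flat event dict. Unknown layouts are kept as 'unparsed', not dropped."""
    facility, severity, rest = split_pri(line)
    event = {"facility": facility, "severity": severity, "raw": line}
    m = CONTROLLER_RE.match(rest)
    if m:
        event.update(m.groupdict(), category="controller")
        event["timestamp"] = datetime.strptime(event["timestamp"], "%Y-%m-%d %H:%M:%S,%f")
        ip = IPV4_RE.search(event["message"])
        event["client_ip"] = ip.group(0) if ip else None
        return event
    m = FIREWALL_RE.search(rest)
    if m:
        kv = {k.lower(): v for k, v in KV_RE.findall(m.group("body"))}
        event.update(
            category="firewall",
            ruleset=m.group("ruleset"),
            action=ACTIONS.get(m.group("action"), m.group("action")),
            rule=int(m.group("rule")),
            src=kv.get("src"), dst=kv.get("dst"), proto=kv.get("proto"),
            dpt=int(kv["dpt"]) if kv.get("dpt", "").isdigit() else None,
        )
        return event
    event["category"] = "unparsed"
    return event


def event_counts(events):
    """Dashboard input: number of events per category (controller / firewall / unparsed)."""
    return Counter(e["category"] for e in events)


def find_port_scanners(events, min_ports=3):
    """Alert rule: a single source dropped on at least min_ports distinct destination ports."""
    ports = defaultdict(set)
    for e in events:
        if e["category"] == "firewall" and e["action"] == "drop" and e["src"] and e["dpt"] is not None:
            ports[e["src"]].add(e["dpt"])
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


# Constructed sample input, not real captures: the page's controller line, four syslog
# firewall lines (three drops from one source, one LAN accept) and one line the parser
# does not understand, which must survive as 'unparsed' rather than vanish.
SAMPLE_LINES = [
    "2025-06-20 12:34:56,789 DEBUG controller.api - Received adoption request from 192.168.1.10",
    "<4>Jun 20 12:35:01 UDM-Pro kernel: [WAN_LOCAL-D-2002]IN=eth4 OUT= MAC=aa:bb:cc:dd:ee:ff "
    "SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=44321 DPT=22 SYN",
    "<4>Jun 20 12:35:02 UDM-Pro kernel: [WAN_LOCAL-D-2002]IN=eth4 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=44322 DPT=23 SYN",
    "<4>Jun 20 12:35:03 UDM-Pro kernel: [WAN_LOCAL-D-2002]IN=eth4 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=44323 DPT=3389 SYN",
    "<4>Jun 20 12:36:10 UDM-Pro kernel: [LAN_IN-A-3001]IN=br0 OUT=eth4 SRC=192.168.1.10 DST=198.51.100.9 PROTO=UDP SPT=5353 DPT=53",
    "<6>Jun 20 12:36:11 UDM-Pro dhcpd: DHCPACK on 192.168.1.50 to 11:22:33:44:55:66",
]


def analyze(lines=SAMPLE_LINES):
    """Parse every line, then return the dashboard counts and any port-scan alerts."""
    events = [parse_line(line) for line in lines]
    return {"counts": event_counts(events), "scanners": find_port_scanners(events)}


if __name__ == "__main__":
    print(analyze()["scanners"])  # {'203.0.113.7': [22, 23, 3389]}
```

Two design points carry over to a real pipeline: lines the parser does not recognise are tagged unparsed and kept, so a format change on the gateway shows up as a rising unparsed count on a dashboard instead of silently emptying the index; and the syslog severity is decoded from the PRI field so the SIEM can filter on it (Step 10) without relying on the free-text level.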

Step 7: secure your logging

Make sure your transport is safe:

  • Use Splunk’s HTTP Event Collector over TLS
  • For syslog, choose UDP only for low-critical logs or use TCP with TLS where supported
  • Harden your SIEM access: authentication, ACLs, and token controls
  • Segregate logs per site or client, especially in MSP contexts

Log security is just as important as access security: logs are valuable intel that needs protection.

Step 8: managing retention and scale

UniFi logs can grow fast:

  • Gateways generate lots of firewall entries
  • Controllers log frequently

Depending on your needs:

  • Keep logs for 90 days by default
  • Archive older logs to cold storage (S3, file server, tape)
  • Use SIEM thinning strategies: keep full logs short-term, metadata long-term

Match retention to compliance requirements and storage budgets.

Step 9: MSPs and multi-client deployment

If you manage multiple clients:

  • Tag logs per site or customer in Filebeat config
  • Use separate indexes or streams in Splunk/Graylog
  • Build reports per client: firewall events, adoption history, uptime
  • Centralize hosting via UniHosted to standardize log shipping across all clients

Clients can get their dashboards without hosting burden or data pipeline upkeep.

Step 10: troubleshoot common issues

Logs not showing?

  • Run filebeat test config and filebeat test output to check the configuration and the connection to the SIEM, then check Filebeat’s own log for path mismatches or parse errors
  • Confirm Docker mount paths if using container
  • Check syslog forwarding by tailing logs on SIEM side

Timestamp mismatches?

  • Controller log timestamps carry no timezone; tell Filebeat or the SIEM indexer which zone the controller writes in so events line up with other sources

High log volume?

  • Use throttling or drop low-value messages
  • Graylog and Splunk can filter by severity level in your config
  • Reassess what log types you forward

Step 11: advanced enrichments

Once logs flow, you can enrich them with metadata:

  • Map client MACs to user names
  • Add site, VLAN, or environment tags
  • Correlate events: a firewall drop followed by a device reboot points to a problem at the device
  • Visualize real-time dashboard for anomalies

These enhancements make your logs more actionable.
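The enrichment and correlation steps above, as an added Python example that is not code from the original article: the MAC-to-user and device lookup tables, the event field names (mac, device_ip, dst, ts) and the sample events are all constructed for this example, and in practice the tables come from the controller’s client list, a CMDB, or AD/RADIUS accounting. The correlation rule flags a device reboot that was preceded, within a short window, by a burst of firewall drops aimed at that device.

```python
from datetime import datetime, timedelta

# Constructed lookup tables (assumptions for this example). In practice, pull the
# MAC-to-user mapping from the controller's client list, a CMDB, or AD/RADIUS accounting,
# and the site/VLAN/environment tags from your inventory.
CLIENTS = {
    "aa:bb:cc:dd:ee:01": {"user": "alice", "site": "branch-01", "vlan": 20, "env": "prod"},
    "aa:bb:cc:dd:ee:02": {"user": "bob", "site": "branch-01", "vlan": 30, "env": "prod"},
}
DEVICES = {
    "192.168.1.1": {"device": "udm-branch-01", "site": "branch-01"},
    "192.168.2.1": {"device": "udm-branch-02", "site": "branch-02"},
}


def enrich(event):
    """Return a copy of the event with user/site/VLAN/env tags joined in from the lookup tables."""
    out = dict(event)
    client = CLIENTS.get(out.get("mac", "").lower())   # MACs arrive in mixed case, normalise first
    if client:
        out.update(client)
    device = DEVICES.get(out.get("device_ip") or out.get("dst") or "")
    if device:
        out.setdefault("device", device["device"])
        out.setdefault("site", device["site"])
    return out


def correlate_drops_before_reboot(events, window=timedelta(minutes=5), min_drops=2):
    """Flag a device reboot preceded within `window` by at least min_drops firewall drops
    aimed at that device's IP; the drops point at the device itself as the likely culprit."""
    drops = [e for e in events if e.get("category") == "firewall" and e.get("action") == "drop"]
    findings = []
    for e in events:
        if e.get("category") != "device" or e.get("event") != "reboot":
            continue
        recent = [d for d in drops
                  if d.get("dst") == e["device_ip"] and e["ts"] - window <= d["ts"] < e["ts"]]
        if len(recent) >= min_drops:
            name = DEVICES.get(e["device_ip"], {}).get("device", e["device_ip"])
            findings.append({"device": name, "reboot_at": e["ts"], "drops_before": len(recent)})
    return findings


# Constructed events in the shape a parser would emit (not real captures): two drops at a
# gateway, that gateway rebooting four minutes later, an unrelated reboot elsewhere, and a
# client disconnect whose MAC should resolve to a user.
T = datetime(2025, 6, 20, 12, 0, 0)
SAMPLE_EVENTS = [
    {"ts": T, "category": "firewall", "action": "drop", "src": "203.0.113.7", "dst": "192.168.1.1", "dpt": 22},
    {"ts": T + timedelta(minutes=1), "category": "firewall", "action": "drop", "src": "203.0.113.7", "dst": "192.168.1.1", "dpt": 443},
    {"ts": T + timedelta(minutes=2), "category": "client", "event": "disconnect", "mac": "AA:BB:CC:DD:EE:01", "ap": "ap-lobby"},
    {"ts": T + timedelta(minutes=4), "category": "device", "event": "reboot", "device_ip": "192.168.1.1"},
    {"ts": T + timedelta(minutes=60), "category": "device", "event": "reboot", "device_ip": "192.168.2.1"},
]


def run(events=SAMPLE_EVENTS):
    """Enrich every event, then run the correlation rule over the enriched stream."""
    enriched = [enrich(e) for e in events]
    return {"enriched": enriched, "findings": correlate_drops_before_reboot(enriched)}


if __name__ == "__main__":
    for f in run()["findings"]:
        print(f)  # {'device': 'udm-branch-01', 'reboot_at': ..., 'drops_before': 2}
```

Enrichment runs before correlation on purpose: once site and device names are on every event, the same rule works across all customers of an MSP without per-site copies, and the finding already carries the human-readable names a dashboard or ticket needs.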

Step 12: long-term strategy

To mature your log management:

  1. Standardize log format and parsing rules across deployments
  2. Automate Filebeat config deployment via Ansible, Puppet, or UniHosted
  3. Monitor Filebeat health to avoid silent failures
  4. Tune logging levels in UniFi, turn off excessive debug logs post troubleshooting
  5. Test disaster recovery by restoring indexes and logs from archives

final thoughts

Shipping UniFi logs to Splunk or Graylog gives you a unified view of your network: powerful search, smarter alerts, and stronger reporting. Setup takes a few steps (syslog, Filebeat, parsing, dashboards), but the gain in visibility and security is worth it.

If you're managing networks for clients, consider UniHosted for controller hosting with built-in logging and SIEM integration. You get best practices baked in, remote visibility, and side‑stepped self‑hosting issues, all without lifting a finger for infrastructure.