Configuring Ubiquiti UniFi Gateways (USG vs UDM)
Overview
Ubiquiti UniFi gateways (USG and UDM series) can integrate with external SIEM or syslog servers by forwarding firewall and security logs in syslog or CEF (Common Event Format). This article explains support for UniFi Security Gateway (USG) and UniFi Dream Machine (UDM, including UDM Pro), CEF capabilities, and integration paths.
Support summary
- USG: Supported, but legacy. Ubiquiti has declared the USG end-of-life (EOL) and no longer manufactures it. Controller version 8.6.x will be the last to support configuration changes for the USG. The USG forwards logs as plain syslog; CEF export is provided by the UniFi Network Application (controller side) via Settings > Control Plane > Integrations > Activity Logging, not natively by the gateway.
- UDM Series: Supported with caveats. The UDM forwards logs as plain syslog; CEF is available only through the UniFi Network Application SIEM integration (v9.3.43 or later). Direct syslog from the UDM is not in CEF format.
NOTE Some UniFi OS admin events are malformed CEF; RocketCyber can ingest these without strict normalization.
CEF support timeline (controller-level)
- Before v8.5.1: No CEF support.
- v8.5.1: Initial CEF export for IDS/IPS and firewall logs.
- v9.3.43: Full system log export in CEF format via SIEM integration.
- v9.4.x: Timestamp fixes for CEF logs (added UNIFIutcTime field).
IMPORTANT This timeline applies to the UniFi Network Application (controller), not the hardware itself. UDM hardware never outputs CEF natively; CEF is only available through the controller’s SIEM integration.
Integration requirements
- Admin access to the UniFi Network Application.
- RocketCyber agent installed with the Firewall Analyzer app enabled.
- UDP port 514 open between the gateway/controller and the RocketCyber agent.
- Accurate date/time settings on the UniFi controller and gateway.
Integration steps
NOTE UniFi uses the term “SIEM Server” in its UI to mean any external syslog destination. When you see “SIEM Server” in UniFi settings, interpret it as “external syslog collector.”
Integration Path A: Control Plane CEF Export + Gateway Syslog
Use UniFi Network Application settings to forward logs in CEF format:
1. Control Plane Logging (CEF)
- Open the UniFi Network Application.
- Go to Settings > Control Plane.
- Navigate to the Integrations tab.
- In the Activity Logging (Syslog) section, enable the SIEM Server option.
- Set the Server Address and Port to the IP address and listening port of your external syslog server (Server Address = RocketCyber agent IP; Port = 514/UDP).
- Under Categories, select Edit and enable the desired log categories. The Device and Client categories typically generate the most volume.
- Select Apply Changes to save the configuration.
2. CyberSecure Traffic Logging
- Open the UniFi Network Application.
- Navigate to Settings > CyberSecure.
- Navigate to the Traffic Logging tab.
- In the Activity Logging (Syslog) section, select the Enable SIEM Server option.
- Set the Server Address and Port to your external syslog server's details (Server Address = RocketCyber agent IP; Port = 514/UDP). For Log Format, select CEF (preferred).
- Under Categories, select Edit and enable the relevant security-focused log categories:
  - Security Detections (firewall, IDS/IPS events)
  - Admin Activity
  - Critical
  - Devices
  - Triggers
  - VPN
  - Firewall Default Policy
- For Logging Levels, make sure that Auto is selected.
- Select Apply Changes.
Enabling Firewall Rule logging
- Go to Settings > Internet Security > Firewall.
- For each rule you want to monitor:
  - Edit the rule > Advanced > Enable Logging.
- Apply changes.
Gateway Device Syslog
Navigate to:
- Settings > System > Remote Logging
- Enable Remote Syslog.
- Set Server Address = RocketCyber agent IP; Port = 514/UDP.
Why both sections matter
- Control Plane Logging: Sends non-security logs such as administrative actions, device status (adoption, reboots), and client connectivity. These are essential for general network visibility.
- CyberSecure Traffic Logging: Sends security-focused logs including firewall events, IDS/IPS alerts, and traffic flow data. These logs are critical for threat detection and SOC monitoring.
By enabling syslog forwarding in both sections, you ensure RocketCyber receives complete network and security telemetry.
Integration Path B: Forwarder-based normalization
Use this if:
- The client requires strict CEF for all events.
- The UDM is forwarding raw syslog (not using the UniFi SIEM integration).
Topology: UDM > Syslog Forwarder (Rsyslog) > RocketCyber Agent (Firewall Analyzer)
Steps:
- Configure the UDM to send syslog to the forwarder.
- Use Rsyslog to convert the logs to CEF.
- Forward the normalized logs to the RocketCyber agent.
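The following is an added example, not UniFi's or RocketCyber's code, showing the Path B normalization step as a small Python forwarder instead of Rsyslog: it wraps a raw UDM syslog line in a CEF envelope (with the escaping CEF requires) and checks the result is well-formed, which is also a useful test against the malformed UniFi OS admin events noted above. The sample syslog line, the Ubiquiti/UniFi Gateway header values, the severity mapping and the AGENT_IP placeholder are all assumptions.

```python
import re
import socket
import time

# Constructed sample of a plain-syslog line as a UDM might emit it (hypothetical text, not captured).
SAMPLE = "<4>Jan  5 10:12:01 udm kernel: [WAN_IN-D-4000] IN=eth4 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=22"
SYSLOG_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<tag>[^:\s]+):\s?(?P<msg>.*)$")
# Assumed mapping of syslog severity (0 = emerg .. 7 = debug) to CEF severity (10 = most severe).
CEF_SEVERITY = {0: 10, 1: 9, 2: 8, 3: 7, 4: 5, 5: 3, 6: 1, 7: 0}
AGENT_IP = "AGENT_IP"  # placeholder: RocketCyber agent address, as in the Remote Logging step above

def cef_escape(value, header=False):
    """CEF escaping: backslash always; '|' in header fields; '=' in extension values."""
    value = value.replace("\\", "\\\\")
    return value.replace("|", "\\|") if header else value.replace("=", "\\=")

def syslog_to_cef(line, received_ms=None):
    """Wrap one BSD-syslog line in a CEF:0 envelope; return None if it does not parse."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    if received_ms is None:
        received_ms = int(time.time() * 1000)  # rt = receive time, since BSD syslog carries no year
    header = "|".join(cef_escape(f, header=True) for f in
                      ("Ubiquiti", "UniFi Gateway", "unknown", m["tag"], m["tag"]))
    return (f"CEF:0|{header}|{CEF_SEVERITY[int(m['pri']) & 7]}|"
            f"rt={received_ms} shost={cef_escape(m['host'])} msg={cef_escape(m['msg'])}")

def is_wellformed_cef(line):
    """True if the line has exactly 7 unescaped-pipe header fields, a 0..10 severity and key=value extensions."""
    parts = re.split(r"(?<!\\)\|", line, maxsplit=7)
    if len(parts) != 8 or parts[0] != "CEF:0" or not parts[6].isdigit() or int(parts[6]) > 10:
        return False
    return re.fullmatch(r"\w+=(?:[^=\\]|\\.)*(?: \w+=(?:[^=\\]|\\.)*)*", parts[7]) is not None

if __name__ == "__main__":
    # Listen for UDM syslog on UDP 514 (needs root) and forward well-formed CEF to the agent on UDP 514.
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", 514))
    while True:
        data, _ = sock.recvfrom(8192)
        cef = syslog_to_cef(data.decode("utf-8", "replace"))
        if cef and is_wellformed_cef(cef):
            sock.sendto(cef.encode(), (AGENT_IP, 514))
```

Lines that fail the well-formedness check are dropped here; in production you would log them so the malformed-event rate is visible.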