Configuring Ubiquiti UniFi Gateways (USG vs UDM)

Overview

Ubiquiti UniFi gateways (USG and UDM series) can forward firewall and security logs to external syslog collectors or SIEM platforms. This article explains the supported logging capabilities of UniFi Security Gateway (USG) and UniFi Dream Machine (UDM, including UDM Pro), clarifies UniFi’s CEF export options, and describes supported integration paths for RocketCyber.

IMPORTANT  The RocketCyber Firewall Log Analyzer does not support CEF-formatted logs. When integrating Ubiquiti gateways with the Firewall Log Analyzer app, you must use plain syslog. CEF is supported only for SIEM ingestion, not for Firewall Log Analyzer.

Support summary

UniFi Security Gateway (USG)

  • Supported (legacy): Ubiquiti has declared USG end-of-life (EOL) and no longer manufactures it.

  • UniFi Network Application 8.6.x is the last version that supports configuration changes for USG.

  • USG forwards logs as plain syslog only.

  • CEF export is not provided by the gateway. Any CEF output is generated by the UniFi Network Application (controller), not the device itself.

UniFi Dream Machine (UDM / UDM Pro)

  • Supported with limitations

  • UDM forwards logs as plain syslog

  • The UDM hardware does not natively output CEF

  • CEF is available only through the UniFi Network Application’s SIEM integration (controller-side, v9.3.43 or later)

  • Direct syslog from UDM is not in CEF format

NOTE  Some UniFi OS administrative events may be exported as malformed CEF. These are relevant only for SIEM ingestion and do not apply to Firewall Log Analyzer.

CEF support timeline (controller-level)

This timeline applies only to the UniFi Network Application (controller), not to USG or UDM hardware.

  • Before v8.5.1: No CEF support.

  • v8.5.1: Initial CEF export for IDS/IPS and firewall logs.

  • v9.3.43: Full system log export in CEF format via SIEM integration.

  • v9.4.x: Timestamp improvements (UNIFIutcTime field).

IMPORTANT  These CEF capabilities apply to SIEM integrations only. CEF is not supported by the RocketCyber Firewall Log Analyzer.

Integration requirements (Firewall Log Analyzer)

  • Admin access to UniFi Network application

  • RocketCyber agent installed with Firewall Analyzer app enabled

  • UDP port 514 open between gateway/controller and RocketCyber agent

  • Accurate date/time settings on UniFi controller and gateway

  • RocketCyber agent assigned as a Syslog Server for the correct organization

Integration steps

Firewall Log Analyzer – supported path (plain syslog)

NOTE  UniFi uses the term “SIEM Server” in its UI to mean any external syslog destination. This setting configures syslog forwarding only; it does not determine how RocketCyber processes the logs.

Step 1: Enable Control Plane logging (plain syslog)

  1. Open the UniFi Network Application.

  2. Go to Settings > Control Plane.

  3. Navigate to the Integrations tab.

  4. In the Activity Logging (Syslog) section, enable the SIEM Server option.

  5. Set:

    • Server Address = RocketCyber agent IP

    • Port = 514 / UDP

  6. Under Categories, select Edit and enable the desired log categories. The Device and Client categories typically generate the most volume.

  7. Select Apply Changes to save the configuration.

    NOTE  Do not select CEF. Firewall Log Analyzer requires plain syslog.

Step 2: Enable CyberSecure traffic logging (plain syslog)

  1. Navigate to Settings > CyberSecure.

  2. Navigate to the Traffic Logging tab.

  3. In the Activity Logging (Syslog) section, select the Enable SIEM Server option.

  4. Set:

    • Server Address = RocketCyber agent IP

    • Port = 514 / UDP

    • Log Format = Syslog (not CEF)

  5. Under Categories, select Edit and enable relevant security-focused log categories:

    • Security Detections (firewall, IDS/IPS events)

    • Admin Activity

    • Critical

    • Devices

    • Triggers

    • VPN

    • Firewall Default Policy

  6. For Logging Levels, make sure that Auto is selected.

  7. Select Apply Changes.

Step 3: Enable Firewall Rule logging

  1. Go to Settings > Internet Security > Firewall.

  2. Edit each firewall rule you want to monitor.

  3. Under Advanced, enable Logging.

  4. Apply changes.

Step 4: Enable gateway Device Syslog

  1. Navigate to Settings > System > Remote Logging.

  2. Enable Remote Syslog.

  3. Set Server Address = RocketCyber agent IP; Port = 514/UDP.

Why both sections matter

  • Control Plane Logging: Captures administrative activity, device status, adoption events, and connectivity changes.

  • CyberSecure Traffic Logging: Captures firewall activity, IDS/IPS alerts, and security-relevant traffic events.

Both are required to provide complete firewall visibility in the Firewall Log Analyzer app.

SIEM integration (CEF – not Firewall Log Analyzer)

If your organization requires CEF-formatted logs, use UniFi’s SIEM integration only for SIEM ingestion.

  • CEF output from the UniFi Network Application is not supported by Firewall Log Analyzer

  • Forwarding CEF logs to Firewall Log Analyzer may result in no detected events

  • Use CEF only when integrating with a SIEM pipeline designed to parse CEF

Troubleshooting: No firewall events detected

If UniFi logs are being sent but no firewall events appear in Firewall Log Analyzer:

  • Confirm CEF is disabled and plain syslog is used

  • Verify firewall rules have logging enabled

  • Confirm the RocketCyber agent is assigned as a Syslog Server for the correct organization

  • In multi‑organization environments, ensure each organization has its own syslog mapping
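One way to run the first check above on the wire is to classify the datagrams arriving at a collector as plain syslog, CEF, or malformed CEF. This is an added example, not RocketCyber or Ubiquiti code. The function names, test port 5514 and sample lines are assumptions constructed for illustration. A well-formed CEF header is taken to be Version|Vendor|Product|DeviceVersion|ClassID|Name|Severity|Extension.

```python
import re
import socket

PRI_RE = re.compile(r"^<(\d{1,3})>")  # syslog priority prefix, e.g. <134>
CEF_RE = re.compile(r"CEF:\s*\d")     # start of a CEF header anywhere in the line

def split_cef(text):
    """Split on unescaped '|' into at most 8 parts: 7 header fields + extension."""
    parts, cur, esc = [], [], False
    for ch in text:
        if ch == "|" and not esc and len(parts) < 7:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        esc = ch == "\\" and not esc  # a backslash escapes only the next character
    return parts + ["".join(cur)]

def classify(datagram: bytes) -> str:
    text = datagram.decode("utf-8", errors="replace").strip()
    m = CEF_RE.search(text)
    if m:
        parts = split_cef(text[m.start():])
        ok = len(parts) == 8 and all(p.strip() for p in parts[:7])
        return "cef" if ok else "malformed-cef"
    pri = PRI_RE.match(text)
    return "plain-syslog" if pri and int(pri.group(1)) <= 191 else "unknown"

def capture(port, count=20, timeout=30.0):
    """Receive up to `count` UDP datagrams on a test port; stop if idle for `timeout` s."""
    got = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(("0.0.0.0", port))
        s.settimeout(timeout)
        try:
            while len(got) < count:
                got.append(s.recvfrom(65535)[0])
        except socket.timeout:
            pass
    return got

SAMPLES = [  # constructed lines, not captured UniFi output
    b"<134>Jan 12 10:15:02 gw kernel: IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 PROTO=TCP DPT=443",
    b"<134>Jan 12 10:15:03 ctl CEF:0|ExampleVendor|ExampleProduct|1.0|100|Rule matched|5|src=192.0.2.10",
    b"<134>Jan 12 10:15:04 ctl CEF:0|ExampleVendor|ExampleProduct|admin login",
]

if __name__ == "__main__":
    print([classify(d) for d in SAMPLES])  # live check: map(classify, capture(5514))
```

Any `cef` or `malformed-cef` result on the stream sent to the Firewall Log Analyzer agent means a Log Format setting is still on CEF rather than Syslog.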

This configuration reflects the supported and reliable integration path for Ubiquiti UniFi gateways with RocketCyber Firewall Log Analyzer. Unsupported formats or alternative paths may result in missing or incomplete firewall events.