Configure Ubiquiti UniFi to send logs to Arctic Wolf

You can configure the Ubiquiti UniFi platform to send logs to Arctic Wolf®.

Note: This integration was tested against UniFi Network Application version 9.4 and lower.

These resources are required:

  • An activated Arctic Wolf Sensor or Virtual Log Collector (vLC)
  • Correctly configured date, time, and timezone on the UniFi controller
  • Access to a device in the same network as the UniFi controller
  • Administrator access to the UniFi controller web interface

Configure the syslog settings

  1. Sign in to the UniFi controller web interface.

    Your UniFi controller web interface URL is the IP address of your controller, similar to https://192.168.1.1/.

  2. Click Settings > CyberSecure.
  3. Click the Traffic Logging tab.
  4. For Activity Logging (Syslog), select SIEM Server.
    Note: Do not select Debug Logs or Netconsole.
  5. For Contents:
    1. Click Edit.
    2. Make sure that only these logs are selected:
      • Admin Activity
      • Critical
      • Devices
      • Security Detections
      • Triggers
      • VPN
      • Firewall Default Policy
    3. Click Save.
  6. In the Server Address field, enter the IP address for the Arctic Wolf Sensor, Virtual Sensor (vSensor), or Virtual Log Collector (vLC).
  7. In the Port field, enter 514.
  8. For Logging Levels, make sure that Auto is selected.
  9. Click Apply changes.

Provide configuration information to Arctic Wolf

  1. Sign in to the Arctic Wolf Unified Portal.
  2. In the navigation menu, click Tickets & Alerts > All Tickets.
  3. Perform the appropriate action, depending on whether you are:
    • A new customer — In the Ticket Type list, select Onboarding. Then, click the existing [Deploy] Site Config: <ticket_subject> ticket.
    • An existing customer — Click Open a New Ticket.
  4. On the Open a New Ticket page, configure these settings:
    • What is this ticket related to? — Select General request.
    • Subject — Enter Syslog changes.
    • Related ticket (optional) — Keep empty.
    • Message — Enter this information for your Concierge Security® Team (CST):
      • Confirmation that you completed the steps in this configuration guide.
      • The IP address or hostname of the Arctic Wolf Sensor that you used during the configuration.
      • The IP address, timezone, and device type for all sources that you are forwarding.
      • Questions or comments that you have.
  5. Click Send Message.

    Your CST reviews the details to make sure that Arctic Wolf is successfully processing the logs.