Unifi Ubiquity USG IPS Suricata Filebeat Logging

Dallas_Toth · April 27, 2020, 4:06am

So with some help from multiple sources. On Elastic 7.6.2 and Unifi Controller 5.12.66

https://redmine.openinfosecfoundation.org/projects/suricata/wiki/_Logstash_Kibana_and_Suricata_JSON_output

https://pastebin.com/xASkU5dm
Here is how you install Filebeat on the USG with the Suricata module and what you need to edit in the suricata*.yaml files in order to send your events/alerts to ES.

Unifi has been dragging their feet on getting the logs outside these devices.
Items left to do here is see if the suricata*.yaml files get overwritten and find a way to get Filebeat to run as a service. You couldn't just install filebeat as you see in the youtube because you recompile it for mips64

Dallas_Toth · May 14, 2020, 3:47pm

FYI the firmware updates will wipe out all your changes on the USG and you will need to re input the surcata*.yaml changes as well as redeploy the filebeat mips service.

warkolm · May 14, 2020, 10:49pm

Yeah that's a real PITA for things like USGs. When I set this up a while back, I did find a blog/post/something to script a reinstall process, but I can't find it now sorry

system · June 11, 2020, 10:49pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.