The CloudKey controller from Ubiquiti runs MongoDB and stores all the Deep Packet Inspection information in it. The app really needs to be written to pull this data out to get the "good stuff". The syslog data from Ubiquiti is pretty dry and cryptic.
In theory that sounds like THE thing to do. However, opening the instance for network access is not an option as it does not offer any authentication. If you have any ideas in this direction I am all ears. The BETA IPS logs are horrible by design.
Thanks for the comments, in the end for my Ubiquiti Unifi USG I just switched to vanilla syslog and it seems to be getting me what I need (I think - still learning the ways of Splunk!).
The sourcetype below will get you the field extracts / aliases that will populate most of the dashboards (events, in-bound out-bound etc.) The dashboards that will not populate by default will be the bandwidth ones since it does not collect that data from the router source type.
Let me know if you run into any issues getting the fields to properly extract / alias.
It looks like this follows the same pattern as the asus sourcetype. You might need to make some minor tweaks, but for now set the source type to asus instead of syslog and see if it populates the dashboards.
[asus]
FIELDALIAS-dst = DST as dest_ip
FIELDALIAS-dpt = DPT as dest_port
FIELDALIAS-proto = PROTO as protocol
FIELDALIAS-SPT = SPT as src_port
FIELDALIAS-SRC = SRC as src_ip
EXTRACT-action = (?i) .*?: (?P<action>\w+)(?= )
EVAL-direction = if(match(OUT,"eth*"), "out", "in")
pulldown_type = 1
LOOKUP-action_lookup = action_lookup action OUTPUT action2
LOOKUP-rdns = dnsLookup ip AS dest_ip OUTPUTNEW host as rdns_host
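As an added illustration (this is not code from the thread, the app, or Splunk), the following Python applies the same rules as the [asus] stanza above to a couple of constructed ASUS/iptables-style kernel log lines: the EXTRACT-action regex verbatim, the five FIELDALIAS mappings to CIM names, and the EVAL-direction test on OUT. It lets you check what comes out of a given log format before pointing a sourcetype at it. The sample lines are made up for the example, and the key=value extraction is a simple approximation of Splunk's automatic KV extraction, not the real thing.

```python
import re

# Constructed sample syslog lines in the ASUS/iptables "kernel: ACTION IN=.. OUT=.."
# style the stanza targets. Not captured from any real router.
SAMPLE_LINES = [
    "Jan 10 12:00:01 router kernel: DROP IN=eth0 OUT= "
    "MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 "
    "LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=443 DPT=50000 "
    "WINDOW=0 RES=0x00 ACK RST URGP=0",
    "Jan 10 12:00:02 router kernel: ACCEPT IN=br0 OUT=eth0 SRC=192.168.1.20 "
    "DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1234 DF PROTO=UDP "
    "SPT=51234 DPT=53 LEN=40",
]

# Exactly the stanza's EXTRACT-action regex (Python accepts the leading (?i)).
ACTION_RE = re.compile(r"(?i) .*?: (?P<action>\w+)(?= )")

# Approximation of Splunk's automatic KEY=value extraction for these lines.
# "OUT=" with nothing after it yields an empty value, which matters for direction.
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")

# The FIELDALIAS lines: raw iptables key -> CIM field name.
ALIASES = {
    "DST": "dest_ip",
    "DPT": "dest_port",
    "PROTO": "protocol",
    "SPT": "src_port",
    "SRC": "src_ip",
}


def direction(out_iface):
    """Mirror EVAL-direction = if(match(OUT,"eth*"), "out", "in").

    Splunk's match() is a regex search, so re.search is the equivalent here.
    """
    return "out" if out_iface and re.search(r"eth*", out_iface) else "in"


def parse_event(line):
    """Return the CIM-style fields for one log line, or None if no action is found."""
    m = ACTION_RE.search(line)
    if not m:
        return None
    raw = dict(KV_RE.findall(line))
    event = {"action": m.group("action")}
    for raw_key, cim_field in ALIASES.items():
        if raw_key in raw:
            event[cim_field] = raw[raw_key]
    event["direction"] = direction(raw.get("OUT", ""))
    return event


def parse_all(lines):
    """Parse every line, dropping any the action regex does not match."""
    return [e for e in map(parse_event, lines) if e]


if __name__ == "__main__":
    for event in parse_all(SAMPLE_LINES):
        print(event)
```

Two things worth knowing before trusting the output on your own logs: the action regex takes the first word after the first ": " that is followed by a space, so a log format with a different prefix (for example a rule tag in square brackets before the action) will extract something else, and the "eth*" pattern in EVAL-direction is a regex, not a glob, so it matches any OUT value containing "et", not only interfaces named eth0, eth1 and so on.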
There are definitely some tweaks that will be necessary. I ran through some of the overview dashboards, with the following results:
I didn't try the device specific/experimental/etc...
Can you post some sample outputs from the routers to this question? If they have some kind of documentation which describes the fields, that would be helpful too. Once we have that, then we can easily apply some field extractions and link it to the CIM-compliant naming convention.