Unifi OS 3 aren't being parsed #940
Comments
So the error is happening within syslog acquisition itself. It's not even hitting the parsers at all... so what format is it, if it's not? Can you post some example lines?
@LaurenceJJones I'm not sure what to look for, so let me know if you are missing some specific logs. I didn't remove the MAC address from the last log line; that's how it was sent.
Can you capture the raw syslog packet? The issue at the moment is the
Hey @LaurenceJJones, SYSLOG on CrowdSec Node: https://drive.proton.me/urls/SCXVG17A2R#0wuY9TIDGhzc Lemme know if you need it in a different format.
@WhyAydan Thank you for providing these, I didn't have the time to run a packet capture.
Tbh, no idea if that's what Laurence needs, but who knows lol
Hmmm, it seems to be RFC compliant on my end and within @WhyAydan's pcap also.
Still would like a pcap from @GNU-Plus-Windows-User just in case it's something we are not seeing. I will do some more testing.
Hey, if it helps, I also get the same error that @GNU-Plus-Windows-User gets from crowdsec.
Okay, then I'll try to see if I can replay the packet to the syslog endpoint.
Also, if you get a chance, can you put the acquisition into
Any update on this issue?
Would love to help get this up and running, given the new SIEM-type logging also available in the new network release.
Describe the bug
Unifi OS 3 and newer logs are not being parsed correctly, resulting in detection scenarios such as port scanning not working correctly.
To Reproduce
cscli collections install crowdsecurity/unifi
and reload crowdsec
time="03-11-2023 04:48:35" level=error msg="could not parse message: version must be 1" client=0.0.0.0 type=syslog
cscli metrics
and see no logs are being parsed
Expected behavior
Logs should be parsed
Screenshots
N/A
Additional context
This issue was originally reported within the CrowdSec Discord
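The error quoted in the report, could not parse message: version must be 1, is the check an RFC 5424 parser makes on the single token that follows the <PRI> field: it must be the literal VERSION "1". A line in the older RFC 3164 (BSD) shape, where a timestamp such as "Nov  3 04:48:35" follows <PRI> instead, fails exactly that check before any content parser is reached. The Go program below is an added example written for this page, not CrowdSec's own acquisition code: it implements that check in a small standalone parser, falls back to an RFC 3164 parse only when the VERSION check is what failed, and keeps other RFC 5424 header errors distinct so they are not hidden by the fallback. The three sample lines are constructed for the example and are not captured UniFi OS output; the names Parse, ErrVersion, Sample5424, Sample3164 and SampleBadVersion are the example's own.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Constructed sample lines for this example; they are not captured UniFi OS output.
const (
	Sample5424       = `<134>1 2023-11-03T04:48:35Z gateway usg-firewall - - - [WAN_LOCAL-D]IN=eth0 SRC=203.0.113.9 DST=198.51.100.4 PROTO=TCP DPT=22`
	Sample3164       = `<4>Nov  3 04:48:35 gateway kernel: [WAN_LOCAL-D]IN=eth0 SRC=203.0.113.9 DST=198.51.100.4 PROTO=TCP DPT=22`
	SampleBadVersion = `<134>2 2023-11-03T04:48:35Z gateway usg-firewall - - - version token is not 1`
)

// SyslogMessage holds the fields this example extracts from one syslog line.
type SyslogMessage struct {
	Format   string // "rfc5424" or "rfc3164"
	Priority int    // facility*8 + severity from the <PRI> header
	Hostname string
	AppName  string // APP-NAME (RFC 5424) or TAG (RFC 3164)
	Message  string
}

var (
	// ErrVersion is the check behind the "version must be 1" error quoted in the issue:
	// the token right after <PRI> must be the RFC 5424 VERSION "1".
	ErrVersion = errors.New("version must be 1")
	// RFC 3164 (BSD) header: "Mmm dd hh:mm:ss HOSTNAME TAG[pid]: MSG"; TAG is optional.
	rfc3164 = regexp.MustCompile(`^([A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) (\S+) (?:([^\s:\[]+)(?:\[\d+\])?:\s?)?(.*)$`)
)

// parsePRI consumes the leading "<PRI>" (0..191) and returns the priority and the remainder.
func parsePRI(line string) (int, string, error) {
	end := strings.IndexByte(line, '>')
	if strings.HasPrefix(line, "<") && end >= 2 && end <= 4 {
		if pri, err := strconv.Atoi(line[1:end]); err == nil && pri >= 0 && pri <= 191 {
			return pri, line[end+1:], nil
		}
	}
	return 0, "", errors.New("missing or malformed <PRI>")
}

// msgAfterSD skips STRUCTURED-DATA ("-" or "[..]" elements, in which "\]" does not close) and returns MSG.
func msgAfterSD(tail string) string {
	rest := strings.TrimPrefix(tail, "-")
	for strings.HasPrefix(rest, "[") {
		j := 1
		for j < len(rest) && (rest[j] != ']' || rest[j-1] == '\\') {
			j++
		}
		if j >= len(rest) {
			return "" // unterminated element: no MSG follows
		}
		rest = rest[j+1:]
	}
	return strings.TrimPrefix(rest, " ")
}

// parseRFC5424 applies the strict header rule and keeps its error distinct from other header problems.
func parseRFC5424(line string) (SyslogMessage, error) {
	pri, rest, err := parsePRI(line)
	if err != nil {
		return SyslogMessage{}, err
	}
	f := strings.SplitN(rest, " ", 7) // VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD[ MSG]
	if f[0] != "1" {
		return SyslogMessage{}, ErrVersion
	}
	if len(f) < 7 {
		return SyslogMessage{}, errors.New("too few RFC 5424 header fields")
	}
	return SyslogMessage{Format: "rfc5424", Priority: pri, Hostname: f[2], AppName: f[3], Message: msgAfterSD(f[6])}, nil
}

// Parse tries RFC 5424 first and falls back to RFC 3164 only when the VERSION check is what failed,
// so a line that is RFC 5424 but malformed elsewhere is still reported rather than silently demoted.
func Parse(line string) (SyslogMessage, error) {
	msg, err := parseRFC5424(line)
	if !errors.Is(err, ErrVersion) {
		return msg, err
	}
	pri, rest, _ := parsePRI(line) // already validated inside parseRFC5424
	m := rfc3164.FindStringSubmatch(rest)
	if m == nil {
		return SyslogMessage{}, fmt.Errorf("could not parse message: %w (and the header is not RFC 3164 either)", ErrVersion)
	}
	return SyslogMessage{Format: "rfc3164", Priority: pri, Hostname: m[2], AppName: m[3], Message: m[4]}, nil
}

func main() {
	for _, line := range []string{Sample5424, Sample3164, SampleBadVersion} {
		fmt.Println(Parse(line))
	}
}
```

Running it prints a parsed message for the first two samples (format rfc5424 and rfc3164 respectively, both carrying the same firewall text in Message) and a wrapped "version must be 1" error for the third, which has a VERSION token of 2 and no RFC 3164 header to fall back to. To apply the same idea to a capture, feed each raw UDP payload from the pcap through Parse and note which branch it lands in; a payload that reaches the fallback is the one a strict RFC 5424-only acquisition would reject with the error shown in the report.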