From 0578736596672a35ef3e5da425186b6654c6813c Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Wed, 28 Feb 2024 19:04:30 -0600
Subject: [PATCH] unifi: Scrape logs from UniFi and device syslog

The UniFi controller can act as a syslog server, receiving log messages from managed devices and writing them to files in the `logs/remote` directory under the application data directory. We can scrape these logs, in addition to the logs created by the UniFi server itself, with Promtail to get more information about what's happening on the network.
---
group_vars/unifi/main.yml | 66 +++++++++++++++++++++++++++++++++++++++
1 file changed, 66 insertions(+)

diff --git a/group_vars/unifi/main.yml b/group_vars/unifi/main.yml
index ef0aeda..e4535b2 100644
--- a/group_vars/unifi/main.yml
+++ b/group_vars/unifi/main.yml
@@ -8,3 +8,69 @@ unifi_exporter_password: !vault |
 64346335623433306663386364353461636663613434363663383564343039653861336162616235
 3464633736656437360a376666656632326562656233393064326430633936666162303562373461
 31643637623835323064623932323331386136663732626665666639663136666437
+
+promtail_dac_read_search: true
+promtail_scrape_configs:
+- '{{ promtail_default_scrape.journal }}'
+- job_name: unifi-server
+ static_configs:
+ - labels:
+ __path__: /var/lib/unifi/logs/server.log
+ job: unifi
+ - labels:
+ __path__: /var/lib/unifi/logs/migration.log
+ job: unifi
+ pipeline_stages:
+ - regex:
+ expression: ^\[(?P\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})\] (?P.*)
+ - timestamp:
+ source: timestamp
+ format: 2006-01-02 15:04:05,000
+ - output:
+ source: message
+- job_name: unifi-mongod
+ static_configs:
+ - labels:
+ __path__: /var/lib/unifi/logs/mongod.log
+ job: unifi
+ pipeline_stages:
+ - regex:
+ expression: ^(?P\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}.\d{3}[\+-]\d{4}) (?P.*)
+ - timestamp:
+ source: timestamp
+ format: 2006-01-02T15:04:05.000-0700
+- job_name: unifi-remote
+ static_configs:
+ - labels:
+ __path__: /var/lib/unifi/logs/remote/*.log
+ job: unifi-remote
+ pipeline_stages:
+ # Extract the device IP address from the log file name
+ - regex:
+ expression: ^(.*/)?(?P[0-9a-f:.]+)_[^/]+$
+ source: filename
+ # Extract the timestamp ans syslog priority value from the log message
+ - regex:
+ expression: >-
+ ^(?P\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) <(?P\d+)>\S+ \S+ \S+ (?P.*)
+ # Parse the timestamp
+ - timestamp:
+ source: timestamp
+ format: 2006-01-02 15:04:05,000
+ # Compute the syslog facility from the priority: F = floor(P / 8)
+ - template:
+ source: facility
+ template: >-
+ {% raw %}{{ div .priority 8 }}{% endraw %}
+ # Compute the syslog severity from the priority: S = P - F * 8
+ - template:
+ source: severity
+ template: >-
+ {% raw %}{{ sub .priority (.facility | mul 8) }}{% endraw %}
+ # Save the extracted values as labels
+ - labels:
+ facility:
+ severity:
+ device_ip:
+ - output:
+ source: message
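Review bot: In the `unifi-remote` job, a line from `logs/remote/*.log` that does not match the syslog regex still reaches the `facility` and `severity` template stages, where a missing `.priority` is (if sprig's `div`/`sub` coerce a nil argument to 0, as I believe they do) turned into facility 0 and severity 0, so every unparsed line is labelled as kern/emerg instead of being left unlabelled and will pollute any severity-based alert; guarding the templates, e.g. `{% raw %}{{ if .priority }}{{ div .priority 8 }}{{ end }}{% endraw %}` and likewise for severity, avoids that, but confirm how the `labels` stage treats an empty extracted value before relying on it. `promtail_dac_read_search: true` presumably grants Promtail CAP_DAC_READ_SEARCH, which bypasses read-permission checks on every file on the host, not just `/var/lib/unifi/logs`; if that directory is the only need, adding the Promtail user to the group that owns those files or setting an ACL on the directory is the narrower grant. The named capture groups referenced by `source: timestamp`, `.priority`, `source: message` and the `device_ip` label appear stripped in this rendering, presumably `(?P<name>…)` lost as markup, so I have not reviewed the group names themselves. Nit: `ans` → `and` in the comment above the second regex stage.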