Ubiquiti Solution Doesn't Use Custom Logs via AMA #11423

Closed
doodlemania2 opened this issue Nov 12, 2024 · 19 comments
@doodlemania2
Member

Describe the bug
The solution says Custom Log via AMA is required, so I set that up. However, the solution itself still wants to use the now-deprecated connector when running reports or queries.

To Reproduce
Steps to reproduce the behavior:

  1. Install AMA, configure log ingestion from Unifi's SNMP trap on premise. Logs flowing into Sentinel's Log Analytics Ubiquiti_CL
  2. Install solution
  3. Do not configure the deprecated connector
  4. No results are being found

Expected behavior
Results in Hunting, Logs, etc. are produced.

@v-sudkharat
Contributor

Hi @doodlemania2, thanks for flagging this issue. We will investigate and get back to you with some updates. Thanks!

@v-sudkharat
Contributor

@doodlemania2, could you please let us know which solution version you are using?
And please also let us know what error you're facing while configuring the rule or running the parser. Thanks!

@doodlemania2
Member Author

Hi there, here's the version info:
Image
which creates two connectors - the deprecated one and the AMA one:
Image
I set up the AMA log and logs are flowing:
Image
but the workbooks and other components appear to still be looking for data from the deprecated connector:
Image -- isn't configured because deprecated
Image

@v-sudkharat
Contributor

v-sudkharat commented Nov 22, 2024

@doodlemania2, thanks for sharing the detailed info. We will look into the issue and get back to you.
And could you please share the Ubiquiti_CL logs with us at the mail id below -
[email protected]

Thanks!

@v-sudkharat
Contributor

@doodlemania2, waiting for logs to investigate. Thanks!

@doodlemania2
Member Author

Sent you an email offline.

@v-sudkharat
Contributor

@doodlemania2, Received.
You can send the Ubiquiti_CL logs in CSV format by setting the duration to the last 24 hours.

@doodlemania2
Member Author

Sent you the log offline.

@v-sudkharat
Contributor

@doodlemania2, Thanks!

@v-sudkharat
Contributor

@doodlemania2, after running the parser below, does it give results? -
Image

For us, with your shared data, it does not parse -
Image

@doodlemania2
Member Author

When I run the parser, I get no results as the solution doesn't seem to be connected to my Ubiquiti_CL table somehow.

@v-sudkharat
Contributor

@doodlemania2,
Actually, the solution contents (connector, workbook, rules) are parser dependent, so the message which you received into the table Ubiquiti_CL is not in the expected format.
And due to that, the contents are not showing any results.
We found the sample data in our repo in which the message format is shown -
"Message": "<30>Mar 9 14:51:17 U7PG2,18e8296c3188,v10.10.10.1075: logread[1491]: Logread connected to 10.10.10.10:22022"

https://raw.githubusercontent.com/Azure/Azure-Sentinel/refs/heads/master/Sample%20Data/Custom/UbiquitiAuditEvent.json

When we use the above data for testing, the solution content shows the results -
Image

Image

So, could you please check the source itself and the source configuration to get the correct format in the message. Thanks!

@doodlemania2
Member Author

I'm afraid I don't know what you're asking.

I set up the custom log connector because the Ubiquiti one is deprecated. Are you saying that I should be using the deprecated connector instead?

@v-sudkharat
Contributor

@doodlemania2, no, the configuration you did is the correct one. No need to use the old, deprecated connector.
So, the data received in the Message column is in a different format, and due to that the workbook is not showing any results. The expected message format should be like -
"Message": "<30>Mar 9 14:51:17 U7PG2,18e8296c3188,v10.10.10.1075: logread[1491]: Logread connected to 10.10.10.10:22022"
This message format comes from the source itself, which is the Ubiquiti side, so can you check whether any log format option is available, or which needs to be enabled, to get the correct message log.

Thanks!

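The format dependence explained in the two maintainer comments above (the parser expects the syslog-style Message layout quoted from the repo sample data, and any row in a different shape is silently dropped by every dependent workbook and rule), as an added example that is not part of this thread and not the Azure-Sentinel solution's own KQL parser: a small Python check that applies the same expected layout to Message values from the Ubiquiti_CL table and separates rows the parser would accept from rows it would drop. Only the first sample line is the one quoted in the thread; the two mismatching sample rows, the regex group names and the helper names are my own constructions.

```python
import re
from typing import Optional

# Constructed sample rows standing in for the Message column of Ubiquiti_CL.
# Row 0 is the format quoted from the repo sample data in this thread; rows 1
# and 2 are made up here to show what a non-matching ingestion looks like.
SAMPLE_MESSAGES = [
    "<30>Mar 9 14:51:17 U7PG2,18e8296c3188,v10.10.10.1075: "
    "logread[1491]: Logread connected to 10.10.10.10:22022",
    # constructed: no <PRI>, no MAC/version block after the hostname
    "Mar 9 14:51:17 U7PG2 logread[1491]: Logread connected to 10.10.10.10:22022",
    # constructed: JSON-wrapped payload rather than a raw syslog line
    '{"host":"U7PG2","msg":"Logread connected to 10.10.10.10:22022"}',
]

# Expected layout, field by field (names are my own choice):
#   <PRI>Mon D HH:MM:SS DEVICE,MAC,vVERSION: PROCESS[PID]: free text
EXPECTED = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<device>[^,]+),(?P<mac>[0-9a-fA-F]{12}),v(?P<version>[^:]+): "
    r"(?P<process>[^\[]+)\[(?P<pid>\d+)\]: "
    r"(?P<text>.*)$"
)


def parse_ubiquiti_message(message: str) -> Optional[dict]:
    """Return the parsed fields for a Message in the expected layout, or None.

    The syslog <PRI> value is split into facility and severity the same way
    a syslog receiver would (facility * 8 + severity), so the result can be
    filtered on severity without re-parsing the prefix.
    """
    m = EXPECTED.match(message)
    if not m:
        return None
    fields = m.groupdict()
    pri = int(fields["pri"])
    fields["facility"] = pri // 8
    fields["severity"] = pri % 8
    fields["pid"] = int(fields["pid"])
    return fields


def audit_messages(messages):
    """Split rows into (parsed, rejected).

    A format-dependent parser drops non-matching rows without any error, so
    surfacing the rejected raw lines is how an analyst sees that the source or
    connector is emitting a different shape, as happened in this thread.
    """
    parsed, rejected = [], []
    for msg in messages:
        row = parse_ubiquiti_message(msg)
        if row is None:
            rejected.append(msg)
        else:
            parsed.append(row)
    return parsed, rejected


if __name__ == "__main__":
    ok, bad = audit_messages(SAMPLE_MESSAGES)
    print(f"{len(ok)} row(s) match the expected format, {len(bad)} rejected")
    for raw in bad:
        print("  rejected:", raw[:60])
```

Running this over an exported CSV of Ubiquiti_CL (one Message per row) gives a quick answer to the question the maintainers asked in the thread: if every row lands in the rejected list, the parser has nothing to work with and the fix is on the source or connector side, not in the workbook.
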
@doodlemania2
Member Author

Oh I see, thank you. I'm not given any options in Ubiquiti to configure:
Image

and on the Azure side, not doing any transformations:
Image

output:
Image

@doodlemania2
Member Author

Okay, I think I have it working now - I am getting logs inside the parser:
Image

Does this look right?

@v-sudkharat
Contributor

v-sudkharat commented Dec 6, 2024

@doodlemania2, great.
Now you can check the rest of the solution content; it should work as the data has been parsed.
And note that the contents will only show results when the content query logic matches the received data.
Please let us know if there are any issues. Many thanks!

@v-sudkharat
Contributor

@doodlemania2, is there anything else for us? If your issue has been resolved, can we close this on GitHub?

@doodlemania2
Member Author

Looks good - thank you for the great help!
