icon/x Created with Sketch.

Splunk Cookie Policy

We use our own and third-party cookies to provide you with a great online experience. We also use these cookies to improve our products and services, support our marketing campaigns, and advertise to you on our website and other websites. Some cookies may continue to collect information after you have left our website. Learn more (including how to update your settings) here.
Accept Cookie Policy

We are working on something new...

A Fresh New Splunkbase
We are designing a New Splunkbase to improve search and discoverability of apps. Check out our new and improved features like Categories and Collections. New Splunkbase is currently in preview mode, as it is under active development. We welcome you to navigate New Splunkbase and give us feedback.
Cancel Visit New Splunkbase Visit
My Account
Login Signup
Support & Services
Search Splunk Documentation Splunk Answers Education & Training User Groups Splunk App Developers Support Portal Contact Us
My Account
Login Signup
Support & Services
Search Splunk Documentation Splunk Answers Education & Training User Groups Splunk App Developers Support Portal Contact Us
Log4Shell Vulnerability: Information and guidance for you. Get resources.

Accept License Agreements

This app is provided by a third party and your right to use the app is in accordance with the license provided by that third-party licensor. Splunk is not responsible for any third-party apps and does not provide any warranty or support. If you have any questions, complaints or claims with respect to this app, please contact the licensor directly.

Splunk Software License Agreement

Splunk Websites Terms and Conditions of Use

Thank You

Downloading Ubiquiti add-on for Splunk
SHA256 checksum (ubiquiti-add-on-for-splunk_136.tgz) e4ca9684174e9f70c65c4ad41293f141cbe8f57f362b8204ec5221682550e4c5 SHA256 checksum (ubiquiti-add-on-for-splunk_134.tgz) 6d9422971ecfacfb7bbb90cde18526936613fbf0cf4cd2b3a05f40f526707860 SHA256 checksum (ubiquiti-add-on-for-splunk_12.tgz) c4272e40d9b0014ce268216e0ac67fd1dda496eb746ced8bf31399bcee6c60df SHA256 checksum (ubiquiti-add-on-for-splunk_1123.tgz) d2977a8a85a2028b77e03bf495a0e4e1425bf1f244ffdc8ca32ffe97caf0f0d1 SHA256 checksum (ubiquiti-add-on-for-splunk_1122.tgz) dcdc5d3a5d19585de7adda02acd9d5a27726ebce8eb0bc27e8f58e44c69c9004 SHA256 checksum (ubiquiti-add-on-for-splunk_1121.tgz) 152147506bf09ae54ed7e050f5c293f5ac0d8d14f5be1890dcb8f990d25cbfc3 SHA256 checksum (ubiquiti-add-on-for-splunk_1120.tgz) d409ac0043a57dafa05ee2ec7f25b0c762934e7b694bf56ea472221774b49418 SHA256 checksum (ubiquiti-add-on-for-splunk_1118.tgz) 5d309d65e0868f2365e7ec60a8994774a1cb62b4617039d513926799d77544ef SHA256 checksum (ubiquiti-add-on-for-splunk_1116.tgz) e5c7d97437c6d62eb528f16af09732ca2300fcd95352b445aaa12be5fc569de8 SHA256 checksum (ubiquiti-add-on-for-splunk_1115.tgz) 1196dae307e728b0be8132a1047ae5f8ffb50a46b7ca0c86ff6d1b1cb6a04052 SHA256 checksum (ubiquiti-add-on-for-splunk_1114.tgz) 15c447658efff315f6bb84601c07675f0a9b37c66c6c09c73fb98727a361a233 SHA256 checksum (ubiquiti-add-on-for-splunk_109.tgz) 445df0e455c9bc1d81af93642f9de390dcbfb80330f13dd53acbb38c7d58f0f3
To install your download
For instructions specific to your download, click the Details tab after closing this window.

Flag As Inappropriate
splunk

Ubiquiti add-on for Splunk

Splunk Cloud
Overview
Details
The TA for Ubiquiti was developed on an environment with CloudKey, USG, USG-Pro and Pro AP. It contains field extractions for the Firewall, DHCP and beta IPS facilities. There are other source-types in this add-on which I have not been able to create the field extractions for, since they are cryptic. I am in contact with Ubiquiti's support to find out more information. Should you have this information please feel free to reach out.

To make this TA work fully CIM compliant follow the instructions on routing the different Sourcetypes to their individual indexes.

If you would like to contribute I've opened the repo: https://github.com/fwijnholds/TA-ubiquiti

More info here:
https://github.com/fwijnholds/ta-ubiquiti-support/wiki/Ubiquiti-Support

Installing and configuring Ubiquiti add-on for Splunk the TLDR version.

To get this TA working in your home environment. Just create a UDP input and make sure the sourcetype is called ubnt. The TA will do the rest oob. If you do want to do some more advanced stuff keep reading:

Installing and configuring Ubiquiti add-on for Splunk with ES

To use this TA with Enterprise Security some configuration is required. Datamodel acceleration at scale requires from the deployment that data is assigned to indexes by it's cardinality. As Sourcetype is assigned by input in Splunk there are 2 ways achieving this split. One is using transforms.conf in conjuction with a props.conf, the other is by having an intermediate like a syslog server do the splitting into files. A UF can assign sourcetype input.

Method 1:

If you want to use this add-on on a single instance, with full CIM compatability follow these steps:

Download transforms.conf-single and rename to transforms.conf.
https://github.com/fwijnholds/ta-ubiquiti-support/blob/master/transforms.conf-single.conf

This file holds the configuration which rewrites the sourcetype based on a patern match, and routes the traffic to the correct index.

Download props.conf-single and rename to props.conf. https://github.com/fwijnholds/ta-ubiquiti-support/blob/master/props.conf-single

This file holds the configuration which rewrites the sourcetype based on a patern match, and routes the traffic to the correct index. Place transforms.conf in the ta-ubiquiti/local directory. Place props.conf in the ta-ubiquiti/local directory.

Download and install the org_all_indexes.spl
https://github.com/fwijnholds/ta-ubiquiti-support/blob/master/org_all_indexes.spl

note: This contains a standard set of indexes, the Splunk best practice for CIM you will note that it separates OS logs from Network logs and Security logs from Application logs. The idea here is to separate them for performance reasons, but also for isolation purposes-you may want to expose the application or system logs to people who shouldn't view security logs. Putting them in separate indexes prevents that.

Restart splunk

In the UI navigate to Settings -> Data Inputs
Add a new input for UDP
Enter the port which you would like to receive the data on
Select any ubqt sourcetype ie ubqt:fw, change settings to your liking with the exception of indexes. Or manually create inputs.conf

[udp://8514]
connection_host = ip
sourcetype = ubnt
index=ubqt

Method 2:

For deployment with a syslog server the recomendation is to use a Universal forwarder on your rsyslog or syslog-ng server. Have the syslog server write a file per sourcetype and have the UF assign the sourcetype to the specific logs. More information will follow.

Check the latest updates: https://github.com/fwijnholds/ta-ubiquiti-support

Release Notes

Version 1.3.6
May 9, 2022

Added support for jQuery 3.5 and fixed a couple of Field Extraction issues for more CIM compliance.
Version 1.3.4
Sept. 18, 2020

This release adds support for the Dream Machine. With special thanks to Michael Nobles!
The firewall and DHCP logs have a different format coming from the Dream machine. This release fixes that.

This release also has support for the new dnsmasq logs that have appeared after the 6.0 firmware release.
Version 1.2
April 30, 2019

Added support for field extractions for connecting and reconnecting clients with the help of Nathan T.
Added support for Edge switches with the help of John W.
Fixed some issues with extractions.
Version 1.1.23
April 11, 2019

Added sourcetype and extractions for linkspeed checks.
Version 1.1.22
April 11, 2019

Fixed FW rule extraction.
Sourcetype renamed from everything ubqt to ubnt.
Version 1.1.21
Nov. 27, 2018

Bug fixes in source type matches..
Version 1.1.20
Nov. 27, 2018
Version 1.1.18
Nov. 1, 2018
Version 1.1.16
Nov. 1, 2018

In the latest firmware releases of cloud controller and USG the MAC= field now contains src and dest mac. You might want to check your deployment before updating.

Update mac field extractions
Renamed fw_rule to rule as this is CIM compliant.
TA is now set to visible

Version 1.1.15
Enabled the transforms for IPS.

VERSION: 1.1.14
Found major issues with the transforms concerning source-types and index during a clean install, These should be fixed in this release.

VERSION: 1.1.13

Sourcetype fixing
Added support for the BETA IPS functionality
Normalized mac address reporting for hostapd
Improved hostapd extractions
Improved hostapd sourcetyping and added field extractions.

Special thanks to Corey Falo at Ubiquiti for his support, and Paul Jeffery at Splunk for his input!
For any questions or contributions please contact me @ goose@splunk.com
Version 1.1.15
Oct. 17, 2018

Enabled the transforms for IPS.

VERSION: 10.1.14
Found major issues with the transforms concerning source-types and index during a clean install, These should be fixed in this release.

VERSION: 10.1.13

Sourcetype fixing
Added support for the BETA IPS functionality
Normalized mac address reporting for hostapd
Improved hostapd extractions
Improved hostapd sourcetyping and added field extractions.

VERSION: 1.1.12
Special thanks to Corey Falo at Ubiquiti for his support, and Paul Jeffery at Splunk for his input!
For any questions or contributions please contact me @ goose@splunk.com

Special thanks to Corey Falo at Ubiquiti for his support, and Paul Jeffery at Splunk for his input!
For any questions or contributions please contact me @ goose@splunk.com
Version 1.1.14
Oct. 17, 2018

Found major issues with the transforms concerning source-types and index during a clean install, These should be fixed in this release.

VERSION: 10.1.13

Sourcetype fixing
Added support for the BETA IPS functionality
Normalized mac address reporting for hostapd
Improved hostapd extractions
Improved hostapd sourcetyping and added field extractions.

VERSION: 1.1.12
Special thanks to Corey Falo at Ubiquiti for his support, and Paul Jeffery at Splunk for his input!
For any questions or contributions please contact me @ goose@splunk.com

Special thanks to Corey Falo at Ubiquiti for his support, and Paul Jeffery at Splunk for his input!
For any questions or contributions please contact me @ goose@splunk.com
Version 1.0.9
July 30, 2018

This is the first release of the TA for Ubiquiti. It was developed for an environment with CloudKey, USG and Pro AP. This release supports field extractions for the Firewall and DHCP facilities. It requires 3 indexes; UBQT, netdhcp and netfw. The net* indexes are there for CIM compliance
6,903
Downloads
Share Subscribe LOGIN TO DOWNLOAD
Version
Built by
Filip Wijnholds
Contributors
Michael Nobles
Support
Developer Supported
Contact Developer Questions on Splunk Answers Flag as inappropriate
Compatibility
This version of the app (1.3.4) is not available for Splunk Cloud. However, version 1.3.6 of this app is available for Splunk Cloud.
This version of the app (1.2) is not available for Splunk Cloud. However, version 1.3.6 of this app is available for Splunk Cloud.
This version of the app (1.1.23) is not available for Splunk Cloud. However, version 1.3.6 of this app is available for Splunk Cloud.
This version of the app (1.1.22) is not available for Splunk Cloud. However, version 1.3.6 of this app is available for Splunk Cloud.
This version of the app (1.1.21) is not available for Splunk Cloud. However, version 1.3.6 of this app is available for Splunk Cloud.
This version of the app (1.1.20) is not available for Splunk Cloud. However, version 1.3.6 of this app is available for Splunk Cloud.
This version of the app (1.1.18) is not available for Splunk Cloud. However, version 1.3.6 of this app is available for Splunk Cloud.
This version of the app (1.1.16) is not available for Splunk Cloud. However, version 1.3.6 of this app is available for Splunk Cloud.
Products: Splunk Enterprise, Splunk Cloud Products: Splunk Enterprise Products: Splunk Enterprise Products: Splunk Enterprise Products: Splunk Enterprise Products: Splunk Enterprise Products: Splunk Enterprise Products: Splunk Enterprise Products: Splunk Enterprise Products: Splunk Enterprise, Splunk Cloud Products: Splunk Enterprise, Splunk Cloud Products: Splunk Enterprise, Splunk Cloud
Splunk Versions: 8.1, 8.2 Platform: Platform Independent CIM Versions: 4.x Splunk Versions: 7.0, 7.1, 7.2, 7.3, 8.0, 8.1, 8.2 Platform: Platform Independent CIM Versions: 4.x Splunk Versions: 7.0, 7.1, 7.2, 7.3, 8.0, 8.1, 8.2 Platform: Platform Independent CIM Versions: 4.x Splunk Versions: 7.1, 7.0, 7.2 Platform: Platform Independent CIM Versions: 4.x Splunk Versions: 7.1, 7.0, 7.2 Platform: Platform Independent CIM Versions: 4.x Splunk Versions: 7.1, 7.0, 7.2 Platform: Platform Independent CIM Versions: 4.x, 3.x Splunk Versions: 7.1, 7.0, 7.2 Platform: Platform Independent CIM Versions: 4.x, 3.x Splunk Versions: 7.1, 7.0, 7.2 Platform: Platform Independent CIM Versions: 4.x Splunk Versions: 7.1, 7.0, 7.2 Platform: Platform Independent CIM Versions: 4.x Splunk Versions: 7.1, 7.0, 7.2 Platform: Platform Independent CIM Versions: 4.x Splunk Versions: 7.1, 7.0, 7.2 Platform: Platform Independent CIM Versions: 4.x Splunk Versions: 7.1, 7.0, 7.2 Platform: Platform Independent CIM Versions: 4.x
Licensing
Splunk Software License Agreement
Category & Contents
Categories: IT Operations, Security, Fraud & Compliance
App Type: Add-on
Subscribe Share

Are you a developer?

As a Splunkbase app developer, you will have access to all Splunk development resources and receive a 10GB license to build an app that will help solve use cases for customers all over the world. Splunkbase has 1000+ apps from Splunk, our partners and our community. Find an app for most any data source and user need, or simply create your own with help from our developer portal.

Submit New Splunk App Dev Resources
PLATFORM
Data-to-Everything Platform
Splunk Cloud
Splunk Enterprise
Splunk Machine Learning Toolkit
Splunk Data Stream Processor
Pricing
Free Trials & Downloads
SECURITY PRODUCTS
Splunk Enterprise Security
Splunk Phantom
Splunk Mission Control
Splunk User Behavior Analytics
IT OPERATIONS & OBSERVABILITY PRODUCTS
Splunk Infrastructure Monitoring
Splunk IT Service Intelligence
Splunk Application Performance Monitoring
Splunk On-Call
SOLUTIONS BY INITIATIVE
Cloud Transformation
SOLUTIONS BY FUNCTION
Security
IT
Devops
SOLUTIONS BY INDUSTRY
Aerospace & Defense
Communications
Energy & Utilities
Financial Services
Healthcare
Higher Education
Manufacturing
Nonprofits
Online Services
Public Sector
Retail
WHY SPLUNK?
Why Splunk?
Customer Stories
Partners
Data-to-Everything
Diversity & Inclusion
SUPPORT
Support Portal
Support Programs
Splunk Answers
Contact Us
Product Security Updates
RESOURCES
Events
Webinars
Blogs
Customer Success
Expert Services
Data Insider
View All Resources
FOR DEVELOPERS
Documentation
Best Practices
Get Started with Splunk
Training & Certification
User Groups
Community
Splunkbase
Splunk dev
COMPANY
About Splunk
Careers
Leadership
Splunk for Good
Splunk Ventures
Splunk Protects
Newsroom
COVID-19 Response
SPLUNK SITES
.conf
Splunk Live!
T-Shirt Store
Investor Relations
Follow Us:
© 2005-2022 Splunk Inc. All rights reserved.
Sitemap | Privacy | Website Terms of Use | Splunk Licensing Terms | Export Control | Modern Slavery Statement | Splunk Patents | Report a Problem
Splunk, Splunk>,Turn Data Into Doing, Data-to-Everything, and D2E are trademarks or registered trademarks of Splunk Inc. in the United States and other countries. All other brand names,product names,or trademarks belong to their respective owners.