feat: add UniFi Syslog (CEF) adapter#264
Open
ecapuano wants to merge 1 commit intorefractionPOINT:masterfrom
Open
feat: add UniFi Syslog (CEF) adapter#264ecapuano wants to merge 1 commit intorefractionPOINT:masterfrom
ecapuano wants to merge 1 commit intorefractionPOINT:masterfrom
Conversation
Syslog listener that parses UniFi CEF events into structured JSON. CEF lines are parsed into header fields + extension key=value pairs and shipped as JsonPayload. Non-CEF syslog is parsed into structured BSD syslog fields (timestamp, hostname, process, pid, message) with automatic JSON detection for embedded payloads. Supports TCP, UDP, TLS, and mutual TLS.
amrik-lc
approved these changes
Feb 6, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
unifi_syslogadapter that listens for syslog traffic (TCP/UDP/TLS) and parses UniFi CEF (Common Event Format) events into structured JSONdevice_vendor,device_product,device_event_class_id,name,severity, etc.) plus parsed extension key=value pairs, shipped asJsonPayloadtimestamp,hostname,process,pid,message) with automatic JSON detection for embedded payloads (e.g., coredns ad-block logs)UNIFI-prefixed CEF extension keys, syslog priority headerssyslogadapter pattern exactly (TCP/UDP/TLS/mutual TLS,StreamTokenizerfor TCP framing)Context
UniFi controllers (v9.3.43+) support SIEM log export in CEF format via syslog. The existing
syslogadapter ships raw text (TextPayload), which doesn't leverage CEF's structured format. This dedicated adapter parses CEF into structured JSON, enabling richer detection rules and queries in LimaCharlie.Test plan
go build ./containers/generalcompilesgo vet ./unifi_syslog/...cleango test ./...— all tests pass (18 new tests for CEF + syslog parsing)