UniFi System Logs & SIEM Integration
UniFi provides a robust, structured activity logging system that gives you full visibility into your network’s health, performance, and security. These logs capture key events—such as connectivity status, client behavior, admin actions, configuration changes, and security alerts—allowing you to monitor and troubleshoot your deployment with precision.
System logs can be used to trigger alarms and notifications (push, email, or webhook) and can be exported in Common Event Format (CEF) for integration with external monitoring or SIEM platforms.
For visibility into detailed traffic-level activity, see Traffic Flows in UniFi Network.
For a full overview of UniFi's Network and Cyber Security capabilities, see here.
For a full overview of UniFi’s Traffic and Policy Management capabilities, see here.
Accessing and Using Logs
To view activity logs, click the Logs icon in the left-hand sidebar of your UniFi dashboard.
Clicking any log entry reveals additional metadata and diagnostic context. You can use the filter bar at the top to refine logs by various dimensions including Severity, Time Range, Category, Type, and specific Event.
The search field also supports flexible queries, including filters by MAC address, IP, device name, admin username, and more.
Alarm Manager
Alarm Manager allows you to create custom alerts and automations based on log activity. This includes Push Notifications, Email Notifications, and Webhook Notifications (both GET and POST requests) to enable real-time awareness of critical issues, and integration with third-party systems for automation or alerting.
For full setup instructions, see UniFi Alarm Manager Notifications and Automations.
Log Categories and Types
The following table summarizes how UniFi organizes system logs:
| Category | Types | Example Events |
| --- | --- | --- |
| Monitoring | Guest Hotspot, WiFi, Wired, Status | Client Connected, Client Disconnected, WiFi Client Roaming |
| Internet | Outage & Failover, Performance | WAN Failover, High Latency Detected, Packet Loss Detected |
| Power | PoE, Redundancy | Insufficient PoE Output, PoE Availability Exceeded, AP Underpowered |
| Security | Firewall, Honeypot, Intrusion Prevention | Threat Detected and Blocked, Honeypot Triggered, Blocked by Firewall |
| System | Admin Activity, Devices, Network, VPN, WiFi, Wired | Admin Made Config Changes, Device Adopted, Device Offline |
UniFi Log Export
UniFi makes it easy to export system logs to external SIEMs or syslog servers for long-term auditing, monitoring, and retention. This is especially useful for organizations with compliance requirements or centralized observability platforms.
To configure log export:
- Go to Settings > Control Plane > Integrations > Activity Logging.
- Select SIEM Server as the destination.
- Choose the log categories you wish to export (e.g., security, system, client activity).
- Enter the IP Address and Port used by your SIEM or external syslog server.
All logs are exported in Common Event Format (CEF).
Common Event Format (CEF)
Common Event Format (CEF) is an industry-standard logging structure that ensures compatibility with most modern SIEM and monitoring platforms. This standardization allows external platforms to reliably parse, categorize, and analyze UniFi events alongside logs from other systems—enhancing searchability, correlation, alerting, and long-term analytics across distributed environments.
Header Information
CEF uses the following format that contains a prefix, a header, and an extension:
CEF:Version|Device Vendor|Device Product|Device Version|Device Event Class ID|Name|Severity|[Extension]
[Extension] is a placeholder for including additional, relevant information. See UniFi CEF Keys for a more comprehensive list.
CEF Output Examples
Admin Accessed UniFi Network
CEF:0|Ubiquiti|UniFi Network|9.3.33|544|Admin Accessed UniFi Network|1|UNIFIcategory=System UNIFIsubCategory=Admin UNIFIhost=Office UDM Pro UNIFIaccessMethod=web UNIFIadmin=Craig src=105.5.138.59 msg=Craig accessed UniFi Network using the web. Source IP: 105.5.138.59
WiFi Client Disconnected
CEF:0|Ubiquiti|UniFi Network|9.3.33|401|WiFi Client Disconnected|2|UNIFIcategory=Monitoring UNIFIsubCategory=WiFi UNIFIhost=Office UDM Pro UNIFIlastConnectedToDeviceName=Lobby AP UNIFIlastConnectedToDeviceIp=192.168.100.5 UNIFIlastConnectedToDeviceMac=d8:b3:70:fb:fc:dd UNIFIlastConnectedToDeviceModel=U7-Pro UNIFIlastConnectedToDeviceVersion=8.0.9 UNIFIclientAlias=Apple Watch 0d:87 UNIFIclientHostname=Craig Watch UNIFIclientIp=192.168.10.178 UNIFIclientMac=0a:be:db:c8:0d:81 UNIFIwifiChannel=153 UNIFIwifiChannelWidth=20 UNIFIwifiName=Employee WiFi UNIFIwifiBand=na UNIFIwifiAirtimeUtilization=14 UNIFIwifiInterference=9 UNIFIlastConnectedToWiFiRssi=-77 UNIFIduration=6m 22s UNIFIusageDown=11.78 KB UNIFIusageUp=4.46 KB UNIFInetworkName=Employee Network UNIFInetworkSubnet=192.168.10.0/24 UNIFInetworkVlan=10 msg=Apple Watch 0d:87 disconnected from Employee WiFi. Time Connected: 6m 22s. Data Used: 4.46 KB (up) / 11.78 KB (down). Last Connected To: Lobby AP at -77 dBm.
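The two records above show why a naive split on spaces fails on the receiving side: extension values such as UNIFIhost=Office UDM Pro contain spaces. The following parser is an added example, not Ubiquiti's code. The dictionary field names, the `<14>gw` transport prefix and the second sample record are assumptions constructed for illustration.

```python
import re

# Header field names, in the order of the format line above (names are ours).
HEADER = ("version", "vendor", "product", "device_version",
          "event_class_id", "name", "severity")
_PIPE = re.compile(r"(?<!\\)\|")     # header separator: unescaped pipe
_KEY = re.compile(r"(?<!\S)(\w+)=")  # key at line start or after whitespace
_ESC = re.compile(r"\\(.)")          # backslash escape

def _unescape(text):
    # \| \= \\ lose the backslash; \n and \r become line breaks.
    return _ESC.sub(lambda m: {"n": "\n", "r": "\r"}.get(m[1], m[1]), text)

def parse_extension(ext):
    """Split 'k=v k2=v with spaces' into a dict. Assumes '=' inside a value
    is escaped as CEF requires; a value runs until the next ' key='."""
    keys = list(_KEY.finditer(ext))
    fields = {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        fields[m[1]] = _unescape(ext[m.end():end].strip())
    return fields

def parse_cef(line):
    """Parse one record; text before 'CEF:' (transport framing) is skipped."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("not a CEF record")
    parts = _PIPE.split(line[start + 4:].rstrip("\r\n"), maxsplit=7)
    if len(parts) < 7:
        raise ValueError("truncated CEF header")
    event = {k: _unescape(v) for k, v in zip(HEADER, parts)}
    event["extension"] = parse_extension(parts[7]) if len(parts) > 7 else {}
    return event

# First record is the page's "Admin Accessed UniFi Network" example; the second
# is constructed to exercise a syslog-style prefix, an escaped "=" and a bare "|".
SAMPLES = [
    "CEF:0|Ubiquiti|UniFi Network|9.3.33|544|Admin Accessed UniFi Network|1|"
    "UNIFIcategory=System UNIFIsubCategory=Admin UNIFIhost=Office UDM Pro "
    "UNIFIaccessMethod=web UNIFIadmin=Craig src=105.5.138.59 msg=Craig accessed "
    "UniFi Network using the web. Source IP: 105.5.138.59",
    r"<14>gw CEF:0|Ubiquiti|UniFi Network|9.3.33|401|WiFi Client Disconnected|2|"
    r"UNIFIclientAlias=Apple Watch 0d:87 UNIFIduration=6m 22s msg=note a\=b | done",
]

if __name__ == "__main__":
    for ev in map(parse_cef, SAMPLES):
        print(ev["event_class_id"], ev["name"], ev["extension"])
```

Treat every parsed value as untrusted input before indexing it: fields such as UNIFIclientHostname and UNIFIclientAlias carry client names and can hold arbitrary text.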
CEF Keys
These are the structured CEF keys currently supported in UniFi system log exports. Each field appears in the exported payloads and can be used for filtering, alerting, or correlation in your external SIEM or syslog platform.
List of CEF Keys
- cnt
- deviceOutboundInterface
- msg
- reason
- src
- suser
- UNIFI2GHzChannel
- UNIFI5GHzChannel
- UNIFI6GHzChannel
- UNIFIWiFiRssi
- UNIFIaccessMethod
- UNIFIadmin
- UNIFIattemptedConnectionMethod
- UNIFIattemptedConnectionSource
- UNIFIauthMethod
- UNIFIbackupPowerDevice
- UNIFIbssid
- UNIFIcellularCarrier
- UNIFIcellularLimit
- UNIFIcellularSim
- UNIFIcellularUsage
- UNIFIcertExpiryDate
- UNIFIcertName
- UNIFIclientAlias
- UNIFIclientHostname
- UNIFIclientIP
- UNIFIclientIp
- UNIFIclientMac
- UNIFIconflictIp
- UNIFIconflictList
- UNIFIconnectedToDeviceIp
- UNIFIconnectedToDeviceMac
- UNIFIconnectedToDeviceModel
- UNIFIconnectedToDeviceName
- UNIFIconnectedToDevicePort
- UNIFIconnectedToDeviceVersion
- UNIFIcopiedFromDeviceMAC
- UNIFIcopiedFromDeviceName
- UNIFIcta
- UNIFIcurrentChannel
- UNIFIcurrentRootBridgeDeviceIp
- UNIFIcurrentRootBridgeDeviceMac
- UNIFIcurrentRootBridgeDeviceModel
- UNIFIcurrentRootBridgeDeviceName
- UNIFIcurrentRootBridgeDeviceVersion
- UNIFIdetectedByApAndSignalStrength
- UNIFIdetectedByQty
- UNIFIdeviceIp
- UNIFIdeviceLagPorts
- UNIFIdeviceList
- UNIFIdeviceMac
- UNIFIdeviceModel
- UNIFIdeviceName
- UNIFIdevicePort
- UNIFIdevicePortList
- UNIFIdevicePowerAvailability
- UNIFIdevicePowerRequirement
- UNIFIdevicePowerUsage
- UNIFIdevicePriorVersion
- UNIFIdeviceRequiredPower
- UNIFIdeviceSuppliedPower
- UNIFIdeviceUpdateUrl
- UNIFIdeviceUpdateVersion
- UNIFIdnsServerIp
- UNIFIfailoverCellularCarrier
- UNIFIfailoverCellularLimit
- UNIFIfailoverCellularSim
- UNIFIfailoverCellularUsage
- UNIFIfailoverWanId
- UNIFIfailoverWanIp
- UNIFIfailoverWanIsp
- UNIFIfailoverWanName
- UNIFIfailoverWanPort
- UNIFIfailoverWanSubnet
- UNIFIfanId
- UNIFIhost
- UNIFIlastConnectedToDeviceIp
- UNIFIlastConnectedToDeviceMac
- UNIFIlastConnectedToDeviceModel
- UNIFIlastConnectedToDeviceName
- UNIFIlastConnectedToDevicePort
- UNIFIlastConnectedToDeviceVersion
- UNIFIlastConnectedToWiFiBand
- UNIFIlastConnectedToWiFiChannel
- UNIFIlastConnectedToWiFiChannelWidth
- UNIFIlastConnectedToWiFiRssi
- UNIFIlastSuccessfulConfiguration
- UNIFImclagBottomSwitchIp
- UNIFImclagBottomSwitchMac
- UNIFImclagBottomSwitchModel
- UNIFImclagBottomSwitchName
- UNIFImclagBottomSwitchPorts
- UNIFImclagBottomSwitchVersion
- UNIFImclagGroup