Stream not getting messages from UniFi machines

1. Describe your incident:

I cannot get any messages from my UniFi equipment into a separate stream. I did try a lot of stream rules. The messages appear in the All messages stream. Besides the access points with their pretty long names containing the MAC and FW version, I do have a router (USG, named “RouterBM”). Creating a stream rule for the source “RouterBM” doesn’t work either. (The screenshot below shows an AP.)

2. Describe your environment:

  • OS Information:
    Linux 5.10.0-10-amd64

  • Package Version:
    Graylog 4.2.4+b643d2b
    mongo:4.2
    elasticsearch-oss:7.10.2
    docker 20.10.12
    Debian 11 (virtualized with Proxmox)
    Portainer 2.11.0

  • Service logs, configurations, and environment variables: see docker-compose below.

3. What steps have you already taken to try and solve the problem?

  • recreated streams
  • paused and started the stream
  • tried contains and exact match
  • Evaluated other fields. Sadly only source is usable; e.g. gl2_remote_ip is not suitable because of routing into Docker.

4. How can the community help?
Please see the attached screenshot. For all rules I tried, the result while creating them was green, but the stream is empty.

I did create other streams for my Debian servers; they are working as expected.

What needs to be done so that all messages from my various UniFi devices get into a separate stream?

docker-compose.yml

version: '3.9'
services:
  mongo:
    container_name: graylog_mongo
    image: mongo:4.2
    restart: unless-stopped
    networks:
      - mongo
    expose:
      - '27017/tcp'
    volumes:
      - 'mongo_data:/data/db'
      - 'mongo_config:/data/configdb'
  elasticsearch:
    container_name: graylog_elasticsearch
    image: docker.elastic.co/elasticsearch/elasticsearch-oss:7.10.2
    restart: unless-stopped
    environment:
      - node.name=graylog-server
      - http.host=0.0.0.0
      - transport.host=localhost
      - network.host=0.0.0.0
      - "ES_JAVA_OPTS=-Xms1024m -Xmx1024m"
    mem_limit: 1g
    expose:
      - '9200/tcp'
    networks:
      - elasticsearch
      - graylog
    volumes:
      - 'es_data:/usr/share/elasticsearch/data'
  graylog:
    container_name: graylog_docker
    image: graylog/graylog:4.2
    restart: unless-stopped
    environment:
      - GRAYLOG_HTTP_EXTERNAL_URI=http://192.168.0.139:9000/
      - GRAYLOG_PASSWORD_SECRET=<censored>
      - GRAYLOG_ROOT_PASSWORD_SHA2=<censored>
      - GRAYLOG_ELASTICSEARCH_VERSION=7
    entrypoint: /usr/bin/tini -- wait-for-it elasticsearch:9200 --  /docker-entrypoint.sh
    networks:
      - mongo
      - elasticsearch
      - graylog
      - service.domain.eu
    ports:
      # Graylog web interface and REST API
      - 9005:9000
      # Syslog TCP
      - 1514:1514
      # Syslog UDP
      - 1514:1514/udp
      # GELF TCP
      - 12201:12201
      # GELF UDP
      - 12201:12201/udp
    depends_on:
      - mongo
      - elasticsearch
    volumes:
      - 'graylog:/usr/share/graylog/data'
      - 'geoipupdate_data:/usr/share/GeoIP:ro'
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.graylog.rule=Host(`logger.service.domain.eu`)"
      - "traefik.http.routers.graylog.entrypoints=websecure"
      - "traefik.http.routers.graylog.tls.certresolver=leresolver"
      - "traefik.http.services.graylog.loadbalancer.server.port=9000"
      - "traefik.docker.network=service.domain.eu"
  geoipupdate:
    container_name: graylog_geoipupdate
    image: maxmindinc/geoipupdate:v4
    restart: unless-stopped
    environment:
      - 'GEOIPUPDATE_EDITION_IDS=GeoLite2-ASN GeoLite2-City GeoLite2-Country'
      - GEOIPUPDATE_FREQUENCY=72
      - GEOIPUPDATE_ACCOUNT_ID=<censored>
      - GEOIPUPDATE_LICENSE_KEY=<censored>
    networks:
      - graylog
    depends_on:
      - graylog
    volumes:
      - 'geoipupdate_data:/usr/share/GeoIP'

networks:
  mongo:
  elasticsearch:
  graylog:
  service.domain.eu:
    external: true

volumes:
  mongo_config:
    driver: local
  mongo_data:
    driver: local
  es_data:
    driver: local
  graylog:
    driver: local
  geoipupdate_data:
    driver: local

Screenshot of the rule of stream “UniFi”

Hello,

First I’d like to say I’m not that good with Docker, but this seems more like a configuration problem.

After looking over what you have done, it is strange that it won’t route to that stream. You mentioned using the exact name for the rule with Contains and/or Match Exactly? Also, you have other streams that are working, correct?

I’m not sure why this would prevent a message going into a stream.

Judging from the screenshot, have you tried testing a message received from the All messages stream against your stream in question? I’m just curious if it would show a true state.

Example:

All else fails you can use a pipeline.

rule "Route to stream"
when
    // match every message whose source field contains the AP model name
    contains(to_string($message.source), "UAP-AC-Lite")
then
    // route the message to the target stream by its stream id
    route_to_stream(id: "5d8acba383d72e04cba96317");
end

If you’re going to test out pipelines, make sure your Message Processors Configuration is set with Message Filter Chain before Pipeline Processor.

EDIT:
I found this.

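The pipeline rule in the reply above only catches one AP model. As an added example (not from the reply or from Graylog's own documentation), here is a single rule that covers all of the asker's UniFi devices: it assumes the access points' source names start with "UAP-" (the page does not show the exact naming) and that the target stream already exists with the title "UniFi", and it routes by stream name instead of a hard-coded id.

```text
rule "Route all UniFi devices to stream UniFi"
when
    // Access points: their names also carry MAC and FW version, so match on
    // the model prefix rather than the full, changing name (assumed prefix "UAP-").
    starts_with(to_string($message.source), "UAP-") ||
    // The USG router reports with a fixed hostname (from the original post).
    to_string($message.source) == "RouterBM"
then
    // Route by stream title; keep the message in the default "All messages"
    // stream as well so nothing disappears while the new stream is verified.
    route_to_stream(name: "UniFi", remove_from_default: false);
end
```

Attach the rule to a pipeline that is connected to the input's stream (e.g. All messages), and keep the processor order noted above (Message Filter Chain before Pipeline Processor) so the source field is already populated when the rule runs.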

Thanks for your reply!

It went the same way as mentioned in issue #3301 on GitHub: the next day, the stream was filled.


Oh nice, glad your issue is resolved, and thanks for posting your resolution to this issue.
