Hello,
I have a UniFi home setup with various switches, APs, and most recently a new UCG Max (I migrated from pfSense, but that is a topic for another post). I also send all my logs to my Graylog server that I run in Docker Compose. Well, I recently upgraded my UCG Max to 4.1.13 and Network to 9.0.108 and migrated to Zones firewall rules. Following that transition, the amount of logs I see sent to my Graylog server has increased by several orders of magnitude. The load even crashed my Graylog server for a few days before I noticed it.
The total count of messages has gone from about 30k per day to upwards of 6 million (see graph). It looks like the UCG is sending logs for everything passing through the firewall. I don’t see an obvious way to control the verbosity of these messages. Has anyone else seen the same or do you know how to adjust what the firewall is logging?
Have you looked at what the new messages are? Do you have “Debug” turned on in the UniFi log export settings?
Hi Tom,
Debug is not enabled and the logs seem to be capturing every single firewall match.
Sample logs (trying to crop too many details):
However, I just noticed that one of the checked boxes for logs is “Firewall Default Policy”. I am going to uncheck that and see if that is the problem.
I’ll report back.
I hope that it is not an “all or nothing” and that there is a way to fine tune what firewall messages I want logged and which ones I do not.
Unchecking the “Firewall Default Policy” box from the syslog configuration seems to have done the trick. I need to see if there is a way to further tune firewall logs.
Here are the results of that change:
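Before unchecking a whole log category, it helps to know which rule is actually producing the volume. The script below is an added example, not code from this thread or from Ubiquiti; it assumes the gateway forwards netfilter-style `[rule-prefix]KEY=VALUE` lines to syslog (the rule prefixes, the `-A`/`-D` verdict suffix and the sample lines are constructed for illustration) and tallies messages per rule, verdict and destination port so the noisiest rule stands out.

```python
import re
from collections import Counter

# Constructed sample lines in the netfilter LOG key=value layout; the bracketed
# rule prefixes are assumed for illustration, not copied from a real UCG Max.
SAMPLE_LOGS = [
    "[Default-Policy-D]IN=eth1 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=51000 DPT=445",
    "[Default-Policy-D]IN=eth1 OUT= SRC=203.0.113.8 DST=198.51.100.2 PROTO=TCP SPT=51001 DPT=23",
    "[Default-Policy-D]IN=eth1 OUT= SRC=203.0.113.9 DST=198.51.100.2 PROTO=UDP SPT=5353 DPT=5353",
    "[Default-Policy-A]IN=br0 OUT=eth1 SRC=192.168.1.20 DST=198.51.100.50 PROTO=TCP SPT=40000 DPT=443",
    "[Block-IoT-to-LAN-D]IN=br2 OUT=br0 SRC=192.168.2.30 DST=192.168.1.10 PROTO=TCP SPT=40001 DPT=22",
    "[Default-Policy-D]IN=eth1 OUT= SRC=203.0.113.10 DST=198.51.100.2 PROTO=TCP SPT=51002 DPT=3389",
]

LINE_RE = re.compile(r"^\[(?P<rule>[^\]]+)\](?P<fields>.*)$")


def parse_line(line):
    """Return (rule_prefix, verdict, fields) or None if the line is not a firewall log."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rule = m.group("rule")
    # Assumption: the prefix ends in -A (accept) or -D (drop), as older UniFi firmware does.
    verdict = rule.rsplit("-", 1)[-1]
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    return rule, verdict, fields


def summarize(lines):
    """Count log volume per rule prefix, per verdict and per (protocol, destination port)."""
    by_rule, by_verdict, by_dport = Counter(), Counter(), Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip non-firewall syslog lines instead of crashing on them
        rule, verdict, fields = parsed
        by_rule[rule] += 1
        by_verdict[verdict] += 1
        by_dport[(fields.get("PROTO"), fields.get("DPT"))] += 1
    return by_rule, by_verdict, by_dport


def top_rule(lines):
    """The single rule prefix responsible for the most log lines, with its count."""
    return summarize(lines)[0].most_common(1)[0]


if __name__ == "__main__":
    by_rule, by_verdict, by_dport = summarize(SAMPLE_LOGS)
    print("per rule:", by_rule.most_common())
    print("per verdict:", by_verdict.most_common())
    print("per proto/dport:", by_dport.most_common(5))
```

Pipe a few minutes of forwarded syslog through `summarize` instead of the constructed list; if one default-policy prefix dominates, that is the category to turn off while keeping logging on the specific rules you care about.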
Where did you see the setting for Firewall Default Policy?
You have to click on the Edit button under Activity Monitoring and scroll down to the bottom. It is the last choice in the list.
Thanks. I don’t see this yet as I haven’t upgraded to the Zone Based firewall rules.