github jmasarweh/UniFi-Insights-Plus v1.0.0
v1.0.0 — Initial Release

3 months ago

UniFi Log Insight v1.0.0

Real-time log analysis for UniFi routers and gateways. Receives syslog over UDP, parses firewall/DHCP/Wi-Fi/system events, enriches with threat intelligence, and serves a live React dashboard — all in a single Docker container.

Highlights

  • Syslog parsing — Firewall (iptables), DHCP, Wi-Fi, DNS (when enabled), and system logs
  • IP enrichment — MaxMind GeoIP/ASN, AbuseIPDB threat scoring (23 decoded attack categories, usage type, Tor detection, report counts), reverse DNS
  • Three-tier threat cache — In-memory → PostgreSQL → API, with 4-day TTL and daily blacklist pre-seeding (top 10K IPs)
  • Live UI — Auto-refreshing log stream with expandable detail rows, filters (type, time, action, direction, IP, rule, text search), and CSV export
  • Dashboard — Traffic breakdown, logs-per-hour chart, top blocked countries/IPs, top threat IPs with full enrichment context, top DNS queries
  • Service name mapping — IANA port-to-service resolution (e.g. port 443 → "https", port 587 → "submission")
  • Smart direction detection — Inbound/outbound/inter-VLAN/local classification with automatic WAN IP learning
  • Backfill daemon — Patches historical logs with missing threat scores and service names
  • MaxMind auto-update — Scheduled GeoLite2 refresh with hot-reload (no restart needed)
  • Batch insert resilience — Row-by-row fallback on batch failures, IP validation at parse time
  • 60-day retention for firewall/DHCP/Wi-Fi/system, 10-day for DNS
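The parsing, direction-detection and service-mapping highlights above can be illustrated with a small standalone parser. The following is an added example, not code from the UniFi Log Insight project: it assumes an iptables-style kernel log line with a bracketed rule tag of the form CHAIN-ACTIONLETTER-INDEX (A/D/R for accept/drop/reject), a hypothetical INTERFACE_MAP and WAN_INTERFACE mirroring the values the release notes describe as hardcoded in receiver/parsers.py, a constructed subset of the IANA service-name registry, and a constructed heuristic for learning the WAN IP (an inbound packet with no OUT interface is addressed to the gateway itself). The sample log lines are constructed, not captured from a real gateway.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Hypothetical configuration (placeholders, not the project's own values).
WAN_INTERFACE = "ppp0"
INTERFACE_MAP = {"br0": "Default", "br10": "IoT", "br20": "Guest"}

# Constructed subset of the IANA service-name registry, keyed by (protocol, port).
SERVICE_NAMES = {
    ("TCP", 22): "ssh",
    ("TCP", 53): "domain",
    ("UDP", 53): "domain",
    ("TCP", 443): "https",
    ("TCP", 587): "submission",
}

# Assumed rule-tag convention: "<CHAIN>-<ACTION LETTER>-<INDEX>" in square brackets.
ACTION_LETTERS = {"A": "accept", "D": "drop", "R": "reject"}
RULE_RE = re.compile(r"\[(?P<rule>[A-Za-z0-9_]+-[ADR]-\d+)\]")
KV_RE = re.compile(r"\b(\w+)=(\S*)")


@dataclass
class FirewallEvent:
    rule: str
    action: str
    in_if: str
    out_if: str
    src: str
    dst: str
    proto: str
    dport: Optional[int]
    service: Optional[str]
    direction: str


def classify_direction(in_if: str, out_if: str) -> str:
    """Inbound/outbound/inter-vlan/local, derived from the IN= and OUT= interfaces."""
    in_wan, out_wan = in_if == WAN_INTERFACE, out_if == WAN_INTERFACE
    if in_wan and not out_wan:
        return "inbound"
    if out_wan and not in_wan:
        return "outbound"
    if in_if in INTERFACE_MAP and out_if in INTERFACE_MAP and in_if != out_if:
        return "inter-vlan"
    return "local"


def service_name(proto: str, dport: Optional[int]) -> Optional[str]:
    """IANA-style port-to-service resolution over the constructed table."""
    return SERVICE_NAMES.get((proto.upper(), dport)) if dport is not None else None


class FirewallParser:
    """Parses iptables-style lines and learns the WAN IP from inbound traffic."""

    def __init__(self) -> None:
        self.wan_ip: Optional[str] = None

    def parse(self, line: str) -> Optional[FirewallEvent]:
        m = RULE_RE.search(line)
        if not m:
            return None  # not a firewall log line
        rule = m.group("rule")
        action = ACTION_LETTERS[rule.split("-")[1]]
        kv = dict(KV_RE.findall(line[m.end():]))
        src, dst = kv.get("SRC", ""), kv.get("DST", "")
        try:
            ipaddress.ip_address(src)
            ipaddress.ip_address(dst)
        except ValueError:
            return None  # validate at parse time so bad rows never reach the database
        in_if, out_if = kv.get("IN", ""), kv.get("OUT", "")
        proto = kv.get("PROTO", "")
        dport = int(kv["DPT"]) if kv.get("DPT", "").isdigit() else None
        direction = classify_direction(in_if, out_if)
        # Assumed heuristic: an inbound packet with no OUT interface was addressed
        # to the gateway itself, so its DST is the current WAN address.
        if direction == "inbound" and out_if == "":
            self.wan_ip = dst
        return FirewallEvent(rule, action, in_if, out_if, src, dst, proto, dport,
                             service_name(proto, dport), direction)


# Constructed sample lines (documentation IP ranges, not real traffic).
SAMPLE_LINES = [
    "<4>Jan 10 12:00:01 gateway kernel: [WAN_IN-D-4000] IN=ppp0 OUT= "
    "MAC=00:11:22:33:44:55 SRC=203.0.113.5 DST=198.51.100.7 LEN=40 PROTO=TCP SPT=55555 DPT=443",
    "<4>Jan 10 12:00:02 gateway kernel: [LAN_OUT-A-2000] IN=br10 OUT=ppp0 "
    "SRC=192.168.10.5 DST=198.51.100.9 LEN=60 PROTO=UDP SPT=40000 DPT=53",
    "<4>Jan 10 12:00:03 gateway kernel: [LAN_IN-D-3000] IN=br10 OUT=br20 "
    "SRC=192.168.10.5 DST=192.168.20.8 LEN=60 PROTO=TCP SPT=41000 DPT=22",
    "<4>Jan 10 12:00:04 gateway kernel: [WAN_IN-D-4000] IN=ppp0 OUT= "
    "SRC=999.1.1.1 DST=198.51.100.7 LEN=40 PROTO=TCP SPT=1 DPT=80",
]


def parse_samples() -> tuple:
    """Returns (parsed events, learned WAN IP); the malformed fourth line is dropped."""
    parser = FirewallParser()
    events = [parser.parse(line) for line in SAMPLE_LINES]
    return [e for e in events if e is not None], parser.wan_ip


if __name__ == "__main__":
    events, wan_ip = parse_samples()
    for e in events:
        print(f"{e.direction:10} {e.action:6} {e.src} -> {e.dst}:{e.dport} ({e.service}) rule={e.rule}")
    print("learned WAN IP:", wan_ip)
```

The fourth sample line carries an impossible source address and is discarded by the parse-time validation rather than being batch-inserted and failing later; the other three yield inbound, outbound and inter-VLAN events with their service names resolved.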

Requirements

  • Docker and Docker Compose
  • UniFi gateway with remote syslog support
  • MaxMind GeoLite2 account (free, optional but recommended)
  • AbuseIPDB API key (free tier, optional)

Known Limitations

  • WAN interface is hardcoded as ppp0 — If your setup uses a different WAN interface (eth3, eth4, eth8, etc.), you must manually edit receiver/parsers.py before building. See Configure Network Interfaces in the README.
  • VLAN labels are hardcoded — Update INTERFACE_MAP in parsers.py and INTERFACE_NAMES in ui/src/utils.js to match your network. A setup wizard to automate this is planned for v1.1.0.
  • DNS logging requires additional UniFi configuration that may not persist across firmware updates. See README for alternatives (Pi-hole, AdGuard Home).

Getting Started

git clone https://github.com/jmasarweh/unifi-log-insight.git
cd unifi-log-insight
# Create .env with POSTGRES_PASSWORD (see README)
# Edit receiver/parsers.py with your WAN interface if not ppp0
docker compose up -d --build
# Configure UniFi syslog to point at <docker-host-ip>:514
# Open http://<docker-host-ip>:8090

What's Next (v1.1.0)

  • First-run setup wizard for WAN interface detection and VLAN labelling
  • Dynamic interface filtering in the UI
  • Configuration stored in PostgreSQL (persists across rebuilds)
  • Reconfiguration without container restart
