UniFi Log Insight v1.2.0

IPv6 support across the full log processing pipeline — from syslog ingestion through parsing, enrichment, database storage, and the web UI.

Docker Image

docker pull ghcr.io/jmasarweh/unifi-log-insight:latest

Available for linux/amd64 and linux/arm64.

What's New

IPv6 Syslog Support

• Dual-stack UDP listener — the syslog receiver now accepts both IPv4 and IPv6 packets on port 514 using an AF_INET6 socket with explicit IPV6_V6ONLY=0
• Firewall parser — SRC= and DST= regex patterns broadened from [0-9.]+ to [0-9a-fA-F:.]+ to match IPv6 addresses (including IPv4-mapped ::ffff:x.x.x.x format)
• DNS parser — query[...] from and forwarded ... to patterns updated for IPv6 client/server addresses

IPv6 Enrichment

• is_public_ip() refactored — replaced manual private-network list with Python's ip.is_global, which correctly handles IPv6 ULA (fc00::/7), link-local (fe80::/10), loopback (::1), multicast (ff00::/8), and all IPv4 reserved ranges
• GeoIP / ASN / rDNS / AbuseIPDB — all enrichment pipelines already used ipaddress.ip_address() internally, so IPv6 addresses flow through enrichment without changes
• Backfill daemon — orphan IP discovery and threat score patching work for both address families via PostgreSQL's native INET type

IPv6 in Setup Wizard & UI

• WAN candidate detection — SQL queries now exclude IPv6 private ranges (fc00::/7, fe80::/10, ::1/128) alongside IPv4 RFC1918 when identifying WAN IPs
• Network segment discovery — includes IPv6 ULA and link-local as "local" IPs for interface mapping
• isPrivateIP() (frontend) — detects IPv6 loopback, ULA, link-local, and multicast addresses so the UI correctly identifies public vs private IPv6 IPs
• isLocalIP() (wizard) — "Local" badge now appears for IPv6 private sample IPs in the interface labelling step

Other Changes

• CI workflow — latest tag now applied on all version tag pushes (removed is_default_branch gate)
• README — broadened "UniFi Dream Router" to "UniFi Router" since the app works with any UniFi gateway

Breaking Changes

None. IPv6 support is additive — existing IPv4-only installations continue to work identically.

Known Limitations

• IPv6 firewall logs require router support — your UniFi gateway must have IPv6 firewall rules configured and syslog enabled for IPv6 traffic to appear. Most home networks are IPv4-only or dual-stack with IPv6 firewall rules disabled by default.
• AbuseIPDB IPv6 coverage — AbuseIPDB has significantly fewer reports for IPv6 addresses compared to IPv4. Threat scores for IPv6 IPs may be less informative.
• GeoIP IPv6 accuracy — MaxMind GeoLite2 has lower geolocation accuracy for IPv6 prefixes, especially for mobile and tunnel endpoints. Country-level data is generally reliable; city-level may be missing.
• DHCP remains IPv4-only — DHCPv6 uses a different protocol and message format than DHCPv4. The parser regexes were broadened defensively but DHCPv6 logs from UniFi gateways (if any) are not actively parsed.
• API server binds IPv4 only — the web UI / REST API listens on 0.0.0.0:8000 (IPv4) inside the container. This is intentional: Docker's port mapping handles external IPv6 access at the host level. The syslog receiver is the only component that requires direct IPv6 socket support.
• UI column widths — IPv6 addresses (~39 characters) are longer than IPv4 (~15 characters). The log table truncates with ellipsis and shows the full address on hover. If your network is predominantly IPv6, the Source/Destination columns may show truncated addresses.

Upgrade from v1.1.0

# Pre-built image:
docker compose pull && docker compose up -d

# From source:
git pull && docker compose up -d --build

No data loss, no configuration changes needed. Existing IPv4 logs are unaffected. New IPv6 firewall/DNS logs will be parsed and enriched automatically once the updated container is running.