📅 UniFi Logs and the Missing Time Zone: Why It Matters

TL;DR: UniFi's syslog output still uses an outdated timestamp format that lacks time zone information. That's a problem for SIEMs and log management systems where correlation and accurate timelines matter. Modern formats like the one defined in RFC 5424 include time zone data—UniFi should adopt this.

The logs from UniFi devices have historically been somewhat underwhelming—especially when it comes to integration with SIEMs and log management systems. But with version 8.5.6 of the UniFi Network Application, released in October 2024, there was a welcome change:

"Export all or specific System Logs shown on the Network Application to SIEM Servers (remote Syslog) such as Splunk, Microsoft Sentinel, IBM QRadar, and others."
Release notes for UniFi Network Application 8.5.6

I was genuinely excited to see this. At last, logs from UniFi devices were getting some SIEM love!

🕓 Time Stamps: The Basics

Logs are chronological records of system activity. Each event typically includes a timestamp, so you know when it happened and in what order. Seems simple enough—until you introduce time zones.

Different devices may be in different parts of the world, generating events in local time. Add in daylight savings/summer time and things get even messier. This is why good logs use time zone-aware timestamps.

🚨 The Problem

UniFi's logs don't include any time zone information in their timestamps.

That might not sound like a big deal, but if you're sending these logs to a SIEM or log management system, it can cause problems. Take CrowdStrike's Next-Gen SIEM as an example: it assumes timestamps are in UTC if there's no time zone specified. But if time zone info is present, it uses it.

This matters for:

  • Accurate timeline reconstruction
  • Correlation across multiple systems
  • Detecting time-based anomalies
  • Avoiding confusion during daylight savings transitions

📜 A Tale of Two Timestamps

Here's what a modern, time zone-aware timestamp looks like—from a TrueNAS server:

2025-08-04T20:59:45+01:00

And here's what we get from a UniFi Dream Machine Pro (running UniFi Network Application firmware 9.3.45):

Aug  4 21:04:25

That's it. No year, no offset, no timezone. Just... local time.

✏️ Dear Ubiquiti...

Please adopt a modern, standards-based timestamp format, such as the one defined in RFC 5424, which includes time zone info. It will make your logs far more useful in SIEM environments and eliminate unnecessary confusion.

You've taken a big step forward with SIEM logging support—this is the next logical improvement.

Comments

Post a Comment

Popular posts from this blog

🕰️ Inconsistent Time Zones in UniFi Logs

Image
TL;DR: UniFi logs from different processes don't use a consistent time zone. CEF events are timestamped in UTC, while other logs use the local device time (which may include daylight savings). This inconsistency causes confusion and breaks correlation in SIEMs and log management systems. Ubiquiti should standardise on UTC for all events. Looking at the logs from my UniFi Dream Machine Pro, it's clear that many different processes are responsible for providing all the awesome functionality it offers. In my previous post, I pointed out that, in this day and age, timestamps should include time zone information . But at the very least, you'd expect that all processes on the same device use the same time zone, right? Nope. Take a look at this screenshot from my log management system: First, you see an ingesttimestamp —the time when the log management system received the event. Then you see the raw event as sent by the UniFi Dream Machine. Look at the highlighte...
Read more

Missing Fields in Teleport VPN Logs: Why the Remote IP Matters

TL;DR: UniFi Teleport VPN logs (in CEF format) are missing the client's remote IP address—the WireGuard endpoint—which is critical for threat detection, auditing, and correlation in SIEM tools. Although this IP is available in other events, it isn't included in the CEF event. Adding a field like UNIFIvpnClientRemoteIp would significantly improve log completeness and security monitoring value. When a Teleport VPN connection is made through a UniFi device, three IP addresses are involved: The remote IP of the Teleport client (the WireGuard endpoint) The WAN IP of the UniFi device The internal IP assigned to the Teleport client The CEF log that's generated captures a good deal of useful information, including the internal client IP, VPN type, and WAN interface. But one important piece is missing: the remote IP address of the Teleport client. Here's an example CEF event for a VPN connection: CEF:0|Ubiquiti|UniFi Network|9.3.45|522|Teleport Clie...
Read more