🕰️ Yet Another Inconsistency in UniFi Logs: CEF and Time Zones

TL;DR: UniFi devices generate CEF events with inconsistent timestamp formats depending on where you enable activity logging.
- CEF events from "UniFi Network" use UTC timestamps.
- CEF events from "UniFi OS" use local time (without time zone info).
- Non-CEF events also use local time.
If you're parsing logs or building integrations, this inconsistency matters. Dear Ubiquiti: pick one.

In my previous post, I wrote that CEF event timestamps from UniFi devices use the UTC time zone. After digging deeper, I need to clarify that statement. And in doing so, I'm documenting yet another inconsistency in how UniFi logs work.

But first, let's take a quick look at what a CEF event is supposed to look like—and while we're at it, a brief CEF history lesson.

The Common Event Format (CEF) was created by ArcSight, one of the early SIEM vendors. ArcSight was later acquired by HP, and eventually ended up at Micro Focus. You can find the official CEF documentation here:
Micro Focus CEF documentation

From that documentation, a standard CEF event looks like this:
CEF:Version|Device Vendor|Device Product|Device Version|Device Event Class ID|Name|Severity|[Extension]

Here's a partial example of a real CEF event from a UniFi device:
Aug 05 15:35:08 pandora CEF:0|Ubiquiti|UniFi Network|9.3.45|201|Threat Detected and Blocked|7|proto=TCP src=81.181.129.172…

(You'll need that structure to follow along with which fields I'm referencing.)


Two ways to enable Activity Logging

There are two places in the UniFi UI where you can enable Activity Logging:

  • Settings (gear icon) → CyberSecure → Traffic Logging Integrations → Activity Logging (SIEM Server)
  • Settings (gear icon) → Control Plane → Integrations → Activity Logging (SIEM Server)

Here's the difference:

✔️ CyberSecure → Activity Logging

  • Enables various events
  • Some (not all) are in CEF format
  • In these CEF events, the Device Product field is UniFi Network
  • These events use UTC timestamps

✔️ Control Plane → Activity Logging

  • Enables a different set of CEF events
  • In these, the Device Product field is UniFi OS
  • These events use the local time zone for timestamps

Side note: I haven't seen the "UniFi OS" CEF events show up in the UI under the "Logs" page. The only way to access them appears to be via external syslog—so you'll need to send them to a syslog server, SIEM, or log management tool.


Summary for log parsers and integrators:

  • 🟠 Non-CEF events → Use local time zone
  • 🟠 CEF events from "UniFi OS" → Use local time zone
  • 🟢 CEF events from "UniFi Network" → Use UTC
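One way to apply these rules when ingesting the logs, as an added example (not code from the original post or from Ubiquiti): it keys the time zone on the CEF Device Product field and converts everything to UTC. The site offset, the year (the syslog prefix carries none) and the two constructed sample lines are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# RFC 3164-style prefix "Mon DD HH:MM:SS host", then the message.
LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<msg>.*)$")

def device_product(msg):
    """Return the CEF Device Product header field, or None for non-CEF messages."""
    if not msg.startswith("CEF:"):
        return None
    # Header fields are pipe-delimited; a literal pipe inside a field is escaped as "\|".
    fields = re.split(r"(?<!\\)\|", msg, maxsplit=7)
    return fields[2] if len(fields) >= 7 else None

def to_utc(line, site_tz, year):
    """Return (device_product, timezone-aware UTC datetime) for one syslog line."""
    m = LINE_RE.match(line)
    if m is None:
        raise ValueError(f"unrecognised syslog line: {line!r}")
    naive = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    product = device_product(m["msg"])
    # Only "UniFi Network" CEF events are UTC; "UniFi OS" and non-CEF are local time.
    tz = timezone.utc if product == "UniFi Network" else site_tz
    return product, naive.replace(tzinfo=tz).astimezone(timezone.utc)

# Assumption: the site is at UTC-4. A fixed offset keeps the example offline;
# pass a zoneinfo.ZoneInfo instead to get DST handled.
SITE_TZ = timezone(timedelta(hours=-4))
SAMPLES = [
    # Header taken from the event quoted in the post (extension shortened).
    "Aug 05 15:35:08 pandora CEF:0|Ubiquiti|UniFi Network|9.3.45|201|Threat Detected and Blocked|7|proto=TCP",
    # Constructed lines: version, class ID and name are placeholders.
    "Aug 05 11:35:08 pandora CEF:0|Ubiquiti|UniFi OS|0.0.0|0|Constructed sample event|1|msg=constructed",
    "Aug 05 11:35:08 pandora constructed non-CEF message",
]

if __name__ == "__main__":
    for line in SAMPLES:
        product, ts = to_utc(line, SITE_TZ, 2025)
        print(f"{product or 'non-CEF':<14} {ts.isoformat()}")
```

With the constructed UTC-4 site offset, all three sample lines normalise to the same instant, which is what a SIEM needs before it can correlate them.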

Dear Ubiquiti,

Please pick one. I'd strongly prefer all event timestamps to use UTC. But regardless of which you choose—be consistent.

And if you do decide to use local time, include the time zone in the timestamp format. It's 2025, after all.
