Unifi Log Insight
Real-time log analysis for UniFi Routers - syslog receiver, PostgreSQL storage, IP enrichment (GeoIP, AbuseIPDB, rDNS), and React UI with live streaming, filters, and dashboard.
Installation
npx unifi-log-insight
UniFi Insights Plus 
Real-time log analysis for UniFi routers and gateways - captures syslog over UDP, parses firewall, DHCP, Wi-Fi, and system events, enriches them with GeoIP, ASN, threat intelligence, and reverse DNS, then serves everything through a live Dashboard.
Single Docker container. No external dependencies. Zero data collection.
For full documentation, visit insightsplus.dev/docs
Features · Prerequisites · Screenshots
Features
| Feature | Description |
|---|---|
| Live Log Stream | Auto-refreshing table with expandable details, copy-to-clipboard, and intelligent pause/resume |
| Flow View | Interactive Sankey flow graph and Zone Matrix showing how traffic moves between sources, services, and destinations. Click any node to cross-filter, drill into a host slide panel for per-IP breakdowns, and save/load custom views |
| Threat Map | Interactive world map showing where threats and blocked outbound traffic originate. Switch between heatmap and cluster views, filter by time range, and click any point to inspect individual logs |
| Dashboard | Traffic breakdowns, top blocked/allowed countries and IPs, top threats with ASN/city/rDNS/categories, top devices, services, DNS queries |
| Filters | Log type, time range, action, direction, VPN badge, interface, service, country, ASN, threat score, IP, rule name, text search |
| IP Enrichment | GeoIP (country, city, coordinates), ASN, reverse DNS via MaxMind GeoLite2 with scheduled auto-update and hot-reload |
| AbuseIPDB Integration | Threat scoring (23 categories, Tor detection, usage type), daily blacklist pre-seeding, automatic backfill |
| Syslog Receiver | UDP 514 listener parsing firewall, DHCP, Wi-Fi, DNS, and system events |
| Multi-WAN & Direction | Per-interface WAN IP mapping for failover/load-balanced setups. Auto-classifies traffic as inbound, outbound, inter-VLAN, local, or VPN |
| VPN Detection | Auto-detects VPN interfaces (WireGuard, OpenVPN, Teleport, Site Magic) with badge assignment, labels, and CIDRs |
| UniFi Integration | Network discovery, device name resolution, and firewall syslog management via UniFi OS (API key) or self-hosted controllers (username/password) |
| Pi-hole Integration | DNS query logging via Pi-hole v6+ API |
| AdGuard Home | DNS query logging support (coming soon) |
| Firewall Syslog Manager | Zone matrix with bulk toggle - enable syslog on firewall rules without leaving the app (UniFi OS) |
| AI Agent Integration (MCP) | Connect Claude Desktop, Claude Code, Gemini CLI (or any HTTP MCP client) via the Model Context Protocol (MCP) to query your network data and setup through natural conversation |
| Device Names | Friendly names from UniFi clients/devices with historical backfill |
| Theming & Preferences | Dark/light theme, country display format, IP subline (show ASN beneath IPs) |
| Interface Labels | Color-coded labels for traffic flow, applied retroactively to all logs |
| CSV Export | Download filtered results up to 100K rows |
| Retention | Configurable per log type (60-day default, 10-day DNS) and cleanup time (HH:MM, container-local). Adjustable via Settings or env vars |
| Backup & Restore | Export/import all settings as JSON |
| External DB Support | Run against an external PostgreSQL instead of the embedded one - compatible with Coolify, Unraid, managed Postgres, and any platform where bundled databases aren't allowed. Setup guide · Migration guide for existing users |
| DNS Ready | Full DNS query parsing (requires configuration) |
| Mobile Responsive | Collapsible filters, full-width table on small screens |
| Setup Wizard | Two paths: UniFi API (auto-detects WAN, VLANs, topology) or Log Detection (discovers interfaces from live traffic) |
Prerequisites
- Docker and Docker Compose
- UniFi Router (or any UniFi gateway that supports remote syslog)
- Zone-based firewall (not legacy/classic). The Firewall Syslog Manager and firewall policy API require the zone-based policy engine. If you are still on the legacy/classic firewall, migrate via Settings > Policy Engine in your UniFi controller before setting up ULI.
- MaxMind GeoLite2 account (free signup) - for GeoIP/ASN lookups
- AbuseIPDB API key (free tier, recommended but optional) - for threat scoring
Minimum host resources (estimated):
- CPU: 4 cores/threads minimum (PostgreSQL + receiver + API run concurrently)
- Memory/RAM: minimum of 4 GB of RAM
- Disk: 10 GB free for the database volume (`pgdata`) at minimum
These are baseline estimates for a small home network. Higher log volume or longer retention will require more CPU cores, RAM and Disk space.
Docker log rotation is enabled by default in `docker-compose.yml` (10 MB max, 5 files). If you use a custom compose file, add a `logging:` section to prevent unbounded container log growth.
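A `logging:` section matching the limits stated above, for a custom compose file. This is an added example, not the project's own `docker-compose.yml`; the service name `unifi-log-insight` is a placeholder, and the `json-file` driver (Docker's default) is an assumption.

```yaml
services:
  unifi-log-insight:        # placeholder: use the service name from your compose file
    # ... existing image, ports, volumes and environment stay unchanged ...
    logging:
      driver: json-file     # assumption: Docker's default logging driver
      options:
        max-size: "10m"     # rotate each container log file at 10 MB
        max-file: "5"       # keep at most 5 rotated files (about 50 MB total)
```

After recreating the container, `docker inspect --format '{{json .HostConfig.LogConfig}}' <container>` shows whether the limits were applied.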
App Screenshots
Desktop: Log Stream, Expanded Log Detail, Dashboard, Dashboard - Top IPs, Flow View - Sankey Chart, Flow View - Host Detail, Flow View - Zone Matrix, Threat Map - Heatmap, Threat Map - Clusters, Threat Map - Event Detail Sidebar, Firewall Syslog Matrix, Settings, Dark Mode
Mobile: Log Stream, Flow View, Dashboard, Threat Map
License
Licensed under the Business Source License 1.1 (BSL 1.1).
You may freely use, modify, and self-host UniFi Log Insight for non-commercial and internal business purposes.
You may not offer the Licensed Work to third parties on a hosted or embedded basis to compete with the Licensor's paid offerings without a commercial license.
Each version converts to Apache License 2.0 four years after its release date.
Exceptions to the BSL terms may be granted on a case-by-case basis - contact the Licensor for inquiries.
