Send Pfsense logs to Wazuh

In this post I will show you how to send pfSense logs to a Wazuh SIEM server.

Many examples on the internet say that you can use the Wazuh agent to send logs to the Wazuh server. Well, from pfSense 2.5 you cannot install the agent without breaking the pfSense upgrade manager UI. The next option is to send the pfSense logs directly from the firewall to the Wazuh server syslog endpoint. I tried this method, but my problem was the Log Message Format. From pfSense 2.5 you can use the RFC 5424 format, but the Wazuh server syslog input does not decode it well and the default log decoders for pfSense do not work. So I tried the legacy RFC 3164 format. Well, there is a bug in the FreeBSD implementation of syslogd: it does not include the hostname in the syslog message. This means it is not a valid syslog formatted message, and the Wazuh default log decoders for pfSense still do not work. So first I tried to create custom decoders for the log messages. In the end I found a suggestion on the pfSense forum to use the syslog-ng plugin of pfSense, because it formats the syslog messages correctly.

Install Syslog-ng plugin

Navigate to System > Package Manager > Available Packages and search for syslog; the only result will be the syslog-ng package. Click on the Install button to add it to the firewall.

[image: wazuh infra]

Setting syslog-ng

Navigate to Services > Syslog-ng > Settings tab, configure syslog-ng in the GUI as shown in the image below, and click on the Save button.

[image: wazuh infra]

Send pfSense Logs to syslog-ng

Navigate to Status > System Logs > Settings tab and at the bottom check the Enable Remote Logging checkbox.

Set the options as in the pictures below and click the Save button.

[image: wazuh infra]

[image: wazuh infra]

Configure Wazuh syslog input

Edit /var/ossec/etc/ossec.conf on the Wazuh Manager and add a syslog listener for the firewall (the same port is opened on both TCP and UDP, so either transport chosen in syslog-ng will be accepted):

<ossec_config>
  <!-- pfsense syslog input -->
  <remote>
    <connection>syslog</connection>
    <port>5514</port>
    <protocol>tcp</protocol>
    <allowed-ips>192.168.1.10</allowed-ips>
    <local_ip>192.168.1.5</local_ip>
  </remote>
  <remote>
    <connection>syslog</connection>
    <port>5514</port>
    <protocol>udp</protocol>
    <allowed-ips>192.168.1.10</allowed-ips>
    <local_ip>192.168.1.5</local_ip>
  </remote>
</ossec_config>

The pfSense server's IP is 192.168.1.10 and the Wazuh server's IP is 192.168.1.5; allowed-ips restricts the listener to messages coming from the firewall.

Sending syslog-ng Logs to Remote Server

Syslog-ng is very flexible with its sources and destinations, and the next step is to create a new destination that connects the local instance to the remote server.

First, we need to add a new destination entry named DST_WAZUH_SYSLOG. Navigate to Services > Syslog-ng > Advanced tab and add a new destination as in the picture below.

{ network("192.168.1.5" transport(udp) port(5514)); };

After adding the destination, we need to connect to the remote server by adding a new log object as seen below.

{ source(_DEFAULT); destination(DST_WAZUH_SYSLOG); };

If you want to rewrite the hostname, create a rewrite object named REWRITE_HOSTNAME:

{ set("pfsense.mydomain.intra", value("HOST")); };

Then add the rewrite rule to the log object, between the source and the destination:

{ source(_DEFAULT); rewrite(REWRITE_HOSTNAME); destination(DST_WAZUH_SYSLOG); };

Check that the service is running.

[image: wazuh infra]
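To confirm that the messages now arriving at the Wazuh listener carry the RFC 3164 hostname field that the default pfSense decoders depend on (the problem described at the top of this post), here is an added Python checker that is not part of the original post or of Wazuh. The two sample lines are constructed: one mimics what FreeBSD syslogd sends (hostname missing), the other what syslog-ng sends after the REWRITE_HOSTNAME rule; the regexes and function names are mine.

```python
"""Flag RFC 3164 syslog lines whose hostname field is missing.

Added example (not from the original post). Feed it lines captured on the
Wazuh side, e.g. from a packet capture on port 5514, to verify the pipeline.
"""
import re

# RFC 3164 layout: <PRI>TIMESTAMP HOSTNAME TAG: MSG, where TAG is usually "prog[pid]".
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<rest>.*)$"
)
# A program tag ends with ':' (optionally after a [pid]); a hostname never does.
TAG = re.compile(r"^[\w./-]+(\[\d+\])?:")


def parse_rfc3164(line):
    """Return the parsed fields, with hostname=None if the sender omitted it."""
    m = RFC3164.match(line)
    if not m:
        return None
    rest = m.group("rest")
    first, _, remainder = rest.partition(" ")
    if TAG.match(first):
        # The token right after the timestamp is already the program tag,
        # so the hostname field is absent (the FreeBSD syslogd behaviour).
        hostname = None
        tag, _, msg = rest.partition(": ")
    else:
        hostname = first
        tag, _, msg = remainder.partition(": ")
    pri = int(m.group("pri"))
    return {"facility": pri >> 3, "severity": pri & 7, "timestamp": m.group("ts"),
            "hostname": hostname, "tag": tag, "msg": msg}


def missing_hostname(lines):
    """Return the lines a Wazuh pfSense decoder would fail on (no hostname)."""
    bad = []
    for line in lines:
        parsed = parse_rfc3164(line)
        if parsed and parsed["hostname"] is None:
            bad.append(line)
    return bad


# Constructed samples (filterlog payload truncated with "...").
SAMPLES = [
    "<134>Mar  3 10:15:42 filterlog[12345]: 5,,,1000000103,igb0,match,block,in,4,...",
    "<134>Mar  3 10:15:42 pfsense.mydomain.intra filterlog[12345]: 5,,,1000000103,igb0,match,block,in,4,...",
]
```

An empty result from missing_hostname() over a capture taken after the syslog-ng change means the firewall is now emitting decodable messages.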