Monitoring pfSense with Wazuh: A Comprehensive Guide

There are several ways to integrate pfSense with Wazuh. The easiest method is using syslog, but you can also use the Wazuh agent.

In the pfSense images available in the Yandex Cloud Marketplace and VK Cloud Marketplace, the Wazuh agent (the native pfSense package) is already pre-installed, so let's get started with the configuration.

⚠️
Installing packages for pfSense from FreeBSD repositories is not recommended, as this can greatly increase the likelihood of problems and malfunctions.

First, enable the agent at boot. To do this, edit the /etc/rc.conf.local file and replace wazuh_agent_enable="NO" with wazuh_agent_enable="YES", or alternatively run the following command:

sysrc -f /etc/rc.conf.local wazuh_agent_enable="YES"

The next step is configuring the agent’s connection to the Wazuh cluster. To do this, edit the /var/ossec/etc/ossec.conf file and replace IP with the IP address or FQDN of the Wazuh cluster.

  <client>
    <server>
      <address>IP</address>
    </server>
    <config-profile></config-profile>
    <crypto_method>aes</crypto_method>
  </client>

Now start the agent:

service wazuh-agent start

To save disk space, it is recommended to configure a cron job that automatically deletes agent logs older than, for example, 30 days. Open the crontab with

crontab -e

and add a cleanup entry such as the following:

0 4 * * * find /var/ossec/logs/ossec/ -d 1 -mtime +30 -type d -exec rm -rf {} \; > /dev/null

After starting the agent, it should register with Wazuh; let's check. To do this, connect to the Wazuh master via SSH and run the following commands:

cd /var/ossec/bin/
./agent_control -l

If everything is configured correctly, the pfSense agent is listed with the state 'Active':

Wazuh agent_control. List of available agents:
   ID: 000, Name: wazuh (server), IP: 127.0.0.1, Active/Local
   ID: 001, Name: pfsense.ru-central1.internal, IP: any, Active

You should also see the new agent in the Wazuh web interface.

The initial setup is complete; what remains is the configuration of log collection on the agent and of the rules in Wazuh.

Configuring Suricata in pfSense to send logs to Wazuh

First, you need to install the Suricata package.

⚠️
If you are already using Suricata, you can skip this step.

Make sure these two parameters are set for the desired interfaces; all other eve.json settings can be configured at your discretion.

For Wazuh to start analyzing Suricata events, add the following to the /var/ossec/etc/ossec.conf configuration file (the wildcard covers one eve.json per monitored interface):

<localfile>
    <log_format>json</log_format>
    <location>/var/log/suricata/*/eve.json</location>
</localfile>

Then restart the agent:

service wazuh-agent restart

Configuring firewall log collection

Add the following to the /var/ossec/etc/ossec.conf configuration file and then restart the agent:

<localfile>
    <log_format>syslog</log_format>
    <location>/var/log/filter.log</location>
</localfile>

By default, the pfSense firewall drop event rule (rule 87701) does not generate an alert, as specified by <options>no_log</options> in the rule declaration.

⚠️
Enabling logging for this rule can significantly increase the volume of logs!

By default, only repeated blocks from the same source (rule 87702) produce an alert; a single block event from the pfSense firewall does not. If you want every block event from the pfSense firewall to be logged in Wazuh, you can change this behavior as follows.

Create a custom rules file.

Open the Wazuh menu and go to Management > Rules.

Search for the pfSense rules.

Open the 0540-pfsense_rules.xml file and copy its contents:

<group name="pfsense,">
  <rule id="87700" level="0">
    <decoded_as>pf</decoded_as>
    <program_name>filterlog</program_name>
    <description>pfSense firewall rules grouped.</description>
  </rule>

  <!-- We don't log firewall events, because they go
    -  to their own log file.
    -->
  <rule id="87701" level="5">
    <if_sid>87700</if_sid>
    <action>block</action>
    <options>no_log</options>
    <description>pfSense firewall drop event.</description>
    <group>firewall_block,pci_dss_1.4,gpg13_4.12,hipaa_164.312.a.1,nist_800_53_SC.7,tsc_CC6.7,tsc_CC6.8,</group>
  </rule>

  <rule id="87702" level="10" frequency="18" timeframe="45" ignore="240">
    <if_matched_sid>87701</if_matched_sid>
    <same_source_ip />
    <description>Multiple pfSense firewall blocks events from same source.</description>
    <mitre>
      <id>T1110</id>
    </mitre>
    <group>multiple_blocks,pci_dss_1.4,pci_dss_10.6.1,gpg13_4.12,hipaa_164.312.a.1,hipaa_164.312.b,nist_800_53_SC.7,nist_800_53_AU.6,tsc_CC6.7,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>
</group>

Go back to the previous screen and select Add new rules file. The name of the new file can be anything you like, for example custom-pfSense-overrides.xml. Below is sample content:

<group name="pfsense,">
  <rule id="87700" level="0">
    <decoded_as>pf</decoded_as>
    <program_name>filterlog</program_name>
    <description>pfSense firewall rules grouped.</description>
  </rule>

  <!-- We don't log firewall events, because they go
    -  to their own log file.
    -->
  <rule id="87701" level="5" overwrite="yes">
    <if_sid>87700</if_sid>
    <action>block</action>
    <description>pfSense firewall drop event.</description>
    <group>firewall_block,pci_dss_1.4,gpg13_4.12,hipaa_164.312.a.1,nist_800_53_SC.7,tsc_CC6.7,tsc_CC6.8,</group>
  </rule>

  <rule id="87702" level="10" frequency="18" timeframe="45" ignore="240">
    <if_matched_sid>87701</if_matched_sid>
    <same_source_ip />
    <description>Multiple pfSense firewall blocks events from same source.</description>
    <mitre>
      <id>T1110</id>
    </mitre>
    <group>multiple_blocks,pci_dss_1.4,pci_dss_10.6.1,gpg13_4.12,hipaa_164.312.a.1,hipaa_164.312.b,nist_800_53_SC.7,nist_800_53_AU.6,tsc_CC6.7,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>
</group>

In the example above, I removed <options>no_log</options> from rule 87701 and added overwrite="yes" to it, so that the custom rule replaces the stock one instead of clashing with its id.
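As an added example (not code from this guide or from Wazuh), the following Python script automates the edit just described: it takes the stock rule text, sets overwrite="yes" on rule 87701, removes its <options>no_log</options>, and checks the result. The stock text embedded in it is a constructed excerpt of 0540-pfsense_rules.xml.

```python
import xml.etree.ElementTree as ET

# Constructed excerpt of the stock 0540-pfsense_rules.xml (comment omitted),
# used as sample input; in practice read the real file from the Wazuh ruleset.
STOCK_RULES = """
<group name="pfsense,">
  <rule id="87700" level="0">
    <decoded_as>pf</decoded_as>
    <program_name>filterlog</program_name>
    <description>pfSense firewall rules grouped.</description>
  </rule>
  <rule id="87701" level="5">
    <if_sid>87700</if_sid>
    <action>block</action>
    <options>no_log</options>
    <description>pfSense firewall drop event.</description>
    <group>firewall_block,pci_dss_1.4,</group>
  </rule>
</group>
"""


def build_override(stock_xml: str, rule_id: str = "87701") -> str:
    """Copy the stock rules, set overwrite="yes" on rule_id and strip no_log."""
    # Wazuh rule files may hold several top-level <group> elements, which is not
    # well-formed XML, so parse inside a throwaway wrapper element.
    root = ET.fromstring(f"<wazuh_rules>{stock_xml}</wazuh_rules>")
    rules = root.findall(f".//rule[@id='{rule_id}']")
    if len(rules) != 1:
        raise ValueError(f"expected one rule {rule_id}, found {len(rules)}")
    rule = rules[0]
    rule.set("overwrite", "yes")  # without it the manager reports a duplicate rule id
    for opt in rule.findall("options"):
        if (opt.text or "").strip() == "no_log":
            rule.remove(opt)  # without no_log the rule now produces an alert
    # Emit the <group> elements without the wrapper, as Wazuh expects.
    return "\n".join(ET.tostring(g, encoding="unicode") for g in root.findall("group"))


def override_is_correct(override_xml: str, rule_id: str = "87701") -> bool:
    """Check what the manager needs: overwrite set and no no_log left on the rule."""
    root = ET.fromstring(f"<wazuh_rules>{override_xml}</wazuh_rules>")
    rule = root.find(f".//rule[@id='{rule_id}']")
    if rule is None or rule.get("overwrite") != "yes":
        return False
    return not any((o.text or "").strip() == "no_log" for o in rule.findall("options"))

if __name__ == "__main__":
    print(build_override(STOCK_RULES))
```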

Then press Save and Restart, and confirm the restart.

You should now receive firewall block events from the Wazuh agent on pfSense.