PfSense & Wazuh: Tutorial On Centralized Log Monitoring

Hey guys! Ever wondered how to get those valuable logs from your pfSense firewall into Wazuh for some serious security monitoring? Well, you've come to the right place! This tutorial will walk you through the process, step by step, making sure you don't miss a thing. We'll cover everything from setting up pfSense to configuring Wazuh to receive and analyze those logs. So, buckle up and let's dive in!

Why Integrate pfSense Logs with Wazuh?

Before we jump into the how-to, let's quickly chat about the why. Integrating pfSense logs with Wazuh is like giving your security a super boost. pfSense is fantastic for firewalling, routing, and all sorts of network magic, but its logs alone are like puzzle pieces scattered on a table. Wazuh, on the other hand, is the puzzle solver! It takes those logs, puts them together, and paints a clear picture of what's happening on your network. You will gain comprehensive network visibility.

Here's why this integration is a game-changer:

  • Real-time Threat Detection: Wazuh analyzes logs in real-time, meaning it can spot suspicious activity as it happens. Think of it as having a vigilant security guard watching your network 24/7.
  • Security Incident Response: When something does go wrong, Wazuh provides the context you need to respond effectively. It's like having a detailed incident report ready to go, saving you time and stress.
  • Compliance: Many security standards require log analysis. Integrating pfSense with Wazuh helps you meet these requirements, keeping you on the right side of the rules.
  • Centralized Log Management: No more hunting through different systems for logs! Wazuh brings everything together in one place, making your life much easier.
  • In-depth Analysis: Wazuh doesn't just store logs; it analyzes them. It looks for patterns, anomalies, and known threats, giving you a much deeper understanding of your security posture.

So, now that we're all on the same page about the benefits, let's get our hands dirty with the configuration!

Prerequisites

Before we get started, let's make sure you have everything you need. Think of this as gathering your tools before starting a project. Here's what you'll need:

  • A Running pfSense Instance: Obviously, you'll need a pfSense firewall up and running. Make sure you have administrative access.
  • A Wazuh Server: You'll need a Wazuh server installed and configured. If you don't have one yet, check out the official Wazuh documentation for installation instructions. It's easier than you might think!
  • Network Connectivity: Your pfSense firewall and Wazuh server need to be able to talk to each other. Make sure there are no firewall rules blocking communication between them.
  • Basic Networking Knowledge: A little understanding of networking concepts like IP addresses, ports, and protocols will go a long way.
  • Text Editor: You'll need a text editor to modify configuration files. Notepad++, Sublime Text, or even the built-in Notepad on Windows will do the trick.

Got all that? Great! Let's move on to the first step: configuring pfSense.

Step 1: Configuring pfSense to Send Logs

The first part of our adventure involves telling pfSense to send its logs to our Wazuh server. We'll be using the Remote Logging feature in pfSense to forward logs via the syslog protocol. Syslog is like a universal language for logs, making it easy for different systems to communicate.

Here's how to do it:

  1. Log in to your pfSense web interface: Open your web browser and navigate to the IP address of your pfSense firewall. Log in using your administrative credentials.
  2. Navigate to Status > System Logs > Settings: This is where we'll configure the remote logging settings.
  3. Enable Remote Logging: Check the box labeled "Enable Remote Logging". This is the big switch that turns on log forwarding.
  4. Add a Remote Log Server:
    • Click the "Add" button to add a new remote log server.
    • Source Address: Select the interface that pfSense will use to send logs. Usually, this will be your LAN or WAN interface.
    • Protocol: Choose "UDP" as the protocol. UDP is a lightweight protocol that's well-suited for log forwarding.
    • IP Address: Enter the IP address of your Wazuh server. This is where the logs will be sent.
    • Port: Enter the port number that Wazuh is listening on for syslog messages. The default port is 514, but you might have changed it during Wazuh installation. Be sure to double-check your Wazuh configuration.
    • Log Format: Keep the default "BSD" log format.
    • Description: Give your log server a descriptive name, like "Wazuh Server".
  5. Save the Settings: Click the "Save" button to save your changes. pfSense will now start sending logs to your Wazuh server.
  6. Configure specific logs to be sent:
    • Navigate to Status > System Logs > System, Status > System Logs > Firewall, or the other log tabs to set the log options for each log type.
    • Select which logs you want to forward to Wazuh, like system events, firewall logs, or DHCP logs. The more logs you send, the more visibility you'll have in Wazuh, but be mindful of the potential for log volume to become overwhelming.
    • Click the "Save" button to save your log options settings.

That's it for the pfSense side! Now, let's head over to the Wazuh server and get it ready to receive these logs.

Step 2: Configuring Wazuh to Receive pfSense Logs

Now that pfSense is sending logs, we need to configure Wazuh to receive and process them. This involves a few steps on the Wazuh server itself.

  1. Access your Wazuh server: Log in to your Wazuh server via SSH or however you typically access it. You'll need administrative privileges to modify the Wazuh configuration files.
  2. Edit the ossec.conf file: This is the main configuration file for Wazuh. You'll find it in the /var/ossec/etc/ directory. Use your favorite text editor to open it.
    sudo vi /var/ossec/etc/ossec.conf
    
  3. Add a <syslog_server> block: We need to tell Wazuh to listen for syslog messages. Add the following block within the <ossec_config> section of the ossec.conf file:
    <syslog_server>
      <port>514</port>
      <protocol>udp</protocol>
      <allowed-ips>192.168.1.1</allowed-ips> <!-- Replace with your pfSense IP address -->
    </syslog_server>
    
    • <port>: This should match the port you configured in pfSense (usually 514).
    • <protocol>: This should also match the protocol you chose in pfSense (UDP).
    • <allowed-ips>: This is a crucial security setting. Replace 192.168.1.1 with the IP address of your pfSense firewall. This tells Wazuh to only accept syslog messages from this IP address, preventing unauthorized systems from sending logs.
    • If you have multiple pfSense firewalls, you can add multiple <allowed-ips> entries.
  4. (Optional) Configure Log Decoding: Wazuh uses decoders to parse logs and extract meaningful information. For pfSense logs, Wazuh usually has built-in decoders that work well. However, if you need to customize the decoding, you can create or modify decoders in the /var/ossec/etc/decoders/ directory.
  5. (Optional) Configure Rules: Wazuh uses rules to analyze logs and generate alerts. Similar to decoders, Wazuh has a set of rules for common log formats, including pfSense. If you want to customize the alerting behavior, you can create or modify rules in the /var/ossec/etc/rules/ directory.
  6. Save the ossec.conf file: Save your changes and exit the text editor.
  7. Restart the Wazuh manager: For the changes to take effect, you need to restart the Wazuh manager service. Use the following command:
    sudo systemctl restart wazuh-manager
    
  8. Verify Wazuh is listening: You can verify that Wazuh is listening on the specified port using the netstat command:
    sudo netstat -lnup | grep 514
    
    You should see a line indicating that Wazuh is listening on port 514 (or whatever port you configured).

With these steps completed, Wazuh is now ready to receive and process pfSense logs!
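To see what the Wazuh decoders mentioned in step 4 actually have to work with, here is an added example (not part of the original tutorial or of Wazuh) that parses the BSD syslog header and the comma-separated filterlog message that pfSense emits for firewall events, then aggregates blocked inbound connections per source, the kind of correlation a rule would do. The sample lines are constructed; the field order follows the pfSense filterlog format for IPv4 TCP/UDP, and IPv6 lines are intentionally left unexpanded.

```python
import re
from collections import Counter

# Constructed sample messages in the form pfSense forwards over BSD syslog.
SAMPLE_LINES = [
    "<134>Mar 14 09:06:22 pfsense filterlog[1234]: 5,,,1000000103,em0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,203.0.113.7,192.168.1.10,41000,22,0,S,1,,1024,,",
    "<134>Mar 14 09:06:23 pfsense filterlog[1234]: 5,,,1000000103,em0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,203.0.113.7,192.168.1.10,41001,22,0,S,1,,1024,,",
    "<134>Mar 14 09:06:24 pfsense filterlog[1234]: 5,,,1000000103,em0,match,block,in,4,0x0,,64,0,0,none,17,udp,78,203.0.113.9,192.168.1.10,5353,53,58",
    "<134>Mar 14 09:06:25 pfsense filterlog[1234]: 7,,,1000000105,em0,match,pass,out,4,0x0,,64,0,0,DF,6,tcp,60,192.168.1.10,198.51.100.5,50000,443,0,S,1,,1024,,",
    "<38>Mar 14 09:06:26 pfsense sshd[555]: Accepted publickey for admin from 192.168.1.20 port 5555 ssh2",
]

# BSD syslog header: <PRI>Mmm dd hh:mm:ss host tag[pid]: message
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[\w\-]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
COMMON = ["rule", "subrule", "anchor", "tracker", "iface", "reason", "action", "direction", "ipver"]
IPV4 = ["tos", "ecn", "ttl", "id", "offset", "flags", "proto_id", "proto", "length", "src", "dst"]
PORTS = ["sport", "dport"]

def parse_syslog(line):
    """Split the header; PRI encodes facility*8 + severity (134 = local0.info)."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m["pri"])
    return {"facility": pri // 8, "severity": pri % 8, "host": m["host"],
            "tag": m["tag"], "msg": m["msg"]}

def parse_filterlog(msg):
    """Map the filterlog CSV fields to names; IPv4 TCP/UDP only."""
    f = msg.split(",")
    rec = dict(zip(COMMON, f[:9]))
    if rec.get("ipver") != "4":
        return rec  # IPv6 layout differs and is not handled here
    rec.update(zip(IPV4, f[9:20]))
    if rec.get("proto") in ("tcp", "udp"):
        rec.update(zip(PORTS, f[20:22]))
    return rec

def blocked_by_source(lines):
    """Count blocked inbound events per (source address, destination port)."""
    counts = Counter()
    for line in lines:
        rec = parse_syslog(line)
        if not rec or rec["tag"] != "filterlog":
            continue
        fw = parse_filterlog(rec["msg"])
        if fw.get("action") == "block" and fw.get("direction") == "in":
            counts[(fw["src"], fw.get("dport"))] += 1
    return dict(counts)
```

If a line fails `parse_syslog`, it will not match Wazuh's syslog header handling either, which is usually the first thing to check when logs arrive but are not decoded.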

Step 3: Testing the Integration

Now comes the fun part: testing to make sure everything is working! We want to see those pfSense logs flowing into Wazuh and triggering alerts as expected.

Here's how to test the integration:

  1. Generate some pfSense logs: The easiest way to do this is to perform some actions on your network that will generate log entries. For example:
    • Try accessing a website that's blocked by your firewall rules. This should generate a firewall log entry.
    • Log in and out of the pfSense web interface. This will generate authentication log entries.
    • If you have DHCP enabled, let a device connect to your network. This will generate DHCP log entries.
  2. Check the Wazuh dashboard: Log in to your Wazuh dashboard (usually accessible via a web browser). Navigate to the "Security Events" or "Events" section. You should start seeing events related to your pfSense firewall.
  3. Filter for pfSense events: You can filter the events by source IP address to see only the logs coming from your pfSense firewall. This makes it easier to verify that the integration is working correctly.
  4. Look for specific events: If you performed specific actions to generate logs (like accessing a blocked website), look for those events in the Wazuh dashboard. This will confirm that Wazuh is correctly parsing and analyzing the pfSense logs.
  5. Check Wazuh alerts: If you have rules configured to generate alerts for certain events (like firewall blocks or suspicious login attempts), make sure those alerts are being triggered. This is a crucial step to ensure that Wazuh is actively monitoring your network for threats.
  6. Examine the Wazuh logs: If you're not seeing the logs in the dashboard, you can check the Wazuh logs themselves. The Wazuh manager logs are located in /var/ossec/logs/ossec.log. Look for any error messages or warnings related to syslog reception or log processing.

If you're seeing pfSense logs in the Wazuh dashboard and alerts are being triggered as expected, congratulations! You've successfully integrated pfSense with Wazuh. If not, don't worry! Go back through the steps and double-check your configuration. Common issues include incorrect IP addresses, port numbers, or firewall rules blocking communication.
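When you would rather not wait for real traffic, an added example (not from the tutorial or from Wazuh) that builds a BSD-format syslog line and sends it as a single UDP datagram to the listener configured in step 2. Because the path is UDP, a TCP check such as telnet does not exercise it; this does. The filterlog payload and the host/port values are constructed, and the sending host must be one of the addresses in `<allowed-ips>` or Wazuh will silently drop the datagram, which is itself a useful check of that setting.

```python
import socket
import time

# Constructed filterlog payload: a blocked inbound TCP connection to port 22.
TEST_PAYLOAD = "5,,,1000000103,em0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,203.0.113.7,192.168.1.10,41000,22,0,S,1,,1024,,"

def bsd_timestamp(t=None):
    """'Mmm dd hh:mm:ss' with a space-padded day, as BSD syslog expects."""
    t = t or time.localtime()
    return f"{time.strftime('%b', t)} {t.tm_mday:2d} {time.strftime('%H:%M:%S', t)}"

def build_bsd_syslog(msg, facility=16, severity=6, host="pfsense", tag="filterlog", ts=None):
    """PRI is facility*8 + severity; local0 (16) + info (6) gives <134>."""
    pri = facility * 8 + severity
    return f"<{pri}>{ts or bsd_timestamp()} {host} {tag}: {msg}"

def send_test_syslog(wazuh_ip, port=514, line=None):
    """Send one datagram to the Wazuh syslog listener; returns bytes sent."""
    line = line or build_bsd_syslog(TEST_PAYLOAD)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.sendto(line.encode(), (wazuh_ip, port))

if __name__ == "__main__":
    # Replace with your Wazuh server address; then check the dashboard or
    # /var/ossec/logs/ossec.log for the event or for a rejected-source message.
    print(send_test_syslog("192.168.1.100"), "bytes sent")
```
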

Troubleshooting Common Issues

Even with the best instructions, things can sometimes go wrong. Let's look at some common issues you might encounter and how to fix them.

  • No logs are appearing in Wazuh:
    • Check network connectivity: Make sure your pfSense firewall can reach your Wazuh server on the specified port. Use ping and telnet to test connectivity.
    • Verify IP addresses: Double-check that the IP address of your Wazuh server is correctly configured in pfSense and that the IP address of your pfSense firewall is allowed in the Wazuh ossec.conf file.
    • Check firewall rules: Ensure that there are no firewall rules blocking traffic between pfSense and Wazuh.
    • Restart services: Try restarting the Wazuh manager service and the syslog service on pfSense.
  • Logs are appearing, but not being parsed correctly:
    • Check the log format: Make sure you're using the correct log format (BSD) in pfSense.
    • Review Wazuh decoders: If the logs are not being parsed correctly, you might need to adjust the Wazuh decoders. Check the /var/ossec/etc/decoders/ directory for relevant decoder files.
  • Alerts are not being triggered:
    • Check Wazuh rules: Make sure you have rules configured to generate alerts for the events you're interested in. Check the /var/ossec/etc/rules/ directory for rule files.
    • Review rule syntax: If alerts are not being triggered, there might be an error in your rule syntax. Use the Wazuh documentation to verify your rule syntax.
  • High log volume:
    • Filter logs in pfSense: You can configure pfSense to send only specific types of logs to Wazuh. This can help reduce the log volume.
    • Adjust Wazuh rules: You can adjust Wazuh rules to filter out less important events and reduce the number of alerts.

Remember, the Wazuh documentation is your best friend when troubleshooting. It's packed with information and examples to help you resolve issues.

Conclusion

And there you have it! You've successfully integrated pfSense logs with Wazuh, giving your network security a major upgrade. By following these steps, you've created a powerful security monitoring solution that will help you detect threats, respond to incidents, and maintain compliance. This integration enhances your network security significantly.

Remember, security is an ongoing process. Regularly review your Wazuh configuration, update your rules and decoders, and stay informed about the latest threats. Keep those logs flowing, and stay secure!