pfSense Wazuh client


Mike Masino

Oct 10, 2019, 10:14:32 PM
to wa...@googlegroups.com
Hi all,
I am wondering if there are any good docs on setting up pfSense to work with Wazuh. I am not seeing an OpenBSD package in the "Installing Wazuh agent" docs.

Mike 

David Vidriales

Oct 11, 2019, 10:58:21 AM
to Wazuh mailing list
Hi Mike,

We currently don't build OpenBSD packages. Nonetheless, you can try to compile Wazuh from source on OpenBSD (it should work just fine). These are the basic steps you should take:
1) Execute pkg_add gmake git libtool to install the necessary dependencies.
2) Clone the branch of the Wazuh version that you want to install (example for 3.10.2): git clone -b v3.10.2 https://github.com/wazuh/wazuh.git
3) I've tried it myself and found a couple of easy-to-fix errors. You must include the following libraries:

In wazuh/src/headers/list_op.h:
#ifndef _OS_LIST
#define _OS_LIST
 
#include "pthreads_op.h"

In wazuh/src/headers/pthreads_op.h:
#ifndef PTHREADS_OP_H
#define PTHREADS_OP_H
 
#include <pthread.h>
4) After that, execute: gmake deps && gmake TARGET=agent
5) In wazuh, execute ./install.sh and follow the instructions.

Depending on your use case there may be some alternatives. As far as I've seen, pfSense is router/firewall software based on FreeBSD. My guess (correct me if I'm wrong) is that you want Wazuh to collect the pfSense logs and generate alerts based on them.
If that's the case, you can configure the syslog service on your OpenBSD machine to send those logs to a Wazuh manager. This is explained in https://www.ibm.com/support/knowledgecenter/en/SS42VS_DSM/com.ibm.dsm.doc/t_DSM_guide_OpenBSD_syslog.html?cp=SS42VS_7.3.2

You should also configure a remote syslog block in your manager (as explained in https://documentation.wazuh.com/3.10/user-manual/reference/ossec-conf/remote.html):

  <remote>
    <connection>syslog</connection>
    <port>514</port>
    <protocol>udp</protocol>
    <allowed-ips>IPS_OR_NET</allowed-ips>
    <local_ip>MANAGER_IP</local_ip>
  </remote>

Once you've configured and restarted both, you should receive the logs collected by syslog in your manager (you can see them in /var/ossec/logs/archives/archives.log once you've activated the <logall> option in the <global> block of your manager's configuration).

In either of those two cases (whether you compile and install the Wazuh agent on OpenBSD or configure syslog to send the pfSense messages to Wazuh), keep in mind that it is probable that you will need to create rules for the pfSense logs. Once you have the logs I can help you create an example rule for that (explained in https://documentation.wazuh.com/3.10/user-manual/ruleset/custom.html).

I hope you find this helpful. If you have any trouble, whether compiling Wazuh for OpenBSD or configuring Wazuh to receive syslog messages, don't hesitate to reply to this mail with your questions.

Kind regards,
David
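The five build steps above, scripted as an added example (not code from this thread or from the Wazuh project). It assumes the v3.10.2 tag, that the Makefile lives under wazuh/src, and that the two headers look like the excerpts quoted (guard macros _OS_LIST and PTHREADS_OP_H). The header fix is applied with awk and is idempotent; the package install, clone and build only run when WAZUH_BUILD=1, so by default the script exercises the header fix on a constructed copy of the two headers, which lets you check the patch logic before touching a real checkout.

```shell
#!/bin/sh
# Added example, not code from the thread or the Wazuh project.
# Scripts the OpenBSD build steps from the reply above. Assumptions:
# Wazuh tag v3.10.2, the Makefile under wazuh/src, and the include-guard
# macro names quoted in the reply (_OS_LIST, PTHREADS_OP_H).
set -eu

WAZUH_TAG="${WAZUH_TAG:-v3.10.2}"
SRC_DIR="${SRC_DIR:-$PWD/wazuh}"

# Insert line $3 right after "#define $2" in header $1, unless already present.
add_include_after_guard() {
  file=$1; guard="#define $2"; inc=$3
  if grep -qxF -- "$inc" "$file"; then
    return 0                     # already patched: keep the edit idempotent
  fi
  awk -v guard="$guard" -v inc="$inc" '
    { print }
    $0 == guard && !done { print ""; print inc; done = 1 }
  ' "$file" > "$file.tmp"
  mv "$file.tmp" "$file"
  grep -qxF -- "$inc" "$file"    # fail loudly if the guard line was not found
}

# The two fixes from the reply: list_op.h must pull in pthreads_op.h,
# and pthreads_op.h must pull in <pthread.h>.
fix_headers() {
  hdr="$1/src/headers"
  add_include_after_guard "$hdr/list_op.h" _OS_LIST '#include "pthreads_op.h"'
  add_include_after_guard "$hdr/pthreads_op.h" PTHREADS_OP_H '#include <pthread.h>'
}

# Steps 1, 2, 4 and 5 of the reply. Needs root on OpenBSD and network access.
build_agent() {
  pkg_add gmake git libtool
  [ -d "$SRC_DIR" ] || git clone -b "$WAZUH_TAG" https://github.com/wazuh/wazuh.git "$SRC_DIR"
  fix_headers "$SRC_DIR"
  (cd "$SRC_DIR/src" && gmake deps && gmake TARGET=agent)
  (cd "$SRC_DIR" && ./install.sh)
}

# Constructed stand-in for the two headers (guard lines only, as in the
# reply's excerpt) so fix_headers can be exercised without a checkout.
make_sample_tree() {
  d=$(mktemp -d)
  mkdir -p "$d/src/headers"
  printf '#ifndef _OS_LIST\n#define _OS_LIST\n\n/* ... */\n#endif\n' > "$d/src/headers/list_op.h"
  printf '#ifndef PTHREADS_OP_H\n#define PTHREADS_OP_H\n\n/* ... */\n#endif\n' > "$d/src/headers/pthreads_op.h"
  echo "$d"
}

if [ "${WAZUH_BUILD:-0}" = 1 ]; then
  build_agent
else
  demo=$(make_sample_tree)
  fix_headers "$demo"
  grep -n 'include' "$demo"/src/headers/*.h   # show where the lines landed
  rm -rf "$demo"
fi
```

Run it once without WAZUH_BUILD to see the two includes land right after the guard defines, then `WAZUH_BUILD=1 sh build-wazuh-agent.sh` as root on the OpenBSD box to perform the actual clone, patch and build; the final `./install.sh` step is interactive, as the reply says.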

Rick Gutierrez

Oct 28, 2019, 9:23:56 PM
to David Vidriales, Wazuh mailing list


Hi David, at the end of this week and the next I am doing tests. I have several pfSense boxes and I need to connect them to Wazuh to see the firewall traffic. I will keep you informed.

Regards!!



David Vidriales

Oct 29, 2019, 6:45:52 AM
to Wazuh mailing list
Hi Rick,

Of course, let me know if you experience any troubles.

Best regards,
David

On Tuesday, October 29, 2019 at 2:23:56 AM UTC+1, Rick Gutierrez wrote:

Rick Gutierrez

Nov 5, 2019, 9:22:37 PM
to David Vidriales, Wazuh mailing list
On Tue, 29 Oct 2019 at 4:45, David Vidriales
(<david.v...@wazuh.com>) wrote:
>
> Hi Rick,
>
> Of course, let me know if you experience any troubles.
>
> Best regards,
> David
>
> On Tuesday, October 29, 2019 at 2:23:56 AM UTC+1, Rick Gutierrez wrote:
>>


Hi David, I followed your instructions, but it generates an error
when compiling wazuh-agent on pfSense 2.4.4.

See the attached screenshot (jpg).

Regards!!


--
rickygm

http://gnuforever.homelinux.com
Attachment: make-pfsense.jpg

Eva Lopez

Nov 8, 2019, 12:04:48 PM
to Wazuh mailing list

Hello Rick,

This error may be because it isn't possible to compile on pfSense. To install Wazuh you can compile on FreeBSD and move the binaries to pfSense.
You can read more about compiling software for pfSense here.

The FreeBSD version to compile Wazuh for pfSense 4.2.2 is version 11.2.
You can see the versions table at the following link.

I hope it helps you.
If the error appears in FreeBSD, let us know. Also, attach more information about the OS version and the steps used for compilation and installation.

Best regards,
Eva
