pfSense on Wazuh


Gonçalo Antunes

Jun 6, 2023, 5:40:08 PM
to Wazuh mailing list
Hello everyone!

Ok, so I'm currently doing a bachelor's in computer science and I'm doing a project with a colleague, where we are using Wazuh.

We are using DigitalOcean to put Wazuh on the Internet and we have a virtual machine with the pfSense firewall.

Our problem here is that we can't see the pfSense syslogs on the Wazuh dashboard.

We already turned the logall_json option on and we put this block in the conf file:
  <remote>
    <connection>syslog</connection>
    <port>514</port>
    <protocol>udp</protocol>
    <allowed-ips>192.168.1.0/24</allowed-ips>
    <allowed-ips>172.16.1.0/24</allowed-ips>
    <local_ip>159.65.126.78</local_ip>
  </remote>
192.168.1.0 refers to the firewall's IP.

Initially we thought the problem was that this particular Wazuh is on the Internet, because when we tried it out on a Wazuh VM we had, it was receiving the logs.

Can somebody help me on this subject?
I'm sorry if this is a dumb question, but everything we know about Wazuh we had to look up online, and I found nothing helpful on this subject.
Thank you all!

Jose Camargo

Jun 6, 2023, 7:12:24 PM
to Wazuh mailing list
Hi Gonçalo,

This might be happening because the <allowed-ips> you're using seem to be private IPs, and as your Wazuh manager is on the internet, you should use the public IPs.
You can also try doing a tcpdump to check if logs are arriving at the Wazuh node:

tcpdump -i <interface> -A 'host <IP> and port 514 and udp'

If you do see results coming from your Firewall's IP, it might mean that you don't have the correct decoders/rules to create alerts based on the logs. For this, you'll have to create custom rules and decoders as explained here: https://documentation.wazuh.com/current/user-manual/ruleset/custom.html

I'll be awaiting your comments.

Regards,
Jose Camargo
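To make the allowed-ips point from the reply above concrete, here is an added example (not Wazuh's own code and not from either poster) that re-implements the decision the manager's syslog listener makes: a UDP datagram is accepted only if its source address falls inside one of the configured <allowed-ips> entries (single addresses or CIDR blocks); anything else is dropped before any decoder or rule ever sees it, which is exactly the situation where tcpdump shows packets arriving but nothing reaches the dashboard. The <remote> block quoted from the thread is used unchanged; the firewall's public address 203.0.113.10, the sender 198.51.100.7 and the syslog payloads are assumed placeholders (documentation ranges), not the poster's real values.

```python
"""Simulate Wazuh's <allowed-ips> check for a remote syslog listener.

Added example for this thread; it is not Wazuh code. It mimics the check the
manager applies to <connection>syslog</connection> datagrams: accept only when
the source address matches an <allowed-ips> entry, otherwise drop. Addresses
other than those quoted from the thread are assumed placeholders.
"""
import ipaddress
import xml.etree.ElementTree as ET

# <remote> block as posted in the thread: only private LAN ranges are allowed.
POSTED_REMOTE = """<ossec_config>
  <remote>
    <connection>syslog</connection>
    <port>514</port>
    <protocol>udp</protocol>
    <allowed-ips>192.168.1.0/24</allowed-ips>
    <allowed-ips>172.16.1.0/24</allowed-ips>
    <local_ip>159.65.126.78</local_ip>
  </remote>
</ossec_config>"""

# Corrected block: a manager on the Internet sees the firewall's public (WAN)
# address after NAT, so that address must be allowed. 203.0.113.10 is assumed.
CORRECTED_REMOTE = """<ossec_config>
  <remote>
    <connection>syslog</connection>
    <port>514</port>
    <protocol>udp</protocol>
    <allowed-ips>203.0.113.10</allowed-ips>
    <local_ip>159.65.126.78</local_ip>
  </remote>
</ossec_config>"""

# Constructed datagrams: (source IP as seen by the manager, syslog payload).
# The payloads are made-up syslog lines, not real pfSense output.
DATAGRAMS = [
    ("203.0.113.10", "<134>Jun  6 17:40:08 pfSense filterlog[23456]: constructed sample"),
    ("192.168.1.1", "<134>Jun  6 17:40:09 pfSense filterlog[23456]: constructed sample"),
    ("198.51.100.7", "<134>Jun  6 17:40:10 other-host test: unrelated sender"),
]


def allowed_networks(ossec_conf_xml):
    """Collect the <allowed-ips> entries of every syslog <remote> block as networks."""
    root = ET.fromstring(ossec_conf_xml)
    nets = []
    for remote in root.iter("remote"):
        if (remote.findtext("connection") or "").strip() != "syslog":
            continue  # agent connections are authenticated by key, not by this list
        for entry in remote.findall("allowed-ips"):
            # strict=False tolerates host bits in a CIDR entry; an entry without
            # a prefix length becomes a single /32 address.
            nets.append(ipaddress.ip_network(entry.text.strip(), strict=False))
    return nets


def is_allowed(source_ip, nets):
    """True if the datagram's source address matches any allowed network."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in nets)


def simulate(ossec_conf_xml, datagrams=DATAGRAMS):
    """Return {source_ip: 'accepted' | 'dropped'} for each constructed datagram."""
    nets = allowed_networks(ossec_conf_xml)
    return {src: ("accepted" if is_allowed(src, nets) else "dropped")
            for src, _payload in datagrams}


if __name__ == "__main__":
    for label, conf in (("posted", POSTED_REMOTE), ("corrected", CORRECTED_REMOTE)):
        print(f"{label} <remote> block:")
        for src, verdict in simulate(conf).items():
            print(f"  {src:<15} {verdict}")
```

With the posted block, the datagram from the firewall's public address is dropped while one from 192.168.1.1 would be accepted, which is the opposite of what a manager on the Internet needs; the corrected block accepts the public address only. Two further checks worth doing on the manager: look in /var/ossec/logs/ossec.log for warnings about rejected syslog senders, and remember that logall_json only writes every received event to archives.json, which the dashboard does not show by default; only events that match a rule become alerts.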