Combining pfSense Agent and Syslog Log Collection


Julio Cesar

Aug 21, 2025, 4:30:43 AM
to Wazuh | Mailing List
Is there a way to collect logs from the pfSense agent, which I have been able to gather so far, but only for certain operations? For this reason, I would like to know if it is possible to collect logs via syslog-ng or any other method, effectively combining both approaches.  

diego....@wazuh.com

Aug 21, 2025, 6:09:02 AM
to Wazuh | Mailing List
You can accomplish this by using Rsyslog: https://documentation.wazuh.com/current/cloud-service/your-environment/send-syslog-data.html
We highly recommend the use of Rsyslog over other log forwarding systems.
Here's an example of how to integrate pfSense with Wazuh so it monitors your logs. After installing Rsyslog in an agent, you can configure it in order to read files in ossec.conf like the example below.
In /var/ossec/etc/ossec.conf in your Wazuh Server, you can add this:

<localfile>
  <log_format>syslog</log_format>
  <!-- replace FILE_NAME.log with the file Rsyslog writes the forwarded pfSense logs to -->
  <location>/var/log/<FILE_NAME.log></location>
</localfile>

You will also need rules and possibly decoders for your logs. Please review the attached documentation.
https://documentation.wazuh.com/current/user-manual/ruleset/rules/custom.html
https://documentation.wazuh.com/current/user-manual/ruleset/decoders/custom.html
You can also provide us with some sanitized logs, and we can create a sample set of rules and decoders to help you continue developing your own. If you need more help, don't hesitate to contact us.

Julio Cesar

Aug 23, 2025, 6:26:17 AM
to Wazuh | Mailing List

Thank you. I used Suricata’s JSON implementation to configure it directly on pfSense. After that, I tested it further using the pfSense logs, and it worked.

However, through the agent, I’m only able to collect LAN information, whereas I’d like to collect data primarily from the WAN. Is there anything related to this that I should be aware of?


diego....@wazuh.com

Sep 3, 2025, 3:42:55 AM
to Wazuh | Mailing List
Hi,
That configuration is performed in Suricata. Wazuh is now configured to receive the logs you selected, either WAN, LAN, or both.
If you wish to know how to configure Suricata, you may check the official documentation or discussions, for instance: https://www.reddit.com/r/PFSENSE/comments/g57z6m/suricata_lan_or_wan_or_both/
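A quick check for the point above, added here and not part of the thread or of Wazuh's or Suricata's own code: before touching the Wazuh side, confirm which Suricata interfaces are actually producing events in eve.json. The sample lines and the igb0 = WAN / igb1 = LAN mapping are constructed assumptions.

```python
import json
from collections import Counter

# Constructed sample of Suricata EVE JSON lines (not from the thread). On
# pfSense each Suricata instance is bound to one interface, and "in_iface"
# records which one saw the packet. Here only the LAN instance (igb1) has
# produced anything; a garbled line is included to show it is skipped.
SAMPLE_EVE = """\
{"timestamp":"2025-08-23T10:00:01.000000-0300","event_type":"alert","in_iface":"igb1","src_ip":"192.0.2.10","dest_ip":"198.51.100.7","alert":{"signature":"ET POLICY Example","severity":3}}
{"timestamp":"2025-08-23T10:00:02.000000-0300","event_type":"flow","in_iface":"igb1","src_ip":"192.0.2.10","dest_ip":"198.51.100.7"}
{"timestamp":"2025-08-23T10:00:03.000000-0300","event_type":"alert","in_iface":"igb1","src_ip":"192.0.2.11","dest_ip":"198.51.100.7","alert":{"signature":"ET POLICY Example","severity":3}}
not json at all
"""


def events_per_interface(eve_text, event_type="alert"):
    """Count EVE events of one type by the interface that captured them."""
    counts = Counter()
    for line in eve_text.splitlines():
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # eve.json is line-delimited; skip partial or garbled lines
        if ev.get("event_type") != event_type:
            continue
        counts[ev.get("in_iface", "<unknown>")] += 1
    return dict(counts)


def missing_interfaces(eve_text, expected):
    """Return the interfaces in `expected` that produced no alerts at all."""
    seen = events_per_interface(eve_text)
    return sorted(set(expected) - set(seen))


if __name__ == "__main__":
    # Hypothetical pfSense interface mapping: igb0 = WAN, igb1 = LAN.
    print(events_per_interface(SAMPLE_EVE))                  # {'igb1': 2}
    print(missing_interfaces(SAMPLE_EVE, ["igb0", "igb1"]))  # ['igb0']
```

If the WAN interface is listed as missing, the gap is on the Suricata side (no instance bound to that interface), not in the Wazuh agent or its localfile configuration.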