Wazuh + PfSense


Brenno Garcia

Nov 17, 2025, 10:30:56 AM (5 days ago) Nov 17
to Wazuh | Mailing List
Hello,

I'm using Wazuh single node in Docker.

I have some rules for pfSense logs and I'd like to create rules for IPsec VPN enable/disable.

The rules are working properly, but I need to fix some cases.
Ex:
These logs are from the same IPsec VPN, so I want to suppress based on conXX repetition.
The decoder is already able to capture the conXX before the _
Nov 14 19:51:56 hostname charon[77809] 08[CFG] installing 'con34_49' hostname
Nov 14 19:51:56 hostname charon[77809] 08[CFG] installing 'con34_48' hostname

but my rules 883043 and 883044 aren't triggering
<rule id="883040" level="3">
    <decoded_as>openvpn-pfsense-ipsec</decoded_as>
    <status>^installing</status>
    <description>Tunel IPSec $(tunel) habilitado no host $(hostname)</description>
</rule>

<rule id="883041" level="3">
    <decoded_as>openvpn-pfsense-ipsec</decoded_as>
    <status>uninstalling</status>
    <description>Tunel IPSec $(tunel) desabilitado no host $(hostname)</description>
</rule>

<rule id="883043" level="0" ignore="1" timeframe="1">
    <if_matched_sid>883040</if_matched_sid>
    <same_field>tunel</same_field>
    <description>Supressao: evitar repetcao tunel IPSec habilitado</description>
</rule>

<rule id="883044" level="0" ignore="1" timeframe="1">
    <if_matched_sid>883041</if_matched_sid>
    <same_field>tunel</same_field>
    <description>Supressao: evitar repeticao do tunel IPSec desabilitado</description>
</rule>

Benjamin Nworah

Nov 17, 2025, 3:25:03 PM (5 days ago) Nov 17
to Wazuh | Mailing List
Hello Brenno,

Please share with me the ipsec VPN logs that you want to suppress. Also share your decoder.

Brenno Garcia

Nov 19, 2025, 10:57:36 AM (3 days ago) Nov 19
to Wazuh | Mailing List
Hello, these logs are useful to me:

Nov 14 19:51:56 domain charon[77809] 08[CFG] installing 'con34_49' domain
Nov 14 19:51:56 domain charon[77809] 08[CFG] uninstalling 'con34_48' domain

I need only the installing/uninstalling logs from IPsec.

The other logs, which are useless:
Nov 19 13:04:47 domain charon[45008] 09[KNL] <con9|624447> querying policy 0.0.0.0/0|/0 === 0.0.0.0/0|/0 in failed, not found domain
Nov 19 13:04:47 domain charon[45008] 09[NET] <876927> received packet: from 189.89.223.109[500] to 172.15.3.4[500] (288 bytes) domain
Nov 19 13:04:47 domain charon[45008] 09[ENC] <876927> parsed ID_PROT request 0 [ SA V V V V V V V V V V ] domain
Nov 19 13:04:47 domain charon[45008] 09[IKE] <876927> no IKE config found for 172.15.3.4...189.89.223.109, sending NO_PROPOSAL_CHOSEN domain

Benjamin Nworah

Nov 20, 2025, 7:50:30 AM (3 days ago) Nov 20
to Wazuh | Mailing List
Hello Brenno,

Thank you for sharing the logs and more context to this case. I will revert shortly.

Benjamin Nworah

Nov 20, 2025, 9:03:19 AM (3 days ago) Nov 20
to Wazuh | Mailing List
Hello Brenno,

The decoder and rules below address your use case:

Decoder:
============

<decoder name="test123">
    <program_name>charon</program_name>
</decoder>

<decoder name="test_charon">
    <parent>test123</parent>
    <regex type="pcre2">\d+\[\S+\]\s*(\S+) '(\S+)' domain</regex>
    <order>status_ipsec_connection, ipsec_connection</order>
</decoder>


Rules
============

<rule id="883040" level="3">
    <decoded_as>test123</decoded_as>
    <field name="status_ipsec_connection" type="pcre2">^installing$</field>
    <description>The $(ipsec_connection) is being installed.</description>
</rule>

<rule id="883041" level="3">
    <decoded_as>test123</decoded_as>
    <field name="status_ipsec_connection" type="pcre2">^uninstalling$</field>
    <description>The $(ipsec_connection) is being uninstalled.</description>
</rule>


Testing your use case
=======================
[root@wazuh-server ~]# /var/ossec/bin/wazuh-logtest
Starting wazuh-logtest v4.11.0
Type one log per line


Nov 14 19:51:56 domain charon[77809] 08[CFG] installing 'con34_49' domain

**Phase 1: Completed pre-decoding.
        full event: 'Nov 14 19:51:56 domain charon[77809] 08[CFG] installing 'con34_49' domain'
        timestamp: 'Nov 14 19:51:56'
        hostname: 'domain'
        program_name: 'charon'

**Phase 2: Completed decoding.
        name: 'test123'
        ipsec_connection: 'con34_49'
        status_ipsec_connection: 'installing'

**Phase 3: Completed filtering (rules).
        id: '883040'
        level: '3'
        description: 'The con34_49 is being installed.'
        groups: '['local', 'syslog', 'sshd']'
        firedtimes: '1'
        mail: 'False'
**Alert to be generated.


Nov 14 19:51:56 domain charon[77809] 08[CFG] uninstalling 'con34_48' domain

**Phase 1: Completed pre-decoding.
        full event: 'Nov 14 19:51:56 domain charon[77809] 08[CFG] uninstalling 'con34_48' domain'
        timestamp: 'Nov 14 19:51:56'
        hostname: 'domain'
        program_name: 'charon'

**Phase 2: Completed decoding.
        name: 'test123'
        ipsec_connection: 'con34_48'
        status_ipsec_connection: 'uninstalling'

**Phase 3: Completed filtering (rules).
        id: '883041'
        level: '3'
        description: 'The con34_48 is being uninstalled.'
        groups: '['local', 'syslog', 'sshd']'
        firedtimes: '1'
        mail: 'False'
**Alert to be generated.


Nov 19 13:04:47 domain charon[45008] 09[KNL] <con9|624447> querying policy 0.0.0.0/0|/0 === 0.0.0.0/0|/0 in failed, not found domain

**Phase 1: Completed pre-decoding.
        full event: 'Nov 19 13:04:47 domain charon[45008] 09[KNL] <con9|624447> querying policy 0.0.0.0/0|/0 === 0.0.0.0/0|/0 in failed, not found domain'
        timestamp: 'Nov 19 13:04:47'
        hostname: 'domain'
        program_name: 'charon'

**Phase 2: Completed decoding.
        name: 'test123'

**Phase 3: Completed filtering (rules).
        id: '1002'
        level: '2'
        description: 'Unknown problem somewhere in the system.'
        groups: '['syslog', 'errors']'
        firedtimes: '1'
        gpg13: '['4.3']'
        mail: 'False'

Brenno Garcia

Nov 21, 2025, 11:37:39 AM (yesterday) Nov 21
to Wazuh | Mailing List
Hello,
The alerts were already working correctly with the previous decoders. What I'd like to know is if it's possible to make Wazuh reject these other logs, since they are very frequent and consume a lot of space.
I know there's a similar approach for Windows Event IDs.
I don't know if this is possible since these logs arrive via remote logs.
If it's also possible via localfile, I can write the logs there.

Benjamin Nworah

Nov 21, 2025, 1:59:52 PM (yesterday) Nov 21
to Wazuh | Mailing List

Hello Brenno,

If the logs are already reaching Wazuh, then unfortunately Wazuh cannot prevent them from being ingested.
The only way to stop these logs from arriving is to disable or filter them at the source system that is sending the logs.

However, you can prevent these logs from generating alerts or showing in the dashboard.
In your case, the specific logs you mentioned do not generate alerts by default, so they will not appear unless a custom rule elevates them.

If the logs come from a <localfile> block, then you can disable or remove that configuration to stop Wazuh from reading the file.
But for remote logs, they must be filtered or disabled at the origin.
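An added example illustrating the "prevent these logs from generating alerts" point (not Benjamin's or Wazuh's own ruleset): the thread's decoder with the trailing hostname no longer hard-coded as the redacted literal `domain`, plus a level 0 rule that explicitly swallows the KNL/NET/ENC/IKE negotiation chatter so that generic rules such as 1002 never fire on it. The decoder names, rule id 883045, the group name and the `\S+` hostname pattern are assumptions.

```xml
<!-- Added example, not the thread's own ruleset. -->
<!-- Decoders (local_decoder.xml). Parent: every charon line. -->
<decoder name="charon-ipsec">
  <program_name>charon</program_name>
</decoder>

<!-- Child: only the CFG install/uninstall lines. The trailing hostname is matched
     with \S+ instead of the literal 'domain' from the redacted samples (assumption). -->
<decoder name="charon-ipsec-state">
  <parent>charon-ipsec</parent>
  <regex type="pcre2">\d+\[CFG\]\s+(installing|uninstalling) '(\S+)' \S+$</regex>
  <order>status_ipsec_connection, ipsec_connection</order>
</decoder>

<!-- Rules (local_rules.xml). -->
<group name="local,syslog,ipsec,">
  <!-- Level 0: a matched line produces no alert at all. Restricted to the noisy
       subsystems so it can never swallow the CFG events the rules below need. -->
  <rule id="883045" level="0">
    <decoded_as>charon-ipsec</decoded_as>
    <regex type="pcre2">\d+\[(KNL|NET|ENC|IKE)\]</regex>
    <description>charon IKE/kernel negotiation chatter, silenced.</description>
  </rule>

  <rule id="883040" level="3">
    <decoded_as>charon-ipsec</decoded_as>
    <field name="status_ipsec_connection" type="pcre2">^installing$</field>
    <description>IPsec tunnel $(ipsec_connection) installed.</description>
  </rule>

  <rule id="883041" level="3">
    <decoded_as>charon-ipsec</decoded_as>
    <field name="status_ipsec_connection" type="pcre2">^uninstalling$</field>
    <description>IPsec tunnel $(ipsec_connection) uninstalled.</description>
  </rule>
</group>
```

Decoders go in /var/ossec/etc/decoders/local_decoder.xml and rules in /var/ossec/etc/rules/local_rules.xml; after restarting wazuh-manager, replay the six sample lines through /var/ossec/bin/wazuh-logtest and confirm the CFG lines still hit 883040/883041 while the KNL/NET/ENC/IKE lines land on 883045 with level 0.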
