Another approach is that with Wazuh, you can monitor pretty much anything that has a log. OPNsense needs to have a log file which you most likely have configured by now. Then, you can configure the collection of that log file:
Configuring Wazuh to collect that log: Wazuh's Log data collection documentation gives an overview of how to collect logs with Wazuh.
Here you can learn how to write decoders and rules, which is the part you are left with.
To create a decoder, you can leverage Custom rules and decoders - Ruleset · Wazuh documentation which explains the process. Below is how to go about it:
From your Dashboard. → Wazuh Menu → Management → Decoder
Click on Custom Decoders → Add new decoders file
Save the new decoder file with a name of your choice and modify the file based on the instructions in Custom rules and decoders - Ruleset · Wazuh documentation to suit your logs.
During the creation, also bear in mind to take advantage of our RegEx (Regular Expression Syntax - Ruleset XML syntax · Wazuh documentation), which can help in creating complex decoders.
Save the decoder and restart the manager.
Test your new decoder using the Wazuh testing tool with sample logs that have been ingested into the Wazuh environment.
Here are also some previous users who have had to create OPNsense decoders, which might be a great start for your use case:
https://groups.google.com/g/wazuh/c/iYBTHZLer5U/m/0tvFv0TXAQAJ
https://groups.google.com/g/wazuh/c/TefUGoZXC_I/m/Pi-vrMDyBwAJ
https://wazuh.slack.com/archives/C0A933R8E/p1687778716295019
I hope this helps with your concern.
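To make the steps above concrete, here is an added, self-contained example of the three pieces the answer describes: a localfile entry to collect the OPNsense firewall log, a custom decoder for the filterlog lines, and rules built on top of it. It is not code from the original post or from the Wazuh project; the log path `/var/log/opnsense/filter.log`, the decoder names, the rule IDs 100100 to 100102 and the sample log line are all constructed for illustration. The field layout follows the comma-separated filterlog format (rule number, sub-rule, anchor, tracker, interface, reason, action, direction, IP version, then the IPv4 header fields, then source/destination addresses and ports), and it assumes a Wazuh 4.3 or newer manager, since the decoder uses `type="pcre2"` regexes; adjust the regex to your own log lines if they differ.

```xml
<!-- 1) Collection: ossec.conf on the manager (or on the agent that holds the file).
        The path is an assumption; point it at the file OPNsense actually writes or
        that your syslog receiver stores. -->
<ossec_config>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/opnsense/filter.log</location>
  </localfile>
</ossec_config>

<!-- 2) Decoders: /var/ossec/etc/decoders/local_decoder.xml
        Parent decoder: any syslog line whose program name is "filterlog".
        Constructed sample line the child decoder is written against:
        Jan 15 10:00:00 opnsense filterlog[12345]: 80,,,0,vtnet0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,192.0.2.10,198.51.100.5,45678,22,0,S,1234567890,,65535,,mss;sackOK;TS;nop;wscale -->
<decoder name="opnsense-filterlog">
  <program_name>^filterlog</program_name>
</decoder>

<!-- Child decoder for IPv4 TCP/UDP events. Column order of the CSV payload:
     rulenr,subrulenr,anchor,tracker,interface,reason,action,direction,ipversion,
     tos,ecn,ttl,id,offset,flags,protoid,protoname,length,srcip,dstip,srcport,dstport,...
     Only the fields listed in <order> are captured; the rest are skipped with [^,]* -->
<decoder name="opnsense-filterlog-ipv4">
  <parent>opnsense-filterlog</parent>
  <prematch type="pcre2">^\d+,[^,]*,[^,]*,\d+,[^,]+,[^,]+,[^,]+,(?:in|out),4,</prematch>
  <regex type="pcre2">^(\d+),[^,]*,[^,]*,(\d+),([^,]+),([^,]+),([^,]+),(in|out),4,[^,]*,[^,]*,(\d+),\d+,\d+,[^,]*,\d+,(tcp|udp),(\d+),([\d.]+),([\d.]+),(\d+),(\d+)</regex>
  <!-- srcip, dstip, srcport, dstport, protocol and action are Wazuh static fields;
       rulenr, tracker, interface, reason, direction, ttl and length are dynamic fields -->
  <order>rulenr, tracker, interface, reason, action, direction, ttl, protocol, length, srcip, dstip, srcport, dstport</order>
</decoder>

<!-- 3) Rules: /var/ossec/etc/rules/local_rules.xml (custom IDs must be 100000-119999) -->
<group name="opnsense,firewall,">
  <!-- Level 0 parent: every decoded filterlog event, kept silent on its own -->
  <rule id="100100" level="0">
    <decoded_as>opnsense-filterlog</decoded_as>
    <description>OPNsense filterlog event.</description>
  </rule>

  <!-- Blocked packet: matches the static "action" field set by the decoder -->
  <rule id="100101" level="3">
    <if_sid>100100</if_sid>
    <action>block</action>
    <description>OPNsense: $(protocol) $(srcip):$(srcport) -> $(dstip):$(dstport) blocked on $(interface) (rule $(rulenr)).</description>
  </rule>

  <!-- Correlation: many blocks from one source in a short window, a common scan signature -->
  <rule id="100102" level="10" frequency="20" timeframe="120">
    <if_matched_sid>100101</if_matched_sid>
    <same_srcip />
    <description>OPNsense: 20 or more blocked connections from $(srcip) within 2 minutes.</description>
  </rule>
</group>
```

After saving the files, restart the manager (`systemctl restart wazuh-manager`) and paste the sample line into `/var/ossec/bin/wazuh-logtest`: phase 2 should show `opnsense-filterlog-ipv4` with the decoded fields, and phase 3 should fire rule 100101. Feeding twenty such lines with the same source address inside two minutes should then trigger 100102, which is the quickest way to confirm the `<same_srcip />` correlation works before relying on it for alerting.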