FreeBSD syslog messages via RFC5424


Ive
Oct 16, 2020, 11:40:29 AM
to Wazuh mailing list
Hi Team,
First of all thank you for developing and supporting such a great product!

Can you please advise on the use case described below?

Use case
I need Wazuh to process logs from pfSense (a BSD-based firewall). My understanding is that there is no agent for BSD, and anyway, for some unrelated reasons, I have to use syslog.

Issue #1.
Syslog RFC3164 (the default used by Wazuh, as per my understanding) is broken with old FreeBSD implementations: the FreeBSD syslog implementation omits the hostname field when sending syslog messages. In practice it means that Wazuh's pre-decoder cannot process incoming logs appropriately (there is no hostname within them). It seems that for backward-compatibility reasons the FreeBSD team won't fix the bug. Instead they added an option to use the modern syslog RFC5424.

Issue #2.
Wazuh currently doesn't support RFC5424, and the request to add it has been pending for almost two years.


So what do you think are the long-term options?
A few considerations:
- Wazuh to introduce RFC5424 support (not very hard?)
- Wazuh to introduce an officially supported agent for FreeBSD (hard?)

If neither of the above, it would mean that Wazuh won't be able to support the FreeBSD family and many other modern systems that use RFC5424 out of the box...

So what do you think are the short-term options?
A few ideas:
- Does Wazuh have a way to change/play with pre-decoders?
- An intermediate syslog server that fixes/patches the missing hostname on the fly?

I would appreciate your solutions and ideas! Thank you.

Kind Regards,
Ive

Lee Seeman
Oct 16, 2020, 3:25:46 PM
to Wazuh mailing list
Second this ;-)

m.m...@gmail.com
Oct 19, 2020, 3:36:15 AM
to Wazuh mailing list
Hi,

I maintain the FreeBSD port of wazuh-agent; it's just that the pfSense guys don't make it available for it.
The pkg is available in OPNsense and works fine.

Best
Michael

Ive
Oct 22, 2020, 10:58:15 AM
to Wazuh mailing list
Hi Michael,
Thank you for your reply and help! It is definitely a solution for certain cases!

Unfortunately, in some cases (in mine too, for some unrelated reasons) only syslog is a viable option...

Regards,

Ive
Oct 22, 2020, 10:59:55 AM
to Wazuh mailing list
Hi Wazuh team,
Can you please also take a look at the initial post/questions and kindly provide your vision/feedback?

Thank you!
Regards,
Ive

Daniel Folch
Jan 4, 2021, 11:02:39 AM
to Wazuh mailing list

Hello Ive,

Sorry for the late response. As Michael said, it is possible to compile and run the Wazuh agent on FreeBSD-based systems.

I have installed pfSense and configured it to send syslog to the manager, and I was able to get alerts from it:

{"timestamp":"2021-01-04T11:11:20.938+0000","rule":{"level":5,"description":"syslog:  User authentication  failure.","id":"2501","firedtimes":1,"mail":false,"groups":["syslog","access_control","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"000","name":"manager"},"manager":{"name":"manager"},"id":"1609758680.15887","full_log":"Jan   4 11:11:20 php-fpm[341]: /index.php: webConfigurator authentication  error for user 'admin' from:  192.168.18.154","predecoder":{"timestamp":"Jan  4  11:11:20","hostname":"php-fpm[341]:"},"decoder":{},"location":"192.168.18.36"}

Indeed, the lack of a hostname breaks the parsing of the log, as it takes php-fpm[341] as the hostname. As you said, the problem lies in the way FreeBSD sends the log through remote syslog, since it skips the hostname.

A possible workaround would be to use syslog-ng instead of the default syslogd. You will need to install the syslog-ng package and set the following configuration:

    # syslog-ng: forward local logs to the Wazuh manager over UDP/514.
    # "src" was not defined in the original snippet; this local source is assumed.
    source src { system(); internal(); };
    destination remote_log_server {
        udp("manager_ip" port(514));
    };
    log { source(src); destination(remote_log_server); };

This is an example of the previous alert but using syslog-ng instead of syslogd:

{"timestamp":"2021-01-04T15:53:36.644+0000","rule":{"level":5,"description":"syslog:  User authentication  failure.","id":"2501","firedtimes":4,"mail":false,"groups":["syslog","access_control","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"000","name":"manager"},"manager":{"name":"manager"},"id":"1609775616.77019","full_log":"Jan   4 16:53:34 pfSense php-fpm[341]: /index.php: webConfigurator  authentication error for user 'admin' from:  192.168.18.231","predecoder":{"program_name":"php-fpm","timestamp":"Jan   4  16:53:34","hostname":"pfSense"},"decoder":{},"location":"192.168.18.235"}

As you can see, the hostname has been set correctly to pfSense.

Regards,
Daniel Folch
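
Ive's Issue #1 and the two alerts above come down to positional header parsing: RFC 3164 has no delimiter that marks the hostname, so when FreeBSD syslogd omits it the receiver simply takes the next token. The following Python is an added example, not Wazuh's pre-decoder and not code from anyone in the thread. It mirrors the positional logic against constructed lines modelled on the alerts, adds the defensive check a receiving relay could apply (a TAG-shaped "hostname" such as php-fpm[341]: is treated as missing and the UDP sender address is substituted, which is what Ive's "intermediate syslog server" idea amounts to), and parses the same event rendered as RFC 5424, where HOSTNAME has a fixed slot. The sender IPs and the RFC 5424 line are assumptions.

```python
"""Syslog header pre-decoding, modelled on positional RFC 3164 logic
(added example; not Wazuh's code).  Shows why a FreeBSD syslogd line with no
hostname field yields hostname "php-fpm[341]:", how a receiver can detect and
repair that, and why an RFC 5424 header has no such ambiguity."""
import re
from dataclasses import dataclass
from typing import Optional

# RFC 3164: "<PRI>Mmm dd hh:mm:ss HOSTNAME TAG[pid]: MSG".  The token after the
# timestamp is taken as the hostname purely by position.
RFC3164_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<rest>.*)$", re.S)
# TAG as written by FreeBSD syslogd and most daemons: "prog[pid]: msg".
TAG_RE = re.compile(r"^(?P<prog>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?:\s?(?P<msg>.*)$", re.S)
# RFC 5424: "<PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG";
# HOSTNAME is an explicit field and "-" (NILVALUE) when unknown.
RFC5424_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ver>\d) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[.*?\])+) ?(?P<msg>.*)$", re.S)


@dataclass
class Predecoded:
    timestamp: str
    hostname: Optional[str]
    program_name: Optional[str]
    message: str
    note: str = ""


def predecode_rfc3164(line: str, sender_ip: str, repair: bool = True) -> Predecoded:
    """Positional RFC 3164 pre-decoding.  With repair=True, a hostname token that
    is itself TAG-shaped ("php-fpm[341]:") is treated as a missing hostname: the
    tokens are shifted back and the UDP sender address is used as the host."""
    m = RFC3164_RE.match(line)
    if not m:
        raise ValueError("not an RFC 3164 line")
    host, rest, note = m["host"], m["rest"], ""
    # endswith(":") keeps IPv6-literal hostnames such as fe80::1 from matching.
    if repair and host.endswith(":") and TAG_RE.match(host):
        rest = host + " " + rest
        host = sender_ip
        note = "hostname field missing; substituted sender address"
    t = TAG_RE.match(rest)
    return Predecoded(m["ts"], host,
                      t["prog"] if t else None,
                      t["msg"] if t else rest, note)


def predecode_rfc5424(line: str) -> Predecoded:
    """RFC 5424 pre-decoding: every header field has a fixed slot."""
    m = RFC5424_RE.match(line)
    if not m:
        raise ValueError("not an RFC 5424 line")
    nil = lambda v: None if v == "-" else v
    return Predecoded(m["ts"], nil(m["host"]), nil(m["app"]), m["msg"],
                      "hostname is an explicit field (NILVALUE '-' if unknown)")


# Constructed samples modelled on the two alerts in the thread (not captured
# traffic); the sender IPs and the RFC 5424 rendering are assumptions.
FREEBSD_SYSLOGD = ("<38>Jan  4 11:11:20 php-fpm[341]: /index.php: webConfigurator "
                   "authentication error for user 'admin' from: 192.168.18.154")
SYSLOG_NG = ("<38>Jan  4 16:53:34 pfSense php-fpm[341]: /index.php: webConfigurator "
             "authentication error for user 'admin' from: 192.168.18.231")
RFC5424_LINE = ("<38>1 2021-01-04T16:53:34+00:00 pfSense php-fpm 341 - - /index.php: "
                "webConfigurator authentication error for user 'admin' from: 192.168.18.231")


def demo() -> dict:
    """Pre-decode the three samples; the naive case reproduces the bad hostname."""
    return {
        "syslogd_naive": predecode_rfc3164(FREEBSD_SYSLOGD, "192.168.18.36", repair=False),
        "syslogd_repaired": predecode_rfc3164(FREEBSD_SYSLOGD, "192.168.18.36"),
        "syslog_ng": predecode_rfc3164(SYSLOG_NG, "192.168.18.235"),
        "rfc5424": predecode_rfc5424(RFC5424_LINE),
    }


if __name__ == "__main__":
    for name, r in demo().items():
        print(f"{name:17s} hostname={r.hostname!r:16s} program={r.program_name!r:11s} {r.note}")
```

The repair heuristic only makes sense on a relay or receiver that knows the UDP source address of each datagram; it records that the hostname was synthesised so an analyst can tell a real host field from a substituted one. The RFC 5424 path needs no heuristic at all, which is the practical reason the first post asks for that format to be supported.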

Ive
Jan 24, 2021, 10:41:24 AM
to Wazuh mailing list
Hello Daniel,
Thank you for the solution provided!

A couple of clarifications that made it work for me (might be helpful for others who follow the thread, and please correct me if I'm wrong):
  1. Install the syslog-ng package (available as a pfSense package)
  2. Configure syslog-ng:
    1. To listen for logs locally
    2. To forward logs to the Wazuh IP address
  3. Point all the pfSense logs to the locally installed syslog-ng (Status => System Logs => Settings => Remote Log Server = 127.0.0.1:port, as per the syslog-ng configuration)
  4. In the Wazuh config file, add allowed-ips with the IP of syslog-ng
BTW, if you have multiple pfSense interfaces and want the pfSense hostname properly reflected in the syslog messages, then for the Source Address (step #3) use the interface that is bound to the pfSense hostname (it can be found in the DHCP lease stats).

BoltThrower321
Jan 2, 2024, 7:22:21 AM
to Wazuh | Mailing List
For people who are looking for an update on this matter:

As of 01.01.2024, pfSense 23.09.1-RELEASE (I own a Netgate appliance) still has this issue.
And still, Wazuh hasn't updated their decoders.

Considering how widely used the pfSense system is (many enterprise environments use it), I highly suggest updating the decoders!