OPNsense with wazuh agent


Phil Schilling

Jun 23, 2026, 10:16:12 AM (5 days ago) Jun 23
to Wazuh | Mailing List
Looking to see if anyone has had any experience with the OPNsense Wazuh agent. I have it all set up but am having issues with the forwarded firewall logs.
On the OPNsense box it has a file /var/ossec/logs/opnsense.syslog.log. The entries in that file are like this.
Jun 23 08:07:21 systemname.domain.com filterlog[24868]: 4,,,ecd3a310894625657c6591b80daa956a,igb3,match,block,in,4,0x60,,242,23392,0,none,6,tcp,44,35.203.210.48,192.82.99.190,49907,20857,0,S,2539678119,,1024,,mss
This decodes and the rule says an alert is to be generated when run through wazuh-logtest. When they are forwarded to the Wazuh manager they show up as
2026 Jun 23 08:15:25 (systemname.domain.com) any->/var/ossec/logs/opnsense_syslog.log Jun 23 08:11:32 systemname.domain.com filterlog[24868]: 4,,,ecd3a310894625657c6591b80daa956a,igb3,match,block,in,4,0x0,,238,54321,0,none,6,tcp,40,5.61.209.224,192.82.99.190,52730,664,0,S,1981649711,,65535,,
Adding the "Date - systemname filterlog > /var/ossec/logs/opnsense_syslog.log" header to the actual message. This of course does not decode.
Has anyone figured out a way to stop OPNsense from adding that header to the log entries? I haven't been able to figure out how to strip that with my decoder and was hoping just to fix what is being sent.
Thanks for looking and any assistance would be greatly appreciated.

Phil

Olamilekan Abdullateef Ajani

Jun 23, 2026, 11:15:20 AM (4 days ago) Jun 23
to Wazuh | Mailing List

Hello Phil,

The extra prefix is not coming from OPNsense itself. The added header is from the Wazuh agent when the log is forwarded to the manager. So you don't need to try to stop it; instead you can adjust the decoder to ignore everything before the real syslog message.

In your case, the decoder should not start matching from Jun 23... directly, because the manager receives the line as:

2026 Jun 23 ... any->/var/ossec/logs/opnsense_syslog.log Jun 23 ... filterlog[...]

A quick way to identify where the actual log starts is to evaluate the log inside the archives.json file. You can enable this if not already enabled by editing the /var/ossec/etc/ossec.conf file.
<ossec_config>
  <global>
    ----
    <logall>yes</logall>
    <logall_json>yes</logall_json>
    ----
  </global>
</ossec_config>

Then restart the Wazuh manager.
systemctl restart wazuh-manager

cat /var/ossec/logs/archives/archives.json | grep "filterlog"
Once you verify the log structure, work with it and build the decoders around that, and it should match as you may have tested in logtest too.

So the issue is not the forwarding itself. Adjusting the decoder to skip the Wazuh agent prefix and match the exact raw log should fix the issue.

Please let me know if you require further assistance. Kindly share a sample log from archives.json file too.
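
To make the prefix concrete, here is an added Python example (my own, not code from this thread, from OPNsense or from Wazuh) that strips the manager's archive prefix, separates the syslog header from the filterlog payload, and splits the filterlog CSV into the same fields the pf decoder output shows in this thread. The two sample lines are the ones quoted earlier in the thread; the column names are my own labels for the filterlog layout (IPv4 only, TCP and UDP), and the prefix pattern is assumed from the line Phil pasted, not taken from Wazuh's source.

```python
import re

# Prefix the Wazuh manager writes in front of every forwarded line in archives.log
# (assumed from the line quoted in the thread):
#   "<YYYY Mon DD HH:MM:SS> (<agent name>) <agent ip>-><location> <raw message>"
ARCHIVE_PREFIX = re.compile(
    r"^\d{4} [A-Za-z]{3} +\d{1,2} \d{2}:\d{2}:\d{2} \([^)]*\) \S+->\S+ "
)

# Syslog header of the raw message: "Mon DD HH:MM:SS host program[pid]: payload".
SYSLOG_HEADER = re.compile(
    r"^(?P<timestamp>[A-Za-z]{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<hostname>\S+) "
    r"(?P<program_name>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<payload>.*)$"
)

# filterlog CSV layout (my labels; IPv4 only, which is all the thread shows).
COMMON_FIELDS = ("rulenr", "subrulenr", "anchor", "tracker", "interface",
                 "reason", "action", "direction", "ip_version")
IPV4_FIELDS = ("tos", "ecn", "ttl", "ipid", "offset", "ipflags",
               "proto_id", "protocol", "length", "srcip", "dstip")
TCP_FIELDS = ("srcport", "dstport", "datalen", "tcp_flags", "seq", "ack",
              "window", "urg", "options")
UDP_FIELDS = ("srcport", "dstport", "datalen")

# Sample input: the forwarded line and the local line quoted earlier in the thread.
FORWARDED_LINE = (
    "2026 Jun 23 08:15:25 (systemname.domain.com) any->/var/ossec/logs/opnsense_syslog.log "
    "Jun 23 08:11:32 systemname.domain.com filterlog[24868]: "
    "4,,,ecd3a310894625657c6591b80daa956a,igb3,match,block,in,4,0x0,,238,54321,0,none,6,tcp,40,"
    "5.61.209.224,192.82.99.190,52730,664,0,S,1981649711,,65535,,"
)
LOCAL_LINE = (
    "Jun 23 08:07:21 systemname.domain.com filterlog[24868]: "
    "4,,,ecd3a310894625657c6591b80daa956a,igb3,match,block,in,4,0x60,,242,23392,0,none,6,tcp,44,"
    "35.203.210.48,192.82.99.190,49907,20857,0,S,2539678119,,1024,,mss"
)


def strip_archive_prefix(line: str) -> str:
    """Return the raw syslog message; a line without the prefix comes back unchanged."""
    return ARCHIVE_PREFIX.sub("", line.rstrip("\n"), count=1)


def parse_filterlog(payload: str) -> dict:
    """Split the filterlog CSV payload into named fields (IPv4 with TCP or UDP)."""
    fields = payload.split(",")
    if len(fields) < len(COMMON_FIELDS):
        raise ValueError("truncated filterlog record")
    rec = dict(zip(COMMON_FIELDS, fields))
    rest = fields[len(COMMON_FIELDS):]
    if rec["ip_version"] != "4":
        raise ValueError("only IPv4 records are handled in this example")
    if len(rest) < len(IPV4_FIELDS):
        raise ValueError("truncated IPv4 header fields")
    rec.update(zip(IPV4_FIELDS, rest))
    rest = rest[len(IPV4_FIELDS):]
    layer4 = {"tcp": TCP_FIELDS, "udp": UDP_FIELDS}.get(rec["protocol"], ())
    # zip() stops at the shorter sequence, so a record that ends early (like the
    # thread's line ending in ",,") still yields the leading transport fields.
    rec.update(zip(layer4, rest))
    return rec


def decode_line(line: str) -> dict:
    """Produce predecoder fields plus a 'data' block shaped like the thread's JSON."""
    raw = strip_archive_prefix(line)
    m = SYSLOG_HEADER.match(raw)
    if m is None:
        raise ValueError("not a syslog-formatted line: %r" % raw[:60])
    if m.group("program_name") != "filterlog":
        raise ValueError("not a filterlog record")
    rec = parse_filterlog(m.group("payload"))
    data = {k: rec.get(k, "") for k in
            ("protocol", "action", "srcip", "srcport", "dstip", "dstport")}
    data["id"] = rec["tracker"]          # the thread's JSON reports the tracker as "id"
    data["length"] = rec.get("datalen", "")  # and the TCP data length as "length"
    return {
        "predecoder": {"program_name": m.group("program_name"),
                       "timestamp": m.group("timestamp"),
                       "hostname": m.group("hostname")},
        "full_log": raw,
        "data": data,
    }


if __name__ == "__main__":
    import json
    for sample in (FORWARDED_LINE, LOCAL_LINE):
        print(json.dumps(decode_line(sample)["data"]))
```

Running it prints the same source, destination, port, action and tracker id for both lines, which is the point: once the archive prefix is stripped the forwarded message is identical in structure to what wazuh-logtest decoded locally.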

Phil Schilling

Jun 24, 2026, 7:54:29 AM (4 days ago) Jun 24
to Wazuh | Mailing List
Thank you. You have gotten me much closer. I have pasted a log line from the JSON log. I am working on my rules now.

{"timestamp":"2026-06-23T15:34:07.445-0500","rule":{"level":5,"description":"pfSense firewall drop event.","id":"87701","firedtimes":362,"mail":false,"groups":["pfsense","firewall_block"],"pci_dss":["1.4"],"gpg13":["4.12"],"hipaa":["164.312.a.1"],"nist_800_53":["SC.7"],"tsc":["CC6.7","CC6.8"]},"agent":{"id":"167","name":"OPNsense.gcstech.net","ip":"192.168.0.154"},"manager":{"name":"wazuh2"},"id":"1782246847.1517792381","full_log":"Jun 23 15:30:13 opnsense.gcstetch.net filterlog[24868]: 4,,,ecd3a310894625657c6591b80daa956a,igb3,match,block,in,4,0x0,,237,50524,0,none,6,tcp,40,5.188.206.66,192.168.99.190,58592,8146,0,S,2092742960,,1024,,","predecoder":{"program_name":"filterlog","timestamp":"Jun 23 15:30:13","hostname":"opnsense.gcstetch.net"},"decoder":{"name":"pf"},"data":{"protocol":"tcp","action":"block","srcip":"5.188.206.66","srcport":"58592","dstip":"192.168.99.190","dstport":"8146","id":"ecd3a310894625657c6591b80daa956a","length":"0"},"location":"/var/ossec/logs/opnsense_syslog.log"} 

Olamilekan Abdullateef Ajani

Jun 24, 2026, 10:09:41 AM (4 days ago) Jun 24
to Wazuh | Mailing List
Hello Phil,

Thank you for the feedback. The actual log to work with is seen below:
Jun 23 15:30:13 opnsense.gcstetch.net filterlog[24868]: 4,,,ecd3a310894625657c6591b80daa956a,igb3,match,block,in,4,0x0,,237,50524,0,none,6,tcp,40,5.188.206.66,192.168.99.190,58592,8146,0,S,2092742960,,1024

Regarding the rules, please let me know if you require further assistance.

Regards,
