OPNsense filterlog decoder


Giuseppe Ruberto

Dec 18, 2025, 6:28:42 AM
to Wazuh | Mailing List
Hello everyone,
I need to capture and analyze these logs from an OPNsense server.
The logs are sent to the Wazuh server through the opnsense wazuh plugin.
The log format is as follows:

2025 Dec 17 18:50:31 (OPNsense.aaa.it) any->/var/ossec/logs/opnsense_syslog.log Dec 17 18:50:28 OPNsense.aaa.it filterlog[48205]: 46,,,518c1c0aeec8484b7e46acb85a0765e9,vtnet0,match,pass,in,4,0x0,,128,41872,0,none,17,udp,79,10.1.0.68,172.16.250.222,60319,161,59

I started creating a decoder to test how it works:

<decoder name="filterlog_gw">
  <prematch type="pcre2">OPNsense\.aaa\.it\s+filterlog\[\d+</prematch>
</decoder>

<!-- Extract ALL the filterlog fields -->
<decoder name="filterlog_gw_opnsense_fields">
  <parent>filterlog_gw</parent>
  <prematch offset="after_parent" type="pcre2">]:\s</prematch>
  <regex offset="after_prematch" type="pcre2">(\d*),,,(\w+),(\w+),(\w+),(\w+),(\w+),\d*,\w*,\w*,\d*,\d*,\d*,\w*,\d*,(\w+),\d*,(\d+\.\d+\.\d+\.\d+),(\d+\.\d+\.\d+\.\d+),(\d+),(\d+)</regex>
  <order>rule,tracker,interface,reason,action,direction,protocol,srcip,dstip,srcport,dstport</order>
</decoder>
 
Now, when I run the decoder test, I get this result:
**Phase 1: Completed pre-decoding.
    full event: 'Dec 17 18:50:28 OPNsense.aaa.it filterlog[48205]: 31,,,fae559338f65e11c53669fc3642c93c2,vtnet0,match,pass,out,4,0x0,,127,5647,0,none,17,udp,76,10.1.0.10,172.16.200.100,60305,161,56'
    timestamp: 'Dec 17 18:50:28'
    hostname: 'OPNsense.aaa.it'
    program_name: 'filterlog'

**Phase 2: Completed decoding.
    name: 'pf'
    action: 'pass'
    dstip: '172.16.200.100'
    dstport: '161'
    id: 'fae559338f65e11c53669fc3642c93c2'
    length: '56'
    protocol: 'udp'
    srcip: '10.1.0.10'
    srcport: '60305'

**Phase 3: Completed filtering (rules).
    id: '87700'
    level: '0'
    description: 'pfSense firewall rules grouped.'
    groups: '["pfsense"]'
    firedtimes: '20'
    mail: 'false'
This behavior is not what I want, because my decoder cannot match it.
What do you recommend I do?

Thank you for your help.
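To check that the custom decoder chain itself is sound (the problem in the thread is decoder precedence, not the regex), here is an added Python re-implementation of the three stages from the XML above: parent prematch, child prematch after the parent, and the field regex after the prematch, mapping captures to the `<order>` names. This is example code, not Wazuh's decoder engine; the sample lines are the two UDP events quoted in this post.

```python
import re

# Patterns copied from the decoder XML in the post (Python re accepts this pcre2 subset).
PREMATCH_PARENT = re.compile(r"OPNsense\.aaa\.it\s+filterlog\[\d+")
PREMATCH_CHILD = re.compile(r"\]:\s")
FIELDS_RE = re.compile(
    r"(\d*),,,(\w+),(\w+),(\w+),(\w+),(\w+),\d*,\w*,\w*,\d*,\d*,\d*,\w*,\d*,"
    r"(\w+),\d*,(\d+\.\d+\.\d+\.\d+),(\d+\.\d+\.\d+\.\d+),(\d+),(\d+)"
)
# Names from <order>, one per capture group (11 groups, 11 names).
ORDER = ["rule", "tracker", "interface", "reason", "action", "direction",
         "protocol", "srcip", "dstip", "srcport", "dstport"]

# Sample events taken from the post (IPv4 UDP filterlog lines).
SAMPLE_IN = ("Dec 17 18:50:28 OPNsense.aaa.it filterlog[48205]: 46,,,"
             "518c1c0aeec8484b7e46acb85a0765e9,vtnet0,match,pass,in,4,0x0,,128,"
             "41872,0,none,17,udp,79,10.1.0.68,172.16.250.222,60319,161,59")
SAMPLE_OUT = ("Dec 17 18:50:28 OPNsense.aaa.it filterlog[48205]: 31,,,"
              "fae559338f65e11c53669fc3642c93c2,vtnet0,match,pass,out,4,0x0,,127,"
              "5647,0,none,17,udp,76,10.1.0.10,172.16.200.100,60305,161,56")


def decode_filterlog(line):
    """Mimic the decoder chain: parent prematch, then child prematch searched
    after the parent match (offset="after_parent"), then the field regex searched
    after the child prematch (offset="after_prematch").
    Returns a dict keyed by the <order> names, or None if any stage fails."""
    parent = PREMATCH_PARENT.search(line)
    if parent is None:
        return None
    child = PREMATCH_CHILD.search(line, parent.end())
    if child is None:
        return None
    fields = FIELDS_RE.search(line, child.end())
    if fields is None:
        return None  # e.g. an IPv6 or non-matching layout: the regex is IPv4-only
    return dict(zip(ORDER, fields.groups()))


if __name__ == "__main__":
    for sample in (SAMPLE_IN, SAMPLE_OUT):
        print(decode_filterlog(sample))
```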

Stuti Gupta

Dec 18, 2025, 6:52:06 AM
to Wazuh | Mailing List

Hi Giuseppe,

Your custom decoder is not working because the log pattern matches the default decoders and rules.

In case you don't want the default one to match the log pattern, you need to exclude the default decoders. For that, you need to follow the steps given here: https://documentation.wazuh.com/current/user-manual/ruleset/decoders/custom.html#modify-default-decoders

Replace the file name with the default decoder file name that matches your log pattern; in your case, that is, /ruleset/decoders/0455-pfsense_decoders.xml.

Once you have copied the file to /var/ossec/etc/decoders/0455-pfsense_decoders.xml with the correct permissions and ownership, modify or add your decoders there and restart the wazuh-manager to apply the change.

Let me know if this works. In case it didn't, then please let me know which fields are not decoded.