Pfsense squid proxy allowed logs issue.


asd zxc

Jan 4, 2024, 1:59:32 AM
to Wazuh | Mailing List
Step 1:
We have added the code below to the pfSense Wazuh agent's ossec.conf file.

<log_format>
  <log_group>firewall</log_group>
  <log_source>Pfsense</log_source>
  <location>/var/squid/logs/access.log</location>
</log_format>

Step 2:
We have added the code below to the Wazuh manager.

<remote>
  <connection>secure</connection>
  <port>1514</port>
</remote>

We have done the above 2 steps, and we are getting only blocked logs, not allowed logs, for pfSense.
Can you please suggest steps for the allowed logs?

Note: the path is /var/squid/logs/access.log, and in this file "access.log" both allowed & blocked logs are present, but we are getting only blocked logs in the Wazuh SIEM.
Squid is the proxy.

Md. Nazmur Sakib

Jan 4, 2024, 2:25:14 AM
to Wazuh | Mailing List

Hi asd zxc,


Hope you are doing well. Thank you for using Wazuh.


I believe by saying you are getting only blocked logs you are referring to not getting alerts for allowed logs in the Wazuh dashboard. If so, can you share whether you are using any custom decoders or rules?

Next:

Activate the 'logall' option within the manager's ossec.conf file, as outlined in our documentation: Wazuh Documentation | logall

This option will allow you to see all the events being monitored by your manager in the /var/ossec/logs/archives/archives.log file. You will then be able to observe the incoming log generated by your endpoint. After setting this option, restart the manager and check the archives.log file.

Note: Don't forget to disable the logall parameter once you have finished troubleshooting. Leaving it enabled could lead to high disk space consumption.

Look for any logs inside the archives log which are relevant to the allowed log. Use grep parameters related to the log.

cat /var/ossec/logs/archives/archives.log | grep Keyword


Looking forward to your response.


Regards

Md. Nazmur Sakib
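The following is an added example, not code from the thread or from Wazuh, that models the check described in the reply above: with logall enabled, every event the manager receives is written to archives.log, while an event reaches alerts.log (and the dashboard) only when the rule it matches has a level of at least log_alert_level, which defaults to 3. The Squid access.log lines are constructed for this example, the decoder regex and its field names are this example's own choice rather than the names used by Wazuh's squid decoder, and the rule levels are a simplified stand-in modelled on the default squid ruleset, in which successful requests are matched by a level-0 rule (an assumption to verify against the installed rules). One caveat on the agent side: the stanza quoted in the first post is not the Wazuh localfile syntax; a Wazuh agent collects a flat file through a localfile element containing log_format syslog and the location /var/squid/logs/access.log, and the manager's squid decoder then matches the native access.log line format.

```python
"""
Model of the path a Squid access.log line takes on a Wazuh manager:
archives.log (logall) receives every event, alerts.log only those whose
matching rule level is >= log_alert_level. Added example, not Wazuh code.
"""
import re

# Constructed sample lines in Squid's native access.log format:
# time elapsed client result/status bytes method url user hierarchy/peer type
SAMPLE_ACCESS_LOG = """\
1704355200.123    120 192.168.1.10 TCP_MISS/200 5432 GET http://example.com/index.html - HIER_DIRECT/93.184.216.34 text/html
1704355201.456      0 192.168.1.10 TCP_DENIED/403 3712 GET http://blocked.example/ - HIER_NONE/- text/html
1704355202.789     45 192.168.1.11 TCP_TUNNEL/200 0 CONNECT login.example.net:443 - HIER_DIRECT/203.0.113.5 -
1704355203.001      0 192.168.1.12 TCP_DENIED/407 3500 GET http://example.org/ - HIER_NONE/- text/html
"""

LOG_ALERT_LEVEL = 3  # Wazuh default for <log_alert_level> in ossec.conf

# Decoder stand-in for the native Squid line format. The field names are this
# example's own choice (assumption), not those of Wazuh's squid decoder.
SQUID_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<srcip>\S+)\s+"
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>\S+)\s+(?P<ctype>\S+)$"
)


def decode(line):
    """Return the decoded fields of one access.log line, or None if it is not a Squid line."""
    m = SQUID_RE.match(line.strip())
    return m.groupdict() if m else None


def rule_level(event):
    """Simplified rule table (assumption, modelled on the default squid rules):
    successful requests and auth challenges level 0, 403 denials level 5,
    other client/server errors level 3."""
    status = event["status"]
    if status[0] in "23" or status in ("401", "407"):
        return 0            # allowed request: decoded and matched, but level 0 never alerts
    if status == "403":
        return 5            # request denied by the proxy
    if status[0] in "45":
        return 3            # other client or server error
    return 0


def process(access_log, logall=True):
    """Split the feed into (archives, alerts), mirroring archives.log vs alerts.log."""
    archives, alerts = [], []
    for line in access_log.splitlines():
        if not line.strip():
            continue
        if logall:
            archives.append(line)          # logall keeps every event, decoded or not
        event = decode(line)
        if event is None:
            continue                       # no decoder match: no rule, hence no alert
        level = rule_level(event)
        if level >= LOG_ALERT_LEVEL:
            alerts.append((level, event["status"], event["url"]))
    return archives, alerts


def grep_archives(archives, keyword):
    """The 'grep Keyword archives.log' check from the reply above."""
    return [line for line in archives if keyword in line]


if __name__ == "__main__":
    archives, alerts = process(SAMPLE_ACCESS_LOG)
    print(f"{len(archives)} events in archives.log, {len(alerts)} in alerts.log")
    for level, status, url in alerts:
        print(f"  alert level {level}: {status} {url}")
    # The allowed request is in the archives even though it never produced an alert.
    print("allowed request in archives:", grep_archives(archives, "example.com/index.html"))
```

On a real manager the equivalent of this model is /var/ossec/bin/wazuh-logtest: paste one allowed line and one denied line from access.log and compare the rule ID and level each one hits. If the allowed line decodes as squid but ends at level 0, the event is being received and archived correctly and simply never alerted; raising that with a custom rule in /var/ossec/etc/rules/local_rules.xml is the fix, not a collection change. If the allowed line does not decode at all, the problem is upstream of the rules and the agent's localfile configuration is the first thing to check.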

asd zxc

Jan 4, 2024, 4:08:18 AM
to Wazuh | Mailing List
Hi,

Thanks for the quick reply.

We have not created any custom decoders or rules; we have used the default decoders and rules.
Kindly find attached the default decoders and rules.
Squid decoders.txt
Squid rules.txt

Md. Nazmur Sakib

Jan 4, 2024, 5:34:45 AM
to Wazuh | Mailing List

Hi asd zxc,


Can you enable the archives log following this and check if the allowed logs are there?

Activate the 'logall' option within the manager's ossec.conf file, as outlined in our documentation: Wazuh Documentation | logall

This option will allow you to see all the events being monitored by your manager in the /var/ossec/logs/archives/archives.log file. You will then be able to observe the incoming log generated by your endpoint. After setting this option, restart the manager and check the archives.log file.

Note: Don't forget to disable the logall parameter once you have finished troubleshooting. Leaving it enabled could lead to high disk space consumption.

Look for any logs inside the archives log which are relevant to the allowed log. Use grep parameters related to the log.

cat /var/ossec/logs/archives/archives.log | grep Keyword

If you find allowed logs there, send me a sample allowed log and blocked log.

Also share an alert from your Wazuh dashboard that you are getting from a blocked log.

Share that information so that I can test it in my lab.



Regards

Md. Nazmur Sakib
