Data log from pfSense to a separate file in a Wazuh manager


Nemo191 Nm

Apr 8, 2024, 8:07:33 AM4/8/24
to Wazuh | Mailing List
Hi! I'm trying to connect pfSense to Wazuh without an agent. Can you tell me how to create a separate log file in the wazuh-manager for the data from pfSense?

Am I doing the right thing?

I added a block to the ossec.conf of the Wazuh manager:

<localfile>
  <log_format>syslog</log_format>
  <location>/var/log/pfsense.log</location>
</localfile>

right?

Cedrick Foko

Apr 8, 2024, 8:40:58 AM4/8/24
to Wazuh | Mailing List
Hello,
Thank you for using Wazuh, 

The <localfile> configuration is used to collect log data from local (existing) files, not to create a separate log file.

If you configured syslog on your manager to receive logs from pfSense, the logs are sent immediately to the wazuh-analysisd daemon, and you can't write them to a file.

If you want to write the logs to a file before analyzing them, you can install rsyslog on your manager and configure it to write the received logs to a file.
You can find more information here:  Forward syslog events - Your environment · Wazuh documentation

I hope this helps.
Please don't hesitate to ask if you have any other question or doubt.

Nemo191 Nm

Apr 8, 2024, 8:41:38 AM4/8/24
to Wazuh | Mailing List
Also, I added a block to the ossec.conf of the Wazuh manager:

<remote>
  <connection>syslog</connection>
  <port>514</port>
  <protocol>tcp</protocol>
  <allowed-ips>192.168.1.15/24</allowed-ips>  <!-- pfSense -->
  <local_ip>192.168.1.5</local_ip>  <!-- Wazuh manager -->
</remote>

On Monday, April 8, 2024 at 15:07:33 UTC+3, Nemo191 Nm wrote:

Cedrick Foko

Apr 8, 2024, 8:57:05 AM4/8/24
to Wazuh | Mailing List
Hello again,

As I explained, with that configuration the logs are sent immediately to the wazuh-analysisd daemon, and you can't write them to a log file.
Please let me know if you have any other question.


Nemo191 Nm

Apr 8, 2024, 9:05:49 AM4/8/24
to Wazuh | Mailing List
Thank you! I wanted to see the log from pfSense. I turned on logall but did not see the logs from pfSense. I checked with: tcpdump -i any src host 192.168.1.15
I only see:
15:54:12.464991 enp0s3 In  IP 192.168.1.15.syslog > wazuh47all.lan.syslog: SYSLOG user.warning, length: 111


As far as I understand, I need to look at the full log in /var/ossec/logs/archives/? There is no pfSense log there. I saw one line with tcpdump.



On Monday, April 8, 2024 at 15:41:38 UTC+3, Nemo191 Nm wrote:

Nemo191 Nm

Apr 8, 2024, 9:10:41 AM4/8/24
to Wazuh | Mailing List
Can I see the raw log from pfSense? How do I do this? I used logall and looked in /var/ossec/logs/archives/archives.log, but there is no information from pfSense there.

On Monday, April 8, 2024 at 16:05:49 UTC+3, Nemo191 Nm wrote:

Cedrick Foko

Apr 9, 2024, 12:20:16 PM4/9/24
to Wazuh | Mailing List
Hello, 

If you enabled the logall option in the manager's configuration and can't find your logs in the /var/ossec/logs/archives/archives.log file, it means the logs are not being received by the manager for some reason.
I'd recommend checking the configuration on the pfSense side to make sure it is done correctly.

Additionally, you can use tcpdump to capture the network traffic entering the manager. You can then use Wireshark to analyze the traffic and check whether pfSense is sending logs to the manager.

I hope this helps.
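As an added example (not from the thread and not Wazuh's own code), the check below puts the two pieces of evidence in this thread side by side: the <remote> listener configured in ossec.conf and a tcpdump summary line. It parses the listener's port, protocol and allowed-ips, classifies the captured packet, and reports anything that would stop the packet from ever reaching archives.log, then builds an RFC 3164 message (with the PRI computed from facility and severity, e.g. user.warning = 12) that you can send to the manager and grep for. One detail the classification relies on: tcpdump only runs its SYSLOG decoder on UDP port 514, so a line printed as `SYSLOG user.warning` was a UDP datagram; a TCP segment prints as `Flags [...]` instead. The configuration text, the tcpdump line, the hostnames and IPs in the block are constructed copies of what was posted, and the send helper's framing is an assumption.

```python
#!/usr/bin/env python3
"""Added example, not from the thread or from Wazuh: compare the manager's
<remote> syslog listener with what tcpdump shows on the wire, then build a
test message. IPs, hostnames and sample lines are constructed."""
import ipaddress
import re
import socket
import xml.etree.ElementTree as ET

# RFC 3164 facility and severity codes (PRI = facility * 8 + severity).
FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
              "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
              "local0": 16, "local1": 17, "local2": 18, "local3": 19,
              "local4": 20, "local5": 21, "local6": 22, "local7": 23}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}

# Constructed sample: the <remote> block as posted in the thread, with clean tags.
SAMPLE_OSSEC_CONF = """
<remote>
  <connection>syslog</connection>
  <port>514</port>
  <protocol>tcp</protocol>
  <allowed-ips>192.168.1.15/24</allowed-ips>
  <local_ip>192.168.1.5</local_ip>
</remote>
"""
# Constructed sample: a tcpdump summary line of the kind shown in the thread.
SAMPLE_TCPDUMP_LINE = ("15:54:12.464991 enp0s3 In  IP 192.168.1.15.syslog > "
                       "wazuh47all.lan.syslog: SYSLOG user.warning, length: 111")

TCPDUMP_RE = re.compile(r"IP (?P<src>\S+?)\.(?P<sport>\w+) > (?P<dst>\S+?)\.(?P<dport>\w+): (?P<rest>.*)")


def syslog_pri(facility: str, severity: str) -> int:
    """PRI value, e.g. user.warning -> 12."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def build_rfc3164(facility, severity, hostname, tag, msg, timestamp="Apr  8 15:54:12"):
    """Build a BSD-syslog line in the shape a pfSense box emits."""
    return f"<{syslog_pri(facility, severity)}>{timestamp} {hostname} {tag}: {msg}"


def parse_remote_block(ossec_conf: str) -> dict:
    """Port, protocol and allowed-ips of the <remote> block whose <connection> is syslog.
    Wazuh defaults apply when a tag is absent: port 514, protocol udp."""
    root = ET.fromstring(f"<root>{ossec_conf}</root>")  # ossec.conf has several top-level blocks
    for remote in root.iter("remote"):
        if (remote.findtext("connection") or "").strip() == "syslog":
            return {
                "port": int(remote.findtext("port", "514")),
                "protocol": remote.findtext("protocol", "udp").strip().lower(),
                "allowed_ips": [ipaddress.ip_network(e.text.strip(), strict=False)
                                for e in remote.findall("allowed-ips")],
            }
    raise ValueError("no <remote> syslog listener in configuration")


def classify_tcpdump_line(line: str) -> dict:
    """Endpoints and transport of a tcpdump summary line. tcpdump runs its SYSLOG
    decoder only on UDP/514; a TCP segment is printed as 'Flags [...]' instead."""
    m = TCPDUMP_RE.search(line)
    if not m:
        raise ValueError(f"unrecognised tcpdump line: {line!r}")
    rest = m.group("rest")
    transport = "udp" if rest.startswith("SYSLOG") else "tcp" if rest.startswith("Flags [") else "unknown"
    fs = re.match(r"SYSLOG (\w+)\.(\w+)", rest)
    return {"src": m.group("src"), "dst": m.group("dst"), "transport": transport,
            "facility": fs.group(1) if fs else None, "severity": fs.group(2) if fs else None}


def check_listener(ossec_conf: str, tcpdump_line: str) -> list:
    """Findings that explain why a packet tcpdump saw may never reach archives.log."""
    cfg = parse_remote_block(ossec_conf)
    pkt = classify_tcpdump_line(tcpdump_line)
    findings = []
    if pkt["transport"] not in ("unknown", cfg["protocol"]):
        findings.append(f"transport mismatch: manager listens on {cfg['protocol']}/{cfg['port']}, "
                        f"packet is {pkt['transport']}")
    try:
        src = ipaddress.ip_address(pkt["src"])
        if not any(src in net for net in cfg["allowed_ips"]):
            findings.append(f"source {src} not covered by allowed-ips {cfg['allowed_ips']}")
    except ValueError:
        findings.append(f"source {pkt['src']} is a hostname; rerun tcpdump with -n")
    return findings


def send_test_message(host: str, port: int, protocol: str, message: str) -> None:
    """Send one syslog message so it can be searched for in archives.log.
    Assumption: newline-terminated framing for TCP syslog."""
    data = message.encode()
    if protocol == "udp":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.sendto(data, (host, port))
    else:
        with socket.create_connection((host, port), timeout=5) as s:
            s.sendall(data + b"\n")


if __name__ == "__main__":
    for finding in check_listener(SAMPLE_OSSEC_CONF, SAMPLE_TCPDUMP_LINE):
        print("finding:", finding)
    msg = build_rfc3164("user", "warning", "pfSense", "filterlog", "wazuh-test-message")
    print("test message:", msg)
    # send_test_message("192.168.1.5", 514, "tcp", msg)  # then grep archives.log for the tag
```

Run it as is to see what the posted configuration and capture line imply; to test delivery end to end, uncomment the send call (adjusting host, port and protocol to your manager), then search /var/ossec/logs/archives/archives.log for "wazuh-test-message" with logall enabled.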

Nemo191 Nm

Apr 10, 2024, 4:44:01 AM4/10/24
to Wazuh | Mailing List
Thank you!

On Tuesday, April 9, 2024 at 19:20:16 UTC+3, Cedrick Foko wrote:

Cedrick Foko

Apr 11, 2024, 3:23:10 AM4/11/24
to Wazuh | Mailing List
You're welcome!

Please don't hesitate to ask if you have any other question or require further help.

Nemo191 Nm

Apr 11, 2024, 10:40:16 AM4/11/24
to Wazuh | Mailing List
Ok! Thank you!

On Thursday, April 11, 2024 at 10:23:10 UTC+3, Cedrick Foko wrote: