Wazuh Custom Fields?


Brenno Garcia

Oct 15, 2025, 12:46:25 PM (4 days ago) Oct 15
to Wazuh | Mailing List
Hello, 

My Wazuh monitors some pfSense logs and, for better management, I send these logs to rsyslog, which forwards them to Wazuh.

Wazuh is able to extract the hostname, but the IP is always Wazuh's IP.
Is there some way to create a custom field rule or decoder based on hostname?
Like, if the hostname is pfsense.domain then the IP will be 10.10.10.10?

Bony V John

Oct 16, 2025, 2:32:41 AM (3 days ago) Oct 16
to Wazuh | Mailing List
Hi,

Please allow me some time. I'm working on this and will get back to you with an update as soon as possible.  

Bony V John

Oct 16, 2025, 3:26:40 AM (3 days ago) Oct 16
to Wazuh | Mailing List
Hi,

From your input, I understand that you are sending the pfSense logs to the Wazuh manager via rsyslog, following the flow below:  
pfsense > rsyslog > Wazuh manager (syslog)

In your case, the hostname shown in the alert corresponds to the Wazuh manager’s hostname. Are you referring to the hostname field as the agent.name in the alert?
If so, this is expected behavior when sending logs to the Wazuh manager via syslog. 

Unfortunately, adding a static field to the log or changing its hostname using a decoder or rule is not possible right now.

However, you can try a different approach — by adding a static field to the logs before they are analyzed by the Wazuh manager.
You can refer to a similar discussion on the Wazuh Slack community channel, where this method and its steps are explained.

If you would like to configure it in that way, please share the following details so we can analyze and guide you more accurately:

  • The raw log from pfSense

  • The corresponding alerts.json entry from the Wazuh dashboard related to this alert

  • Any custom decoders or rules you may have created

Additionally, you can check the location field in the alert — it indicates the source from which the syslog was received.
I’ve attached a screenshot of one of my test syslog alerts for your reference.

Screenshot 2025-10-16 124323.png

Brenno Garcia

Oct 16, 2025, 2:26:46 PM (3 days ago) Oct 16
to Wazuh | Mailing List
Hi
The problem is that in my case, the location field is always masked with the IP address of the rsyslog server that receives the pfsense log before sending it to Wazuh, so I don't think it applies to my case.
I could send the pfSense log directly to Wazuh, but the log in archives.log arrives like this:
2025 Oct 16 17:36:28 wazuh->192.168.0.1 1 2025-10-16T14:36:28.194977-03:00 pfsense.domain php-fpm 28726 - - /index.php: Successful login for user 'admin' from: 8.8.8.8 (LDAP/OurAD)

This being the part from pfSense:
1 2025-10-16T14:36:28.194977-03:00 pfsense.domain php-fpm 28726 - - /index.php: Successful login for user 'admin' from: 8.8.8.8 (LDAP/OurAD)

In this case, the location displays the correct IP address, but the log format simply doesn't match the custom decoders I've tried creating. Some even managed to get the user and IP address, but getting the hostname along with the user and IP address never worked.

So, I used rsyslog halfway through to first fix the timestamp and then reinsert the hostname at the end of the log to capture it later.
The log example:
Oct 10 13:44:22 pfsense.domain php-fpm[89645] /index.php: Successful login for user 'admin' from: 8.8.8.8 (LDAP/OurAD) pfsense.domain

The decoder:
<decoder name="pfsense-webconfig-success">
  <program_name>php-fpm</program_name>
  <prematch>Successful login for user</prematch>
  <regex type="pcre2">Successful login for user (\S+) from: (\S+) \([^)]+\) (\S+)$</regex>
  <order>user, srcip, host</order>
</decoder>

The rule alert JSON:
{"timestamp":"2025-10-16T17:35:22.559+0000","rule":{"level":3,"description":"PfSense GUI login successful","id":"883014","firedtimes":1,"mail":false,"groups":["pfsense","authentication"]},"agent":{"id":"000","name":"wazuh.manager"},"manager":{"name":"wazuh.manager"},"id":"1760636122.16434265","full_log":"Oct 16 17:35:22 pfsense.domain php-fpm[20177] /index.php: Successful login for user 'admin' from: 8.8.8.8 (LDAP/OurAD) pfsense.domain","predecoder":{"program_name":"php-fpm","timestamp":"Oct 16 17:35:22","hostname":"pfsense.domain"},"decoder":{"name":"pfsense-webconfig-success"},"data":{"srcip":"8.8.8.8","dstuser":"'admin'","host":"pfsense.domain"},"location":"172.18.0.1"}

But in this case, the location will always be my rsyslog 172.18.0.1 -> docker interface

Bony V John

Oct 17, 2025, 3:00:15 AM (2 days ago) Oct 17
to Wazuh | Mailing List
Hi,

I understand your point. Based on the shared log and decoder, I have replicated the scenario on my end.

If you want to change the location field value to your pfSense IP (instead of your rsyslog server IP), you can achieve this by following the steps below.

In the steps below, we’ll modify the pipeline.json file on the Wazuh manager.
This pipeline is used by Filebeat when indexing alerts into the Wazuh indexer.
We’ll configure it so that if an alert belongs to the pfsense rule group and the current location field value equals 172.18.0.1, the pipeline will change the location field to your pfSense server’s IP or domain name that is configured in the value section.  

Backup the existing pipeline file:
cp /usr/share/filebeat/module/wazuh/alerts/ingest/pipeline.json /tmp/pipeline.json

Edit the pipeline configuration, open the file in your preferred editor:
vi /usr/share/filebeat/module/wazuh/alerts/ingest/pipeline.json

Insert the following processor near the beginning of the `processors` section:
{ "set": {
    "field": "location",
    "value": "pfsense.domain",
    "override": true,
    "if": "def g = ctx?.rule?.groups; (ctx?.location == ' 172.18.0.1') && g != null && ((g instanceof List && g.contains('pfsense')) || (g instanceof String && g == 'pfsense'))"
}},


Your pipeline section should look like this:
{
  "description": "Wazuh alerts pipeline",
  "processors": [
    { "json" : { "field" : "message", "add_to_root": true } },
    { "set": {
       "field": "location",
       "value": "pfsense.domain",
       "override": true,
       "if": "def g = ctx?.rule?.groups; (ctx?.location == ' 172.18.0.1') && g != null && ((g instanceof List && g.contains('pfsense')) || (g instanceof String && g == 'pfsense'))"
     }},
    {
      "set": {
        "field": "data.aws.region",
        "value": "{{data.aws.awsRegion}}",
        "override": false,
        "ignore_failure": true,
        "ignore_empty_value" : true
      }
    },

Save the configuration and apply the pipeline:
filebeat setup --pipelines
systemctl restart filebeat


After applying the configuration, trigger a new event and check the location field in the Wazuh dashboard for the new alert.
It should now display your pfSense domain (or IP) instead of the rsyslog server’s IP.

I’ve tested this configuration on my setup, and it’s working correctly.
Below are the results from my environment for reference:

  • Before configuration: location = 192.168.0.16

Screenshot 2025-10-17 122805.png

  • After configuration: location = pfsense.domain

Screenshot 2025-10-17 122915.png
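An added example, not code from the thread or from Wazuh: a Python model of the two pieces discussed above, the decoder regex applied to constructed sample lines (showing why the rsyslog rewrite that re-appends the hostname is needed for the decoder to match) and the location rewrite the Filebeat set processor performs. The Painless condition is re-expressed in Python, and the helpers decode, build_alert and set_location are hypothetical names; the values pfsense.domain and 172.18.0.1 are the ones from the thread.

```python
import re

# Decoder regex copied from the thread's <regex type="pcre2"> (same syntax in Python's re).
# Note that \S+ keeps the quotes around the user name, which is why data.dstuser is "'admin'".
DECODER_RE = re.compile(r"Successful login for user (\S+) from: (\S+) \([^)]+\) (\S+)$")

# Constructed samples: the raw pfSense line, and the line after rsyslog re-appends the hostname.
RAW_LOG = ("Oct 10 13:44:22 pfsense.domain php-fpm[89645] /index.php: "
           "Successful login for user 'admin' from: 8.8.8.8 (LDAP/OurAD)")
REWRITTEN_LOG = RAW_LOG + " pfsense.domain"

RSYSLOG_IP = "172.18.0.1"            # relay address to be replaced (value from the thread)
PFSENSE_LOCATION = "pfsense.domain"  # replacement value, as in the set processor


def decode(full_log):
    """Apply the decoder's <order>user, srcip, host</order>; Wazuh stores 'user' as data.dstuser."""
    m = DECODER_RE.search(full_log)
    if m is None:
        return None  # e.g. the raw line: no trailing hostname, so the decoder never matches
    user, srcip, host = m.groups()
    return {"dstuser": user, "srcip": srcip, "host": host}


def build_alert(full_log, location=RSYSLOG_IP):
    """Constructed minimal alert shaped like the alerts.json entry in the thread."""
    return {
        "rule": {"id": "883014", "groups": ["pfsense", "authentication"]},
        "full_log": full_log,
        "data": decode(full_log),
        "location": location,
    }


def set_location(alert):
    """Python model of the Filebeat 'set' processor: rewrite location only when the alert is in
    the 'pfsense' rule group and its location is the rsyslog relay. The Painless version
    compares the raw string; this model strips whitespace so stray spacing cannot defeat the match."""
    groups = alert.get("rule", {}).get("groups")
    if isinstance(groups, str):  # the Painless condition also accepts a single string
        groups = [groups]
    loc = alert.get("location")
    if groups and "pfsense" in groups and isinstance(loc, str) and loc.strip() == RSYSLOG_IP:
        alert = dict(alert)
        alert["location"] = PFSENSE_LOCATION
    return alert
```

Alerts outside the pfsense group, or whose location is some other address, pass through unchanged, so the rewrite cannot mislabel events from other syslog senders behind the same relay.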