On the dashboard you will only see the events that trip a rule, that is, events that generate an alert.
From your previous messages we see that the logs from your firewall are reaching the manager, so most likely the issue here is that the received events are either not being decoded correctly or they are not triggering any alerts.
The Wazuh ruleset includes rules and decoders for events coming from pfSense, but it is possible that they don't match exactly with your use case. In that case, new rules and decoders can be added.
To verify this you should do the following:
- Enable the logall_json option in the manager's configuration.
- Restart the manager.
- Allow some time for new logs from the firewall to arrive.
The logall_json option saves all the received events in /var/ossec/logs/archives/archives.json. (When disabled, only the events that generated alerts are saved. After testing you should disable this option, because that file could end up taking too much space.)
- In this file, you should search for your pfSense events and gather the content of the full_log field. This field contains the raw log received by the Wazuh manager.
- You should test these raw logs against Wazuh's ruleset using the wazuh-logtest tool (/var/ossec/bin/wazuh-logtest) to see whether they are being decoded and whether they are tripping any rule.
In the following example, I used the wazuh-logtest tool with one of the pfSense sample logs that come with the ruleset. This event would trigger alert 87701.
:/var/ossec# bin/wazuh-logtest
Starting wazuh-logtest v4.3.9
Type one log per line

Nov 8 12:37:34 pfSense filterlog: 5,,,1000102433,em0,match,block,in,4,0x0,,128,24677,0,none,17,udp,186,10.9.0.119,10.9.0.255,17500,17600,166

**Phase 1: Completed pre-decoding.
    full event: 'Nov 8 12:37:34 pfSense filterlog: 5,,,1000102433,em0,match,block,in,4,0x0,,128,24677,0,none,17,udp,186,10.9.0.119,10.9.0.255,17500,17600,166'
    timestamp: 'Nov 8 12:37:34'
    hostname: 'pfSense'
    program_name: 'filterlog'

**Phase 2: Completed decoding.
    name: 'pf'
    action: 'block'
    dstip: '10.9.0.255'
    dstport: '17600'
    id: '1000102433'
    length: '166'
    protocol: 'udp'
    srcip: '10.9.0.119'
    srcport: '17500'

**Phase 3: Completed filtering (rules).
    id: '87701'
    level: '5'
    description: 'pfSense firewall drop event.'
    groups: '['pfsense', 'firewall_block']'
    firedtimes: '1'
    gpg13: '['4.12']'
    hipaa: '['164.312.a.1']'
    mail: 'False'
    nist_800_53: '['SC.7']'
    pci_dss: '['1.4']'
    tsc: '['CC6.7', 'CC6.8']'
**Alert to be generated.
You should try that with the pfSense logs that you find in the archives.json file, using just the content of the full_log field.
If the logs that you receive are not decoded by the existing decoders, you will need to create a custom decoder. And if the events don't trip any rule, you will need to create custom rules to fit your needs.
You can take a look at the following documents:
Regards!
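As an added example (not part of the reply above or of Wazuh's own tooling), the following Python script automates the middle steps of that procedure: it reads an archives.json excerpt line by line, keeps only the pfSense events, pulls out their full_log values, and writes them one per line so they can be fed to wazuh-logtest. It also splits each filterlog line into the fields the pf decoder reported in Phase 2 of the session above, so you can compare what the decoder produced against what the raw line actually contains. The embedded archives.json lines are constructed for this example (only the first full_log is the ruleset's pfSense sample log); the field order assumed for filterlog is pfSense's documented IPv4 and IPv6 CSV layout, and the program_name check relies on the predecoder object that archives.json carries, which is an assumption about your archive contents.

```python
"""Extract raw pfSense events from archives.json for replay through wazuh-logtest."""
import json
from typing import Dict, Iterator, List, Optional

# Constructed archives.json excerpt (NDJSON, one event per line). The first full_log reuses
# the ruleset's pfSense sample log; the sshd line, the second filterlog line and the
# deliberately malformed third line are made up so the reader has to skip bad input.
SAMPLE_ARCHIVES = """\
{"timestamp":"2022-11-08T12:37:34.000+0000","agent":{"id":"000","name":"wazuh-manager"},"full_log":"Nov 8 12:37:34 pfSense filterlog: 5,,,1000102433,em0,match,block,in,4,0x0,,128,24677,0,none,17,udp,186,10.9.0.119,10.9.0.255,17500,17600,166","predecoder":{"program_name":"filterlog","timestamp":"Nov 8 12:37:34","hostname":"pfSense"},"location":"10.9.0.1"}
{"timestamp":"2022-11-08T12:37:35.000+0000","agent":{"id":"001","name":"web01"},"full_log":"Nov  8 12:37:35 web01 sshd[1234]: Accepted publickey for alice from 10.9.0.50 port 51000 ssh2","predecoder":{"program_name":"sshd","hostname":"web01"},"location":"/var/log/auth.log"}
this line is not JSON and must be skipped
{"timestamp":"2022-11-08T12:37:36.000+0000","agent":{"id":"000","name":"wazuh-manager"},"full_log":"Nov 8 12:37:36 pfSense filterlog: 5,,,1000102433,em0,match,pass,out,4,0x0,,64,0,0,DF,6,tcp,60,10.9.0.10,203.0.113.10,44322,443,0,S,1234567890,,65228,,mss;sackOK;TS;nop;wscale","predecoder":{"program_name":"filterlog","hostname":"pfSense"},"location":"10.9.0.1"}
"""

PFSENSE_PROGRAM = "filterlog"  # program_name the pre-decoder extracts for pfSense firewall events


def iter_events(text: str) -> Iterator[dict]:
    """Yield one event dict per NDJSON line, skipping blank or malformed lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue  # archives.json can contain partial lines while it is being written


def is_pfsense_event(event: dict, hostname: Optional[str] = None) -> bool:
    """Match on the pre-decoded program_name, or on hostname when the caller knows it."""
    pre = event.get("predecoder", {})
    if pre.get("program_name") == PFSENSE_PROGRAM:
        return True
    return hostname is not None and pre.get("hostname") == hostname


def extract_full_logs(text: str, hostname: Optional[str] = None) -> List[str]:
    """Collect the raw full_log strings of pfSense events: exactly what wazuh-logtest expects."""
    return [e["full_log"] for e in iter_events(text)
            if "full_log" in e and is_pfsense_event(e, hostname)]


def parse_filterlog(full_log: str) -> Dict[str, str]:
    """Split a filterlog line into the fields the pf decoder reports.

    Assumed layout (pfSense's documented CSV order): rule,subrule,anchor,tracker,interface,
    reason,action,direction,ipversion, then an IPv4 header (tos,ecn,ttl,id,offset,flags,
    protoid,protocol,length,src,dst) or an IPv6 header (class,flowlabel,hoplimit,protocol,
    protoid,length,src,dst), followed by srcport,dstport,datalen for TCP/UDP.
    """
    _, _, csv = full_log.partition("filterlog: ")
    if not csv:
        raise ValueError("not a filterlog line")
    f = csv.split(",")
    out = {"tracker": f[3], "interface": f[4], "action": f[6],
           "direction": f[7], "ip_version": f[8]}
    if f[8] == "4":
        out["protocol"], out["srcip"], out["dstip"], rest = f[16], f[18], f[19], f[20:]
    elif f[8] == "6":
        out["protocol"], out["srcip"], out["dstip"], rest = f[12], f[15], f[16], f[17:]
    else:
        return out  # unknown IP version: report only the common prefix
    if out["protocol"] in ("tcp", "udp") and len(rest) >= 3:
        out["srcport"], out["dstport"], out["length"] = rest[0], rest[1], rest[2]
    return out


def write_logtest_input(full_logs: List[str], path: str) -> int:
    """Write one raw log per line (the format wazuh-logtest prompts for) and return the count."""
    with open(path, "w", encoding="utf-8") as fh:
        for log in full_logs:
            fh.write(log.replace("\n", " ") + "\n")
    return len(full_logs)


if __name__ == "__main__":
    logs = extract_full_logs(SAMPLE_ARCHIVES)
    for log in logs:
        print(parse_filterlog(log))
    count = write_logtest_input(logs, "pfsense_raw.log")
    print(f"wrote {count} logs; replay with: /var/ossec/bin/wazuh-logtest < pfsense_raw.log")
```

On a real manager, replace SAMPLE_ARCHIVES with the contents of /var/ossec/logs/archives/archives.json and pass your firewall's hostname to extract_full_logs if its events are not pre-decoded with program_name filterlog. Comparing the parse_filterlog output with the Phase 2 fields that wazuh-logtest prints is a quick way to spot a line the stock decoder is not handling, which is the case where a custom decoder is needed.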