syslog with id 000

Jonatan

Feb 26, 2023, 3:35:48 PM
to Wazuh mailing list
Hello team,

I have a pfSense firewall reporting syslog to my Wazuh Server.

These reports come to me with the agent.id 000 (which corresponds to the Wazuh Server) and the agent.name corresponding to the Server.
But the "location" arrives to me with the correct IP of my pfSense.

Through IP, is it possible to send the alerts to a specific group? Or that it appears with the correct agent.id and agent.name?

I have tried to register the agent manually with "manage_agents" assigning ID, name and ip, but it does not work.

Thank you


Abdullah Al Rafi Fahim

Feb 26, 2023, 9:56:40 PM
to Wazuh mailing list
Hello Jonatan,

Thank you for sharing your query with us!

Did you mean adding your pfSense firewall device to an agent group by "send the alerts to a specific group"? If you are receiving remote syslog from your firewall directly on a specific port of the Wazuh Manager as described here, it cannot be considered a specific agent.

As you cannot install and configure the wazuh-agent service on network devices like your pfSense firewall, it cannot be considered an agent with an individual agent name and agent id. However, you can forward your firewall events through a syslog server having Rsyslog and wazuh-agent as described here: Forward syslog events. In that case, the agent name and id of the syslog server will be added to the firewall events and hence can be used for agent grouping.

I hope it helps. Please let us know if you have any further queries here.
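
The two setups described in the reply above, sketched as configuration. This is an added example, not part of the thread or of the documentation it links to; the address 192.0.2.1, UDP port 514, and the paths /etc/rsyslog.d/pfsense.conf and /var/log/pfsense.log are assumptions.

```xml
<!-- Option 1: Wazuh manager, /var/ossec/etc/ossec.conf.
     The manager listens for syslog itself. Events are attributed to the
     manager (agent.id 000); only "location" carries the sender's IP. -->
<ossec_config>
  <remote>
    <connection>syslog</connection>
    <port>514</port>
    <protocol>udp</protocol>
    <!-- Accept syslog only from the firewall (placeholder address). -->
    <allowed-ips>192.0.2.1</allowed-ips>
  </remote>
</ossec_config>

<!-- Option 2: intermediate Linux syslog server running rsyslog and wazuh-agent.
     rsyslog side, /etc/rsyslog.d/pfsense.conf (assumed file name):

       module(load="imudp")
       input(type="imudp" port="514")
       if $fromhost-ip == '192.0.2.1' then {
         action(type="omfile" file="/var/log/pfsense.log")
         stop
       }

     Agent side, /var/ossec/etc/ossec.conf on that same server. The agent
     reads the file, so events carry this agent's name and id and follow
     whatever group the agent belongs to. -->
<ossec_config>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/pfsense.log</location>
  </localfile>
</ossec_config>
```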

Sarah Annou

May 13, 2024, 4:16:32 AM
to Wazuh | Mailing List
Hi WAZUH TEAM,

I am preparing a SOC lab using Wazuh and a pfSense firewall.

I have a question about how I can get the logs from pfSense to Wazuh without using the Wazuh agent (using syslog)?
