syslog pfsense to wazuh


Carlos Celio

Jun 30, 2022, 3:01:33 PM
to Wazuh mailing list
hello,

I'm sending logs from pfSense to Wazuh and they are arriving at the network card, as in the photo, but nothing appears in the Wazuh events. I already changed the logall_json setting to yes. What am I doing wrong?


Version: v4.3.4
[attachment: wazuh3.PNG]

Mauricio Ruben Santillan

Jun 30, 2022, 3:48:04 PM
to Wazuh mailing list
Hello Carlos,

Thanks for using Wazuh!

Although Wazuh includes rules for pfSense, it is very possible that your events are not matching our decoders or rules, so you might need to create some custom decoders and rules for your events.
You can check samples of supported pfSense events in the pfSense decoders file (/var/ossec/ruleset/decoders/0455-pfsense_decoders.xml):
Nov  8 12:37:34 pfSense filterlog: 5,,,1000102433,em0,match,block,in,4,0x0,,128,24677,0,none,17,udp,186,10.9.0.119,10.9.0.255,17500,17600,166
Jan 22 18:34:00 filterlog: 65,,,0,vmx1,match,pass,out,4,0x0,,63,21011,0,none,1,icmp,56,192.168.105.11,192.168.105.1,datalength=36

In any case, I recommend enabling logall_json in your Wazuh manager's configuration. This will make it dump all events into /var/ossec/logs/archives/archives.json.
In this file, search for your pfSense events and gather the content of the full_log field. This field contains the raw log as received by the Wazuh manager. You should test these raw logs against Wazuh's ruleset using the wazuh-logtest-legacy tool (/var/ossec/bin/wazuh-logtest-legacy).

If the log matches correctly, you'll see output similar to this:
root@wazuh-server:/# /var/ossec/bin/wazuh-logtest-legacy
2022/06/30 19:42:39 wazuh-testrule: INFO: Started (pid: 2374).

Since Wazuh v4.1.0 this binary is deprecated. Use wazuh-logtest instead

wazuh-testrule: Type one log per line.

Nov  8 12:37:34 pfSense filterlog: 5,,,1000102433,em0,match,block,in,4,0x0,,128,24677,0,none,17,udp,186,10.9.0.119,10.9.0.255,17500,17600,166


**Phase 1: Completed pre-decoding.
       full event: 'Nov  8 12:37:34 pfSense filterlog: 5,,,1000102433,em0,match,block,in,4,0x0,,128,24677,0,none,17,udp,186,10.9.0.119,10.9.0.255,17500,17600,166'
       timestamp: 'Nov  8 12:37:34'
       hostname: 'pfSense'
       program_name: 'filterlog'
       log: '5,,,1000102433,em0,match,block,in,4,0x0,,128,24677,0,none,17,udp,186,10.9.0.119,10.9.0.255,17500,17600,166'

**Phase 2: Completed decoding.
       decoder: 'pf'
       id: '1000102433'
       action: 'block'
       protocol: 'udp'
       srcip: '10.9.0.119'
       dstip: '10.9.0.255'
       srcport: '17500'
       dstport: '17600'
       length: '166'

**Phase 3: Completed filtering (rules).
       Rule id: '87701'
       Level: '5'
       Description: 'pfSense firewall drop event.'



If there's no match, the "log" field of this output shows you where you need to start creating your decoders.

If you could provide me with some log samples, I can help you with the decoders and rules.

Looking forward to your comments!
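
As an added example (it is not part of this thread and not a Wazuh tool), the following Python script does the archives.json triage described in the reply above: it reads the file line by line, counts what the manager did with each source, and collects the raw full_log of every event that no decoder matched, ready to be pasted into wazuh-logtest. It assumes the archives.json layout where each line is one JSON event with full_log (the raw message), location (for remote syslog, the sender's IP) and decoder.name when a decoder matched, with a rule key only when an alert fired; the sample lines are constructed, not captured from a real manager.

```python
"""Triage archives.json: which syslog events reached the manager, and which no decoder matched.

Added example; it is not part of the mailing-list thread and not a Wazuh tool. It assumes the
archives.json layout where each line is one JSON event carrying "full_log" (the raw message),
"location" (for remote syslog, the sender's IP) and, when a decoder matched, "decoder.name";
"rule" is assumed to be present only when an alert fired. Events without a decoder name are the
ones that need custom decoders, and their full_log values are what you paste into wazuh-logtest.
"""
import json
import sys
from collections import Counter

# Constructed sample of archives.json lines (not captured from a real manager).
SAMPLE_ARCHIVES = "\n".join(json.dumps(ev) for ev in [
    {   # pfSense web GUI login: reached the manager, but no decoder matched and no rule fired
        "timestamp": "2022-07-01T14:55:56.000-0300",
        "agent": {"id": "000", "name": "wazuh-server"},
        "manager": {"name": "wazuh-server"},
        "location": "192.168.1.1",
        "full_log": "Jul  1 14:55:56 php-fpm[66104]: /index.php: Successful login for user "
                    "'carlos.graca' from: 11.11.11.124 (LDAP/OpenLDAP)",
    },
    {   # pfSense filterlog line in the format the stock 'pf' decoder understands: decoded and alerted
        "timestamp": "2022-07-01T14:56:02.000-0300",
        "agent": {"id": "000", "name": "wazuh-server"},
        "manager": {"name": "wazuh-server"},
        "location": "192.168.1.1",
        "decoder": {"name": "pf"},
        "rule": {"id": "87701", "level": 5, "description": "pfSense firewall drop event."},
        "full_log": "Nov  8 12:37:34 pfSense filterlog: 5,,,1000102433,em0,match,block,in,4,0x0,,128,"
                    "24677,0,none,17,udp,186,10.9.0.119,10.9.0.255,17500,17600,166",
    },
    {   # local manager log: decoded by sshd, no alert, so (assumed layout) no "rule" key
        "timestamp": "2022-07-01T14:56:10.000-0300",
        "agent": {"id": "000", "name": "wazuh-server"},
        "manager": {"name": "wazuh-server"},
        "location": "/var/log/auth.log",
        "decoder": {"name": "sshd"},
        "full_log": "Jul  1 14:56:10 wazuh-server sshd[2210]: Connection closed by 10.0.0.7 port 50112",
    },
])


def iter_events(text):
    """Yield one parsed event per line, skipping blank or truncated lines.

    archives.json is appended while the manager runs, so a half-written last line is normal.
    """
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            print(f"skipping unparsable line {lineno}", file=sys.stderr)


def decoder_name(event):
    """Decoder that matched the event, or '<none>' when the decoder object is missing or empty."""
    return (event.get("decoder") or {}).get("name") or "<none>"


def undecoded_full_logs(text, location=None):
    """Distinct raw messages that no decoder matched, optionally only from one syslog sender.

    These are the lines to feed to wazuh-logtest before writing a custom decoder.
    """
    seen = []
    for ev in iter_events(text):
        if location is not None and ev.get("location") != location:
            continue
        raw = ev.get("full_log")
        if raw and decoder_name(ev) == "<none>" and raw not in seen:
            seen.append(raw)
    return seen


def summarize(text):
    """Count events per (location, decoder, alerted) so each source's fate is visible at a glance."""
    counts = Counter()
    for ev in iter_events(text):
        counts[(ev.get("location", "?"), decoder_name(ev), "rule" in ev)] += 1
    return counts


if __name__ == "__main__":
    # Usage: python triage_archives.py /var/ossec/logs/archives/archives.json [sender-ip]
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_ARCHIVES
    sender = sys.argv[2] if len(sys.argv) > 2 else None
    for (loc, dec, alerted), n in sorted(summarize(text).items()):
        print(f"{loc:20} decoder={dec:10} alert={'yes' if alerted else 'no':3} events={n}")
    print("\n# No decoder matched these; paste them into /var/ossec/bin/wazuh-logtest one per line:")
    for raw in undecoded_full_logs(text, sender):
        print(raw)
```

If the summary shows no events at all for the pfSense IP, the problem is upstream of decoding (the manager is not ingesting the syslog traffic); if events appear with decoder `<none>`, the custom decoder work described in this thread is what is needed.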

Carlos Celio

Jul 1, 2022, 12:35:41 PM
to Wazuh mailing list
OK, thanks for the help.
I already enabled logall_json in my Wazuh manager's configuration and now I have the logs in archives.json, but nothing appears from pfSense.
But I can see the pfSense packets arriving on Wazuh port 514 with tcpdump, as you can see in the attached image.
Sorry for the lack of experience, but what test should I do next?

Carlos Celio

Jul 1, 2022, 2:11:03 PM
to Wazuh mailing list
Log from pfSense:
Jul  1 14:55:56 php-fpm[66104]: /index.php: Successful login for user 'my user' from: 11.11.11.124 (LDAP/OpenLDAP)

Carlos Celio

Jul 1, 2022, 2:47:48 PM
to Wazuh mailing list

I'm doing it this way:
/var/ossec/etc/decoders/local_decoder.xml

<decoder name="php-fpm">
  <program_name>^php-fpm</program_name>
</decoder>

<decoder name="php-fpm">
  <parent>php-fpm</parent>
  <regex>Successful login for user '(\w+)' from: '(\d+.\d+.\d+.\d+)' (LDAP/OpenLDAP)</regex>
  <order>user, srcip</order>
</decoder>


/var/ossec/etc/rules/local_rules.xml

<rule id="100010" level="0">
  <program_name>php-fpm</program_name>
  <description>User logged PFsense</description>
</rule>

But I am having a problem using wazuh-logtest:
Type one log per line

Jul  1 14:55:56 php-fpm[66104]: /index.php: Successful login for user 'carlos.graca' from: 11.11.11.124 (LDAP/OpenLDAP)

**Phase 1: Completed pre-decoding.
        full event: 'Jul  1 14:55:56 php-fpm[66104]: /index.php: Successful login for user 'carlos.graca' from: 11.11.11.124 (LDAP/OpenLDAP)'
        timestamp: 'Jul  1 14:55:56'
        hostname: 'php-fpm[66104]:'

**Phase 2: Completed decoding.
        No decoder matched.

Mauricio Ruben Santillan

Jul 2, 2022, 8:31:33 AM
to Wazuh mailing list
Hello Carlos,

According to your logtest results, and as previously mentioned, your events are not matching any Wazuh decoder. They don't have the same format as the ones shown in my comment, so no rule triggers and no alert is shown in the Wazuh GUI. You'll need to create custom decoders and rules.

As commented before, by running /var/ossec/bin/wazuh-logtest-legacy instead of /var/ossec/bin/wazuh-logtest you'll see output like this one:

Jul  1 14:55:56 php-fpm[66104]: /index.php: Successful login for user 'carlos.graca' from: 11.11.11.124 (LDAP/OpenLDAP)

**Phase 1: Completed pre-decoding.
       full event: 'Jul  1 14:55:56 php-fpm[66104]: /index.php: Successful login for user 'carlos.graca' from: 11.11.11.124 (LDAP/OpenLDAP)'
       timestamp: 'Jul  1 14:55:56'
       hostname: 'localhost'
       program_name: '(null)'
       log: 'php-fpm[66104]: /index.php: Successful login for user 'carlos.graca' from: 11.11.11.124 (LDAP/OpenLDAP)'


**Phase 2: Completed decoding.
       No decoder matched.


Here you can see the log field, which shows where you need to start creating your decoders. Notice that the timestamp is already decoded, so you don't need to decode it.

Try adding the following decoders to your manager's /var/ossec/etc/decoders/local_decoder.xml:
<decoder name="pfsense-custom">
    <prematch>php-fpm</prematch>
</decoder>

<decoder name="pfsense-custom">
    <parent>pfsense-custom</parent>
    <regex>(\w+)[\d+]: \.+:(\.+)</regex>
    <order>hostname, description</order>
</decoder>


And the following rule to your manager's /var/ossec/etc/rules/local_rules.xml:
<group name="pfsense-custom">
  <rule id="100170" level="5">
    <decoded_as>pfsense-custom</decoded_as>
    <description>PFsense alert: $(description)</description>
  </rule>
</group>



With them I got the following result:
Jul  1 14:55:56 php-fpm[66104]: /index.php: Successful login for user 'carlos.graca' from: 11.11.11.124 (LDAP/OpenLDAP)

**Phase 1: Completed pre-decoding.
       full event: 'Jul  1 14:55:56 php-fpm[66104]: /index.php: Successful login for user 'carlos.graca' from: 11.11.11.124 (LDAP/OpenLDAP)'
       timestamp: 'Jul  1 14:55:56'
       hostname: 'localhost'
       program_name: '(null)'
       log: 'php-fpm[66104]: /index.php: Successful login for user 'carlos.graca' from: 11.11.11.124 (LDAP/OpenLDAP)'

**Phase 2: Completed decoding.
       decoder: 'pfsense-custom'
       hostname: 'php-fpm'
       description: ' Successful login for user 'carlos.graca' from: 11.11.11.124 (LDAP/OpenLDAP)'


**Phase 3: Completed filtering (rules).
       Rule id: '100170'
       Level: '5'
       Description: 'PFsense alert:  Successful login for user 'carlos.graca' from: 11.11.11.124 (LDAP/OpenLDAP)'
**Alert to be generated.



Carlos Celio

Jul 2, 2022, 10:29:53 AM
to Wazuh mailing list
Oh, thanks man,
I did everything, but it still doesn't appear in archives.json or Wazuh.

Carlos Celio

Jul 2, 2022, 10:43:44 AM
to Wazuh mailing list
Can you tell me what else I can try?

Mauricio Ruben Santillan

Jul 2, 2022, 3:43:35 PM
to Wazuh mailing list
Hello Carlos,

Did you add the necessary remote module for syslog ingestion as explained here?

Without it Wazuh won't capture syslog traffic.

Let me know.
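
The point above is the one that resolved the thread: tcpdump showing packets on 514/udp proves nothing about ingestion, because wazuh-remoted only reads syslog when ossec.conf contains a <remote> block with <connection>syslog</connection>. As an added example (not from the thread and not Wazuh's own code), the following Python script checks an ossec.conf for such a listener and tells you whether a given pfSense sender would be accepted. It assumes the documented <remote> layout (connection, port, protocol, allowed-ips, the last one accepting a single address or a CIDR range) and the fact that ossec.conf may contain several top-level <ossec_config> elements, so it is not a single-root XML document and has to be wrapped before parsing. The two configuration fragments are constructed samples: one with the syslog listener, one with only the agent listener on 1514.

```python
"""Does this ossec.conf actually listen for syslog from the pfSense box?

Added example; not part of the mailing-list thread and not Wazuh's own code. It assumes the
documented <remote> block layout (<connection>, <port>, <protocol>, <allowed-ips>) and wraps
the file in a synthetic root because ossec.conf may hold several top-level <ossec_config>
elements, which a strict XML parser would otherwise reject.
"""
import ipaddress
import sys
import xml.etree.ElementTree as ET

# Constructed sample: manager configured the way the thread needed (syslog listener + logall_json).
CONF_WITH_SYSLOG = """
<ossec_config>
  <global>
    <logall_json>yes</logall_json>
  </global>
  <remote>
    <connection>secure</connection>
    <port>1514</port>
    <protocol>tcp</protocol>
  </remote>
</ossec_config>
<ossec_config>
  <remote>
    <connection>syslog</connection>
    <port>514</port>
    <protocol>udp</protocol>
    <allowed-ips>192.168.1.1</allowed-ips>
  </remote>
</ossec_config>
"""

# Constructed sample: only the agent listener. Packets still arrive on 514 (tcpdump sees them),
# but nothing reads them, so archives.json never shows the pfSense events.
CONF_WITHOUT_SYSLOG = """
<ossec_config>
  <global>
    <logall_json>yes</logall_json>
  </global>
  <remote>
    <connection>secure</connection>
    <port>1514</port>
    <protocol>tcp</protocol>
  </remote>
</ossec_config>
"""


def parse_conf(text):
    """Parse ossec.conf text; the synthetic <root> makes multiple <ossec_config> blocks legal XML."""
    return ET.fromstring("<root>" + text + "</root>")


def syslog_listeners(text):
    """Return [(port, protocol, [allowed-ips...])] for every syslog <remote> block found."""
    found = []
    for remote in parse_conf(text).iter("remote"):
        if (remote.findtext("connection") or "").strip() != "syslog":
            continue
        port = (remote.findtext("port") or "514").strip()            # Wazuh default for syslog
        proto = (remote.findtext("protocol") or "udp").strip().lower()  # Wazuh default for syslog
        ips = [ip.text.strip() for ip in remote.findall("allowed-ips") if ip.text and ip.text.strip()]
        found.append((port, proto, ips))
    return found


def _covers(entry, sender_ip):
    """True if sender_ip is inside an <allowed-ips> entry (single address or CIDR range)."""
    try:
        return ipaddress.ip_address(sender_ip) in ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return False


def check_sender(text, sender_ip):
    """Explain, in one line, whether syslog from sender_ip would be read by wazuh-remoted."""
    listeners = syslog_listeners(text)
    if not listeners:
        return "no <remote> block with <connection>syslog</connection>: syslog is never read"
    for port, proto, ips in listeners:
        if not ips:
            return f"listener on {port}/{proto} has no <allowed-ips>, so no sender is permitted"
        if any(_covers(entry, sender_ip) for entry in ips):
            return f"accepted on {port}/{proto}"
    return f"listener present but {sender_ip} is not in any <allowed-ips>"


if __name__ == "__main__":
    # Usage: python check_syslog_remote.py /var/ossec/etc/ossec.conf <pfsense-ip>
    if len(sys.argv) == 3:
        print(check_sender(open(sys.argv[1], encoding="utf-8").read(), sys.argv[2]))
    else:
        for label, conf in (("with syslog", CONF_WITH_SYSLOG), ("without syslog", CONF_WITHOUT_SYSLOG)):
            print(f"{label:15} -> {check_sender(conf, '192.168.1.1')}")
```

Two practical caveats when reading the result: the port and protocol must match what pfSense was told to send (its default is UDP 514), and a configuration change only takes effect after the manager is restarted, at which point the listener should appear as a UDP socket on the configured port.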

Carlos Celio

Jul 3, 2022, 6:47:33 PM
to Wazuh mailing list
Hello man,

I do not know how to thank you. Now it's working.

Mauricio Ruben Santillan

Jul 6, 2022, 12:46:28 PM
to Carlos Celio, Wazuh mailing list
That is awesome news! I'm glad it worked!

--
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/019f1ca8-d2f8-4ee1-a4a2-a9f0f7a5d83bn%40googlegroups.com.


--
Mauricio Santillan
IT Security Engineer - Ops Support Division 3 DRI
Wazuh - The Open Source Security Platform