
I am attempting to centralize logs from different systems.

I installed the Elastic Stack (Elasticsearch, Logstash, Kibana) and WAZUH OSSEC on one server (named elk).

I have installed the OSSEC agent on three Ubuntu servers and I am able to check logs and file integrity.

However, how could I also get logs from a pfSense? I tried installing the OSSEC agent by compiling it, but it is not so easy... I was thinking of doing it via remote syslog, but it doesn't seem to be working...

On the pfSense interface -> Status -> System Logs -> Settings I put the address and port of my elk in the remote log server field, and I added this in /var/ossec/etc/ossec.conf of elk:

<remote>
    <connection>syslog</connection>
    <port>514</port>
    <protocol>udp</protocol>
    <allowed-ips>192.168.2.0/24</allowed-ips>
    <local_ip>192.168.2.4</local_ip>
</remote>

But I don't get any logs of my pfSense when I visualize them with Kibana... Do you know how to make it work?

2 Answers


Try running tcpdump to actually confirm you have traffic coming from your pfSense device. For example you could run something like:

tcpdump -nni eth0 port 514 -s 0 -AA 

That will show you the packet header and payload.

Try also checking that ossec-remoted process is listening for incoming traffic. You can do it by running:

netstat -nap | grep 514

In addition, as another option that I personally like, you can use (on the Wazuh server) Rsyslog daemon to collect Syslog data and dump it into a file.

Then you can configure the Wazuh server logcollector component to read that log file, so it is also processed by Wazuh and the analysis engine.

A good tool to monitor if Rsyslog is writing to the file and if ossec-logcollector component is reading it is running lsof. Example:

lsof /var/log/your_syslog_file.log

To use Rsyslog you will need to configure it to listen for remote data, and a rule to write logs to the file. An example of a rule would be:

if ($fromhost == '192.168.98.1') and ($msg contains 'pfSense') then -/var/log/your_syslog_file.log

If you go this way, to avoid conflict, remember to disable ossec-remote sysl

  • Thank you for your answer. I am able to see traffic coming from pfSense via tcpdump... The format of the pfSense logs and other logs coming from other devices (auth.log for example) are slightly different... May it be the problem? Does elk know how to parse it?
    – eli0T
    Commented Apr 27, 2018 at 8:21
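For the Rsyslog route described in the first answer, here is an added example (not from the original answer) of a drop-in rule file that listens on 514/udp and writes only the pfSense lines to a dedicated file for the Wazuh logcollector to read. The pfSense address 192.168.98.1 is the one used in the answer; the paths /etc/rsyslog.d/10-pfsense.conf and /var/log/pfsense.log are assumed names.

```rsyslog
# /etc/rsyslog.d/10-pfsense.conf  (assumed path; added example, not from the original answer)
# Named 10-* so it is processed before 50-default.conf on Debian/Ubuntu.
# Remove the <remote> syslog block from ossec.conf first, otherwise ossec-remoted
# and rsyslog both try to bind 514/udp and one of them silently loses.

# Enable the UDP listener; pfSense sends plain UDP syslog by default.
module(load="imudp")
input(type="imudp" port="514")

# Match on the sender's IP rather than $fromhost: $fromhost is the reverse-DNS
# name of the sender, so a missing PTR record makes a hostname-based rule never match.
# 192.168.98.1 is the pfSense address used in the answer; /var/log/pfsense.log is an assumed name.
if ($fromhost-ip == '192.168.98.1') then {
    action(type="omfile" file="/var/log/pfsense.log")
    # Stop here so the pfSense lines are not duplicated into /var/log/syslog.
    stop
}
```

Restart rsyslog, confirm with lsof /var/log/pfsense.log as above, then add a <localfile> entry to ossec.conf with <log_format>syslog</log_format> and <location>/var/log/pfsense.log</location> and restart the Wazuh manager.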

Now, installing the Wazuh agent on pfSense is much easier: just enable the FreeBSD package repositories by setting enabled to yes in these two files: /usr/local/etc/pkg/repos/pfSense.conf and /usr/local/etc/pkg/repos/FreeBSD.conf.

Then execute the following commands:

# Update the package cache
pkg update

# Search the package cache for the Wazuh agent
pkg search wazuh-agent

# Install the agent
# Replace v with your version number
pkg install wazuh-agent-v

Now you can configure the agent and change its state using the service wazuh-agent command.
