In this guide, you will learn how to install Wazuh agent on pfSense. pfSense is the world’s most trusted opensource firewall which also doubles up as an opensource router. On the other hand, Wazuh is a free, open source and enterprise-ready security monitoring solution for threat detection, integrity monitoring, incident response and compliance. Wazuh agents are used to collect log and event data from the remote end points that are being monitored and ship to the Wazuh server which then analyzes the event data and triggers alerts when threats or anomalies are detected.
Table of Contents
Install Wazuh Agent on pfSense
Note
This guide has been tested against pfSense 2.7.2 (based on FreeBSD 14.0-CURRENT) and Wazuh Manager 4.13.1
Install and Setup Wazuh Server Manager
Ensure that you have Wazuh manager up and running before you can proceed.
We have covered installation and setup of Wazuh manager server on various systems in our previous guides.
How to Install Wazuh Manager on Linux
Once the server is up and running, you can proceed to install the agent on pfSense.
Install Wazuh Agent on pfSense
Well, it is good to note that pfSense software is based on FreeBSD OS.
In my demo environment, we are running pfSense 2.8.1;
You can confirm from the command line;
cat /etc/versionSample output;
2.7.2-RELEASEOr from the pfSense dashboard;
As you can see, we have pfSense 2.7.2 based on FreeBSD 14.0-CURRENT.
Enable the use of FreeBSD Official Repositories on pfSense
Wazuh packages are not available on the official pfSense repositories. Thus the only way we can install Wazuh agent is via the use of official FreeBSD repos.
Note:
Installing software/packages from FreeBSD repositories on pfSense can easily brick your system. This method is neither supported nor recommended by Netgate. Thus, if you have decided to proceed in this manner, then take utmost caution. We cannot be held responsible for whatever happens to your system.
To enable the use of FreeBSD repositories on pfSense, login via SSH and open the SHELL. Then:
- Edit the file
/usr/local/etc/pkg/repos/FreeBSD.conf:
and change the line:vi /usr/local/etc/pkg/repos/FreeBSD.conf
to:FreeBSD: { enabled: no }FreeBSD: { enabled: yes }
- Edit the file /usr/local/etc/pfSense/pkg/repos/pfSense-repo-2.7.2.conf:
and change the line:vi /usr/local/etc/pfSense/pkg/repos/pfSense-repo-2.7.2.conf
to:FreeBSD: { enabled: no }FreeBSD: { enabled: yes }
Run Package Repository Catalogues Update
Once you have enabled the FreeBSD repositories, run the command below to updates package repository catalogues;
pkg updateWhen prompted, you can ignore the version mismatch and proceed.
Sample output;
Updating FreeBSD repository catalogue...
Fetching meta.conf: 100% 179 B 0.2kB/s 00:01
Fetching data.pkg: 100% 10 MiB 10.6MB/s 00:01
Processing entries: 0%
Newer FreeBSD version for package zxing-cpp:
To ignore this error set IGNORE_OSVERSION=yes
- package: 1500066
- running kernel: 1500029
Ignore the mismatch and continue? [y/N]: y
Processing entries: 100%
FreeBSD repository update completed. 36500 packages processed.
Updating pfSense-core repository catalogue...
Fetching meta.conf: 0%
Fetching data.pkg: 0%
pfSense-core repository is up to date.
Updating pfSense repository catalogue...
Fetching meta.conf: 0%
Fetching data.pkg: 0%
pfSense repository is up to date.
All repositories are up to date.
Check Available Wazuh Agent from FreeBSD Repos
As of this writing, Wazuh 4.13.1 is the current stable release version. Thus run the command below to check what version is provided by the official FreeBSD repositories;
pkg search wazuh-agentSample output;
wazuh-agent-4.12.0 Security tool to monitor and check logs and intrusions (agent)Unfortunately, the available version is a little bit lower than our current version of the Wazuh-manager.
We are also running Wazuh Manager 4.13.1!
/var/ossec/bin/wazuh-control infoWAZUH_VERSION="v4.13.1"
WAZUH_REVISION="rc1"
WAZUH_TYPE="server"Installing a version of Wazuh-agent that is a lower than the manager is supported by Wazuh, as documentation mentions:
Note:
Compatibility between the Wazuh agent and the Wazuh manager is guaranteed when the Wazuh manager version is later than or equal to that of the Wazuh agent.
Install Wazuh Agent on pfSense
You can now install Wazuh agent package as follows;
pkg install wazuh-agentIf prompted, ignore the version issue and proceed with installation.
Sample installation output;
...
=====
Message from wazuh-agent-4.12.0:
--
Wazuh Agent was installed
1) Copy /etc/locatime to /var/ossec/etc directory
# cp /etc/localtime /var/ossec/etc
2) You must edit /var/ossec/etc/ossec.conf.sample for your setup and rename/copy
it to ossec.conf
Take a look wazuh configuration at the following url:
https://documentation.wazuh.com/current/user-manual/index.html
3) Move /var/ossec/etc/client.keys.sample to /var/ossec/etc/client.keys. This
file is used to store agent credentials
# mv /var/ossec/etc/client.keys.sample /var/ossec/etc/client.keys
4) You can find additional useful files installed at
# /var/ossec/packages_files/agent_installation_scripts
5) FreeBSD SCA files are installed by default to the following directory:
# /var/ossec/packages_files/agent_installation_scripts/sca/freebsd
For more information about FreeBSD SCA updates take a look at:
https://github.com/alonsobsd/wazuh-freebsd
6) Add Wazuh agent to /etc/rc.conf
# sysrc wazuh_agent_enable="YES"
or
# service wazuh-agent enable
7) Start Wazuh agent
# service wazuh-agent start
8) Enjoy it ;)Configure Wazuh Agent on pfSense
The installation summary gives additional steps on how to finalize Wazuh agent setup on pfSense.
As suggested;
- Copy /etc/locatime to /var/ossec/etc directory:
cp /etc/localtime /var/ossec/etc - Rename the sample Wazuh agent configuration file,
/var/ossec/etc/ossec.conf.sampleto/var/ossec/etc/ossec.conf:cp /var/ossec/etc/ossec.conf{.sample,} - Move /var/ossec/etc/client.keys.sample to /var/ossec/etc/client.keys. This file is used to store agent credentials:
mv /var/ossec/etc/client.keys{.sample,} - Edit the Wazuh agent config file and set the Wazuh manager IP:
Change the section;vi /var/ossec/etc/ossec.conf
to (Set your respective Wazuh manager IP):<server>
<address>IP</address>
Similarly, change the connection protocol to UDP. Wazuh server service for agent connection listens on TCP port 1514 by default.<server>
<address>192.168.233.96</address>
From:
To:<protocol>udp</protocol><protocol>tcp</protocol> - Add extract pfSense logs to monitor.
In my demo setup, apart from the default log files monitored by Wazuh;
I will add some more log files to be monitored:<!-- Log analysis -->
<localfile>
<log_format>syslog</log_format>
<location>/var/ossec/logs/active-responses.log</location>
</localfile>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/messages</location>
</localfile>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/auth.log</location>
</localfile>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/syslog</location>
</localfile>
<localfile>
<log_format>command</log_format>
<command>df -P</command>
<frequency>360</frequency>
</localfile>
<localfile>
<log_format>full_command</log_format>
<command>netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort</command>
<frequency>360</frequency>
</localfile>
<localfile>
<log_format>full_command</log_format>
<command>last -n 5</command>
<frequency>360</frequency>
</localfile>
Such that the configuration will now include these additional log files:/var/log/openvpn.log
/var/log/system.log
/var/log/gateways.log
/var/log/userlog
Save and exit the configuration file.<localfile>
<log_format>syslog</log_format>
<location>/var/log/openvpn.log</location>
</localfile>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/system.log</location>
</localfile>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/gateways.log</location>
</localfile>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/userlog</location>
</localfile> - Enable to run on boot and start Wazuh agent;
Then start it:sysrc wazuh_agent_enable="YES"
Or:/var/ossec/bin/wazuh-control start
Sample output;service wazuh-agent start
You can check the logs file if any issue;Starting Wazuh v4.12.0...
wazuh-execd already running...
wazuh-agentd already running...
wazuh-syscheckd already running...
wazuh-logcollector already running...
wazuh-modulesd already running...
Completed.
Sample logs:tail -f /var/ossec/logs/ossec.log2025/10/14 20:56:41 wazuh-execd: INFO: (1314): Shutdown received. Deleting responses.
2025/10/14 20:56:41 wazuh-execd: INFO: (1225): SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
2025/10/14 20:56:42 wazuh-execd: INFO: Started (pid: 81545).
2025/10/14 20:56:42 wazuh-agentd: INFO: (1410): Reading authentication keys file.
2025/10/14 20:56:42 wazuh-agentd: INFO: Using notify time: 10 and max time to reconnect: 60
2025/10/14 20:56:42 wazuh-agentd: INFO: Version detected -> FreeBSD |pfSense.kifarunix.com |14.0-CURRENT |FreeBSD 14.0-CURRENT amd64 1400094 #1 RELENG_2_7_2-n255948-8d2b56da39c: Wed Dec 6 20:45:47 UTC 2023 root@freebsd:/var/jenkins/workspace/pfSense-CE-snapshots-2_7_2-main/obj/amd64/StdASW5b/var/jenkins/workspace/pfSense-CE-snapshots-2_7_2-main/sources/F |amd64 [BSD|bsd: 14.0] - Wazuh v4.12.0
2025/10/14 20:56:42 wazuh-agentd: INFO: Started (pid: 82792).
2025/10/14 20:56:42 wazuh-agentd: INFO: Using AES as encryption method.
2025/10/14 20:56:42 wazuh-agentd: INFO: Trying to connect to server ([192.168.233.96]:1514/tcp).
2025/10/14 20:56:42 wazuh-agentd: INFO: (4102): Connected to the server ([192.168.233.96]:1514/tcp).
2025/10/14 20:56:43 wazuh-syscheckd: WARNING: The check_unixaudit option is deprecated in favor of the SCA module.
2025/10/14 20:56:43 wazuh-syscheckd: INFO: Started (pid: 87657).
2025/10/14 20:56:43 wazuh-syscheckd: INFO: (6003): Monitoring path: '/bin', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'.
2025/10/14 20:56:43 wazuh-syscheckd: INFO: (6003): Monitoring path: '/boot', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'.
2025/10/14 20:56:43 wazuh-syscheckd: INFO: (6003): Monitoring path: '/etc', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'.
2025/10/14 20:56:43 wazuh-syscheckd: INFO: (6003): Monitoring path: '/sbin', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'.
2025/10/14 20:56:43 wazuh-syscheckd: INFO: (6003): Monitoring path: '/usr/bin', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'.
2025/10/14 20:56:43 wazuh-syscheckd: INFO: (6003): Monitoring path: '/usr/sbin', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'.
2025/10/14 20:56:43 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/mtab'
2025/10/14 20:56:43 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/hosts.deny'
2025/10/14 20:56:43 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/mail/statistics'
2025/10/14 20:56:43 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/random-seed'
2025/10/14 20:56:43 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/random.seed'
2025/10/14 20:56:43 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/adjtime'
2025/10/14 20:56:43 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/httpd/logs'
2025/10/14 20:56:43 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/utmpx'
2025/10/14 20:56:43 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/wtmpx'
2025/10/14 20:56:43 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/cups/certs'
2025/10/14 20:56:43 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/dumpdates'
2025/10/14 20:56:43 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/svc/volatile'
2025/10/14 20:56:43 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/sys/kernel/security'
2025/10/14 20:56:43 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/sys/kernel/debug'
2025/10/14 20:56:43 wazuh-syscheckd: INFO: (6207): Ignore 'file' sregex '.log$|.swp$'
2025/10/14 20:56:43 wazuh-syscheckd: INFO: (6004): No diff for file: '/etc/ssl/private.key'
2025/10/14 20:56:43 wazuh-syscheckd: INFO: (6000): Starting daemon...
2025/10/14 20:56:43 wazuh-syscheckd: INFO: (6010): File integrity monitoring scan frequency: 43200 seconds
2025/10/14 20:56:43 wazuh-syscheckd: INFO: (6008): File integrity monitoring scan started.
2025/10/14 20:56:43 rootcheck: INFO: Starting rootcheck scan.
2025/10/14 20:56:43 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/ossec/logs/active-responses.log'.
2025/10/14 20:56:43 wazuh-logcollector: ERROR: (1103): Could not open file '/var/log/messages' due to [(2)-(No such file or directory)].
2025/10/14 20:56:43 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/log/messages'.
2025/10/14 20:56:43 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/log/auth.log'.
2025/10/14 20:56:43 wazuh-logcollector: ERROR: (1103): Could not open file '/var/log/cron' due to [(2)-(No such file or directory)].
2025/10/14 20:56:43 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/log/cron'.
2025/10/14 20:56:43 wazuh-logcollector: ERROR: (1103): Could not open file '/var/log/daemon.log' due to [(2)-(No such file or directory)].
2025/10/14 20:56:43 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/log/daemon.log'.
2025/10/14 20:56:43 wazuh-logcollector: ERROR: (1103): Could not open file '/var/log/debug.log' due to [(2)-(No such file or directory)].
2025/10/14 20:56:43 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/log/debug.log'.
2025/10/14 20:56:43 wazuh-logcollector: WARNING: (1958): Log file '/var/log/userlog' is duplicated.
2025/10/14 20:56:43 wazuh-logcollector: INFO: Monitoring output of command(360): df -P
2025/10/14 20:56:43 wazuh-logcollector: INFO: Monitoring full output of command(360): (netstat -n -f inet && netstat -n -f inet) | grep -e "udp" -e "tcp" | sed 's/\([[:alnum:]]*\)\ *[[:digit:]]*\ *[[:digit:]]*\ *\([[:digit:]\.]*\)\.\([[:digit:]]*\)\ *\([[:digit:]\.]*\).*/\1 \2 == \3 == \4/' | sort -k4 -g | sed 's/ == \(.*\) ==/.\1/'
2025/10/14 20:56:43 wazuh-logcollector: INFO: Monitoring full output of command(360): last -n 5
2025/10/14 20:56:43 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/log/openvpn.log'.
2025/10/14 20:56:43 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/log/system.log'.
2025/10/14 20:56:43 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/log/gateways.log'.
2025/10/14 20:56:43 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/log/userlog'.
2025/10/14 20:56:43 wazuh-logcollector: INFO: Started (pid: 89366).
2025/10/14 20:56:44 rootcheck: ERROR: No unixaudit file: '/var/ossec/etc/shared/cis_freebsd14.yml'
2025/10/14 20:56:44 wazuh-syscheckd: INFO: (6009): File integrity monitoring scan ended.
2025/10/14 20:56:44 wazuh-syscheckd: INFO: FIM sync module started.
2025/10/14 20:56:44 wazuh-modulesd: INFO: Started (pid: 3520).
2025/10/14 20:56:44 wazuh-modulesd:agent-upgrade: INFO: (8153): Module Agent Upgrade started.
2025/10/14 20:56:44 wazuh-modulesd:control: INFO: Starting control thread.
2025/10/14 20:56:44 wazuh-modulesd:oscap: INFO: Module disabled. Exiting...
2025/10/14 20:56:44 wazuh-modulesd:syscollector: INFO: Module started.
2025/10/14 20:56:44 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2025/10/14 20:56:44 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2025/10/14 20:56:52 rootcheck: INFO: Ending rootcheck scan.
Disable the use of FreeBSD Official Repositories on pfSense
You can now disable the use of FreeBSD official repositories on pfSense.
sed -iE '/^FreeBSD/s/yes/no/' /usr/local/etc/pkg/repos/FreeBSD.conf /usr/local/etc/pfSense/pkg/repos/pfSense-repo-2.7.2.confUpdate package catalogue;
pkg clean allpkg updateConfirm pfSense Wazuh Agent Status on Wazuh Manager
Login to Wazuh manager interface and confirm the pfSense agent status;
As you can see, the pfSense Wazuh agent (pfSense.kifarunix.com) is connected to the Wazuh server and is up and running.
You can simulate some activities such as;
- successful or failed logins to the server.
- e.t.c
Now click on the agent to see more details related to events collected from it.
See our sample Threat Hunting dashboard.
Click on Events tab to see more event details;
And that is it on how to install Wazuh agent on pfSense.
Hello I am Inri for 3 days I try to reproduce your tutorial but it does not work
what is the challenge?
Hello, for me, it does not work. Can you help me with your configuration?
Hello, it’s good it works. After doing it again, I saw my mistake. Thank you so much
Great. Glad to hear that
pardon quelle est ta solution? mon agent ne communique pas avec le serveur
Good morning. Please how to configure Wazuh server so that it can perform vulnerability scan of my pfsense router?
Good morning. Please how to configure Wazuh server so that it can perform vulnerability scan of my pfsense router
Hello, my pfsense is unable to update the pkg repository, gives the following error:
pkg: Error extracting the archive: ‘Write error’
pkg: No signature found
I have been googling for a week or so on it and haven’t found any answers up to this point. the FreeBSD.conf file is
FreeBSD: { enabled: yes }
the pfSense.conf file will revert automatically to FreeBSD: {enabled: no } after a few minutes from when i change it. I feel like 2.7.2 may have extra guards against adding BSD packages or my config is messed up for some reason.
To find updates and packages and the catalog you must execute the following commands on the pfSense :
certctl rehash
pkg-static update -f
pkg-static install -fy pkg pfSense-repo pfSense-upgrade
Hello, excellent tutorial! I tried it, but at the last step, the agent pfSense.home.arpa appears on my Wazuh server, but it always shows as ‘never connected’. Every time I try to redo the tutorial, I get the same issue. What could be the problem?”
Hello,
thanks for the tutorial, i got the same issue as Baba, i see pfSense.home.arpa on my summary list on wazuh interface, but “never connected”
does someone got a solution ? thank you 🙂
Ah, let’s check on this and update