Install Wazuh Agent on pfSense

gen_too
|
Last Updated:
|
Monitoring, Elastic Stack, HowTos, Security, Wazuh
|
8 Comments

In this guide, you will learn how to install Wazuh agent on pfSense. pfSense is the world’s most trusted opensource firewall which also doubles up as an opensource router. On the other hand, Wazuh is a free, open source and enterprise-ready security monitoring solution for threat detection, integrity monitoring, incident response and compliance. Wazuh agents are used to collect log and event data from the remote end points that are being monitored and ship to the Wazuh server which then analyzes the event data and triggers alerts when threats or anomalies are detected.

Installing Wazuh Agent on pfSense

Ensure that you have Wazuh manager up and running before you can proceed.

We have covered installation and setup of Wazuh manager server on various systems in our previous guides.

Install and Configure Wazuh Manager on Ubuntu 22.04

Install Wazuh Server on Rocky Linux 8

Install and Setup Wazuh Server in CentOS 8/Fedora 32

Once the server is up and running, you can proceed to install the agent on pfSense.

Well, it is good to note that pfSense software is based on FreeBSD OS.

In my demo environment, we are running pfSense 2.6.0;

You can confirm from the command line;

cat /etc/version

Sample output;

2.6.0-RELEASE

Or from the pfSense dashboard;

Install Wazuh Agent on pfSense

As you can see, we have pfSense 2.6.0 based on FreeBSD 12.3.

Enable the use of FreeBSD Official Repositories on pfSense

Wazuh packages are not available on the official pfSense repositories. Thus the only way we can install Wazuh agent is via the use of official FreeBSD repos.

NOTE: Installing software/packages from FreeBSD repositories on pfSense can easily brick your system. This method is neither supported nor recommended by Netgate. Thus, if you have decided to proceed in this manner, then take utmost caution. We cannot be held responsible for whatever happens to your system.

To enable the use of FreeBSD repositories on pfSense;

  • Edit the file /usr/local/etc/pkg/repos/FreeBSD.conf;
vi /usr/local/etc/pkg/repos/FreeBSD.conf

and change the line;

FreeBSD: { enabled: no  }

to;

FreeBSD: { enabled: yes  }
  • Edit the file /usr/local/etc/pkg/repos/pfSense.conf;
vi /usr/local/etc/pkg/repos/pfSense.conf

and change the line;

FreeBSD: { enabled: no  }

to;

FreeBSD: { enabled: yes  }

Run Package Repository Catalogues Update

Once you have enabled the FreeBSD repositories, run the command below to updates package repository catalogues;

pkg update

Sample output;

Updating FreeBSD repository catalogue...
Fetching meta.conf: 100%    163 B   0.2kB/s    00:01    
Fetching packagesite.pkg: 100%    6 MiB   1.7MB/s    00:04    
Processing entries: 100%
FreeBSD repository update completed. 33014 packages processed.
Updating pfSense-core repository catalogue...
pfSense-core repository is up to date.
Updating pfSense repository catalogue...
pfSense repository is up to date.
All repositories are up to date.

Check Available Wazuh Agent from FreeBSD Repos

As of this writing, Wazuh 4.3.10 is the current stable release version. Thus run the command below to check what version is provided by the official FreeBSD repositories;

pkg search wazuh-agent

Sample output;

wazuh-agent-4.3.10_1           Security tool to monitor and check logs and intrusions (agent)

So we go the latest stable release Wazuh package!

We are also running Wazuh Manager 4.3.10!

/var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.3.10"
WAZUH_REVISION="40323"
WAZUH_TYPE="server"

Installing Wazuh Agent

You can now install Wazuh agent package as follows;

pkg install wazuh-agent

Sample installation command output;

Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
...
...
=====
Message from wazuh-agent-4.3.10_1:

--
Wazuh Agent was installed

1) Copy /etc/locatime to /var/ossec/etc directory

   # cp /etc/localtime /var/ossec/etc

2) You must edit /var/ossec/etc/ossec.conf.sample for your setup and rename/copy
   it to ossec.conf

   Take a look wazuh configuration at the following url:

   https://documentation.wazuh.com/current/user-manual/index.html

3) You can find additional useful files installed at

  # /var/ossec/packages_files/agent_installation_scripts

4) Add Wazuh agent to /etc/rc.conf

  # sysrc wazuh_agent_enable="YES"

5) Start Wazuh agent

  # service wazuh_agent start

6) Enjoy it ;)

The installation summary gives how to finalize Wazuh agent setup on pfSense.

As suggested;

  • Copy /etc/locatime to /var/ossec/etc directory
cp /etc/localtime /var/ossec/etc
  • Rename the sample Wazuh agent configuration file, /var/ossec/etc/ossec.conf.sample to /var/ossec/etc/ossec.conf.
cp /var/ossec/etc/ossec.conf{.sample,}
  • Edit the Wazuh agent config file and set the Wazuh manager IP;
vi /var/ossec/etc/ossec.conf

Change the section;

    <server>
      <address>IP</address>
    </server>

to;

    <server>
      <address>192.168.58.22</address>
    </server>
  • Add extract pfSense logs to monitor;

In my demo setup, apart from the default log files monitored by Wazuh by default;

  <!-- Log analysis -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/ossec/logs/active-responses.log</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/messages</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/auth.log</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/syslog</location>
  </localfile>

  <localfile>
    <log_format>command</log_format>
    <command>df -P</command>
    <frequency>360</frequency>
  </localfile>

  <localfile>
    <log_format>full_command</log_format>
    <command>netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort</command>
    <frequency>360</frequency>
  </localfile>

  <localfile>
    <log_format>full_command</log_format>
    <command>last -n 5</command>
    <frequency>360</frequency>
  </localfile>

I will add some more;

/var/log/openvpn.log
/var/log/system.log
/var/log/gateways.log
/var/log/userlog

As shown below;

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/openvpn.log</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/system.log</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/gateways.log</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/userlog</location>
  </localfile>
  • Enable and start Wazuh agent;
sysrc wazuh_agent_enable="YES"
/var/ossec/bin/wazuh-control start

Sample output;

Starting Wazuh v4.3.10...
Started wazuh-execd...
Started wazuh-agentd...
2022/12/21 20:47:01 wazuh-syscheckd: WARNING: The check_unixaudit option is deprecated in favor of the SCA module.
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.

You can check the logs file if any issue;

tail -f /var/ossec/logs/ossec.log

Disable the use of FreeBSD Official Repositories on pfSense

You can now disable the use of FreeBSD official repositories on pfSense.

sed -iE '/FreeBSD: { enabled: yes  }/s/yes/no/' /usr/local/etc/pkg/repos/FreeBSD.conf
vi /usr/local/etc/pkg/repos/pfSense.conf

and change the line;

FreeBSD: { enabled: yes  }

to;

FreeBSD: { enabled: no  }

Update package catalogue;

pkg clean all
pkg update

Confirm pfSense Wazuh Agent Status on Wazuh Manager

Login to Wazuh manager interface and confirm the pfSense agent status;

Install Wazuh Agent on pfSense

As you can see, the pfSense Wazuh agent (pfSense.home.arpa) is connected to the Wazuh server and is up and running.

You can simulate some activities such as;

  • successful or failed logins to the server.
  • e.t.c

Now click on the agent to see more details related to events collected from it.

Install Wazuh Agent on pfSense

Click on Security Events to see more event details;

Dashboard

pfsense agent events dashboard

Events;

pfsense agent events dashboard raw

And that is it on how to install Wazuh agent on pfSense.

Other Tutorials

Install Wazuh Agent on Rocky Linux 8

Easy Way to Install Wazuh Agents on Ubuntu/Debian

SUPPORT US VIA A VIRTUAL CUP OF COFFEE

We're passionate about sharing our knowledge and experiences with you through our blog. If you appreciate our efforts, consider buying us a virtual coffee. Your support keeps us motivated and enables us to continually improve, ensuring that we can provide you with the best content possible. Thank you for being a coffee-fueled champion of our work!

Photo of author
gen_too
Co-founder of Kifarunix.com, Linux Tips and Tutorials. Linux/Unix admin and author at Kifarunix.com.

Related Posts

Install NoMachine on Ubuntu 24.04/Ubuntu 22.04

Gracefully Remove Worker Node from Kubernetes Cluster

Integrate sysPass with OpenLDAP for Authentication

How to Install Redis on Ubuntu 18.04 LTS

Install ELK Stack on Ubuntu 20.04

Implement OpenLDAP Password Policies

8 thoughts on “Install Wazuh Agent on pfSense”

  3. Good morning. Please how to configure Wazuh server so that it can perform vulnerability scan of my pfsense router?

    Reply

  4. Good morning. Please how to configure Wazuh server so that it can perform vulnerability scan of my pfsense router

    Reply

  5. Hello, my pfsense is unable to update the pkg repository, gives the following error:

    pkg: Error extracting the archive: ‘Write error’
    pkg: No signature found

    I have been googling for a week or so on it and haven’t found any answers up to this point. the FreeBSD.conf file is
    FreeBSD: { enabled: yes }

    the pfSense.conf file will revert automatically to FreeBSD: {enabled: no } after a few minutes from when i change it. I feel like 2.7.2 may have extra guards against adding BSD packages or my config is messed up for some reason.

    Reply

Leave a Comment

© 2024 kifarunix.com

Home Advertise with us Privacy Policy