11. Integrating Wazuh Agent with OPNsense for Enhanced Log Monitoring

In the ever-evolving landscape of cybersecurity, monitoring network logs is crucial for detecting threats and maintaining system integrity. OPNsense, a powerful open-source firewall based on FreeBSD, is widely used for its robust features in network security. Wazuh, an open-source security platform, excels in intrusion detection, log analysis, and compliance monitoring. By installing the Wazuh Agent on OPNsense and integrating it with a Wazuh server, you can centralize logs from your firewall, enabling real-time analysis and alerting.

This guide walks you through the step-by-step process of setting up the Wazuh Agent on OPNsense and configuring it to send logs to your Wazuh server. Whether you're a sysadmin or a security enthusiast, this integration can significantly boost your threat detection capabilities.

Prerequisites

Before diving in, ensure you have the following:

  • An OPNsense firewall running version 25.x or later (tested on OPNsense 25.1).

  • A Wazuh server already deployed (version 4.11.x recommended for compatibility).

  • Root or sudo access to your OPNsense system via SSH or console.

  • Basic knowledge of FreeBSD commands, as OPNsense is FreeBSD-based.

  • Network connectivity between OPNsense and the Wazuh server.

Note: Wazuh Agent for FreeBSD is available, and since OPNsense runs on FreeBSD, we'll use the FreeBSD package.

Step 1: Install the Wazuh Agent on OPNsense

In the OPNsense dashboard, go to System > Firmware > Plugins and install os-wazuh-agent.
The same page is reachable directly at the path /ui/core/firmware#plugins.

Step 2: Configure the Wazuh Agent

The agent needs to know where to send logs, so point it at your Wazuh server.

  • Access the Wazuh Agent Settings

    • Log in to your OPNsense web UI.

    • From the left-hand menu, navigate to Services > Wazuh Agent > Settings.

  • Enable the Wazuh Agent

    • In the General Settings section, check the Enable checkbox to activate the Wazuh Agent.

    • Click the Apply button at the bottom to save the change.

  • Configure Manager Hostname

    • Under Manager hostname, enter the IP address or hostname of your Wazuh server (e.g., 192.168.1.100).

    • Ensure this matches the Wazuh server’s network configuration.

    • Click Apply to save.

  • Select Applications for Log Monitoring

    • In the Applications dropdown, select the log files you want the Wazuh Agent to monitor. Options typically include:

      • audit (auditd)

      • filter (filterlog) (for firewall logs)

      • openvpn (openvpn) (for VPN logs)

    • Check the boxes next to the desired options (e.g., filter for firewall logs).

    • Click Apply to save your selection.

    • Use the Clear All or Select All buttons if needed to adjust your choices.

  • Enable Intrusion Detection Events (Optional)

    • Check the Intrusion detection events checkbox if you want to monitor intrusion-related logs.

    • Click Apply to save.

  • Configure Active Response (Optional)

    • If you need automated responses to security events, enable the Active response option.

    • Configure any additional settings as required (specific configurations may depend on your Wazuh server setup).

    • Click Apply to save.

  • Set Up Enrollment (Optional)

    • If your Wazuh server requires agent enrollment, go to the Enrollment section.

    • Enter the enrollment credentials or key provided by the Wazuh server (obtained via /var/ossec/bin/manage_agents -a on the server).

    • Click Apply to save.

  • Enable Policy Monitoring and Anomaly Detection (Optional)

    • Check the Policy monitoring and anomaly detection box to enable these features.

    • Click Apply to save.

  • Configure System Inventory and File Integrity Monitoring (Optional)

    • Enable System inventory to monitor system details.

    • Enable File integrity monitoring to track changes to critical files.

    • Click Apply to save.

  • Apply and Restart

    • After configuring all desired settings, click the Apply button again to ensure all changes are saved and applied.

    • The Wazuh Agent will automatically restart with the new configuration.

Step 3: Verify Integration on the Wazuh Server

  1. On your Wazuh server, check whether the agent is connected by running /var/ossec/bin/agent_control -l. You should see your OPNsense agent listed with status "Active".

  2. Log into the Wazuh dashboard (usually at https://your-wazuh-server:5601). Navigate to the Agents section to confirm the OPNsense agent is reporting.

  3. Test log forwarding by generating some traffic on OPNsense (e.g., block a ping in the firewall) and check for alerts in Wazuh.
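The status check from step 1 can be scripted. The following POSIX shell helper is an added example (not part of the original article or the Wazuh project): it parses the listing printed by agent_control -l and reports the status of a named agent. The listing embedded below is constructed sample output, and the agent name opnsense-fw is an assumption; substitute the name your OPNsense agent registered with.

```shell
#!/bin/sh
# Added example (not from the article): check an agent's status in agent_control -l output.

# Constructed sample of what /var/ossec/bin/agent_control -l prints on the manager.
SAMPLE_AGENT_LIST='Wazuh agent_control. List of available agents:
   ID: 000, Name: wazuh-manager (server), IP: 127.0.0.1, Active/Local
   ID: 001, Name: opnsense-fw, IP: any, Active
   ID: 002, Name: lab-host, IP: 192.168.1.50, Disconnected'

# agent_status NAME [LISTING]
# Prints the status field (last comma-separated field) of the agent called NAME.
# Uses LISTING when given (offline testing); otherwise runs agent_control on the manager.
# Prints NOT_FOUND when no agent with that exact name is listed.
agent_status() {
  name="$1"
  listing="${2:-$(/var/ossec/bin/agent_control -l)}"
  printf '%s\n' "$listing" \
    | awk -v want="$name" -F', ' '
        /^ *ID: / {
          agent = $2; sub(/^Name: /, "", agent)
          if (agent == want) { print $NF; found = 1; exit }
        }
        END { if (!found) print "NOT_FOUND" }'
}

# agent_is_active NAME [LISTING]
# Exit 0 only when the status is exactly "Active"; Disconnected, Never connected,
# or a missing agent all fail, so this can gate a monitoring check.
agent_is_active() {
  [ "$(agent_status "$1" "$2")" = "Active" ]
}

# Usage on the manager (assumed agent name):
#   agent_is_active opnsense-fw && echo "OPNsense agent is reporting"
```

Run it on the Wazuh server as root, because agent_control lives under /var/ossec and reads the manager's agent database. Matching is on the exact agent name, so a hostname that differs from what was enrolled returns NOT_FOUND rather than a false "Active".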

Optional: Installing custom ossec.conf entries

Why Use Custom Templates?

Editing /var/ossec/etc/ossec.conf directly is not recommended because OPNsense overwrites this file on reboot or during plugin updates. By placing custom configurations in the designated template directory, your settings will persist across reboots and updates.

You can add these in /usr/local/opnsense/service/templates/OPNsense/WazuhAgent/ossec_config.d/. For example, to add a custom JSON feed, create a file there with the following content:

/usr/local/opnsense/service/templates/OPNsense/WazuhAgent/ossec_config.d/099-my-feed.conf

<localfile>
  <log_format>json</log_format>
  <location>/path/to/my/file.json</location>
</localfile>

Troubleshooting Tips

  • Connection Issues: Ensure port 1514/UDP is open between OPNsense and the Wazuh server.

  • Permission Errors: Run commands as root if needed.

  • Log Not Sending: Verify paths in ossec.conf and restart the agent.

  • FreeBSD Compatibility: If using an older OPNsense version, check Wazuh docs for compatible agent versions.

  • For more details, refer to the official Wazuh documentation on FreeBSD agents.
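The "Log Not Sending" tip above and the custom ossec_config.d fragments share one failure mode: a <location> that points at a file the agent cannot find. The following shell helper is an added example (not from the article or the os-wazuh-agent plugin): it extracts every <location> value from an ossec.conf or a template fragment and prints the ones that do not exist on disk, skipping wildcard locations because the agent expands those itself. The file paths used in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example (not from the article): find <location> paths in an ossec.conf
# or an ossec_config.d fragment that do not exist on disk.

# missing_localfile_paths CONFIG_FILE
# Prints one line per <location> value that is absent on disk and returns 1;
# returns 0 and prints nothing when every location exists.
# Locations containing a wildcard (*) are skipped: the agent expands those at
# runtime, so a literal existence test would be a false alarm.
missing_localfile_paths() {
  conf="$1"
  missing=$(
    sed -n 's|.*<location>\(.*\)</location>.*|\1|p' "$conf" \
      | while IFS= read -r path; do
          case "$path" in
            *\**) continue ;;
          esac
          [ -e "$path" ] || printf '%s\n' "$path"
        done
  )
  [ -z "$missing" ] && return 0
  printf '%s\n' "$missing"
  return 1
}

# Usage (assumed paths: the rendered config the agent reads, or one template fragment):
#   missing_localfile_paths /var/ossec/etc/ossec.conf && echo "all localfile paths exist"
#   missing_localfile_paths /usr/local/opnsense/service/templates/OPNsense/WazuhAgent/ossec_config.d/099-my-feed.conf
```

Run it against the rendered /var/ossec/etc/ossec.conf after clicking Apply, since that is the file the agent actually reads; a path that exists in your fragment but is missing in the rendered file means the template was not picked up. Existence is only the first check: the file must also be readable by the user the agent runs as.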

Conclusion

Integrating Wazuh Agent with OPNsense transforms your firewall into a monitored asset, providing centralized log analysis and threat detection. This setup is lightweight and doesn't impact OPNsense's performance significantly. If you encounter any issues or have improvements, share them in the comments!

Written by

FPT Metrodata Indonesia

PT FPT Metrodata Indonesia (FMI) is a joint venture between FPT IS and Metrodata Electronics, focusing on providing Cybersecurity-as-a-Service—including SOC, managed security, professional services, consulting, and threat intelligence—to support Indonesia’s rapidly growing digital economy. FMI is expanding into AI and cloud GPU services to deliver innovative protection and solutions for enterprises. Learn more at https://fmisec.com.