About Wazuh agent plugin


"Wazuh is a free and open-source security platform that unifies XDR and SIEM protection for endpoints and cloud workloads." - from wazuh.com


The plugin is designed to simplify the configuration of the Wazuh agent package, making it easier to connect to the Wazuh Manager and parse events from OPNsense logs.

Cloudfence developed this plugin to provide its customers with active response capabilities. It was created by forking the Cloudfence Agent plugin, which is available exclusively to MSS and OPNsense support subscription customers. However, this plugin is freely available to anyone and does not require a subscription to function properly.

The primary aim of the plugin is to enable active response capabilities in OPNsense by correctly parsing its logs and triggering a script to block the offending IP addresses. While it's possible to achieve this goal using only the Wazuh agent package, doing so requires some manual work, such as writing an active response script and decoders on the manager to ensure it can understand the OPNsense log formats.

Plugin components


The plugin comprises several components that enable log parsing and the use of active response functionality.

Log transformation

The log transformation is our solution for parsing OPNsense's default log format, which Wazuh's default decoders cannot parse. This allows for the configuration of additional alerts and the use of active response actions. The transformations are accomplished by custom syslog-ng configuration files that are included with the plugin.


The default logs are located in the /var/log/wazuhagent directory and include the following:
  • filter.log: Firewall logs from /var/log/filter/
  • lighttpd.log: WebGUI logs from /var/log/lighttpd/
  • sshd.log: SSH daemon logs from /var/log/auditd

In addition to these logs, the plugin also parses the active-response.log file from the /var/ossec/logs directory.

Active Response

Active response capabilities enable a Wazuh agent to respond to configured events on the manager side with a defined action. To accomplish this, a script or program/command is executed on the agent side. However, with the default active response scripts/commands installed by the Wazuh agent package, blocking an offender's IP address in the packet filter without additional customization or configuration is not possible.

The plugin includes a shell script that is written using the new active response standards implemented by Wazuh since version 4.2. This script adds the offender's IP address to the Firewall Alias virusprot every time an active response rule is triggered. This alias is used to simplify the blocking process and avoid creating more firewall rules and aliases on OPNsense. We are considering adding custom rules/aliases in a future release of the plugin.

Since the script is stateful, it removes the block after a set time window, which is defined in the manager configuration.
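To make the stateful behaviour described above concrete, here is an added illustration of how such a script can be structured. It is not the plugin's own script, and it assumes things the page does not state: the Wazuh 4.2+ protocol (one JSON request on stdin, a check_keys message on stdout answered by continue/abort before an add, and a later delete request when the manager's timeout expires), that the block is applied by adding the address to the pf table behind the virusprot alias with pfctl(8), and the log path and JSON field names used below. The PFCTL and LOG_FILE variables exist so the script can be dry-run without touching the firewall.

```shell
#!/bin/sh
# Illustrative stateful Wazuh active-response script for OPNsense (added example,
# NOT the Cloudfence plugin's script). Assumed, not taken from the page:
#  - Wazuh >= 4.2 protocol: one JSON request on stdin; for "add" the script emits a
#    "check_keys" message on stdout and reads a "continue"/"abort" reply before acting.
#  - The block is applied with pfctl(8) on the table behind the "virusprot" alias.
#  - The manager sends a "delete" request for the same IP once <timeout> expires.
#  - PFCTL and LOG_FILE may be overridden (e.g. for dry runs on a non-OPNsense host).

PFCTL="${PFCTL:-pfctl}"
ALIAS="virusprot"
LOG_FILE="${LOG_FILE:-/var/ossec/logs/active-responses.log}"   # assumed log path
SCRIPT_NAME="opnsense-pf"

# Print the JSON text that follows the first occurrence of "key" (nothing if absent).
# Minimal awk-based extraction: a stock OPNsense has no jq, and the request is one line.
json_after() {
    printf '%s\n' "$1" | awk -v k="\"$2\"" '{ i = index($0, k); if (i) print substr($0, i + length(k)) }'
}

# Print the string value of the first "key" in the JSON text (nothing if absent or not a string).
json_str() {
    json_after "$1" "$2" | awk '{ s = $0
        if (sub(/^[[:space:]]*:[[:space:]]*"/, "", s)) { sub(/".*/, "", s); print s } }'
}

# Accept only a plain IPv4 or IPv6 literal so nothing else reaches pfctl's command line.
valid_ip() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$|^[0-9A-Fa-f:.]*:[0-9A-Fa-f:.]*$'
}

# Append "date script action ip rule:<id>" to the active-response log.
log_action() {
    printf '%s %s %s %s rule:%s\n' "$(date '+%Y/%m/%d %H:%M:%S')" "$SCRIPT_NAME" "$1" "$2" "$3" >> "$LOG_FILE"
}

# Add or delete the IP in the alias table; returns 0 only when the table was changed.
apply_action() {
    action=$1; ip=$2; rule_id=$3
    valid_ip "$ip" || return 1
    case "$action" in
        add)    "$PFCTL" -t "$ALIAS" -T add "$ip" >/dev/null 2>&1 || return 1 ;;
        delete) "$PFCTL" -t "$ALIAS" -T delete "$ip" >/dev/null 2>&1 || return 1 ;;
        *)      return 1 ;;
    esac
    log_action "$action" "$ip" "$rule_id"
}

# Handle one manager request from stdin (plus the check_keys round trip for "add").
# Only protocol messages go to stdout; the outcome is recorded in the log and exit status.
process_request() {
    IFS= read -r request || return 1
    command=$(json_str "$request" command)
    alert=$(json_after "$request" alert)
    srcip=$(json_str "$(json_after "$alert" data)" srcip)
    rule_id=$(json_str "$(json_after "$alert" rule)" id)
    [ -n "$srcip" ] || return 1

    if [ "$command" = add ]; then
        # Stateful handshake: the manager answers "continue" unless the key is already active.
        printf '{"version":1,"origin":{"name":"%s","module":"active-response"},"command":"check_keys","parameters":{"keys":["%s"]}}\n' "$SCRIPT_NAME" "$srcip"
        IFS= read -r reply || return 1
        [ "$(json_str "$reply" command)" = continue ] || return 1
    fi
    apply_action "$command" "$srcip" "$rule_id"
}

# Run only when installed under the name the manager invokes (<executable>opnsense-pf</executable>).
case "${0##*/}" in
    "$SCRIPT_NAME") process_request ;;
esac
```

The IP check before the pfctl call matters more than it looks: the srcip value comes straight from a decoded log line, so the script must never hand an unvalidated string to a command line. Keeping stdout reserved for the check_keys message is also deliberate, because the manager reads that stream as part of the protocol.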




Plugin Setup


In order for the agent to function properly, it requires a properly configured and functioning Wazuh Manager. All rules and active response actions will be configured on the manager. You can install and configure the Wazuh manager using the official documentation.

As an official partner of Wazuh, Cloudfence can provide assistance in setting up a Wazuh manager on-premises or in the cloud. Click here to learn more


Installation and Configuration

The plugin is available in the Cloudfence repository. To add and configure it, please refer to this article:
OPNsense - Cloudfence plugins repository. The plugin will automatically add the wazuh-agent package.

After the installation process, we need to configure the Wazuh agent plugin. Following are the configuration steps:


[Image: Configuring Wazuh Agent plugin]

  1. Click on the Enabled option to enable the plugin
  2. Fill the Manager Address with your Wazuh manager hostname/IP address, and the Agent key/Password with the key or password extracted from the Wazuh manager, depending on the manager's auth configuration.
  3. Click on the Apply button to save and apply configuration
  4. If the agent is in the 'pending' status, the above message will be displayed. Clicking on Register agent with Wazuh Manager will attempt to register the agent with the manager. This message will automatically disappear once the registration process is successfully completed.

When the agent is successfully connected, the following message will be displayed:

[Image: Wazuh agent successfully connected to the manager]





Active Response - Configuration


To enable Active Response, the option Active Response must be checked in the Services: Wazuh Agent: General page.


Wazuh Manager

On the manager, the following needs to be configured:


  1. On Wazuh dashboard, go to Management / Configuration: Edit configuration
  2. Add the following after the last <command> block inside the configuration file:



   <command>
     <name>opnsense-pf</name>
     <executable>opnsense-pf</executable>
     <timeout_allowed>yes</timeout_allowed>
   </command>


Next, add an active-response block:


   <active-response>
     <disabled>no</disabled>
     <command>opnsense-pf</command>
     <location>local</location>
     <rules_id>5763</rules_id>
     <timeout>180</timeout>
   </active-response>


This will trigger an active response every time a host attempts an SSH brute-force attack (rule 5763) against the OPNsense firewall with the Wazuh agent plugin installed. The block is lifted after the 180-second timeout.


  3. Click on the Save button and then Restart Manager to apply the configuration.


To test, you can follow this article from the Wazuh official documentation.


If everything worked as expected, the source IP will be displayed in the Wazuh agent plugin widget, and connections from the test host will be blocked by the OPNsense packet filter.



Managing - Blocked IP addresses


If you need to check which IPs were blocked by the Wazuh agent, you can enable the Wazuh Agent widget on the OPNsense dashboard:

[Image: Wazuh Agent plugin widget: adding widget to OPNsense dashboard]


Alternatively, you can go to Firewall: Diagnostics: Aliases and select the virusprot alias to view or manage the blocked IP addresses.


Each time an IP address is blocked, it is logged in the plugin's active response log at Services: Wazuh Agent: Log - Active Responses.

The log format is:

Date Action Source_IP_address Event[rule ID] Mitre_Techniques

[Image: Active Response logs example]


[Image: Wazuh agent plugin widget - Blocked IP address]


Tip: Clicking on the IP address will open an external blacklist query.


Logs


The plugin has two available menus to check logs:

  • Log - Active Responses: displays logs related to active response events
  • Log - Agent: displays logs from the Wazuh agent (ossec.log)

Final Thoughts


The Wazuh Agent plugin for OPNsense is a powerful tool that brings active response capabilities and extended logging to this popular open-source firewall. By leveraging the Wazuh stack solution, you can improve your network security posture and quickly respond to security events.

The plugin provides an easy-to-use interface that allows you to configure the Wazuh Agent settings, view the logs, and monitor the active responses. It also includes a custom script for active response that blocks offenders' IP addresses in the OPNsense packet filter.

Cloudfence is a Wazuh official partner and can provide your company with professional support for both Wazuh and OPNsense. Our experts can help you get the most out of your security solutions and ensure that your network is well-protected. Contact us today to learn more about our services!