Wazuh Agent integration - call for tests

[juliocbc]

Hi!

I've created this small script to put wazuh-agent to work together with OPNsense. It's working well in one of our environments, till now ;-)

Script:
https://github.com/cloudfence/opnsense-wazuh/blob/master/opnsense-ban.sh

The main idea is to ban an offensor IP address that is often is catch by the wazuh's active response feature.

If you are using OPNsense with Wazuh, I invite you to make some tests and let me know if it will work well for you too!

Installation instructions here: https://github.com/cloudfence/opnsense-wazuh/blob/master/README.md

[mimugmail]

Good addition! First I have to build an official port but the wazuh guys doing some unacceptable things in their install.sh

[juliocbc]

Michael,

Great!!! Just waiting your wazuh port.

About the plugin, what about if we work together in it?

[lfirewall1243]

Any news for a Wazuh Port?
Would be an amazing plugin for OPNsense I think.

[peterwkc]

How to install?

[franco]

We may be working on a Wazuh plugin for the community. 


Cheers,
Franco

[thwien]

Thanks a lot for integrating Wazuh agent as an OPNsense plugin at version 23.7.2. I am using Wazuh as SIEM and installed wazuh-agent via CLI, configured Syslog-ng to produce the old standard log format and it works perfectly. Due to this plugin it will be easier to use Wazuh agent on new installed OPNsense firewalls. This saves time. Keep up your good work.

[peterwkc]

How to install Wazuh plugin?

[mimugmail]

You need to be on a later version and search for the plugin. Which version do you have installed?

[_tribal_]

Is any sudgestions for this issue?
https://forum.opnsense.org/index.php?topic=39222.msg192088

On latests version all the same  :'(

os-wazuh-agent 1.0_1

OPNsense 24.1.4-amd64
FreeBSD 13.2-RELEASE-p10
OpenSSL 3.0.13

[mimugmail]

See other post

[squarepantsii]

Hi,

First of all, thank you for developing the plugin for OPNsense. It makes the integration of wazuh agent extremely easy.

I am, however, trying to run a older version of Wazuh Agent due to our manager running version 4.6.0.
As my OPNsense is the latest version (24.1.6) on FreeBSD 13.2-RELEASE-p11, I am finding that the installing using Plugin or using 'pkg' from CLI only has wazuh-agent 4.7.4 available.

To remedy this, I am trying to compile from the OPNsense ports

Code: [Select]

# opnsense-code ports
# cd /usr/ports/security/wazuh-agent
# git restore --source <hash> *
# make
# make install

I am currently stuck - do I run any post-install scripts? For example, add_localfiles.sh or gen_ossec.sh?

Furthermore, am I even on the right track?
Is this entire endeavour going to work?
Most instructions online call for the use of install.sh, but that's not included in the OPNsense port.

Any advice very much welcomed.

[mimugmail]

Why not updating wazuh manager? Peace of cake ...

[squarepantsii]

I know, right?
Unfortunately, it's in production and the upgrade would be very disruptive, for now.

[franco]

I think upstream needs better release management... like Zabbix which I personally do not like in approach of too. The same question still arise... when why is release XYZ but mine says ABC what can I do?

As far as version compatibility goes these systems tend to be a bit naive that they can get away without it.


Cheers,
Franco