Maybe I am not understanding this, but I thought I could go to Wazuh > Threat intelligence > Threat Hunting and get an overview of Suricata events; however, it does not seem to pick up any events from /var/log/suricata/eve.json?
OPNsense firewall version:
Versions
OPNsense 25.1.4_1-amd64
FreeBSD 14.2-RELEASE-p2
OpenSSL 3.0.16
os-wazuh-agent installed on OPNsense firewall:
os-wazuh-agent (installed) 1.2 40.4KiB 3 OPNsense Agent for the open source security platform Wazuh
Wazuh (LXC container installed by helper script: https://community-scripts.github.io/ProxmoxVE/scripts?id=wazuh):
4.11.2
The agent installed on the firewall is marked as active in Wazuh.
Configuration file for agent installed on firewall:
cat /var/ossec/etc/ossec.conf
<ossec_config>
  <client>
    <server>
      <address>192.168.1.12</address>
      <protocol>tcp</protocol>
      <port>1514</port>
    </server>
    <crypto_method>aes</crypto_method>
    <enrollment>
      <port>1515</port>
    </enrollment>
  </client>

  <client_buffer>
    <!-- Agent buffer options -->
    <disabled>no</disabled>
    <queue_size>5000</queue_size>
    <events_per_second>500</events_per_second>
  </client_buffer>

  <!-- Policy monitoring -->
  <rootcheck>
    <disabled>no</disabled>
    <!-- Frequency that rootcheck is executed - every 12 hours -->
    <frequency>43200</frequency>
    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
    <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
    <system_audit>/var/ossec/etc/shared/system_audit_ssh.txt</system_audit>
    <system_audit>/var/ossec/etc/shared/cis_debian_linux_rcl.txt</system_audit>
    <skip_nfs>yes</skip_nfs>
  </rootcheck>

  <wodle name="syscollector">
    <disabled>no</disabled>
    <interval>1h</interval>
    <scan_on_start>yes</scan_on_start>
    <hardware>yes</hardware>
    <os>yes</os>
    <network>yes</network>
    <!-- Database synchronization settings -->
    <synchronization>
      <max_eps>10</max_eps>
    </synchronization>
  </wodle>

  <!-- File integrity monitoring -->
  <syscheck>
    <disabled>no</disabled>
    <!-- Frequency that syscheck is executed default every 12 hours -->
    <frequency>43200</frequency>
    <scan_on_start>yes</scan_on_start>
    <!-- Directories to check (perform all possible verifications) -->
    <directories>/etc,/usr/bin,/usr/sbin</directories>
    <directories>/bin,/sbin,/boot</directories>
    <!-- Files/directories to ignore -->
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/hosts.deny</ignore>
    <ignore>/etc/mail/statistics</ignore>
    <ignore>/etc/random-seed</ignore>
    <ignore>/etc/random.seed</ignore>
    <ignore>/etc/adjtime</ignore>
    <ignore>/etc/httpd/logs</ignore>
    <ignore>/etc/utmpx</ignore>
    <ignore>/etc/wtmpx</ignore>
    <ignore>/etc/cups/certs</ignore>
    <ignore>/etc/dumpdates</ignore>
    <ignore>/etc/svc/volatile</ignore>
    <ignore>/sys/kernel/security</ignore>
    <ignore>/sys/kernel/debug</ignore>
    <!-- File types to ignore -->
    <ignore type="sregex">.log$|.swp$</ignore>
    <!-- Check the file, but never compute the diff -->
    <nodiff>/etc/ssl/private.key</nodiff>
    <skip_nfs>yes</skip_nfs>
    <skip_dev>yes</skip_dev>
    <skip_proc>yes</skip_proc>
    <skip_sys>yes</skip_sys>
    <!-- Nice value for Syscheck process -->
    <process_priority>10</process_priority>
    <!-- Maximum output throughput -->
    <max_eps>100</max_eps>
    <!-- Database synchronization settings -->
    <synchronization>
      <enabled>yes</enabled>
      <interval>5m</interval>
      <response_timeout>30</response_timeout>
      <queue_size>16384</queue_size>
      <max_eps>10</max_eps>
    </synchronization>
  </syscheck>

  <!-- Log analysis -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/ossec/logs/active-responses.log</location>
  </localfile>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/ossec/logs/opnsense_syslog.log</location>
  </localfile>

  <!-- Suricata -->
  <localfile>
    <log_format>json</log_format>
    <location>/var/log/suricata/eve.json</location>
  </localfile>

  <!-- Active response -->
  <active-response>
    <disabled>yes</disabled>
  </active-response>
</ossec_config>
The necessary permissions are in place on the firewall, as root is running 'wazuh-logcollector', which is presumably able to read /var/log/suricata/eve.json?
ps aux | grep wazuh
root 35464 0.0 0.1 49484 16068 - S 21:32 0:05.04 /var/ossec/bin/wazuh-logcollector
root 86633 0.0 0.0 23596 12032 - I 21:32 0:00.00 /var/ossec/bin/wazuh-execd
wazuh 90197 0.0 0.1 39936 14848 - S 21:32 0:35.77 /var/ossec/bin/wazuh-agentd
root 95620 0.0 0.1 46636 17808 - SN 21:32 0:12.82 /var/ossec/bin/wazuh-syscheckd
root 92113 0.0 0.0 13748 2036 1 S+ 23:14 0:00.00 grep wazuh
Additional Information, group membership for user wazuh:
id wazuh
uid=309(wazuh) gid=309(wazuh) groups=309(wazuh)
File permissions for eve.json:
ls -al /var/log/suricata/eve.json
-rwx------ 1 root wheel 15899978 Apr 5 23:16 /var/log/suricata/eve.json
There are active events being logged to eve.json, although they are not of "event_type":"alerts" but rather "event_type":"tls":
tail -f /var/log/suricata/eve.json
{"timestamp":"2025-04-05T23:18:25.645024+0200","flow_id":434493063789884,"in_iface":"vtnet1","event_type":"tls","src_ip":"p.p.p.p","src_port":13938,"dest_ip":"z.z.z.z","dest_port":443,"proto":"TCP","pkt_src":"wire/pcap","tls":{"subject":"CN=*.iot.eu-west-1.amazonaws.com","issuerdn":"C=US, O=Amazon, CN=Amazon RSA 2048 M01","serial":"04:83:77:02:F6:2F:7A:39:61:31:41:F2:29:7A:8E:CF","fingerprint":"5a:ee:c9:1e:e7:3c:6b:48:86:66:dc:f7:a5:0a:ea:24:49:15:cb:eb","sni":"al9fa5uwnmgg7-ats.iot.eu-west-1.amazonaws.com","version":"TLS 1.2","notbefore":"2024-08-21T00:00:00","notafter":"2025-07-28T23:59:59","ja3":{"hash":"d311fcfe5b660d59dc616e20831c55a0","string":"771,52393-49195-49196-52392-49199-49200-49161-49162-49171-49172-156-157-47-53,65281-0-23-13-5-11-10,29-23-24,0"},"ja3s":{"hash":"e36e593c5f33a620e2c9d3801f61be4a","string":"771,49199,0-11-65281-23"}}}
{"timestamp":"2025-04-05T23:18:25.740509+0200","flow_id":285055222499977,"in_iface":"vtnet1","event_type":"tls","src_ip":"x.x.x.x","src_port":14301,"dest_ip":"y.y.y.y","dest_port":443,"proto":"TCP","pkt_src":"wire/pcap","tls":{"subject":"CN=*.iot.eu-west-1.amazonaws.com","issuerdn":"C=US, O=Amazon, CN=Amazon RSA 2048 M01","serial":"04:83:77:02:F6:2F:7A:39:61:31:41:F2:29:7A:8E:CF","fingerprint":"5a:ee:c9:1e:e7:3c:6b:48:86:66:dc:f7:a5:0a:ea:24:49:15:cb:eb","sni":"al9fa5uwnmgg7-ats.iot.eu-west-1.amazonaws.com","version":"TLS 1.2","notbefore":"2024-08-21T00:00:00","notafter":"2025-07-28T23:59:59","ja3":{"hash":"d311fcfe5b660d59dc616e20831c55a0","string":"771,52393-49195-49196-52392-49199-49200-49161-49162-49171-49172-156-157-47-53,65281-0-23-13-5-11-10,29-23-24,0"},"ja3s":{"hash":"e36e593c5f33a620e2c9d3801f61be4a","string":"771,49199,0-11-65281-23"}}}
Yay, ChatGPT to the rescue.
So I learned today that Wazuh basically only lists *alerts*.
I confirmed that Wazuh receives events from eve.json by kind of following https://benheater.com/integrating-pfsense-with-wazuh/
Wazuh > Server Management > Rules > Add new rules file
Suricata-Overrides.xml
<!-- Modify it at your will. -->
<group name="ids,suricata,">
  <!--
  {"timestamp":"2016-05-02T17:46:48.515262+0000","flow_id":1234,"in_iface":"eth0","event_type":"alert","src_ip":"16.10.10.10","src_port":5555,"dest_ip":"16.10.10.11","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2019236,"rev":3,"signature":"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP Version Number","category":"Attempted Administrator Privilege Gain","severity":1},"payload":"abcde","payload_printable":"hi test","stream":0,"host":"suricata.com"}
  -->
  <rule id="86604" level="7" overwrite="yes">
    <if_sid>86600</if_sid>
    <field name="event_type">^tls$</field>
    <description>Suricata: TLS.</description>
  </rule>
</group>
Then I could go to Wazuh > Explore > Discover and, under the wazuh-alerts-* index, filter by "rule.id: 86604", and I saw TLS-type events.
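To make the answer above concrete, here is a small simulation (an added example, not code from the post or from Wazuh) of how the manager's stock Suricata rules 86600 to 86604 classify eve.json lines and why only hits at or above the default log_alert_level of 3 reach wazuh-alerts-*, which is exactly what the level="7" override changes. The rule ids and levels are the Wazuh defaults as I know them; the eve.json lines are constructed samples with placeholder addresses.

```python
"""Simulate Wazuh's stock Suricata rule chain on eve.json lines (added example)."""
import json

LOG_ALERT_LEVEL = 3  # Wazuh default: only alerts of level >= 3 are stored/indexed

# Children of rule 86600 in the stock ruleset, keyed by event_type -> (rule id, level).
# Only 'alert' is level 3; tls/http/dns are level 0, so they never reach the index.
DEFAULT_RULES = {
    "alert": (86601, 3),
    "http": (86602, 0),
    "dns": (86603, 0),
    "tls": (86604, 0),
}

# Constructed eve.json lines (same shape as the post's output, placeholder IPs).
SAMPLE_EVE = [
    '{"timestamp":"2025-04-05T23:18:25.645024+0200","event_type":"tls","src_ip":"10.0.0.1",'
    '"dest_ip":"203.0.113.5","dest_port":443,"tls":{"sni":"example.net","version":"TLS 1.2"}}',
    '{"timestamp":"2025-04-05T23:18:26.000000+0200","event_type":"alert","src_ip":"10.0.0.1",'
    '"dest_ip":"203.0.113.5","alert":{"signature":"TEST signature","severity":1}}',
    '{"timestamp":"2025-04-05T23:18:27.000000+0200","event_type":"dns","src_ip":"10.0.0.1",'
    '"dns":{"rrname":"example.net"}}',
    'not json at all',  # the JSON decoder does not fire, so rule 86600 never matches
]


def classify(line, overrides=None):
    """Return (rule_id, level) for one eve.json line, or None when no rule fires.

    overrides mirrors a local rules file with overwrite="yes": {event_type: (id, level)}.
    """
    rules = dict(DEFAULT_RULES)
    rules.update(overrides or {})
    try:
        event = json.loads(line)
    except json.JSONDecodeError:
        return None
    if not isinstance(event, dict) or "timestamp" not in event or "event_type" not in event:
        return None  # rule 86600 requires both fields to be decoded
    # Parent 86600 (level 0) fires for any other event_type without a child rule.
    return rules.get(event["event_type"], (86600, 0))


def indexed_rule_ids(lines, overrides=None):
    """Rule ids that would show up in wazuh-alerts-* (level >= LOG_ALERT_LEVEL)."""
    hits = (classify(line, overrides) for line in lines)
    return [rule_id for hit in hits if hit for rule_id, level in [hit] if level >= LOG_ALERT_LEVEL]


if __name__ == "__main__":
    print("stock ruleset :", indexed_rule_ids(SAMPLE_EVE))                          # [86601]
    print("with override :", indexed_rule_ids(SAMPLE_EVE, {"tls": (86604, 7)}))     # [86604, 86601]
```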