Configure Netgate pfSense Plus to send logs to Arctic Wolf

You can configure pfSense Plus® by Netgate to send the necessary logs to Arctic Wolf® for security monitoring.

These resources are required:

  • An activated Arctic Wolf Sensor or Virtual Log Collector (vLC)
  • Access to a device in the same network as the pfSense Plus Security Gateway Appliance
  • Administrator access to the pfSense Plus appliance interface

Configure syslog forwarding

  1. Sign in to the pfSense Plus appliance interface.

    Your pfSense Plus appliance interface URL is the IP address of your appliance, similar to https://192.168.1.1/.

  2. Click Status > System Logs.
  3. Click the Settings tab.
  4. In the General Logging Options section, in the Log Message Format list, select syslog (RFC 5424, with RFC 3339 microsecond precision timestamps).
  5. In the Remote Logging Options section, select the checkbox for Send log messages to remote syslog server.
  6. Configure these settings:
    • Source Address — From the list, select Default (any).
    • IP Protocol — From the list, select IPv4.
    • Remote log servers — Enter your Arctic Wolf Sensor IP address, with the port as 514. For example, 192.168.1.100:514.
      pfSense sends remote syslog over UDP in plaintext without authentication, so the path from the appliance to the sensor should stay on a trusted network segment.
    • Remote Syslog Contents — Select the Everything checkbox.
  7. Click Save.

Configure Suricata

Suricata is recommended for full Managed Detection and Response (MDR) functionality, but it is not mandatory. If performance constraints prevent you from enabling Suricata, MDR will continue to operate with limited detection authoring capabilities.

Note: Enabling Suricata may introduce performance overhead, especially in high-throughput and high-activity environments. We recommend a very strong understanding of your environment's system capacity and traffic profile before enabling Suricata in production. Follow best practices for configuring your policies, for example by first running Suricata in alert-only (non-blocking) mode to identify critical services that could be affected before you enable any blocking.

  1. Sign in to the pfSense Plus appliance interface.
  2. Click System > Package Manager.
  3. On the Available Packages tab, search for Suricata.
  4. Click + Install.
  5. After the installation is complete, click Services > Suricata.
  6. On the Global Settings tab, make sure that these checkboxes are selected:
    • Install ETOpen Emerging Threats rules, in the Emerging Threats section — ETOpen is a free, open source set of Suricata rules whose coverage is more limited than ETPro.
    • Log to System Log, in the Log to System Log section — Copies Suricata messages to the firewall system log.
  7. Click Save.
  8. Click the Interfaces tab, and then click + Add.
  9. In the General Settings section, select an Interface that you want to enable Suricata for, and then enable Suricata inspection on it.
    Tip: We recommend enabling Suricata for a LAN interface.
  10. In the Logging Settings section, make sure that the Send Alerts to System Log checkbox is selected.
  11. In the EVE Output Settings section, configure these settings:
    • EVE JSON Log — Select the checkbox. Its description reads "Suricata will output selected info in JSON format to a single file or to syslog. Default is Not Checked."
    • EVE Output Type — In the list, select FILE. The Syslog-ng configuration later in this guide reads this file.
    • EVE Log Alerts — Select the checkbox, described as "Suricata will output Alerts via EVE".
  12. Click Save.
  13. Click the Categories tab for the interface that you added. The tab is named after the interface, for example LAN Categories.
  14. In the Select the rulesets (Categories) Suricata will load at startup section, deselect all of the Ruleset: Default Rules checkboxes, and then select all of the Ruleset: ET Open Rules checkboxes.
  15. Click Save.
    The interface is now configured.
  16. Click the Interfaces tab to view the interface that you just configured.
  17. In the Suricata Status column for the interface, click Start.
    A checkmark appears in the Suricata Status column when the service starts.

Configure Syslog-ng

Note: Arctic Wolf observed truncated logs sent from pfSense in some installs that only had the default syslog service. Installing Syslog-ng in addition to configuring syslog with the stated RFC selections helped address the log truncation issues. For more information about syslog message size limits and transport mappings, see RFC 5424 (section 6.1, Message Length) and RFC 5426 (syslog over UDP) at the RFC Editor.
  1. Sign in to the pfSense Plus appliance interface.
  2. Click System > Package Manager.
  3. On the Available Packages tab, search for Syslog-ng.
  4. Click + Install.
  5. After the installation is complete, click Services > Syslog-ng.
  6. On the General tab, in the General Options section, configure these settings:
    • Interface Selection — In the list, select loopback.
    • Default Protocol — In the list, select UDP.
    • Default Port — Enter 5140.
  7. Click Save.
  8. Click the Advanced tab, and then click + Add.
  9. In the General Options section, configure these settings:
    • Object Name — Enter awn_sensor in the field.
    • Object Type — In the list, select Destination.
    • Object Parameters — Enter:

      {
        # Forward to the sensor's syslog listener on UDP port 514. This is plaintext
        # and unauthenticated, so keep the path to the sensor on trusted segments.
        udp("<your_awn_sensor_ip_address>" port(514));
      };
  10. Click Save.
  11. Click the Advanced tab, and then click + Add.
  12. In the General Options section, configure these settings:
    • Object Name — Enter Suricata in the field.
    • Object Type — In the list, select Source.
    • Object Parameters — Enter:

      {
        # The pfSense Suricata package writes each interface's logs to its own
        # subdirectory under /var/log/suricata/, so match eve.json recursively.
        wildcard-file(
          base-dir("/var/log/suricata/")
          filename-pattern("eve.json")
          recursive(yes)
          # Each line is already JSON: skip syslog header parsing so it is relayed verbatim.
          flags(no-parse)
        );
      };
  13. Click Save.
  14. Click the Advanced tab, and then click + Add.
  15. In the General Options section, configure these settings:
    • Object Name — Enter log_suricata in the field.
    • Object Type — In the list, select Log.
    • Object Parameters — Enter:

      {
        # Route every line read from the EVE files to the sensor destination.
        source(Suricata);
        destination(awn_sensor);
      };
  16. Click Save.
  17. Navigate to Status > Services.
  18. For Syslog-ng, click Restart.
    The service is now configured.
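
Before you open the ticket in the next section, it is worth confirming from a device in the same network what actually arrives on the wire: that the pfSense frames use the RFC 5424 format with microsecond timestamps selected in the syslog forwarding steps, and that the EVE JSON lines relayed by the Syslog-ng log_suricata path arrive whole rather than truncated as described in the note above. The following Python script is an added example, not Netgate or Arctic Wolf code. The sample frames are constructed to resemble the two kinds of output; the listener and its UDP port 5514 are an assumption for local testing only, so that the check does not need to bind the sensor's port 514.

```python
"""Receive-side check for the pfSense -> Arctic Wolf syslog path.

Added example, not Netgate or Arctic Wolf code. The sample frames below are
constructed to look like what the two procedures produce; the listener and its
UDP port 5514 are an assumption for local testing only.
"""
import json
import re
import socket

# RFC 5424 framing, as pfSense emits after the Log Message Format step:
# <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA [MSG]
RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ver>\d) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[[^\]]*\])+)(?: (?P<msg>.*))?$",
    re.S,
)
# Legacy BSD framing: what pfSense sends if that step is skipped, and what the
# Syslog-ng udp() destination emits by default for the EVE file source.
BSD = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<msg>.*)$",
    re.S,
)
# RFC 3339 with six fractional digits: the "microsecond precision" format.
RFC3339_USEC = re.compile(
    r"^\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d\.\d{6}(?:Z|[+-]\d\d:\d\d)$"
)


def parse_frame(frame: str) -> dict:
    """Split one syslog datagram into header fields and the message body."""
    m = RFC5424.match(frame) or BSD.match(frame)
    if m is None:
        raise ValueError("not a syslog frame: %r" % frame[:40])
    d = m.groupdict()
    pri = int(d["pri"])
    d["facility"], d["severity"] = pri >> 3, pri & 7
    d["format"] = "rfc5424" if "ver" in d else "bsd"
    d["msg"] = d.get("msg") or ""
    return d


def check_frame(frame: str) -> dict:
    """Findings worth confirming before opening the 'Syslog changes' ticket."""
    f = parse_frame(frame)
    out = {
        "format": f["format"],
        "host": f["host"],
        # Only true when the RFC 5424 / microsecond format is in use on pfSense.
        "usec_timestamp": f["format"] == "rfc5424" and bool(RFC3339_USEC.match(f["ts"])),
        "bytes": len(frame.encode("utf-8")),
        "json_intact": None,
    }
    body = f["msg"].lstrip()
    if body.startswith("{"):  # an EVE JSON line relayed by Syslog-ng
        try:
            out["event_type"] = json.loads(body).get("event_type")
            out["json_intact"] = True
        except json.JSONDecodeError:
            out["json_intact"] = False  # cut off in transit: the truncation the note describes
    return out


def listen(port: int = 5514, count: int = 10) -> None:
    """Receive `count` datagrams on a spare port and print the findings.

    Assumed usage: temporarily add <this_host>:5514 as a second remote log server
    on pfSense, or point the awn_sensor destination here while testing.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(("0.0.0.0", port))
        for _ in range(count):
            data, (src, _) = s.recvfrom(65535)
            print(src, check_frame(data.decode("utf-8", "replace")))


# Constructed sample frames (not captured from a real appliance).
SAMPLES = [
    # pfSense filterlog entry in RFC 5424 with microsecond timestamps
    '<134>1 2024-05-01T12:34:56.123456-05:00 pfSense filterlog 22133 - - '
    '5,,,1000000103,igb1,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,'
    '203.0.113.5,192.168.1.10,51515,443,0,S,1234567890,,65535,,mss',
    # The same entry in the default BSD format (format step skipped)
    '<134>May  1 12:34:56 pfSense filterlog[22133]: 5,,,1000000103,igb1,match,'
    'block,in,4,0x0,,64,0,0,DF,6,tcp,60,203.0.113.5,192.168.1.10,51515,443,0,S',
    # Suricata EVE alert relayed by the Syslog-ng log_suricata path, intact
    '<13>May  1 12:34:57 pfSense {"timestamp":"2024-05-01T12:34:57.000123-0500",'
    '"event_type":"alert","src_ip":"203.0.113.5","dest_ip":"192.168.1.10",'
    '"proto":"TCP","alert":{"signature":"constructed sample","severity":2}}',
    # The same kind of line, truncated mid-object
    '<13>May  1 12:34:58 pfSense {"timestamp":"2024-05-01T12:34:58.000456-0500",'
    '"event_type":"alert","src_ip":"203.0.113.5","alert":{"signature":"constru',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(check_frame(sample))
```

Run it as-is to see the findings for the four constructed frames, or call listen() on a host in the same network while a test remote log server entry on pfSense points at it. A frame that reports format "bsd" with usec_timestamp False came from pfSense without the RFC 5424 selection; a frame with json_intact False is an EVE line that was cut off somewhere between Suricata's file and your receiver.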

Provide configuration information to Arctic Wolf

  1. Sign in to the Arctic Wolf Unified Portal.
  2. In the navigation menu, click Tickets & Alerts > All Tickets.
  3. Perform the appropriate action, depending on whether you are:
    • A new customer — In the Ticket Type list, select Onboarding. Then, click the existing [Deploy] Site Config: <ticket_subject> ticket.
    • An existing customer — Click Open a New Ticket.
  4. On the Open a New Ticket page, configure these settings:
    • What is this ticket related to? — Select General request.
    • Subject — Enter Syslog changes.
    • Related ticket (optional) — Keep empty.
    • Message — Enter this information for your Concierge Security® Team (CST):
      • Confirmation that you completed the steps in this configuration guide.
      • The IP address or hostname of the Arctic Wolf Sensor that you used during the configuration.
      • The IP address, timezone, and device type for all sources that you are forwarding.
      • Questions or comments that you have.
  5. Click Send Message.

    Your CST reviews the details to make sure that Arctic Wolf is successfully processing the logs.