
Security Log Ingestion

Prerequisites

  1. VirtualBox or VMware Workstation Pro Installed.
  2. Virtual Machine [project-x-sec-work] is turned on and configured.
  3. Virtual Machine [project-x-corp-fw] is turned on.
  4. Optional - Virtual Machine [project-x-attacker] is turned on.

Network Topology

Part 1

[Figure: Part 1 base layout (network topology diagram)]

Part 2

[Figure: Part 2 base layout (network topology diagram)]

Log Ingestion

Logging is imperative to any security function; without it, we would have no idea what is going on. Security log ingestion is the collection, centralization, enrichment, and storage of logs from various systems, applications, and network devices into a platform, Wazuh SIEM in our case.

These logs can include authentication attempts, system events, traffic metadata, firewall activity, IDS/IPS alerts (this is what we are doing!), and more.

Log ingestion is imperative because the collected logs support many different security functions, including:

  • Threat Detection: Security logs are the first line of defense for identifying suspicious behavior, indicators of compromise (IOCs), and patterns that might signal an attack.

  • Incident Response: When an incident occurs, logs provide forensic data to trace attacker activity, determine impact, and support containment or remediation steps.

  • Compliance: Many regulations (HIPAA, PCI-DSS, NIST, GDPR) require organizations to maintain security logs and monitor them continuously.

  • Auditing: Logs help track who did what and when—crucial for insider threat detection and user behavior analysis.

  • Correlation & Enrichment: Ingested logs can be enriched (e.g., with geolocation or threat intelligence) and correlated with other data sources to build a clearer picture of events across systems.

eve.json & fast.log

Suricata provides many different types of logs that can be used to track, detect, and prevent malicious network activity.

Two of the most essential log types are eve.json and fast.log.

eve.json

eve.json is Suricata's main structured log file, written in JSON format. It is designed for machine parsing and integration with tools like Elasticsearch, Splunk, or SIEM platforms.

eve.json includes all event types, including alerts, protocol-level data, fileinfo, packet stats, and network flows.

fast.log

fast.log is a simple, human-readable log file that contains only alert events, one per line. Each line contains the alert's priority, timestamp, signature ID, source/destination IPs, ports, and message.

Both of these are useful to onboard for security log detections and alerting.
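To make the two formats concrete, here is an added example (not code from this page, from Suricata or from Wazuh) that parses one eve.json alert line and one fast.log line into the same record shape and checks that they describe the same alert. The sample lines are constructed to resemble the "Block ICMP Request" test rule firing; the JSON field names follow Suricata's eve alert schema and the fast.log layout follows its single-line alert format.

```python
"""Normalise Suricata eve.json and fast.log alert records into one shape.

Added example for this page; not Suricata's or Wazuh's code. All sample
records below are constructed.
"""
import json
import re
from datetime import datetime
from typing import Callable, Iterable, List, Optional

# Constructed: one eve.json alert line (every eve.json line is a complete JSON document).
EVE_SAMPLE = (
    '{"timestamp":"2025-01-15T10:22:31.123456+0000","flow_id":1234567890,'
    '"in_iface":"eth0","event_type":"alert","src_ip":"192.168.15.2",'
    '"src_port":0,"dest_ip":"192.168.15.100","dest_port":0,"proto":"ICMP",'
    '"alert":{"action":"allowed","gid":1,"signature_id":1000001,"rev":1,'
    '"signature":"Block ICMP Request","category":"","severity":3}}'
)

# Constructed: a non-alert eve.json event (flow), which an alert parser must skip.
EVE_FLOW_SAMPLE = (
    '{"timestamp":"2025-01-15T10:23:02.000000+0000","flow_id":1234567890,'
    '"event_type":"flow","src_ip":"192.168.15.2","dest_ip":"192.168.15.100",'
    '"proto":"ICMP","flow":{"pkts_toserver":4,"pkts_toclient":4}}'
)

# Constructed: the same alert as fast.log prints it (one line per alert).
FAST_SAMPLE = (
    "01/15/2025-10:22:31.123456  [**] [1:1000001:1] Block ICMP Request [**] "
    "[Classification: (null)] [Priority: 3] {ICMP} 192.168.15.2:0 -> 192.168.15.100:0"
)

# fast.log layout: ts [**] [gid:sid:rev] msg [**] [Classification: ..] [Priority: n] {proto} src:port -> dst:port
FAST_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>\S+):(?P<sport>\d+)\s+->\s+(?P<dst>\S+):(?P<dport>\d+)$"
)


def parse_eve_alert(line: str) -> Optional[dict]:
    """Normalised record for an eve.json alert line; None for any other event_type."""
    event = json.loads(line)
    if event.get("event_type") != "alert":
        return None
    alert = event["alert"]
    return {
        # eve timestamps carry a UTC offset, so this datetime is timezone-aware
        "timestamp": datetime.strptime(event["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z"),
        "gid": alert["gid"], "sid": alert["signature_id"], "rev": alert["rev"],
        "signature": alert["signature"],
        "priority": alert["severity"],  # eve "severity" is what fast.log prints as Priority
        "proto": event["proto"],
        "src_ip": event["src_ip"], "src_port": event.get("src_port", 0),
        "dest_ip": event["dest_ip"], "dest_port": event.get("dest_port", 0),
    }


def parse_fast_line(line: str) -> Optional[dict]:
    """Normalised record for a fast.log line; None if the line does not match the layout."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    return {
        # fast.log timestamps carry no zone; Suricata writes them in local time
        "timestamp": datetime.strptime(m["ts"], "%m/%d/%Y-%H:%M:%S.%f"),
        "gid": int(m["gid"]), "sid": int(m["sid"]), "rev": int(m["rev"]),
        "signature": m["msg"], "priority": int(m["prio"]), "proto": m["proto"],
        "src_ip": m["src"], "src_port": int(m["sport"]),
        "dest_ip": m["dst"], "dest_port": int(m["dport"]),
    }


def load_alerts(lines: Iterable[str], parser: Callable[[str], Optional[dict]]) -> List[dict]:
    """Run a parser over a file's lines, skipping blank lines and non-alert events."""
    records = []
    for line in lines:
        if line.strip():
            record = parser(line)
            if record is not None:
                records.append(record)
    return records


MATCH_KEYS = ("gid", "sid", "rev", "signature", "priority", "proto",
              "src_ip", "src_port", "dest_ip", "dest_port")


def same_alert(a: dict, b: dict) -> bool:
    """True when an eve.json record and a fast.log record describe the same alert.

    Timestamps are left out on purpose: one is zone-aware, the other is not.
    """
    return all(a[k] == b[k] for k in MATCH_KEYS)
```

Feeding real files is a matter of passing `open(path)` as the `lines` argument; for eve.json the parser ignores every event type except alerts, which is why a Wazuh `<log_format>json</log_format>` source carries far more than fast.log does.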

We are going to learn how to do this using our out-of-the-box Suricata solution in [project-x-sec-work] and [project-x-corp-fw] (pfSuricata).

Part 1: Suricata Logs In [project-x-sec-work]

Power on [project-x-sec-work].

Verify that [project-x-sec-work] has an IP address in the CORP-LAN subnet (192.168.15.1/24).

ip a

Suricata, by default, writes its logs under the /var/log/suricata directory:

  • /var/log/suricata/fast.log

  • /var/log/suricata/eve.json

Let's add both of these to Wazuh's ossec.conf file so the agent tracks them and forwards them to the Wazuh manager.

Open the /var/ossec/etc/ossec.conf file on [project-x-sec-work].

sudo nano /var/ossec/etc/ossec.conf

Search the file with CTRL + W.

Type "localfile".

Navigate to the "Log analysis" section; at the bottom of it, we will add two <localfile> blocks.

  <localfile>
    <log_format>json</log_format>
    <location>/var/log/suricata/eve.json</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/suricata/fast.log</location>
  </localfile>

Exit nano with CTRL + X, then Y, then Enter.

Restart the wazuh-agent so it reloads the configuration file.

sudo systemctl restart wazuh-agent


Navigate back to the Wazuh dashboard on [project-x-sec-box].

Go to the "Discover" tab.

Search "/var/log".

You should start to see logs come in, with the source file location /var/log/suricata/eve.json.

These logs are generated when we trigger our "Block ICMP Request" rule, the test rule we created when we set up Suricata.

Success!

Part 2: pfSense Logs

Make sure the [project-x-corp-fw] VM is powered on.

Go to a new browser session on your host machine.

Navigate to http://192.168.15.2 in that browser.

Navigate to "Status" ➔ "System Logs".


Choose "Settings".


Scroll down to the bottom.

Check "Send log messages to remote syslog server".

Enter the IP address of [project-x-sec-box] as the remote syslog server.

Select "Firewall Events", "DNS Events", and "DHCP Events".

Save.


Navigate to "Services" ➔ "Syslog-ng".

Choose the settings as shown in the screenshot, then click "Save".

[Screenshot: Syslog-ng settings]

Go to the "Advanced" tab ➔ select "+ Add".

Add the following object and take note of its values; this is the destination object that the log object in the next step refers to as DST_WAZUH_SYSLOG. Click "Save".

{ network("192.168.15.50" transport(udp) port(5514)); };

Go to the "Advanced" tab ➔ select "+ Add" again.

Add the following log object, which routes the default source to the Wazuh destination defined above. Click "Save".

{ source(_DEFAULT); destination(DST_WAZUH_SYSLOG); };

Navigate to [project-x-sec-box].

Create a new .conf file so that rsyslog on [project-x-sec-box] can receive the pfSense syslog messages and write them to a file.

sudo nano /etc/rsyslog.d/30-pfsense.conf

Paste in the following:

# Listen on UDP 5140
module(load="imudp")
input(type="imudp" port="5140")

# Optional: listen on TCP 5140
# module(load="imtcp")
# input(type="imtcp" port="5140")

# Write everything that arrives from the pfSense firewall to its own file.
# An exact match is used rather than startswith, which would also match
# other hosts whose address begins with 192.168.15.2 (for example .20 or .200).
if $fromhost-ip == '192.168.15.2' then {
    action(type="omfile" file="/var/log/pfsense.log")
    stop
}

Restart the rsyslog service.

sudo systemctl restart rsyslog
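As an added illustration (not rsyslog's or Wazuh's code) of what the rsyslog filter above and the <allowed-ips> setting in the Wazuh <remote> block do, the Python below parses an RFC 3164 syslog datagram, decodes its facility and severity from the PRI value, and accepts it only when it arrives from the firewall's address. The sample datagram is constructed; the comma-separated filterlog payload inside it is illustrative and is not parsed further. The serve() function mirrors the rsyslog listener on UDP 5140 and the output file /var/log/pfsense.log from the configuration above; both are assumptions of this example.

```python
"""Parse an RFC 3164 syslog datagram and apply a source-address allow list,
the two things the rsyslog filter and Wazuh's <allowed-ips> do with pfSense
messages. Added example for this page; not rsyslog's or Wazuh's code.
"""
import re
import socket
from typing import Optional

ALLOWED_SOURCES = {"192.168.15.2"}  # the pfSense firewall, as in allowed-ips / $fromhost-ip
LISTEN_PORT = 5140                   # assumption: the rsyslog UDP listener port used above
OUT_PATH = "/var/log/pfsense.log"    # assumption: the file the <localfile> block tails

# RFC 3164 severities, indexed by PRI % 8
SEVERITIES = ("emerg", "alert", "crit", "err", "warning", "notice", "info", "debug")

# RFC 3164 shape: <PRI>Mmm dd hh:mm:ss HOST TAG[pid]: MSG
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: ?"
    r"(?P<msg>.*)$"
)

# Constructed sample: a firewall block event as pfSense's syslog-ng would send it.
# PRI 134 = facility 16 (local0) * 8 + severity 6 (info).
SAMPLE_DATAGRAM = (
    "<134>Jan 15 10:22:31 pfSense filterlog[12345]: "
    "5,,,1000000103,em0,match,block,in,4,0x0,,64,0,0,DF,1,icmp,84,"
    "10.0.0.5,192.168.15.100,request,1234,1"
)


def parse_syslog(datagram: str) -> Optional[dict]:
    """Split an RFC 3164 message into its parts; None if it is not one."""
    m = SYSLOG_RE.match(datagram)
    if not m:
        return None
    pri = int(m["pri"])
    if pri > 191:  # facilities run 0..23, so a valid PRI tops out at 23*8+7
        return None
    return {
        "facility": pri // 8,
        "severity": SEVERITIES[pri % 8],
        "timestamp": m["ts"],
        "host": m["host"],
        "tag": m["tag"],
        "pid": int(m["pid"]) if m["pid"] else None,
        "msg": m["msg"],
    }


def accept(src_ip: str, datagram: str, allowed=ALLOWED_SOURCES) -> Optional[dict]:
    """The source check: anything not from an allowed address is dropped unparsed."""
    if src_ip not in allowed:
        return None
    return parse_syslog(datagram)


def format_line(rec: dict) -> str:
    """Render an accepted record the way a line in /var/log/pfsense.log looks."""
    pid = f"[{rec['pid']}]" if rec["pid"] is not None else ""
    return f"{rec['timestamp']} {rec['host']} {rec['tag']}{pid}: {rec['msg']}"


def serve(port: int = LISTEN_PORT, out_path: str = OUT_PATH) -> None:
    """Blocking UDP receiver: appends accepted datagrams to out_path, like rsyslog's omfile."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", port))
    with open(out_path, "a") as out:
        while True:
            data, (src_ip, _) = sock.recvfrom(65535)
            rec = accept(src_ip, data.decode("utf-8", errors="replace"))
            if rec is not None:
                out.write(format_line(rec) + "\n")
                out.flush()


if __name__ == "__main__":
    serve()
```

The check worth keeping in mind from this: the allow list is applied to the sender's IP address, not to anything inside the message, so the HOST field in the datagram is untrusted text and the firewall's address in <allowed-ips> and in the rsyslog filter must match the address pfSense actually sends from.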

Create a new log entry inside ossec.conf so Wazuh knows how to read the pfSense logs on [project-x-sec-box].

sudo nano /var/ossec/etc/ossec.conf

Search the file with CTRL + W.

Type "localfile".

Add the following <localfile> block.

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/pfsense.log</location>
  </localfile>

Add the following <remote> blocks next to the existing <remote> block. They are siblings inside <ossec_config>; do not nest them inside another <remote> element.

  <remote>
    <connection>syslog</connection>
    <port>5514</port>
    <protocol>tcp</protocol>
    <allowed-ips>192.168.15.2</allowed-ips>
    <local_ip>192.168.15.50</local_ip>
  </remote>
  <remote>
    <connection>syslog</connection>
    <port>5514</port>
    <protocol>udp</protocol>
    <allowed-ips>192.168.15.2</allowed-ips>
    <local_ip>192.168.15.50</local_ip>
  </remote>

Restart the Wazuh manager.

sudo systemctl restart wazuh-manager
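It is worth validating the ossec.conf fragments added in Part 1 and in Part 2 before the restart: a <localfile> whose log_format does not match the file will not produce the events you expect, and malformed XML can stop the manager from starting. The following added example (not Wazuh's code) parses such fragments with Python's standard XML library, wrapping them in a throwaway <ossec_config> root because a fragment is not a complete document, and reports the mistakes that are easy to make while following the steps: a .json file declared as syslog, a <remote> nested inside another <remote>, an invalid port or protocol, or a missing <allowed-ips>. Both snippets inside it are constructed for the example.

```python
"""Sanity-check ossec.conf <localfile> and <remote> fragments before restarting.

Added example for this page; not Wazuh's code. The suffix-to-format table only
covers the two log_format values used on this page.
"""
import os
import xml.etree.ElementTree as ET
from typing import List

VALID_REMOTE_PROTOCOLS = {"tcp", "udp"}
FORMAT_FOR_SUFFIX = {".json": "json", ".log": "syslog"}  # the formats used on this page

# Constructed: the Part 1 and Part 2 fragments as they should look.
GOOD_SNIPPET = """
<localfile>
  <log_format>json</log_format>
  <location>/var/log/suricata/eve.json</location>
</localfile>
<localfile>
  <log_format>syslog</log_format>
  <location>/var/log/suricata/fast.log</location>
</localfile>
<localfile>
  <log_format>syslog</log_format>
  <location>/var/log/pfsense.log</location>
</localfile>
<remote>
  <connection>syslog</connection>
  <port>5514</port>
  <protocol>udp</protocol>
  <allowed-ips>192.168.15.2</allowed-ips>
  <local_ip>192.168.15.50</local_ip>
</remote>
"""

# Constructed: easy mistakes, a wrong file suffix and a nested <remote> with bad values.
BAD_SNIPPET = """
<localfile>
  <log_format>syslog</log_format>
  <location>/var/log/suricata/fast.json</location>
</localfile>
<remote>
  <remote>
    <connection>syslog</connection>
    <port>70000</port>
    <protocol>tls</protocol>
  </remote>
</remote>
"""


def check_snippet(xml_fragment: str) -> List[str]:
    """Return a list of human-readable problems; an empty list means the fragment looks fine."""
    root = ET.fromstring(f"<ossec_config>{xml_fragment}</ossec_config>")
    issues: List[str] = []

    for lf in root.iter("localfile"):
        fmt = (lf.findtext("log_format") or "").strip()
        loc = (lf.findtext("location") or "").strip()
        if not loc:
            issues.append("localfile without <location>")
            continue
        suffix = os.path.splitext(loc)[1]
        expected = FORMAT_FOR_SUFFIX.get(suffix)
        if expected and fmt != expected:
            issues.append(f"{loc}: log_format is '{fmt}', expected '{expected}' for {suffix} files")

    for rem in root.iter("remote"):
        if rem.find("remote") is not None:
            issues.append("<remote> nested inside <remote>; the blocks must be siblings under <ossec_config>")
            continue
        if (rem.findtext("connection") or "").strip() != "syslog":
            continue  # only the syslog listener blocks are checked here
        port_text = (rem.findtext("port") or "").strip()
        if not port_text.isdigit() or not 1 <= int(port_text) <= 65535:
            issues.append(f"remote port '{port_text}' is not a valid TCP/UDP port")
        proto = (rem.findtext("protocol") or "udp").strip().lower()
        if proto not in VALID_REMOTE_PROTOCOLS:
            issues.append(f"remote protocol '{proto}' is not tcp or udp")
        if not (rem.findtext("allowed-ips") or "").strip():
            issues.append("syslog remote without <allowed-ips>; list the firewall's address")

    return issues


if __name__ == "__main__":
    for name, snippet in (("good", GOOD_SNIPPET), ("bad", BAD_SNIPPET)):
        print(name, check_snippet(snippet) or "no issues")
```

To run it against the real file, read /var/ossec/etc/ossec.conf and pass its contents; ET.fromstring raises a ParseError on malformed XML, which is itself the first thing to fix before restarting the manager.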

Allow the listening ports through ufw.

sudo ufw allow 5514
sudo ufw allow 5140

You can start to see pfSense logs come in through archives.log:

tail -f /var/ossec/logs/archives/archives.log | grep pfsense

Go to the "Discover" tab.

You should start to see logs ingest from the file path /var/log/pfsense.log.

Success!