Use https://seceonhelp.freshdesk.com/support/login to access updated Knowledge Base Articles, Submit Technical Support Tickets and Review Status of submitted support tickets.

Configuring Syslog and NetFlow for OPNsense Firewall

Overview

This document describes the steps to integrate an OPNsense firewall with the Seceon SIEM for better visibility of threats in your environment. It covers the configuration of both Syslog and NetFlow export to the CCE server.

Steps Of Configuration

Syslog Configuration

Go to System -> Settings -> Logging Targets and click Add a new destination. The destination form appears with the following fields:

Make the following changes to send Syslog to the CCE server:

  1. Enabled - tick this box to enable the destination.

  2. Transport - select the message-sending protocol (UDP(4), i.e. UDP over IPv4).

  3. Applications - select the applications whose output you want to collect, or choose every message that OPNsense creates. More than 20 options are available, which covers practically every administrator's need.

  4. Levels - the seven usual severity levels are offered, and you can additionally opt in to the debug level.

  5. Facilities - like the Applications field, this offers a large number of options; here you can fine-tune which logs you receive from the selected applications.

  6. Hostname and Port - enter the CCE IP address as the hostname and 514 as the port so the CCE captures the syslog.

  7. Click on Apply to save the changes.

NetFlow Configuration

Go to the Reporting/NetFlow page in the GUI, where you will find the following parameters:

Make the following changes to send NetFlow to the CCE server:

  1. Listening interfaces - select the interfaces on which NetFlow will listen and from which it will send flow data.

  2. WAN interfaces - select the WAN interfaces so that duplicate flows caused by NAT are removed.

  3. Capture local - normally used only for the local Insight GUI app. Insight is a quick and simple NetFlow analyzer, although limited to 100 MB in size.

  4. Version - choose between v5 and v9.

  5. Destinations - enter the CCE IP and port in the form CCEIP:PORT.

  6. Active and Inactive timeout - these last two options are best left at their defaults.

  7. Once the above options are filled in, click Apply to save.

Verification

On CCE Server

  1. Log in to the CCE server as the seceon user.

  2. Run the command sudo tcpdump -i any port 514 and host <firewall IP> to check that syslog messages are arriving on the CCE.

  3. Run the command sudo tcpdump -i any port 9995 and host <firewall IP> to check that NetFlow exports are arriving on the CCE.
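The tcpdump checks above only show that datagrams from the firewall reach the CCE. The following Python script is an added example (not Seceon's or OPNsense's code) that decodes what arrives: it validates a NetFlow v5 export header and its flow records, and splits the PRI value of a syslog line into the facility and severity that the Levels and Facilities fields above control, so you can confirm the firewall is sending what you configured. The sample packet and syslog lines are constructed for the example; receive_one is an assumed helper for a lab host, since binding port 514 or 9995 on the CCE would conflict with its own collector.

```python
"""Decode NetFlow v5 exports and syslog lines of the kind OPNsense sends to the CCE.
Added example, not part of the Seceon or OPNsense documentation; samples are constructed."""
import re
import socket
import struct
from datetime import datetime, timezone

# NetFlow v5 header (24 bytes): version, count, sys_uptime, unix_secs, unix_nsecs,
# flow_sequence, engine_type, engine_id, sampling_interval
NF5_HEADER = struct.Struct("!HHIIIIBBH")
# NetFlow v5 record (48 bytes): srcaddr, dstaddr, nexthop, input, output, dPkts, dOctets,
# first, last, srcport, dstport, pad1, tcp_flags, prot, tos, src_as, dst_as,
# src_mask, dst_mask, pad2
NF5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")

# Syslog PRI header, optionally followed by the RFC 5424 version digit
SYSLOG_PRI = re.compile(r"^<(\d{1,3})>(\d\s)?(.*)$", re.S)


def export_version(data: bytes) -> int:
    """Return the NetFlow version field (first two bytes), e.g. 5 or 9."""
    if len(data) < 2:
        raise ValueError("datagram too short to carry a NetFlow header")
    return struct.unpack_from("!H", data, 0)[0]


def parse_netflow_v5(data: bytes) -> dict:
    """Decode a NetFlow v5 datagram; raise ValueError if it is malformed or not v5."""
    if len(data) < NF5_HEADER.size:
        raise ValueError("datagram shorter than a NetFlow v5 header")
    (version, count, _uptime, secs, _nsecs, seq,
     _engine_type, _engine_id, _sampling) = NF5_HEADER.unpack_from(data, 0)
    if version != 5:
        raise ValueError(f"NetFlow version {version}, expected 5 (check the Version field)")
    expected = NF5_HEADER.size + count * NF5_RECORD.size
    if len(data) != expected:
        raise ValueError(f"count={count} implies {expected} bytes, got {len(data)}")
    records = []
    for i in range(count):
        f = NF5_RECORD.unpack_from(data, NF5_HEADER.size + i * NF5_RECORD.size)
        records.append({
            "src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
            "packets": f[5], "bytes": f[6],
            "sport": f[9], "dport": f[10], "proto": f[13],
        })
    return {"version": version, "count": count, "sequence": seq,
            "exported_at": datetime.fromtimestamp(secs, timezone.utc).isoformat(),
            "records": records}


def parse_syslog(line: str) -> dict:
    """Split a syslog line into facility/severity (from PRI) and the remaining message."""
    m = SYSLOG_PRI.match(line)
    if not m or int(m.group(1)) > 191:  # PRI = facility * 8 + severity, max 23*8+7
        raise ValueError("no valid syslog PRI header")
    pri = int(m.group(1))
    return {"facility": pri >> 3, "severity": pri & 7,
            "rfc5424": m.group(2) is not None, "message": m.group(3)}


def receive_one(port: int, timeout: float = 30.0) -> tuple:
    """Assumed helper for a lab host: wait for one UDP datagram on `port` (514 or 9995)
    and return (payload, sender IP). Do not run on the CCE while its collector owns the port."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.bind(("0.0.0.0", port))
        data, (addr, _) = s.recvfrom(65535)
        return data, addr


def build_sample_v5() -> bytes:
    """Constructed NetFlow v5 export with one TCP/443 flow (not a captured packet)."""
    header = NF5_HEADER.pack(5, 1, 123456, 1700000000, 0, 42, 0, 0, 0)
    record = NF5_RECORD.pack(
        socket.inet_aton("192.0.2.10"), socket.inet_aton("198.51.100.20"),
        socket.inet_aton("0.0.0.0"), 1, 2, 7, 900, 100000, 123000,
        51514, 443, 0, 0x18, 6, 0, 0, 0, 24, 24, 0)
    return header + record


if __name__ == "__main__":
    print(parse_netflow_v5(build_sample_v5()))
    print(parse_syslog("<134>Jan  5 12:00:00 opnsense filterlog[123]: constructed test line"))
```

A facility of 16 with severity 6 decodes to local0/info; if the firewall is sending a level you excluded in the Levels field, or a version other than the one selected under Reporting/NetFlow, this is where it shows.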

On UI

  1. Log in to the UI with administrative rights and navigate to System >> Log/Flow Collection Status.

  2. Under Source Device IP, the IP address of the device will appear together with the number of logs/flows sent to the Seceon servers.

 

Reference: https://www.netvizura.com/blog/opnsense-netflow-and-eventlog-configuration

Seceon Inc. All rights reserved. https://www.seceon.com