Monitoring Wireguard VPN Connections with JSON Log Forwarding - cfloquetprojects/homelab GitHub Wiki

Introduction:

This guide is a continuation of my first guide for installing & configuring Wireguard on a CentOS 7 minimal host to use as a VPN server.

While Wireguard is known for its high speeds and simple design, it unfortunately lacks easy-to-configure logging on the server side straight out of the box.

That is why today we will leverage the wireguard-tools repository (specifically wg-json) to convert the output of wg show into a JSON file, which we can forward to a centralized SIEM for management and analysis.

We use JSON rather than a different format simply because it is widely accepted across many different SIEMs and also offers decent performance.

Pre-Flight Check:

We will be making changes to an already networked, updated, and installed Wireguard VPN server on CentOS 7. If you aren't at this stage of deployment yet, please read my previous post, linked earlier in this document.

Be sure that your system has wireguard-tools, wget, and the latest epel-release installed. If you aren't sure, just run the commands below:

$ yum -y install epel-release
$ yum -y install wget wireguard-tools

Test wireguard-tools and create json directory:

Before we proceed further, let's test our wireguard-tools installation by issuing the wg show command:

[cfloquet@wireguard01]$ wg show
interface: wg0
  public key: hD1I9tpsPoOOxxMm3gpoXDMUMIIJGxrfQ6vhXCH6oQo=
  private key: (hidden)
  listening port: 51263

peer: quDzy...
  preshared key: (hidden)
  endpoint: 73.17.150.243:4826
  allowed ips: 10.0.4.3/32
  latest handshake: 35 seconds ago
  transfer: 185.12 MiB received, 989.15 MiB sent

If wg show printed something similar to what is shown above, you have successfully installed wireguard-tools, and we can now move on to creating the folder structure for the wg-json script.

If you plan on taking advantage of more (or all) of the features of wireguard-tools, feel free to clone their entire GitHub repo; for our purposes, however, we only need wg-json, so that is the only file we will download and use.

Create whatever directory structure (or lack thereof) you like for storing your wg-json and logger.bash scripts. I have chosen to mirror the wireguard-tools layout within my existing wireguard folder, in case I choose to pull in more of its tools in the future, so my scripts will be stored under /etc/wireguard/wireguard-tools/contrib/json/

$ mkdir -p /etc/wireguard/wireguard-tools/contrib/json/

Retrieve wg-json & logger.bash script from WireGuard on GitHub:

We can use my custom wg-json script, which converts wg show output into JSON format. It was originally taken from WireGuard's GitHub (which can be found here) and modified so that private and preshared keys are no longer parsed into the JSON logs, and so that the tabs and newlines are removed, making it easier for our SIEM to parse.

All credit for the script goes to the owners and developers of wg-json and wireguard-tools; I have only slightly modified it to trim out the sensitive information and the spacing that is unnecessary for our SIEM solution.

$ pwd
/etc/wireguard/wireguard-tools/contrib/json
$ wget https://raw.githubusercontent.com/cfloquetprojects/homelab/main/Wireguard/wg-json.bash

Let's make the wg-json bash script executable with the following:

$ chmod +x wg-json.bash

Now that we have our script prepared, we just need to set up a cron job with crontab to run the wg-json.bash script every 5 minutes and append the result to our existing log file within /var/log/wireguard:

$ crontab -e
$ crontab -l
*/5  * * * * /etc/wireguard/wireguard-tools/contrib/json/wg-json.bash >> /var/log/wireguard/log.json

If your permissions are properly configured, that cron job will append the cleaned-up output of the wg show all dump command to /var/log/wireguard/log.json every 5 minutes.
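The conversion step described above, as an added example that is not the wiki's own wg-json.bash: a bash function that reads wg show all dump text and emits one compact JSON line per interface, leaving out the interface private key and every peer's preshared key so they never reach the log file or the SIEM. The field order is the one documented in wg(8) for dump output with all; the sample dump and every key value in it are constructed placeholders.

```bash
#!/usr/bin/env bash
# Added example, not the wiki's wg-json.bash. Field layout follows wg(8):
#   interface line: iface, private-key, public-key, listen-port, fwmark
#   peer line:      iface, public-key, preshared-key, endpoint, allowed-ips,
#                   latest-handshake, transfer-rx, transfer-tx, persistent-keepalive
# Private and preshared keys ($2 on interface lines, $3 on peer lines) are
# deliberately never copied into the output.
wg_dump_to_json() {
  awk -F'\t' '
    function flush() { if (iface != "") printf "%s]}\n", buf }
    NF == 5 {
      flush()
      iface = $1; npeers = 0
      buf = sprintf("{\"interface\":\"%s\",\"publicKey\":\"%s\",\"listenPort\":%s,\"peers\":[", $1, $3, $4)
      next
    }
    NF == 9 {
      if (npeers++ > 0) buf = buf ","
      buf = buf sprintf("{\"publicKey\":\"%s\",\"endpoint\":\"%s\",\"allowedIps\":\"%s\",", $2, $4, $5)
      buf = buf sprintf("\"latestHandshake\":%s,\"transferRx\":%s,\"transferTx\":%s}", $6, $7, $8)
    }
    END { flush() }
  '
}

# Constructed sample in `wg show all dump` layout; the key fields are
# placeholders, not real WireGuard keys. Endpoint and allowed IP mirror the
# wg show output earlier on this page.
SAMPLE_DUMP="$(printf 'wg0\tPRIVKEY_PLACEHOLDER\tSERVERPUB_PLACEHOLDER\t51263\toff\nwg0\tPEERPUB_PLACEHOLDER\tPSK_PLACEHOLDER\t73.17.150.243:4826\t10.0.4.3/32\t1700000000\t194129920\t1037172736\toff\n')"

# Convert the sample; on a live server the cron job would instead run
#   wg show all dump | wg_dump_to_json >> /var/log/wireguard/log.json
json_line() { printf '%s\n' "$SAMPLE_DUMP" | wg_dump_to_json; }
json_line
```

One JSON object per line, with no tabs or embedded newlines, is what lets a line-oriented monitor input treat each cron run as a single event.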

Forwarding JSON Logs to Centralized SIEM (Splunk):

This is where we move on to forwarding these logs to our centralized log server for alerting and analysis, which in our case is going to be a Splunk indexer.

I've already written a post (and there's plenty of other documentation online) on how to install a Splunk Universal Forwarder (UF) on a Fedora- or Debian-based system.

Once you have the Splunk UF installed on the Wireguard VPN server, we can add a monitor stanza to inputs.conf for our log file under /var/log/wireguard:

$ pwd
/opt/splunkforwarder/etc/system/local
$ cat inputs.conf
[default]
host = wireguard01
[monitor:///var/log/wireguard/log.json]
index = wireguard
sourcetype = wg-json
disabled = false