OPNsense Integration Guide

Overview

OPNsense does not natively support forwarding IDS events directly to an HTTP destination. To integrate with NxtFireGuard, you'll use a Threat Feed Aggregator as an intermediary. This guide walks you through configuring OPNsense's Suricata IDS to forward events to NxtFireGuard via Syslog.

What You'll Need

  • A running OPNsense instance with Suricata enabled
  • A separate server with Docker installed to host the Threat Feed Aggregator

Prerequisites

  • Suricata is installed and operational on your OPNsense instance
  • EVE JSON logging is enabled in Suricata (see Step 2 below)
  • A server with Docker available for the Threat Feed Aggregator

Integration Architecture

OPNsense logs Suricata IDS events via EVE JSON, which are then forwarded over Syslog (UDP) to your Threat Feed Aggregator. The aggregator processes and forwards these threat events to NxtFireGuard's ingestion endpoint.

OPNsense (Suricata / EVE JSON)
        ↓  Syslog UDP :1026
Threat Feed Aggregator
        ↓  HTTPS
NxtFireGuard

Setup Instructions

Step 1: Set Up a Threat Feed Aggregator

Before configuring OPNsense, you'll need a running Threat Feed Aggregator with Syslog enabled.

  1. In your NxtFireGuard Dashboard, navigate to Data Ingestion → Feed Aggregators
  2. Click Create Aggregator and give it a descriptive name
  3. During setup, ensure Enable Syslog is toggled on
  4. Complete the creation process and follow the provided installation guide to deploy the aggregator on your Docker host

Step 2: Enable EVE JSON Logging in Suricata

EVE JSON logging must be enabled for OPNsense to produce structured IDS event output.

  1. In OPNsense, navigate to Services → Intrusion Detection → Administration
  2. Ensure Enable syslog alerts and Enable eve syslog output are enabled
  3. Save your changes

You can verify that alerts are being generated by visiting the Alerts tab in the Intrusion Detection section.

Step 3: Configure Remote Syslog Forwarding

With EVE logging active, configure OPNsense to forward Suricata logs to your Threat Feed Aggregator.

  1. Navigate to System → Settings → Logging → Remote
  2. Click Add to create a new log destination
  3. Configure the destination with the following settings:
     Field            Value
     Transport        UDP
     Application      Suricata
     Level            Info
     Hostname / IP    IP or hostname of your Threat Feed Aggregator
     Port             1026
  4. Save the configuration

Step 4: Verify Data Flow

After completing the setup, allow a few minutes for the pipeline to establish, then verify that events are flowing through correctly.

  1. Navigate to Events → Threat Events in your NxtFireGuard Dashboard
  2. Check for incoming events from your OPNsense firewall
  3. You can also review Events → Processing for ingestion status

If events are appearing, your integration is working correctly.
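If nothing shows up in the dashboard, it helps to confirm on the aggregator host itself that OPNsense is actually delivering EVE JSON over UDP 1026 before looking further down the pipeline. The script below is an added example, not code from OPNsense, Suricata or NxtFireGuard. It assumes each syslog datagram carries one EVE JSON object after a syslog header (the exact header format OPNsense emits is not assumed; the parser simply locates the first "{"), and it decodes the syslog PRI so you can see that the severity matches the Level of Info chosen in Step 3. The sample lines are constructed for the example.

```python
"""Check that Suricata EVE alerts arrive over syslog on UDP 1026.

Added example (not part of OPNsense, Suricata or NxtFireGuard). Assumes the
aggregator host receives syslog datagrams on UDP port 1026 (Step 3) and that
each datagram wraps one EVE JSON object after a syslog header.
"""
import json
import re
import socket
import sys

# Syslog PRI field: <pri> where pri = facility * 8 + severity.
# Severity 6 is "info", which is what "Level: Info" in Step 3 selects.
PRI_RE = re.compile(r"^<(?P<pri>\d{1,3})>")

# Constructed sample datagrams (RFC 5424 and BSD style headers, then a line with
# no JSON at all) standing in for what the listener would receive.
SAMPLE_LINES = [
    '<14>1 2024-05-01T12:00:00+00:00 opnsense.example suricata 4321 - - '
    '{"timestamp":"2024-05-01T12:00:00.000000+0000","event_type":"alert",'
    '"src_ip":"203.0.113.7","src_port":51515,"dest_ip":"192.0.2.10","dest_port":22,'
    '"proto":"TCP","alert":{"signature":"CONSTRUCTED sample alert",'
    '"category":"Attempted Administrator Privilege Gain","severity":1}}',
    '<14>May  1 12:00:01 opnsense suricata[4321]: '
    '{"event_type":"stats","stats":{"uptime":5}}',
    '<14>1 2024-05-01T12:00:02+00:00 opnsense.example suricata 4321 - - '
    'plain text with no json payload',
]


def parse_eve_syslog(line):
    """Return (facility, severity, event) for a syslog line carrying EVE JSON, else None."""
    m = PRI_RE.match(line)
    if not m:
        return None
    facility, severity = divmod(int(m.group("pri")), 8)
    start = line.find("{")          # skip whatever header shape the sender used
    if start < 0:
        return None
    try:
        event = json.loads(line[start:])
    except json.JSONDecodeError:
        return None
    if not isinstance(event, dict) or "event_type" not in event:
        return None
    return facility, severity, event


def _endpoint(ip, port):
    """Format ip:port, or just ip when the event has no port (e.g. stats events)."""
    return f"{ip}:{port}" if ip is not None and port is not None else ip


def summarize(event):
    """Reduce an EVE event to the fields an operator checks first."""
    alert = event.get("alert") or {}
    return {
        "event_type": event.get("event_type"),
        "src": _endpoint(event.get("src_ip"), event.get("src_port")),
        "dst": _endpoint(event.get("dest_ip"), event.get("dest_port")),
        "proto": event.get("proto"),
        "signature": alert.get("signature"),
        "severity": alert.get("severity"),
    }


def parse_many(lines):
    """Parse a batch of syslog lines, dropping anything that is not EVE JSON."""
    out = []
    for line in lines:
        parsed = parse_eve_syslog(line.rstrip("\n"))
        if parsed:
            out.append(summarize(parsed[2]))
    return out


def listen(port=1026, max_events=5):
    """Block on UDP `port` until `max_events` EVE events arrive; return (sender, summary) pairs.

    Stop the aggregator first if it is already bound to this port on the same host.
    """
    events = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(("0.0.0.0", port))
        while len(events) < max_events:
            data, peer = sock.recvfrom(65535)
            parsed = parse_eve_syslog(data.decode("utf-8", errors="replace").rstrip("\n"))
            if parsed:
                events.append((peer[0], summarize(parsed[2])))
    return events


if __name__ == "__main__":
    if "--listen" in sys.argv:
        for sender, summary in listen():
            print(sender, summary)
    else:
        for summary in parse_many(SAMPLE_LINES):
            print(summary)
```

Run it with `--listen` on the aggregator host to capture a handful of live datagrams; without arguments it parses the constructed samples. If no datagrams arrive at all, check that the firewall rules between OPNsense and the aggregator host allow UDP 1026 and that the Hostname / IP from Step 3 resolves to this host; if datagrams arrive but are rejected by the parser, the sender is not delivering EVE JSON and Step 2 needs rechecking.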

Support

For issues specific to:

  • OPNsense / Suricata configuration — refer to the OPNsense documentation and community forums
  • NxtFireGuard integration — contact NxtFireGuard support or visit the documentation portal