Migrating from OSSEC

This document describes how to migrate your existing OSSEC installation (agent or manager) to Wazuh. For interactive help, our email forum is available. You can subscribe by sending an email to wazuh+subscribe@googlegroups.com.

Note

OSSEC agents are compatible with the Wazuh manager, but agents that are not migrated to Wazuh lose some capabilities, such as OpenSCAP and some syscheck features.

Migrating an existing Elastic Stack installation is beyond the scope of the Wazuh documentation. We recommend you visit our guides for Installing Elastic Stack.

Follow the appropriate section depending on the type of your OSSEC installation:

| Upgrade from | Type | Installation type | Upgrade to | Guide |
|---|---|---|---|---|
| OSSEC 2.8.3+ | Manager | Packages | Wazuh 2.0 | Migrating OSSEC manager installed from packages |
| OSSEC 2.8.3+ | Manager | Sources | Wazuh 2.0 | Install Wazuh server with RPM packages; Install Wazuh server with Deb packages |
| OSSEC 2.8.3+ | Agent | Packages | Wazuh 2.0 | Migrating OSSEC agent installed from packages |
| OSSEC 2.8.3+ | Agent | Sources | Wazuh 2.0 | Install Wazuh agent with RPM packages; Install Wazuh agent with Deb packages |

Warning

For cases where OSSEC was installed from sources, the configuration file /var/ossec/etc/ossec.conf will be overwritten. The old configuration file from the current installation is saved as ossec.conf.rpmorig or ossec.conf.deborig. You should compare the new file with the old one. Also, a backup of your previous ruleset will be saved at /var/ossec/etc/backup_ruleset. All the rules/decoders in files other than local_rules.xml or local_decoder.xml will be overwritten.
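
One way to carry out the comparison the warning asks for, as an added example that is not part of the Wazuh documentation. The function names are hypothetical, and the layout inside backup_ruleset is an assumption, so the script searches it recursively.

```shell
#!/bin/sh
# Added example: post-migration review of the files named in the warning above.
# Pass the etc directory as the first argument, e.g. /var/ossec/etc.

# Print the pre-migration config saved by the package (RPM or Deb suffix).
find_saved_conf() {
    for suffix in rpmorig deborig; do
        if [ -f "$1/ossec.conf.$suffix" ]; then
            printf '%s\n' "$1/ossec.conf.$suffix"
            return 0
        fi
    done
    return 1
}

# Unified diff from the saved config to the new one.
# Exit status: 0 identical, 1 different, 2 no saved config found.
conf_changes() {
    saved=$(find_saved_conf "$1") || {
        echo "no ossec.conf.rpmorig or ossec.conf.deborig in $1" >&2
        return 2
    }
    diff -u "$saved" "$1/ossec.conf"
}

# List backed-up rule/decoder files other than local_rules.xml and
# local_decoder.xml. Edits made to these files were overwritten and have
# to be re-applied by hand (ideally moved into the local_* files).
overwritten_ruleset_files() {
    [ -d "$1/backup_ruleset" ] || return 0
    find "$1/backup_ruleset" -type f \
        ! -name local_rules.xml ! -name local_decoder.xml | sort
}

# Run both checks and return the status of the config comparison.
migration_review() {
    echo "== ossec.conf: saved copy vs. new file =="
    rc=0
    conf_changes "$1" || rc=$?
    echo "== backed-up ruleset files to review for local edits =="
    overwritten_ruleset_files "$1"
    return "$rc"
}

# Only act when a directory is given on the command line.
if [ $# -gt 0 ]; then
    migration_review "$1"
fi
```

A status of 1 from the review means the new ossec.conf differs from the saved one and the diff output should be read before restarting the service.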