Migrating OSSEC agent installed from packages
1. Backup your current configuration
Stop OSSEC:
$ /var/ossec/bin/ossec-control stop
Check if you have enough space to create a copy of /var/ossec
:
$ du -h /var/ossec | tail -n1
$ df -h /var
Backup /var/ossec
:
$ cp -rp /var/ossec /var/ossec_backup
2. Remove your current installation
Debian and Ubuntu:
$ apt-get remove ossec-hids-agent --purge
CentOS and Red Hat:
$ yum remove ossec-hids-agent
Remove directory:
$ rm -rf /var/ossec
3. Install Wazuh agent
Follow the next guide in order to install Wazuh agent:
4. Restore configuration
Stop OSSEC:
$ systemctl stop wazuh-agent
Restore files:
$ cp -p /var/ossec_backup/etc/ossec.conf /var/ossec/etc/ossec.conf.orig
$ cp -p /var/ossec_backup/etc/local_internal_options.conf /var/ossec/etc/local_internal_options.conf
$ cp -p /var/ossec_backup/etc/client.keys /var/ossec/etc/
$ cp -p /var/ossec_backup/queue/rids/* /var/ossec/queue/rids/
5. Review ossec.conf
The previous configuration file is saved as /var/ossec/etc/ossec.conf.orig
. You should review the new configuration file /var/ossec/etc/ossec.conf
with the old one in case that you want to add some setting from the previous configuration.
Do not forget to restore the IP of the manager:
/var/ossec/etc/ossec.conf
<ossec_config>
<client>
<server-ip>MANAGER_IP</server-ip>
6. Start Wazuh
$ /var/ossec/bin/ossec-control start