Migrating from OSSEC
This document describes how to migrate your existing OSSEC installation (agent or manager) to Wazuh. For interactive help, our email forum is available. You can subscribe by sending an email to wazuh+subscribe@googlegroups.com.
Note
OSSEC agents are compatible with Wazuh manager, but if you don't migrate your agents to Wazuh, you will lose some capabilities like OpenSCAP or some syscheck features in those agents.
If you already have Elastic Stack installed, migrating it is beyond the scope of the Wazuh documentation. We recommend you visit our guides for Installing Elastic Stack.
Follow the appropriate section depending on the type of your OSSEC installation:
| Upgrade from | Type | Installation type | Upgrade to | Guide |
|---|---|---|---|---|
| OSSEC 2.8.3+ | Manager | Packages | Wazuh 3.x | |
| OSSEC 2.8.3+ | Manager | Sources | Wazuh 3.x | |
| OSSEC 2.8.3+ | Agent | Packages | Wazuh 3.x | |
| OSSEC 2.8.3+ | Agent | Sources | Wazuh 3.x | |
Warning
For cases where OSSEC was installed from sources, the configuration file /var/ossec/etc/ossec.conf will be overwritten. The old configuration file from the current installation is saved as ossec.conf.rpmorig or ossec.conf.deborig. You should compare the new file with the old one. Also, a backup of your previous ruleset will be saved at /var/ossec/etc/backup_ruleset. All the rules/decoders in files other than local_rules.xml or local_decoder.xml will be overwritten.