Migrating from OSSEC¶
Why it’s time to migrate¶
Unfortunately, OSSEC users have not seen lots of new features over the last decade. The project has been in maintenance mode for a long time and very little development work has been done. There is no active roadmap and the last releases consist mostly of bug fixes reported by occasional contributors.
This is why, back in 2015, the Wazuh team decided to fork the project. The result is a much more comprehensive, easy-to-use, reliable, and scalable solution. The fork has had great adoption among the open source community, quickly becoming a broadly used solution in enterprise environments.
Regarding project activity and roadmap, you can find Wazuh code in our GitHub repository. We believe is relevant to mention that, at the time of writing this documentation, the project has over 8,500 commits (3,000+ more than OSSEC).
Here is a brief summary of the value we added to the OSSEC project, and good reasons to upgrade your security monitoring infrastructure moving it to Wazuh:
Scalability and reliability¶
Cluster support for managers to scale horizontally.
Support for Puppet, Chef, Ansible, and Docker deployments.
TCP support for agent-manager communications.
Anti-flooding feature to prevent large burst of events from being lost or negatively impact network performance.
AES encryption is used for agent-manager communications (instead of Blowfish).
Multi-thread support for manager processes, dramatically increasing their performance.
Installation and configuration management¶
MSI signed package for Windows systems, with auto registration and configuration support.
Unified RPM and Deb Linux packages.
Support for AIX, Solaris, Mac OS X and HP-UX.
RESTful API for status monitoring, querying, and configuration management.
Ability to upgrade agents from the managers.
Improved centralized configuration management using agent groups.
Improved log analysis engine, with native JSON decoding and ability to name fields dynamically.
Increased maximum message size from 6KB to 64KB (being able to analyze much larger log messages).
Updated ruleset with new log analysis rules and decoders.
Native rules for Suricata, making use of JSON decoder.
Integration with OwlH project for unified NIDS management.
Support for IP reputation databases (e.g. AlienVault OTX).
Native integration with Linux auditing kernel subsystem and Windows audit policies to capture who-data for FIM events.
Integration with cloud providers¶
Alert mapping with PCI DSS and GPG13 requirements.
Compliance dashboards for Elastic Stack, provided by Wazuh Kibana plugin.
Compliance dashboards for Splunk, provided by Wazuh app.
Use of OwlH project Suricata mapping for compliance.
SHA256 hashes used for file integrity monitoring (in addition to MD5 and SHA1).
Elastic Stack integration¶
Provides the ability to index and query data.
Data enrichment using GeoIP Elasticsearch module.
Kibana plugin used to visualize data (integrated using Wazuh REStful API).
Web user interface pre-configured extensions, adapting them to your use cases.
Module for collection of software and hardware inventory data.
Ability to query for software and hardware via RESTful API.
Module for integration with Osquery, being able to run queries on demand.
Implementation of new output options for log collector component.
Module for integration with Virustotal, used to detect the presence of malicious files.
How to move to Wazuh¶
The following guides describe how to migrate your existing OSSEC installation to Wazuh. Follow the appropriate one depending on the type (server or agent) of your OSSEC installation:
OSSEC 2.8.3 or higher
OSSEC 2.8.3 or higher
The migration of Elastic stack, in the case that you already have it installed, is beyond the scope of Wazuh documentation. We recommend you visit our guides for Installing Elastic Stack.
OSSEC agents are compatible with the Wazuh server. You can even have different versions of Wazuh and OSSEC agents reporting to a centralized Wazuh server. Having said that, it is recommended to keep both server and agents updated to the latest version. For interactive help, our mailing list is available. You can subscribe by sending an email to