Migrating from OSSEC

This document describes how to migrate your existing OSSEC installation (agent or manager) to Wazuh. For interactive help, our email forum is available. You can subscribe by sending an email to wazuh+subscribe@googlegroups.com.

Note

OSSEC agents are compatible with Wazuh manager, but if you don’t migrate your agents to Wazuh, you will lose some capabilities like OpenSCAP or some syscheck features in those agents.

The migration of Elastic stack, in the case that you already have it installed, is beyond the scope of Wazuh documentation. We recommend you visit our guides for Installing Elastic Stack.

Follow the appropriate section depending on the type of your OSSEC installation:

Upgrade from Type Installation type Upgrade to Guide
OSSEC 2.8.3+ Manager Packages Wazuh 2.0 Migrating OSSEC manager installed from packages
OSSEC 2.8.3+ Manager Sources Wazuh 2.0 Install Wazuh server with RPM packages
Install Wazuh server with Deb packages
OSSEC 2.8.3+ Agent Packages Wazuh 2.0 Migrating OSSEC agent installed from packages
OSSEC 2.8.3+ Agent Sources Wazuh 2.0 Install Wazuh agent with RPM packages
Install Wazuh agent with Deb packages

Warning

For cases where OSSEC was installed from sources, the configuration file /var/ossec/etc/ossec.conf will be overwritten. The old configuration file from the current installation is saved as ossec.conf.rpmorig or ossec.conf.deborig. You should compare the new file with the old one. Also, a backup of your previous ruleset will be saved at /var/ossec/etc/backup_ruleset. All the rules/decoders in files other than local_rules.xml or local_decoder.xml will be overwritten.