Migrating OSSEC agent¶
The following instructions have been written to migrate OSSEC agents to Wazuh agents on Linux systems. For Windows and other platforms please check our Installation guide.
Backup your files¶
To avoid losing any configuration data, or the agent key, we will stop the OSSEC agent and make a copy of the directory where it lives. But first, lets check if we have enough space to create a copy of
$ sudo du -h /var/ossec | tail -n1 $ sudo df -h /var
Now we copy all files to a separated backup directory:
$ sudo /var/ossec/bin/ossec-control stop $ sudo cp -rp /var/ossec /var/ossec_backup
Remove your current installation¶
|Installation type||How to remove OSSEC|
$ sudo apt-get remove ossec-hids-agent --purge $ sudo rm -f /etc/ossec-init.conf $ sudo rm -rf /var/ossec
$ sudo yum remove ossec-hids-agent $ sudo rm -f /etc/ossec-init.conf $ sudo rm -rf /var/ossec
$ sudo rm -f /etc/ossec-init.conf $ sudo rm -rf /var/ossec
Install Wazuh agent¶
Now it’s time to install the Wazuh agent component. This can be done from sources or from binary packages. Go to our documentation to Installing Wazuh agent section for detailed instructions on this process.
Before restoring our previous settings please note that some configuration options have been deprecated or use a different syntax, what can cause the agent not to start properly. To avoid this, you can manually try to migrate your settings. Same thing happens with rules and decoders. In case of doubt take a look at our User manual.
The first step is to stop the agent processes:
$ systemctl stop wazuh-agent
Now we will restore the following files:
$ cp -p /var/ossec_backup/etc/ossec.conf /var/ossec/etc/ossec.conf.orig $ cp -p /var/ossec_backup/etc/local_internal_options.conf /var/ossec/etc/local_internal_options.conf $ cp -p /var/ossec_backup/etc/client.keys /var/ossec/etc/ $ cp -p /var/ossec_backup/queue/rids/* /var/ossec/queue/rids/
There have been some syntax changes, and new settings, incorporated to
ossec.conf file. Please review this file manually in order to import your previous configuration. More specifically, one of the changes is the configuration stanza for the communication with the manager:
<ossec_config> <client> <server-ip>MANAGER_IP</server-ip>
Finally we can start the agent again. Please check
/var/ossec/logs/ossec.log file to ensure there are no errors or warnings related to the settings migration.
$ systemctl start wazuh-agent