OSSEC is an open source host-based Intrusion Detection System (IDS) that provides log analysis, integrity monitoring, real-time alerting, and active response capabilities. In recent years, the OSSEC project has been in maintenance mode with limited emphasis on active development. 

In 2015, the Wazuh team decided to fork the project, expanding upon the OSSEC core functionalities with additional features, enhancements, and a user-friendly interface. It is designed to be easily set up and used, making it a more accessible and comprehensive solution for security monitoring. 

Wazuh is a free, open source, unified XDR and enterprise-grade security monitoring platform for threat detection, incident response, and regulatory compliance. It provides comprehensive protection for on-premises, cloud, containerized, and virtualized environments. It also offers compatibility and integration methods with other security platforms. 

In this blog post, we cover how to migrate an existing OSSEC deployment to the latest version of Wazuh. This migration provides your organization with a comprehensive solution with capabilities that add significant value to your security efforts.

Benefits of upgrading to Wazuh

A summary of the value added to the OSSEC project by Wazuh is highlighted below:

  • Active and responsive development community: Wazuh has a proactive team and engaged open source community, resulting in frequent updates, bug fixes, and new features. This ensures that your security solution remains up-to-date and effective in the ever-evolving threat landscape.
  • Enhanced scalability and manageability: The Wazuh architecture is designed to handle large environments, making it well-suited for organizations with diverse and extensive infrastructure. It offers simplified agent and manager deployment, and user-friendly centralized configuration management. This allows security teams to efficiently monitor and respond to threats across a wide range of systems. Wazuh supports various deployment tools, including Puppet, Ansible, and Docker. It is also compatible with various operating systems including Windows, Linux, AIX, Solaris, Mac OS X, and HP-UX. 
  • Improved detection and third-party integration: Wazuh provides enhanced rule sets and improved threat detection mechanisms. The Wazuh team actively maintains and updates the rules to identify emerging threats, making it more effective at identifying malicious activities and vulnerabilities. Moreover, Wazuh integrates with various third-party tools (including VirusTotal, Suricata, AlienVault OTX, etc), enabling seamless interaction with other security solutions and expanding its utility within your security ecosystem.
  • Integration with cloud providers: Wazuh provides support for cloud providers such as AWS, Microsoft Azure, and Google Cloud Platform. This is achieved through integrations and the ability to analyze logs and security events, making it a valuable tool for organizations that operate with cloud environments. This support enhances your security posture by extending monitoring and incident response capabilities to the cloud. It helps you identify and mitigate security threats across hybrid and cloud-based infrastructure. 
  • Regulatory compliance: Wazuh offers advantages for regulatory compliance efforts through centralized log management, real-time monitoring, and alerting, along with customizable rule sets, detailed reporting, and integration capabilities. These features facilitate documentation and auditing, ensuring alignment with compliance requirements. Wazuh also provides compliance dashboards for Elastic, Splunk, and OpenSearch. 
  • Incident response: The Wazuh active response capability is designed to automate and streamline security incident responses. It empowers organizations to proactively defend against threats by automatically executing predefined actions when specific security events or anomalies are detected. This capability enhances system protection and reduces the need for manual intervention, ensuring a more efficient and responsive security posture. Wazuh also provides a module for the collection of software and hardware inventory data. The extensible RESTful API enables integration with existing incident response tools and workflows, enhancing overall response capabilities and facilitating coordination during security incidents.
  • Vulnerability detection and configuration assessment: Wazuh performs vulnerability assessment of monitored endpoints to detect vulnerable OS components and applications. Wazuh uses data from feeds from Canonical, Microsoft, the National Vulnerability Database (NVD), and more to provide real-time information about vulnerabilities. The Wazuh SCA module takes vulnerability assessment a step further by analyzing system configuration for vulnerabilities that may be peculiar to your organization’s setup. It continuously monitors your configurations to detect deviations from established security policies or best practices.

Infrastructure

  • An Ubuntu 22.04 LTS endpoint with OSSEC HIDS 3.7.0 server installed. Follow this link to download the server. 
  • An Ubuntu 22.04 LTS endpoint with OSSEC 3.7.0 agent installed. Follow this link to download the agent. 
  • A Windows 10 endpoint with OSSEC 3.7.0 agent installed. Follow this link to download the agent. 

Migrating from OSSEC to Wazuh

In this section, we describe how to migrate your existing OSSEC deployment to Wazuh. We cover how to perform the following:

Migrating the OSSEC server

Perform the following steps on the OSSEC server to migrate from OSSEC 2.8.3 or higher to Wazuh 4.5. Consider the requirements before proceeding with the migration. 

Backup files

To ensure configuration data or agent keys are not lost, we stop the OSSEC server and make a copy of the directory where it exists. The OSSEC server is usually installed in the /var/ossec directory. 

NOTE: Confirm there is sufficient disk space to create a copy of the directory.

1. Stop the OSSEC server:

$ sudo /var/ossec/bin/ossec-control stop

2. Create a backup folder for the /var/ossec directory:

$ sudo mkdir /var/ossec_backup

3. Copy all files to the backup directory:

$ sudo cp -rp /var/ossec/. /var/ossec_backup

Uninstall OSSEC

Perform the following steps to uninstall OSSEC. There are different methods to remove OSSEC depending on your installation type.

  • For DEB packages:
$ sudo apt-get remove ossec-hids-server --purge
$ sudo rm -f /etc/ossec-init.conf
$ sudo rm -rf /var/ossec
  • For RPM packages:
$ sudo yum remove ossec-hids-server
$ sudo rm -f /etc/ossec-init.conf
$ sudo rm -rf /var/ossec
  • From sources:
$ sudo rm -f /etc/ossec-init.conf
$ sudo rm -rf /var/ossec

Install Wazuh components

Follow the steps below to install the Wazuh central components – Wazuh indexer, Wazuh server, and Wazuh dashboard. Wazuh provides several options for installing these components. In this blog post, we use the Wazuh Quickstart guide. 

1. Download and run the Wazuh installation assistant:

$ curl -sO https://packages.wazuh.com/4.5/wazuh-install.sh && sudo bash ./wazuh-install.sh -a

Once the assistant finishes the installation, the output shows the access credentials and a message that confirms that the installation was successful.

INFO: --- Summary ---
INFO: You can access the web interface https://<wazuh-dashboard-ip>:443
	User: admin
	Password: <ADMIN_PASSWORD>
INFO: Installation finished.

2. Access the Wazuh web user interface with the URL: https://<wazuh-dashboard-ip> and your credentials:

Username: admin
Password: <ADMIN_PASSWORD>

Refer to the Wazuh installation guide to explore other installation options.

Restore configuration

NOTE: Before restoring previous settings, note that some configuration options have been deprecated or use a different syntax which can cause the Wazuh manager not to start properly. You should manually review and copy your settings to avoid this. This also applies to rules and decoders. Refer to the Wazuh user manual for updated information on syntax and configuration options.

1. Stop the Wazuh manager service:

$ sudo systemctl stop wazuh-manager

2. In older versions of Wazuh, the user ossec is used. However, from Wazuh version 4.3 upwards, Wazuh replaces this user with wazuh. Update the ownership of the copied files to wazuh to avoid permission issues:

$ sudo chown -R wazuh:wazuh /var/ossec_backup/

3. Restore the following files that you backed up previously:

NOTE

1. Not all the files below will exist in your backup as every OSSEC deployment is not the same.

2. In addition to the local_rules.xml and local_decoder.xml files, ensure you move your other custom rules and decoders files to the /var/ossec/etc/rules and /var/ossec/etc/decoders directories respectively.

3. Some changes have been made to the syntax and new settings have been added to the /var/ossec/etc/ossec.conf file. It is important to review the file manually to import your previous configuration from the /var/ossec_backup/etc/ossec.conf file.  

For example, the element ‘program_name_pcre2‘ for <decoder> is not a valid element in Wazuh and is replaced by ‘program_name’. Similarly, the element ‘prematch_pcre2‘ for <decoder> is not a valid element in Wazuh and is replaced by ‘<a href="https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/decoders.html#program-name" target="_blank" rel="noreferrer noopener">prematch</a>’. Refer to the Wazuh decoders syntax for more information.

$ sudo cp -p /var/ossec_backup/etc/client.keys /var/ossec/etc/
$ sudo cp -p /var/ossec_backup/etc/local_internal_options.conf /var/ossec/etc/local_internal_options.conf
$ sudo cp -p /var/ossec_backup/queue/rids/sender_counter /var/ossec/queue/rids/sender_counter
$ sudo cp -p /var/ossec_backup/etc/decoder.xml /var/ossec/etc/decoders/local_decoder.xml
$ sudo cp -p /var/ossec_backup/rules/local_rules.xml /var/ossec/etc/rules/local_rules.xml
$ sudo cp -p /var/ossec_backup/etc/shared/agent.conf /var/ossec/etc/shared/default/agent.conf
$ sudo cp -p /var/ossec_backup/agentless/.passlist /var/ossec/agentless/

4. Optional: Restore the following files to preserve alert log files, archive log files, and the databases of the Syscheck and Rootcheck modules.

$ sudo cp -rp /var/ossec_backup/logs/archives/* /var/ossec/logs/archives
$ sudo cp -rp /var/ossec_backup/logs/alerts/* /var/ossec/logs/alerts
$ sudo cp -rp /var/ossec_backup/queue/rootcheck/* /var/ossec/queue/rootcheck
$ sudo cp -rp /var/ossec_backup/queue/syscheck/* /var/ossec/queue/syscheck

NOTE: To restore old logs, refer to the following documentation. However, note that OSSEC does not have JSON output configured by default.

5 Start the Wazuh manager service:

$ sudo systemctl start wazuh-manager

Check the /var/ossec/logs/ossec.log file to ensure there are no errors or warnings related to the migration of your settings.

NOTE: If you have existing OSSEC agents, you may need to enable receiving UDP on port 1514 by modifying the following block in the /var/ossec/etc/ossec.conf configuration file:

<remote>
  <connection>secure</connection>
  <port>1514</port>
  <protocol>tcp</protocol>

Add udp in the <protocol> tag:

<remote>
  <connection>secure</connection>
  <port>1514</port>
  <protocol>tcp,udp</protocol>

Migrating the OSSEC agent

OSSEC agents are compatible with the Wazuh server. It is possible to have different versions of Wazuh and OSSEC agents reporting to a centralized Wazuh server. However, we recommend keeping both server and agents updated to the latest version of Wazuh

NOTE: Higher versions of Wazuh agents are not compatible with Wazuh managers running lower versions.

Perform the following steps on the endpoint where the OSSEC agent is installed to migrate from OSSEC 2.8.3 or higher to Wazuh 4.5 or higher. 

Linux endpoint

Backup files

To ensure configuration data or agent keys are not lost, we stop the OSSEC agent and make a copy of the directory where it exists. The OSSEC agent is usually installed in the /var/ossec directory on the monitored Linux endpoint. 

NOTE: Confirm there is sufficient disk space to create a copy of the directory.

Perform the steps below to stop the OSSEC agent and copy all files to a separate backup directory. We use /var/ossec_backup in this blog post.

1. Stop the OSSEC agent:

$ sudo /var/ossec/bin/ossec-control stop

2. Create a backup folder for the /var/ossec directory:

$ sudo mkdir /var/ossec_backup

3. Copy all files to the backup directory:

$ sudo cp -rp /var/ossec/. /var/ossec_backup

Uninstall OSSEC

Perform the following steps to uninstall OSSEC. There are different methods to remove OSSEC depending on the installation type.

  • For DEB packages:
$ sudo apt-get remove ossec-hids-agent --purge
$ sudo rm -f /etc/ossec-init.conf
$ sudo rm -rf /var/ossec
  • For RPM packages:
$ sudo yum remove ossec-hids-agent
$ sudo rm -f /etc/ossec-init.conf
$ sudo rm -rf /var/ossec
  • From sources:
$ sudo rm -f /etc/ossec-init.conf
$ sudo rm -rf /var/ossec

Install Wazuh agent

Perform the following steps to install a Wazuh agent on the Linux endpoint.

NOTE: You need root user privileges to run all the commands described below.

1. Add the Wazuh repository to download the official packages:

# curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && chmod 644 /usr/share/keyrings/wazuh.gpg
# echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list
# apt-get update

2. Deploy the Wazuh agent. Edit the <WAZUH_MANAGER_IP> variable to contain your Wazuh manager IP address:

# WAZUH_MANAGER="<WAZUH_MANAGER_IP>" apt-get install wazuh-agent

3. Enable and start the Wazuh agent service:

# systemctl daemon-reload
# systemctl enable wazuh-agent
# systemctl start wazuh-agent

Refer to the following installation guide for more information.

Restore configuration

NOTE: Before restoring previous settings, note that some configuration options have been deprecated or use a different syntax which can cause the Wazuh agent not to start properly. You can manually review and copy your settings to avoid this.

1. Stop the Wazuh agent service:

$ sudo systemctl stop wazuh-agent

2. In older versions of Wazuh, the user ossec is used. However, from Wazuh version 4.3 upwards, Wazuh replaces this user with wazuh. Update the ownership of the copied files to wazuh to avoid permission issues:

$ sudo chown -R wazuh:wazuh /var/ossec_backup/

3. Restore the following files that you backed up previously:

$ sudo cp -p /var/ossec_backup/etc/local_internal_options.conf /var/ossec/etc/local_internal_options.conf
$ sudo cp -p /var/ossec_backup/etc/client.keys /var/ossec/etc/
$ sudo cp -p /var/ossec_backup/queue/rids/* /var/ossec/queue/rids/

NOTE: Some changes have been made to the syntax and new settings have been added to the /var/ossec/etc/ossec.conf file. It is important to review the file manually to import your previous configuration from the /var/ossec_backup/etc/ossec.conf file. Refer to the ossec.conf documentation.

4. Start the Wazuh agent service:

$ sudo systemctl start wazuh-agent

Check the Wazuh agent /var/ossec/logs/ossec.log log file to ensure there are no errors or warnings related to the migration of your settings.

NOTE: You can keep using the OSSEC agent if you do not want to install the Wazuh agent, however, this is not recommended.

To achieve this, run the following commands to enroll the OSSEC agent to the Wazuh server:

$ sudo /var/ossec/bin/agent-auth -m <WAZUH-MANAGER-IP> -p 1515
$ sudo /var/ossec/bin/ossec-control restart

Windows endpoint

Backup files

To ensure configuration data or agent keys are not lost, we stop the OSSEC agent and make a copy of the directory where it exists. The OSSEC agent is usually installed in the C:\Program Files (x86)\ossec-agent directory on the monitored Windows endpoint. 

NOTE: Confirm there is sufficient disk space to create a copy of the directory.

Perform the steps below in Powershell with administrator privileges:

1. Stop the OSSEC server:

> Stop-Service -Name OssecSvc

2. Create a backup folder for the C:\Program Files (x86)\ossec-agent  directory:

> New-Item -Path 'C:\Program Files (x86)\ossec-agent-backup' -ItemType Directory

3. Copy all files to the backup directory:

> Copy-Item -Path 'C:\Program Files (x86)\ossec-agent\*' -Destination 'C:\Program Files (x86)\ossec-agent-backup' -Recurse -Force

Uninstall OSSEC

Run the following command to switch to the C:\Program Files (x86)\ossec-agent directory and uninstall OSSEC:

> cd 'C:\Program Files (x86)\ossec-agent' ; .\uninstall.exe

After running the command, the OSSEC uninstall wizard pops up. Click Next on all prompts.

Install Wazuh agent

Perform the following steps to install a Wazuh agent on the Windows endpoint:

NOTE: You need administrator privileges to run all the commands described below.

1. Download the Windows installer.

2. Install the Wazuh agent using PowerShell. Edit the WAZUH_MANAGER_IP variable to contain your Wazuh manager IP address:

> .\wazuh-agent-4.5.4-1.msi /q WAZUH_MANAGER="WAZUH_MANAGER_IP"

3. Start the Wazuh agent:

> NET START Wazuh

Refer to the installation guide for more information.

Restore configuration

NOTE: Before restoring previous settings, note that some configuration options have been deprecated or use a different syntax which can cause the Wazuh agent not to start properly. You can manually review and copy your settings to avoid this.

1. Stop the Wazuh agent service:

> Stop-Service -Name wazuh

2. Restore the following files that you backed up previously:

> Copy-Item -Path "C:\Program Files (x86)\ossec-agent-backup\ossec.conf" -Destination "C:\Program Files (x86)\ossec-agent\ossec.conf.orig"
> Copy-Item -Path "C:\Program Files (x86)\ossec-agent-backup\local_internal_options.conf" -Destination "C:\Program Files (x86)\ossec-agent\local_internal_options.conf" -Force
> Copy-Item -Path "C:\Program Files (x86)\ossec-agent-backup\client.keys" -Destination "C:\Program Files (x86)\ossec-agent\" -Force
> Copy-Item -Path "C:\Program Files (x86)\ossec-agent-backup\rids\*" -Destination "C:\Program Files (x86)\ossec-agent\rids\" -Force

NOTE: Some changes have been made to the syntax and new settings have been added to the C:\Program Files (x86)\ossec-agent\ossec.conf file. It is important to review the file manually to import your previous configuration from the ossec.conf.orig file.

3. Start the Wazuh agent service:

> Start-Service -Name wazuh

Check the Wazuh agent C:\Program Files (x86)\ossec-agent\logs\ossec.log log file to ensure there are no errors or warnings related to the migration of your settings.

Conclusion

In this blog post, we describe how to migrate OSSEC deployment to Wazuh. Migrating from OSSEC to Wazuh offers a multitude of benefits and enhancements to your organization’s security efforts. 

Wazuh offers significant advantages, including active development, enhanced scalability, improved threat detection, and seamless integration with third-party tools and cloud platforms. By migrating to Wazuh, organizations can stay agile and well-prepared to tackle evolving security threats. 

References

Syscheck OSSEC

Storing alerts as JSON