diff --git a/source/_static/js/redirects.js b/source/_static/js/redirects.js index fbc7043a97..c46c97a998 100644 --- a/source/_static/js/redirects.js +++ b/source/_static/js/redirects.js @@ -76,7 +76,10 @@ removedUrls['4.8'] = [ '/user-manual/capabilities/vulnerability-detection/cpe-helper.html', '/user-manual/capabilities/vulnerability-detection/querying-the-vulnerability-database.html', '/user-manual/capabilities/vulnerability-detection/scan-types.html', - '/user-manual/capabilities/vulnerability-detection/allow-os.html' + '/user-manual/capabilities/vulnerability-detection/allow-os.html', + '/migration-guide/migrating-from-ossec/index.html', + '/migration-guide/migrating-from-ossec/ossec-server.html', + '/migration-guide/migrating-from-ossec/ossec-agent.html', ]; /* Redirections from 4.7 to 4.8 */ diff --git a/source/migration-guide/index.rst b/source/migration-guide/index.rst index 1bbda8ebc7..a87515b4eb 100644 --- a/source/migration-guide/index.rst +++ b/source/migration-guide/index.rst @@ -1,7 +1,7 @@ .. Copyright (C) 2015, Wazuh, Inc. .. meta:: - :description: Learn how to migrate from Open Distro for Elasticsearch or from OSSEC to Wazuh. This guide gives instructions to make these migration actions. + :description: Learn how to migrate from Open Distro for Elasticsearch to the Wazuh indexer and Wazuh dashboard. This guide gives instructions to perform the migration. Migration guide ================ 
@@ -12,12 +12,9 @@ From Wazuh 4.0.0 to Wazuh 4.2.7, the default Wazuh installation included the Waz - :doc:`Migrating to the Wazuh dashboard `: This section will guide you through the migration from Open Distro for Elasticsearch Kibana 1.13 to the Wazuh dashboard. This new web interface for the Wazuh platform is a customized `OpenSearch Dashboards `_ distribution that includes different sections, visualizations and tools to manage the Wazuh indexer information and the Wazuh Server. -This guide also includes a :doc:`Migrating from OSSEC ` section. Following this guide, you will learn how to migrate your existing OSSEC installation to the last version of Wazuh. Our solution is free, open-source, and unifies XDR and SIEM capabilities within a unique top-notch security platform. Migrating to Wazuh, your organizations get a comprehensive, easy-to-use, reliable, and scalable solution. - .. toctree:: :hidden: wazuh-indexer wazuh-dashboard - migrating-from-ossec/index files-backup/index diff --git a/source/migration-guide/migrating-from-ossec/index.rst b/source/migration-guide/migrating-from-ossec/index.rst deleted file mode 100644 index 5df9f1a182..0000000000 --- a/source/migration-guide/migrating-from-ossec/index.rst +++ /dev/null 
@@ -1,116 +0,0 @@ -.. Copyright (C) 2015, Wazuh, Inc. - -.. meta:: - :description: Wazuh was born as a fork of OSSEC. In this section we explain the value we add to the OSSEC project and how to move to Wazuh from OSSEC. - -.. _upgrading_ossec: - -Migrating from OSSEC -==================== - -Why it's time to migrate ------------------------- - -Unfortunately, OSSEC users have not seen lots of new features over the last decade. The project has been in maintenance mode for a long time and very little development work has been done. There is no active roadmap and the last releases consist mostly of bug fixes reported by occasional contributors. - -This is why, back in 2015, the Wazuh team decided to fork the project. The result is a much more comprehensive, easy-to-use, reliable, and scalable solution. The fork has had great adoption among the open source community, quickly becoming a broadly used solution in enterprise environments. - -Regarding project activity and roadmap, you can find Wazuh code in our `GitHub repository `_. We believe is relevant to mention that, at the time of writing this documentation, the project has over 40,000 commits (30,000+ more than OSSEC). - -Here is a brief summary of the value we added to the OSSEC project, and good reasons to upgrade your security monitoring infrastructure moving it to Wazuh: - -Scalability and reliability -+++++++++++++++++++++++++++ - -* Cluster support for managers to scale horizontally. -* Support for Puppet, Chef, Ansible, and Docker deployments. -* TCP support for agent-manager communications. -* Anti-flooding feature to prevent large burst of events from being lost or negatively impact network performance. -* AES encryption is used for agent-manager communications (instead of Blowfish). -* Multi-thread support for manager processes, dramatically increasing their performance. 
- -Installation and configuration management -+++++++++++++++++++++++++++++++++++++++++ - -* MSI signed package for Windows systems, with auto registration and configuration support. -* Unified RPM and Deb Linux packages. -* Support for AIX, Solaris, Mac OS X and HP-UX. -* RESTful API for status monitoring, querying, and configuration management. -* Ability to upgrade agents from the managers. -* Improved centralized configuration management using agent groups. - -Intrusion detection -+++++++++++++++++++ - -* Improved log analysis engine, with native JSON decoding and ability to name fields dynamically. -* Increased maximum message size from 6KB to 64KB (being able to analyze much larger log messages). -* Updated ruleset with new log analysis rules and decoders. -* Native rules for Suricata, making use of JSON decoder. -* Integration with `OwlH project `_ for unified NIDS management. -* Support for IP addresses reputation databases (e.g. `AlienVault OTX `_). -* Native integration with Linux auditing kernel subsystem and Windows audit policies to capture who-data for FIM events. - -Integration with cloud providers -++++++++++++++++++++++++++++++++ - -* Module for native integration with Amazon AWS (pulling data from `Cloudtrail `_ or `Cloudwatch `_). -* New rules and decoders for Amazon AWS. -* Module for native integration with Microsoft Azure. -* New rules and decoders for Microsoft Azure. - -Regulatory compliance -+++++++++++++++++++++ - -* Alert mapping with PCI DSS and GPG13 requirements. -* Compliance dashboards for `Elastic Stack `_, provided by Wazuh Kibana plugin. -* Compliance dashboards for `Splunk `_, provided by Wazuh app. -* Use of `OwlH project `_ Suricata mapping for compliance. -* SHA256 hashes used for file integrity monitoring (in addition to MD5 and SHA1). - -Elastic Stack integration -+++++++++++++++++++++++++ - -* Provides the ability to index and query data. -* Data enrichment using GeoIP Elasticsearch module. 
-* Kibana plugin used to visualize data (integrated using Wazuh REStful API). -* Web user interface pre-configured extensions, adapting them to your use cases. - -Incident response -+++++++++++++++++ - -* Module for collection of software and hardware inventory data. -* Ability to query for software and hardware via RESTful API. -* Module for integration with `Osquery `_, being able to run queries on demand. -* Implementation of new output options for log collector component. -* Module for integration with `Virustotal `_, used to detect the presence of malicious files. - -Vulnerability detection and configuration assessment -++++++++++++++++++++++++++++++++++++++++++++++++++++ - -* Dynamic creation of CVE vulnerability databases, gathering data from OVAL repositories. -* Cross correlation with applications inventory data to detect vulnerable software. -* Support for CIS-CAT, by `Center of Internet Security `_ scanner integration. - -How to move to Wazuh --------------------- - -The following guides describe how to migrate your existing OSSEC installation to Wazuh. Follow the appropriate one depending on the type (server or agent) of your OSSEC installation: - -.. csv-table:: - :header: Installation type, Upgrade from, Upgrade to, Guide - :widths: 20 30 20 30 - - Server, OSSEC 2.8.3 or higher, Wazuh 3.x, :ref:`Upgrade OSSEC server ` - Agent, OSSEC 2.8.3 or higher, Wazuh 3.x, :ref:`Upgrade OSSEC agent ` - -The migration of Elastic Stack, in the case that you already have it installed, is beyond the scope of Wazuh documentation. To learn more about the default Wazuh installation, see the :doc:`/installation-guide/index`. - -.. note:: - OSSEC agents are compatible with the Wazuh server. You can even have different versions of Wazuh and OSSEC agents reporting to a centralized Wazuh server. Having said that, it is recommended to keep both server and agents updated to the latest version. For interactive help, our `mailing list `_ is available. 
You can subscribe by sending an email to ``wazuh+subscribe@googlegroups.com``. - -.. toctree:: - :hidden: - :maxdepth: 2 - - ossec-server - ossec-agent diff --git a/source/migration-guide/migrating-from-ossec/ossec-agent.rst b/source/migration-guide/migrating-from-ossec/ossec-agent.rst deleted file mode 100644 index 42b24a561e..0000000000 --- a/source/migration-guide/migrating-from-ossec/ossec-agent.rst +++ /dev/null 
@@ -1,98 +0,0 @@ -.. Copyright (C) 2015, Wazuh, Inc. - -.. meta:: - :description: Learn in this section how to migrate OSSEC agents to Wazuh agents on Linux systems without losing any configuration data. - -.. _ossec_agent: - -Migrating OSSEC agent -===================== - -The following instructions have been written to migrate OSSEC agents to Wazuh agents on Linux systems. For Windows and other platforms please check our :ref:`Installation guide `. - -Backup your files ------------------ - -To avoid losing any configuration data, or the agent key, we will stop the OSSEC agent and make a copy of the directory where it lives. But first, lets check if we have enough space to create a copy of ``/var/ossec``: - -.. code-block:: console - - $ sudo du -h /var/ossec | tail -n1 - $ sudo df -h /var - -Now we copy all files to a separated backup directory: - -.. code-block:: console - - $ sudo /var/ossec/bin/ossec-control stop - $ sudo cp -rp /var/ossec /var/ossec_backup - -Remove your current installation --------------------------------- - -.. list-table:: - :widths: 30 70 - :header-rows: 1 - - * - Installation type - - How to remove OSSEC - - * - Deb packages - - .. code-block:: console - - $ sudo apt-get remove ossec-hids-agent --purge - $ sudo rm -f /etc/ossec-init.conf - $ sudo rm -rf /var/ossec - - * - RPM packages - - .. code-block:: console - - $ sudo yum remove ossec-hids-agent - $ sudo rm -f /etc/ossec-init.conf - $ sudo rm -rf /var/ossec - - * - From sources - - .. code-block:: console - - $ sudo rm -f /etc/ossec-init.conf - $ sudo rm -rf /var/ossec - -Install Wazuh agent -------------------- - -Now it's time to install the Wazuh agent component. This can be done from sources or from binary packages. Go to our documentation to :doc:`Wazuh agent ` section for detailed instructions on this process. 
- - -Restore configuration ---------------------- - -Before restoring our previous settings please note that some configuration options have been deprecated or use a different syntax, what can cause the agent not to start properly. To avoid this, you can manually try to migrate your settings. Same thing happens with rules and decoders. In case of doubt take a look at our :doc:`User manual `. - -The first step is to stop the agent processes: - -.. code-block:: console - - $ systemctl stop wazuh-agent - -Now we will restore the following files: - -.. code-block:: console - - $ cp -p /var/ossec_backup/etc/ossec.conf /var/ossec/etc/ossec.conf.orig - $ cp -p /var/ossec_backup/etc/local_internal_options.conf /var/ossec/etc/local_internal_options.conf - $ cp -p /var/ossec_backup/etc/client.keys /var/ossec/etc/ - $ cp -p /var/ossec_backup/queue/rids/* /var/ossec/queue/rids/ - -There have been some syntax changes, and new settings, incorporated to ``ossec.conf`` file. Please review this file manually in order to import your previous configuration. More specifically, one of the changes is the configuration stanza for the communication with the manager: - -.. code-block:: xml - - - - MANAGER_IP - -Finally we can start the agent again. Please check ``/var/ossec/logs/ossec.log`` file to ensure there are no errors or warnings related to the settings migration. - -.. code-block:: console - - $ systemctl start wazuh-agent diff --git a/source/migration-guide/migrating-from-ossec/ossec-server.rst b/source/migration-guide/migrating-from-ossec/ossec-server.rst deleted file mode 100644 index 5b4dc36020..0000000000 --- a/source/migration-guide/migrating-from-ossec/ossec-server.rst +++ /dev/null 
@@ -1,120 +0,0 @@ -.. Copyright (C) 2015, Wazuh, Inc. - -.. meta:: - :description: If you want to know how to migrate from OSSEC to Wazuh, check this section where we explain how to do it without losing configuration data or agent keys. - -.. _ossec_server: - -Migrating OSSEC server -====================== - -Backup your files ------------------ - -To avoid losing any configuration data, or agent keys, we will stop the OSSEC server and make a copy of the directory where it lives. But first, lets check if we have enough space to create a copy of ``/var/ossec``: - -.. code-block:: console - - $ sudo du -h /var/ossec | tail -n1 - $ sudo df -h /var - -Now we copy all files to a separated backup directory: - -.. code-block:: console - - $ sudo /var/ossec/bin/ossec-control stop - $ sudo cp -rp /var/ossec /var/ossec_backup - -Remove your current installation --------------------------------- - -.. list-table:: - :widths: 30 70 - :header-rows: 1 - - * - Installation type - - How to remove OSSEC - - * - Deb packages - - .. code-block:: console - - $ sudo apt-get remove ossec-hids --purge - $ sudo rm -f /etc/ossec-init.conf - $ sudo rm -rf /var/ossec - - * - RPM packages - - .. code-block:: console - - $ sudo yum remove ossec-hids - $ sudo rm -f /etc/ossec-init.conf - $ sudo rm -rf /var/ossec - - * - From sources - - .. code-block:: console - - $ sudo rm -f /etc/ossec-init.conf - $ sudo rm -rf /var/ossec - -Install Wazuh server --------------------- - -Now it's time to install the Wazuh server component. Read the :doc:`Installing Wazuh server ` section for detailed instructions. Read the :doc:`/deployment-options/wazuh-from-sources/wazuh-server/index` section for an alternative to this. - -Restore configuration ---------------------- - -Before restoring our previous settings please note that some configuration options have been deprecated or use a different syntax, what can cause the manager not to start properly. To avoid this, you can manually try to migrate your settings. 
Same thing happens with rules and decoders. In case of doubt take a look at our :doc:`User manual `. - -The first step is to stop the manager processes: - -.. code-block:: console - - $ sudo systemctl stop wazuh-manager - -Now we will restore the following files: - -.. code-block:: console - - $ cp -p /var/ossec_backup/agentless/.passlist /var/ossec/agentless/ - $ cp -p /var/ossec_backup/etc/client.keys /var/ossec/etc/ - $ cp -p /var/ossec_backup/etc/ossec.conf /var/ossec/etc/ossec.conf.orig - $ cp -p /var/ossec_backup/etc/local_internal_options.conf /var/ossec/etc/local_internal_options.conf - $ cp -p /var/ossec_backup/etc/local_decoder.xml /var/ossec/etc/decoders/local_decoder.xml - $ cp -p /var/ossec_backup/etc/shared/agent.conf /var/ossec/etc/shared/default/agent.conf - $ cp -p /var/ossec_backup/rules/local_rules.xml /var/ossec/etc/rules/local_rules.xml - $ cp -p /var/ossec_backup/queue/rids/sender_counter /var/ossec/queue/rids/sender_counter - -There have been some syntax changes, and new settings, incorporated to ``ossec.conf`` file. Please review this file manually in order to import parts of your previous configuration from ``ossec.conf.orig``. In addition, if you have existing ossec clients, then you may need to enable receiving UDP on port 1514 by changing the following block in ``ossec.conf``: - -.. code-block:: xml - - - secure - 1514 - tcp - -To: - -.. code-block:: xml - - - secure - 1514 - tcp,udp - -Also note that the ``agent.conf`` file directory has now changed to ``/var/ossec/etc/shared/default``. - -Optionally the following files can be restored to preserve alert log files and syscheck/rootcheck databases: - -.. 
code-block:: console - - $ cp -rp /var/ossec_backup/logs/archives/* /var/ossec/logs/archives - $ cp -rp /var/ossec_backup/logs/alerts/* /var/ossec/logs/alerts - $ cp -rp /var/ossec_backup/queue/rootcheck/* /var/ossec/queue/rootcheck - $ cp -rp /var/ossec_backup/queue/syscheck/* /var/ossec/queue/syscheck - -Finally we can start the services again. Please check ``/var/ossec/logs/ossec.log`` file to ensure there are no errors or warnings related to the settings migration. - -.. code-block:: console - - $ sudo systemctl start wazuh-manager
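Review bot: in the `source/_static/js/redirects.js` hunk the `removedUrls['4.8']` array now ends with a trailing comma after `'/migration-guide/migrating-from-ossec/ossec-agent.html',`, whereas the element it replaces (`'/user-manual/capabilities/vulnerability-detection/allow-os.html'`) had none. Either form is valid JavaScript, but pick one convention for the per-version arrays in this file so the next addition does not produce another one-line churn diff. The three added paths match the three deleted `.rst` files one-to-one (index, ossec-server, ossec-agent), so the removed-page handling itself looks complete.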
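Review bot: the second `source/migration-guide/index.rst` hunk (`@@ -12,12 +12,9 @@`) drops `migrating-from-ossec/index` from the toctree together with the paragraph that linked to it, which is consistent with the file deletions, but nothing in the patch shows the rest of the tree was checked for other `:doc:` or `:ref:` references to the removed pages. A Sphinx build with warnings treated as errors, or a grep for `migrating-from-ossec`, `upgrading_ossec`, `ossec_server` and `ossec_agent` (the labels defined only in the deleted files), before merge would confirm no dangling cross-references remain. Since the old URLs now only resolve to a removed-page notice via `removedUrls['4.8']`, consider whether this landing page should keep a one-sentence pointer for readers arriving from OSSEC.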
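Review bot: the deleted `source/migration-guide/migrating-from-ossec/index.rst` carried a `.. note::` stating that OSSEC agents are compatible with the Wazuh server and that mixed OSSEC and Wazuh agent versions can report to one manager. That compatibility statement appears nowhere else in this patch. If it still holds, relocate it (the agent installation or enrollment pages seem the natural home) rather than dropping it silently with the page; if it no longer holds, the PR description should say so, because removing it changes what the documentation promises to operators running legacy agents.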
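Review bot: the deleted `source/migration-guide/migrating-from-ossec/ossec-server.rst` was the only place documenting the `<remote>` change from `tcp` to `tcp,udp` on port 1514 for legacy OSSEC clients, and it also held the most complete restore checklist for a manager (`etc/client.keys`, `agentless/.passlist`, `etc/local_internal_options.conf`, `etc/local_decoder.xml`, `rules/local_rules.xml`, `etc/shared/agent.conf` moving to `etc/shared/default/`, `queue/rids/sender_counter`, plus the optional `logs/archives`, `logs/alerts`, `queue/rootcheck` and `queue/syscheck` trees). The second item is useful independent of OSSEC as a backup/restore reference; confirm the `files-backup/index` page kept in the toctree covers these paths, or fold the list in there before the page is removed.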