Migrating from ossec, running into show stoppers

[J J Sloan]

I set up an ossec server on Debian 10 a few months back and it's working well, and providing email alerts.

But I wanted a web based dashboard,  and decided to look into integrating with the elk stack.  Subsequent reading suggested that migrating ossec to wazuh would be easier than trying to make it work with ossec.

So I followed the migration procedure at https://documentation.wazuh.com/4.0/migrating-from-ossec/ossec-server.html#ossec-server

I upgraded the ossec server from ossec-3.9 to wazuh-4.0 and it started. I registered 2 clients and extracted/imported the keys, but did not see any reporting of client issues. Apparently there is some additional tuning that must be done, which I'll dig into.

I set up a separate centos 8 box for the elk stack, and began by installing elasticsearch from centos8 repos, and it started and ran immediately.

However,  wazuh could not communicate with elk, as the setup called for "certs.tar" from the elasticsearch install. There was no such file, so apparently I have to install the Open Distro version of elastic search.

So we started over, and installed the Open Distro version of elasticsearch by the numbers from this guide: https://documentation.wazuh.com/4.0/installation-guide/open-distro/distributed-deployment/unattended/unattended-elasticsearch-cluster-installation.html

The required certs.tar file was generated.

Unfortunately the Open Distro elasticsearch would not start.

The crash message follows:

[2021-02-11T15:43:54,703][ERROR][o.e.b.Bootstrap          ] [elk] Exception

java.lang.IllegalArgumentException: Could not load codec 'Lucene87'.  Did you forget to add lucene-backward-codecs.jar?

Google searches turned up some cool sounding lucene hacks, but as I'm completely unfamiliar with lucene, the solutions only generated more questions.

Does anyone have a quick fix for the crashing of the brand new lucene install, or even just a link to an install process that works?

Thanks for any light you can shed.

J J 

[Gabriel Wassan]

Hello JJ,
This problem was solved or is in the same situation as this. 

Regards.

[J J Sloan]

Nope, not solved.

My original post got zero response, so I simplified, and reduced the problem description to one simple issue, to avoid confusion. I chose to zero in on the single issue of elasticsearch crashing on startup, in the hope that someone on the list might have seen it and know of a fix.

J J 

[J J Sloan]

I'm happy to report that starting over with a brand new centos VM yielded a successful unattended install.

J J 

[JDW]

Just to add to discussion here I am currently evaluating OSSEC for my small home network and installed with the latest iso file downloaded from the ossec site onto a dedicated computer. It would be very nice to have an automated upgrade method that begins with this installation and finishes where Wazuh becomes fully integrated into this mix. I basically had similar bad experience when trying to follow instructions in your manual. Finally I just gave up and used the VirtualBox example downloaded from your site on another Windows PC. I am certainly achieving my evaluation goal but if I decide to permanently use it then I would eventually still want it all working on the single dedicated computer (no VirtualBox).

[JDW]

In my previous post the iso file I was referring to from securityonion site.

[Gabriel Wassan]

Hello JDW, 
Were you able to solve the problem? Can we help you with anything?
In that case, you could give us more information about the installation you tried to carry out and what problems you had.

Kind regards.

[JDW]

This iso was installed into a computer and working OK:
https://blog.securityonion.net/2020/12/security-onion-160472-iso-image-now.html

With above package I successfully tested the ossec agent example given in their documentation  (auditing file access on Windows computer running the ossec agent). 

Noted that Wazuh had progressed further to have a nice web GUI so attempted to install latest version of Wazuh into this system using the manual install method. At this point ossec related files were automatically uninstalled during the installation of Wazuh. Afterwards I was never able to successfully see the Wazuh GUI or figure out what to do next. My only working solution was to create a Virtualbox VM by downloading the Wazuh OVA file from  your site and then retesting the file audit example with Wazuh’s agent installed on a Windows computer. That works fine.

I don’t think there is anyway for me to personally get this to work correctly on a single computer with security onion (link above) because of my limited knowledge of these inter-related configurations. The only way a person at my level could achieve it is if someone else took time to prepare upgrade package that did specifically what I’m trying to accomplish. I’m sure it would benefit a lot of others going down same evaluation path.

Thanks for asking!

[Gabriel Wassan]

I'm glad I could help you, and thank you for the patience, if everything is resolved I'll close the Issue.
If you have any further questions, please do not hesitate to reopen the Issue or use our [slack channel](https://wazuh.com/community/join-us-on-slack/), our [Google group](https://groups.google.com/forum/#!forum/wazuh)
Regards!!