Wazuh Agent Removal
Now that I have moved from my Wazuh SIEM stack to the ELK stack in Security Onion (post coming later), I found that removing the Wazuh agent wasn't straightforward on Windows endpoints; Linux and macOS were easy and done via a shell.
Windows
To remove the Wazuh agent from the Windows endpoints, the original MSI installer was needed (it has to be the same version that is installed; msiexec refuses to uninstall with an MSI for a different version).
Once I had the installer on the machine, I fired up my remote PowerShell console in admin mode and ran: msiexec.exe /x wazuh-agent-4.8.0-1.msi /qn. Make sure the name of the MSI in the command matches the installer being used.
Note that there is no output to show it ran, since /qn suppresses the UI. You should see the Wazuh agent service (WazuhSvc) removed, and in the ossec-agent folder under Program Files (x86) only the saved config files should be left behind, if anything; that indicates the agent has been removed.
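If the original MSI is not to hand, Windows Installer can still uninstall the product by its ProductCode, because it keeps a cached copy of every installed package. The script below is an added example (not from the original post or from Wazuh) that looks up the Wazuh Agent entry in the Uninstall registry keys, runs msiexec /x against that ProductCode with a log file so there is something to read when nothing is printed, and then checks that the service and install folder are really gone. It assumes the agent was installed from the official MSI, that it registers as "Wazuh Agent" with the service name WazuhSvc, and that the default install path C:\Program Files (x86)\ossec-agent was used; run it from an elevated PowerShell session.

```powershell
# Added example, not the post's own steps: uninstall the Wazuh agent by ProductCode
# (no original MSI needed) and verify the result. Run as Administrator.
# Assumed names: DisplayName "Wazuh Agent", service "WazuhSvc",
# install dir C:\Program Files (x86)\ossec-agent.

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# The agent is a 32-bit package, so on 64-bit Windows it normally sits under WOW6432Node.
$wazuh = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'Wazuh Agent*' } |
    Select-Object -First 1

if (-not $wazuh) {
    Write-Warning 'No "Wazuh Agent" entry found under the Uninstall registry keys.'
    return
}

# MSI products register an UninstallString of the form "MsiExec.exe /X{GUID}";
# the GUID is the ProductCode. Fall back to the key name, which is usually the same GUID.
$productCode = $wazuh.PSChildName
if ($wazuh.UninstallString -match '\{[0-9A-Fa-f-]+\}') {
    $productCode = $Matches[0]
}
Write-Host "Found $($wazuh.DisplayName) $($wazuh.DisplayVersion), ProductCode $productCode"

# Stop the service first so msiexec does not have to schedule a reboot to release locked files.
Stop-Service -Name 'WazuhSvc' -ErrorAction SilentlyContinue

# /x <ProductCode> makes Windows Installer use its cached copy of the package.
# /qn = silent, /norestart = never reboot on its own, /L*v = verbose log.
$log = Join-Path $env:TEMP 'wazuh-agent-uninstall.log'
$proc = Start-Process -FilePath 'msiexec.exe' `
    -ArgumentList "/x $productCode /qn /norestart /L*v `"$log`"" `
    -Wait -PassThru

# Exit code 0 is success; 3010 is success with a reboot still required.
if ($proc.ExitCode -notin 0, 3010) {
    Write-Error "msiexec exited with $($proc.ExitCode); see $log"
    return
}

# Verify: the service must be gone, and at most the saved config files should remain.
$svc = Get-Service -Name 'WazuhSvc' -ErrorAction SilentlyContinue
$dir = 'C:\Program Files (x86)\ossec-agent'
Write-Host ("WazuhSvc still registered: {0}" -f [bool]$svc)
if (Test-Path $dir) {
    Write-Host "Files left behind in ${dir}:"
    Get-ChildItem -Path $dir -Recurse -File | Select-Object -ExpandProperty FullName
} else {
    Write-Host "$dir has been removed"
}
```

If the service is still listed after a 0 exit code, check the log for a pending rename or reboot entry; a 3010 exit code means the uninstall completed but the last file or service clean-up happens on the next restart.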
macOS
Open your terminal of choice and run the following commands (each needs an admin account for sudo, and the agent must be stopped before its files are deleted):
- sudo /Library/Ossec/bin/wazuh-control stop
- sudo /bin/rm -r /Library/Ossec
- sudo /bin/rm -f /Library/LaunchDaemons/com.wazuh.agent.plist
- sudo /bin/rm -rf /Library/StartupItems/WAZUH
- sudo /usr/bin/dscl . -delete "/Users/wazuh"
- sudo /usr/bin/dscl . -delete "/Groups/wazuh"
- sudo /usr/sbin/pkgutil --forget com.wazuh.pkg.wazuh-agent
The Wazuh agent is now removed from the macOS endpoint.
Linux
These steps are for Debian-based systems, but the apt commands can be replaced with the relevant package manager commands for the distribution being used.
Shell into the Linux machine or open your terminal of choice and run:
- sudo apt remove wazuh-agent
- sudo apt remove --purge wazuh-agent (the --purge step also removes the package's configuration files; running it on its own is enough if you skip the plain remove)
- sudo systemctl disable wazuh-agent
- sudo systemctl daemon-reload
The Wazuh agent is now removed from the Linux endpoint.