diff --git a/doc/source/configuration/wazuh.rst b/doc/source/configuration/wazuh.rst index dd1a7615dc..4505570adf 100644 --- a/doc/source/configuration/wazuh.rst +++ b/doc/source/configuration/wazuh.rst @@ -424,6 +424,13 @@ Verification The Wazuh agents should register with the Wazuh manager. This can be verified via the agents page in Wazuh Portal. Check CIS benchmark output in agent section. +Wazuh manager removal +--------------------- + +The following playbook can be used to purge all Wazuh manager components from a host. This is particularly useful for Wazuh manager servers that are not hosted on an infra-vm. + +``kayobe playbook run $KAYOBE_CONFIG_PATH/ansible/tools/wazuh-manager-purge.yml`` + Additional resources -------------------- diff --git a/etc/kayobe/ansible/tools/wazuh-manager-purge.yml b/etc/kayobe/ansible/tools/wazuh-manager-purge.yml new file mode 100644 index 0000000000..5ad7599433 --- /dev/null +++ b/etc/kayobe/ansible/tools/wazuh-manager-purge.yml @@ -0,0 +1,105 @@ +--- +# This is the playbook version of the wazuh purge tool from: +# https://github.com/stackhpc/wazuh-server-purge + +- name: Purge Wazuh Server Components + hosts: wazuh-manager + become: true + become_user: root + tasks: +# Dashboard + - name: Disable and stop wazuh-dashboard service + ansible.builtin.systemd_service: + name: wazuh-dashboard + state: stopped + enabled: no + daemon_reload: true + register: svc_result + failed_when: + - svc_result.failed + - "'Could not find the requested service' not in svc_result.msg" + + - name: Remove wazuh-dashboard and files + ansible.builtin.package: + name: wazuh-dashboard + state: absent + + - name: Remove wazuh-dashboard directories + ansible.builtin.file: + path: "{{ item }}" + state: absent + loop: + - /var/lib/wazuh-dashboard + - /usr/share/wazuh-dashboard + - /etc/wazuh-dashboard +# Manager + - name: Remove wazuh-manager service + ansible.builtin.systemd_service: + name: wazuh-manager + state: stopped + enabled: no + daemon_reload: true + register: svc_result + failed_when: + - svc_result.failed + - "'Could not find the requested service' not in svc_result.msg" + + - name: Remove wazuh-manager and files + ansible.builtin.package: + name: wazuh-manager + state: absent + + - name: Remove wazuh-manager directories + ansible.builtin.file: + path: /var/ossec + state: absent +# Filebeat + - name: Disable and stop filebeat service + ansible.builtin.systemd_service: + name: filebeat + state: stopped + enabled: no + daemon_reload: true + register: svc_result + failed_when: + - svc_result.failed + - "'Could not find the requested service' not in svc_result.msg" + + - name: Remove filebeat and files + ansible.builtin.package: + name: filebeat + state: absent + + - name: Remove filebeat directories + ansible.builtin.file: + path: "{{ item }}" + state: absent + loop: + - /var/lib/filebeat + - /usr/share/filebeat + - /etc/filebeat +# Indexer + - name: Disable and stop wazuh-indexer service + ansible.builtin.systemd_service: + name: wazuh-indexer + state: stopped + enabled: no + daemon_reload: true + register: svc_result + failed_when: + - svc_result.failed + - "'Could not find the requested service' not in svc_result.msg" + + - name: Remove wazuh-indexer and files + ansible.builtin.package: + name: wazuh-indexer + state: absent + + - name: Remove wazuh-indexer directories + ansible.builtin.file: + path: "{{ item }}" + state: absent + loop: + - /var/lib/wazuh-indexer + - /usr/share/wazuh-indexer + - /etc/wazuh-indexer