From 5d87d3729f1ce27abe4e0b36977710bb28700d12 Mon Sep 17 00:00:00 2001 From: Rafal Lewandowski Date: Tue, 25 Nov 2025 15:19:51 +0100 Subject: [PATCH 1/7] add wazuh purge playbook and update docs --- doc/source/configuration/wazuh.rst | 7 ++ etc/kayobe/ansible/tools/wazuh-purge.yml | 89 ++++++++++++++++++++++++ 2 files changed, 96 insertions(+) create mode 100644 etc/kayobe/ansible/tools/wazuh-purge.yml diff --git a/doc/source/configuration/wazuh.rst b/doc/source/configuration/wazuh.rst index dd1a7615dc..6551d96f1f 100644 --- a/doc/source/configuration/wazuh.rst +++ b/doc/source/configuration/wazuh.rst @@ -424,6 +424,13 @@ Verification The Wazuh agents should register with the Wazuh manager. This can be verified via the agents page in Wazuh Portal. Check CIS benchmark output in agent section. +Removal +------- +In cases where the Wazuh server needs to be purged and it is not hosted on an infra-vm you can use the +following playbook to remove all Wazuh components from the host. + +``kayobe playbook run $KAYOBE_CONFIG_PATH/ansible/tools/wazuh-purge.yml`` + Additional resources -------------------- diff --git a/etc/kayobe/ansible/tools/wazuh-purge.yml b/etc/kayobe/ansible/tools/wazuh-purge.yml new file mode 100644 index 0000000000..40b82c8160 --- /dev/null +++ b/etc/kayobe/ansible/tools/wazuh-purge.yml 
@@ -0,0 +1,89 @@
+---
+# This is the playbook version of the wazuh purge tool from:
+# https://github.com/stackhpc/wazuh-server-purge
+
+- name: Purge Wazuh Server Components
+ hosts: wazuh-manager
+ become: true
+ become_user: root
+ tasks:
+# Dashboard
+ - name: Disable and stop wazuh-dashboard service
+ ansible.builtin.systemd_service:
+ name: wazuh-dashboard
+ state: stopped
+ enabled: no
+ daemon_reload: true
+
+ - name: Remove wazuh-dashboard and files
+ package:
+ name: wazuh-dashboard
+ state: absent
+
+ - name: Remove wazuh-dashboard directories
+ ansible.builtin.file:
+ path: "{{ item }}"
+ state: absent
+ loop:
+ - /var/lib/wazuh-dashboard
+ - /usr/share/wazuh-dashboard
+ - /etc/wazuh-dashboard
+# Manager
+ - name: Remove wazuh-manager service
+ ansible.builtin.systemd_service:
+ name: wazuh-manager
+ state: stopped
+ enabled: no
+ daemon_reload: true
+
+ - name: Remove wazuh-manager and files
+ package:
+ name: wazuh-manager
+ state: absent
+
+ - name: Remove wazuh-manager directories
+ ansible.builtin.file:
+ path: /var/ossec
+ state: absent
+# Filebeat
+ - name: Disable and stop filebeat service
+ ansible.builtin.systemd_service:
+ name: filebeat
+ state: stopped
+ enabled: no
+ daemon_reload: true
+
+ - name: Remove filebeat and files
+ package:
+ name: filebeat
+ state: absent
+
+ - name: Remove filebeat directories
+ ansible.builtin.file:
+ path: "{{ item }}"
+ state: absent
+ loop:
+ - /var/lib/filebeat
+ - /usr/share/filebeat
+ - /etc/filebeat
+# Indexer
+ - name: Disable and stop wazuh-indexer service
+ ansible.builtin.systemd_service:
+ name: wazuh-indexer
+ state: stopped
+ enabled: no
+ daemon_reload: true
+
+ - name: Remove wazuh-indexer and files
+ package:
+ name: wazuh-indexer
+ state: absent
+
+ - name: Remove wazuh-indexer directories
+ ansible.builtin.file:
+ path: "{{ item }}"
+ state: absent
+ loop:
+ - /var/lib/wazuh-indexer
+ - /usr/share/wazuh-indexer
+ - /etc/wazuh-indexer
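Review bot: Nothing in this play guards against an accidental run: once it targets `wazuh-manager` it deletes `/var/ossec` and `/var/lib/wazuh-indexer`, which appear to be where the manager and indexer keep their data, so alert history and agent registrations would be lost with no backup or confirmation step. A first task that asserts an explicit opt-in variable (the name `wazuh_purge_confirm` below is only a suggestion) would make the operator state intent before anything is removed. Separately, `enabled: no` in the four service tasks is better written `enabled: false`, and the manager task is named "Remove wazuh-manager service" although it stops and disables the unit like the other three.

```yaml
  tasks:
    - name: Require explicit confirmation before purging
      ansible.builtin.assert:
        that:
          - wazuh_purge_confirm | default(false) | bool
        fail_msg: >-
          This play deletes /var/ossec and the Wazuh indexer data.
          Re-run with wazuh_purge_confirm=true once the data is archived.
    # … unchanged: dashboard, manager, filebeat and indexer removal tasks …
```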
From cb7f4eae91a85a336c58571218aeab71ac824841 Mon Sep 17 00:00:00 2001 From: Rafal Lewandowski <52123760+g0rgamesh@users.noreply.github.com> Date: Tue, 25 Nov 2025 15:24:20 +0100 Subject: [PATCH 2/7] Update doc/source/configuration/wazuh.rst Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com> --- doc/source/configuration/wazuh.rst | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/doc/source/configuration/wazuh.rst b/doc/source/configuration/wazuh.rst index 6551d96f1f..a4a003fd41 100644 --- a/doc/source/configuration/wazuh.rst +++ b/doc/source/configuration/wazuh.rst @@ -426,8 +426,7 @@ Check CIS benchmark output in agent section. Removal ------- -In cases where the Wazuh server needs to be purged and it is not hosted on an infra-vm you can use the -following playbook to remove all Wazuh components from the host. +The following playbook can be used to purge all Wazuh components from a host. This is particularly useful for Wazuh servers that are not hosted on an infra-vm. ``kayobe playbook run $KAYOBE_CONFIG_PATH/ansible/tools/wazuh-purge.yml`` From 60ece59bef4ef1f8608d1bc78bbceb0ef1dc6ef0 Mon Sep 17 00:00:00 2001 From: Rafal Lewandowski Date: Tue, 25 Nov 2025 15:35:59 +0100 Subject: [PATCH 3/7] add idempotence --- etc/kayobe/ansible/tools/wazuh-purge.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/etc/kayobe/ansible/tools/wazuh-purge.yml b/etc/kayobe/ansible/tools/wazuh-purge.yml index 40b82c8160..afbac6c956 100644 --- a/etc/kayobe/ansible/tools/wazuh-purge.yml +++ b/etc/kayobe/ansible/tools/wazuh-purge.yml @@ -14,6 +14,7 @@ state: stopped enabled: no daemon_reload: true + ignore_errors: true - name: Remove wazuh-dashboard and files package: @@ -35,6 +36,7 @@ state: stopped enabled: no daemon_reload: true + ignore_errors: true - name: Remove wazuh-manager and files package: 
@@ -52,6 +54,7 @@ state: stopped enabled: no daemon_reload: true + ignore_errors: true - name: Remove filebeat and files package: @@ -73,6 +76,7 @@ state: stopped enabled: no daemon_reload: true + ignore_errors: true - name: Remove wazuh-indexer and files package: From 28e3f8e34e5cecb16d7adb88072d9cec4bbb3e6c Mon Sep 17 00:00:00 2001 From: Rafal Lewandowski Date: Tue, 25 Nov 2025 15:37:40 +0100 Subject: [PATCH 4/7] change module name for consistency --- etc/kayobe/ansible/tools/wazuh-purge.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/etc/kayobe/ansible/tools/wazuh-purge.yml b/etc/kayobe/ansible/tools/wazuh-purge.yml index afbac6c956..6b81530c6c 100644 --- a/etc/kayobe/ansible/tools/wazuh-purge.yml +++ b/etc/kayobe/ansible/tools/wazuh-purge.yml @@ -17,7 +17,7 @@ ignore_errors: true - name: Remove wazuh-dashboard and files - package: + ansible.builtin.package: name: wazuh-dashboard state: absent @@ -39,7 +39,7 @@ ignore_errors: true - name: Remove wazuh-manager and files - package: + ansible.builtin.package: name: wazuh-manager state: absent @@ -57,7 +57,7 @@ ignore_errors: true - name: Remove filebeat and files - package: + ansible.builtin.package: name: filebeat state: absent @@ -79,7 +79,7 @@ ignore_errors: true - name: Remove wazuh-indexer and files - package: + ansible.builtin.package: name: wazuh-indexer state: absent From 73628505050310f4ac7d1627e316a5d0027f075b Mon Sep 17 00:00:00 2001 From: Rafal Lewandowski Date: Tue, 25 Nov 2025 16:13:22 +0100 Subject: [PATCH 5/7] improve code idempotency --- etc/kayobe/ansible/tools/wazuh-purge.yml | 20 ++++++++++++++++---- 1 file changed, 16 insertions(+), 4 deletions(-) diff --git a/etc/kayobe/ansible/tools/wazuh-purge.yml b/etc/kayobe/ansible/tools/wazuh-purge.yml index 6b81530c6c..5ad7599433 100644 --- a/etc/kayobe/ansible/tools/wazuh-purge.yml +++ b/etc/kayobe/ansible/tools/wazuh-purge.yml 
@@ -14,7 +14,10 @@ state: stopped enabled: no daemon_reload: true - ignore_errors: true + register: svc_result + failed_when: + - svc_result.failed + - "'Could not find the requested service' not in svc_result.msg" - name: Remove wazuh-dashboard and files ansible.builtin.package: @@ -36,7 +39,10 @@ state: stopped enabled: no daemon_reload: true - ignore_errors: true + register: svc_result + failed_when: + - svc_result.failed + - "'Could not find the requested service' not in svc_result.msg" - name: Remove wazuh-manager and files ansible.builtin.package: @@ -54,7 +60,10 @@ state: stopped enabled: no daemon_reload: true - ignore_errors: true + register: svc_result + failed_when: + - svc_result.failed + - "'Could not find the requested service' not in svc_result.msg" - name: Remove filebeat and files ansible.builtin.package: @@ -76,7 +85,10 @@ state: stopped enabled: no daemon_reload: true - ignore_errors: true + register: svc_result + failed_when: + - svc_result.failed + - "'Could not find the requested service' not in svc_result.msg" - name: Remove wazuh-indexer and files ansible.builtin.package: From 5195b08aa086350923fa1bec4092a561d406ae59 Mon Sep 17 00:00:00 2001 From: Rafal Lewandowski Date: Wed, 26 Nov 2025 11:30:16 +0100 Subject: [PATCH 6/7] renamed playbook file, clarified the documentation --- doc/source/configuration/wazuh.rst | 9 +++++---- .../tools/{wazuh-purge.yml => wazuh-manager-purge.yml} | 0 2 files changed, 5 insertions(+), 4 deletions(-) rename etc/kayobe/ansible/tools/{wazuh-purge.yml => wazuh-manager-purge.yml} (100%) diff --git a/doc/source/configuration/wazuh.rst b/doc/source/configuration/wazuh.rst index a4a003fd41..0ddee58119 100644 --- a/doc/source/configuration/wazuh.rst +++ b/doc/source/configuration/wazuh.rst 
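Review bot: The new `failed_when` in the wazuh-dashboard hunk, and in the three matching hunks for wazuh-manager, filebeat and wazuh-indexer, depends on the English wording of the module's error message, so if that text changes a re-run on an already-purged host fails again. A sturdier approach is to gather `ansible.builtin.service_facts` once at the top of the play and guard each stop task with `when: "'wazuh-dashboard.service' in ansible_facts.services"` (unit name changed per task), which makes `register` and `failed_when` unnecessary. If the string match is kept, a comment such as `# tolerate a unit that is already gone; any other failure still fails the play` would explain why `svc_result.msg` is inspected. The tasks these lines belong to start above each hunk.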
@@ -424,11 +424,12 @@ Verification The Wazuh agents should register with the Wazuh manager. This can be verified via the agents page in Wazuh Portal. Check CIS benchmark output in agent section. -Removal -------- -The following playbook can be used to purge all Wazuh components from a host. This is particularly useful for Wazuh servers that are not hosted on an infra-vm. +Wazuh manager Removal +--------------------- + +The following playbook can be used to purge all Wazuh manager components from a host. This is particularly useful for Wazuh manager servers that are not hosted on an infra-vm. -``kayobe playbook run $KAYOBE_CONFIG_PATH/ansible/tools/wazuh-purge.yml`` +``kayobe playbook run $KAYOBE_CONFIG_PATH/ansible/tools/wazuh-manager-purge.yml`` Additional resources -------------------- diff --git a/etc/kayobe/ansible/tools/wazuh-purge.yml b/etc/kayobe/ansible/tools/wazuh-manager-purge.yml similarity index 100% rename from etc/kayobe/ansible/tools/wazuh-purge.yml rename to etc/kayobe/ansible/tools/wazuh-manager-purge.yml From aa720fb4ea564aa40ee5d02f11737133e8a542fe Mon Sep 17 00:00:00 2001 From: Rafal Lewandowski Date: Wed, 26 Nov 2025 12:11:28 +0100 Subject: [PATCH 7/7] typo fix --- doc/source/configuration/wazuh.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/source/configuration/wazuh.rst b/doc/source/configuration/wazuh.rst index 0ddee58119..4505570adf 100644 --- a/doc/source/configuration/wazuh.rst +++ b/doc/source/configuration/wazuh.rst @@ -424,7 +424,7 @@ Verification The Wazuh agents should register with the Wazuh manager. This can be verified via the agents page in Wazuh Portal. Check CIS benchmark output in agent section. -Wazuh manager Removal +Wazuh manager removal --------------------- The following playbook can be used to purge all Wazuh manager components from a host. This is particularly useful for Wazuh manager servers that are not hosted on an infra-vm.