Uninstalling Wazuh 4.14 - Step-by-Step Guide
This guide describes the procedure for properly removing Wazuh 4.14 components. Removal can be partial (packages only) or complete (packages + data + configuration). The recommended removal order is: agents first, then dashboard, server, and indexer last.
Removing an Assisted Installation
If Wazuh was installed using the wazuh-install.sh script (all-in-one), use the built-in removal command:
sudo bash ./wazuh-install.sh -uThis command removes all central components and cleans up the configuration. For manual removal of individual components, follow the instructions below.
Removing the Wazuh Agent
Linux (DEB - Ubuntu/Debian)
Stop the service:
systemctl stop wazuh-agent
systemctl disable wazuh-agentRemove the package (preserve configuration):
apt-get remove wazuh-agentComplete removal (package + configuration):
apt-get purge wazuh-agentClean up remaining files:
rm -rf /var/ossec
rm -f /etc/apt/sources.list.d/wazuh.list
rm -f /usr/share/keyrings/wazuh.gpgLinux (RPM - CentOS/RHEL)
Stop the service:
systemctl stop wazuh-agent
systemctl disable wazuh-agentRemove the package:
yum remove wazuh-agent # CentOS/RHEL 8 and earlier
dnf remove wazuh-agent # RHEL 9+ / CentOS Stream 10Clean up remaining files:
rm -rf /var/ossec
rm -f /etc/yum.repos.d/wazuh.repoWindows
Stop the service:
NET STOP WazuhSvcSilent removal via command line:
msiexec /x wazuh-agent-4.14.4-1.msi /qAlternatively, use Control Panel: Programs and Features - Wazuh Agent - Uninstall.
Clean up remaining files:
Remove-Item -Recurse -Force "C:\Program Files (x86)\ossec-agent"macOS
Stop the service:
sudo launchctl bootout system /Library/LaunchDaemons/com.wazuh.agent.plistRemove files:
sudo rm -rf /Library/Ossec
sudo rm -f /Library/LaunchDaemons/com.wazuh.agent.plist
sudo rm -rf /Library/StartupItems/WAZUHRemove the pkgutil record:
sudo pkgutil --forget com.wazuh.agentRemoving the Wazuh Dashboard
Ubuntu / Debian
Stop the service:
systemctl stop wazuh-dashboard
systemctl disable wazuh-dashboardRemove the package:
apt-get remove wazuh-dashboardComplete removal:
apt-get purge wazuh-dashboardClean up remaining files:
rm -rf /etc/wazuh-dashboard
rm -rf /usr/share/wazuh-dashboard
rm -rf /var/log/wazuh-dashboardCentOS / RHEL
Stop the service:
systemctl stop wazuh-dashboard
systemctl disable wazuh-dashboardRemove the package:
yum remove wazuh-dashboard # RHEL 8 and earlier
dnf remove wazuh-dashboard # RHEL 9+Clean up remaining files:
rm -rf /etc/wazuh-dashboard
rm -rf /usr/share/wazuh-dashboard
rm -rf /var/log/wazuh-dashboardRemoving the Wazuh Server (Manager + Filebeat)
Ubuntu / Debian
Stop the services:
systemctl stop filebeat
systemctl stop wazuh-manager
systemctl disable filebeat
systemctl disable wazuh-managerRemove the packages:
apt-get remove wazuh-manager filebeatComplete removal:
apt-get purge wazuh-manager filebeatClean up remaining files:
rm -rf /var/ossec
rm -rf /etc/filebeat
rm -rf /var/lib/filebeat
rm -rf /usr/share/filebeatCentOS / RHEL
Stop the services:
systemctl stop filebeat
systemctl stop wazuh-manager
systemctl disable filebeat
systemctl disable wazuh-managerRemove the packages:
yum remove wazuh-manager filebeat # RHEL 8 and earlier
dnf remove wazuh-manager filebeat # RHEL 9+Clean up remaining files:
rm -rf /var/ossec
rm -rf /etc/filebeat
rm -rf /var/lib/filebeat
rm -rf /usr/share/filebeatRemoving the Wazuh Indexer
Ubuntu / Debian
Stop the service:
systemctl stop wazuh-indexer
systemctl disable wazuh-indexerRemove the package:
apt-get remove wazuh-indexerComplete removal:
apt-get purge wazuh-indexerClean up remaining files (including index data):
rm -rf /etc/wazuh-indexer
rm -rf /var/lib/wazuh-indexer
rm -rf /usr/share/wazuh-indexer
rm -rf /var/log/wazuh-indexerCentOS / RHEL
Stop the service:
systemctl stop wazuh-indexer
systemctl disable wazuh-indexerRemove the package:
yum remove wazuh-indexer # RHEL 8 and earlier
dnf remove wazuh-indexer # RHEL 9+Clean up remaining files:
rm -rf /etc/wazuh-indexer
rm -rf /var/lib/wazuh-indexer
rm -rf /usr/share/wazuh-indexer
rm -rf /var/log/wazuh-indexerRepository Cleanup
After removing all components, remove the Wazuh repository:
Ubuntu / Debian
rm -f /etc/apt/sources.list.d/wazuh.list
rm -f /usr/share/keyrings/wazuh.gpg
apt-get updateCentOS / RHEL
rm -f /etc/yum.repos.d/wazuh.repoCertificate Cleanup
Remove the certificate archive and generated files:
rm -f ./wazuh-certificates.tar
rm -f ./wazuh-install-files.tar
rm -rf ./wazuh-certificatesRemoving Users and Groups
After a complete uninstallation, the system users and groups can be removed:
userdel wazuh
groupdel wazuh
userdel wazuh-indexer
groupdel wazuh-indexer
userdel wazuh-dashboard
groupdel wazuh-dashboardPartial Removal
Removing data only (preserving configuration)
To clear indexer data without removing the components:
systemctl stop wazuh-indexer
rm -rf /var/lib/wazuh-indexer/nodes
systemctl start wazuh-indexer
/usr/share/wazuh-indexer/bin/indexer-security-init.shRemoving specific indices
To delete only alert data through the API:
curl -k -u admin:<ADMIN_PASSWORD> \
-X DELETE "https://localhost:9200/wazuh-alerts-*"To delete data for a specific time period:
curl -k -u admin:<ADMIN_PASSWORD> \
-X DELETE "https://localhost:9200/wazuh-alerts-4.x-2025.01.*"Verifying the Removal
After uninstallation, confirm that all components have been fully removed:
# Check that no packages remain
dpkg -l | grep wazuh # Ubuntu/Debian
rpm -qa | grep wazuh # CentOS/RHEL
# Check that no services remain
systemctl list-units | grep wazuh
# Check that no processes remain
ps aux | grep -E "wazuh|ossec" | grep -v grep
# Check that ports are released
ss -tlnp | grep -E "1514|1515|9200|443|55000"Next Steps
- Quickstart - reinstall Wazuh
- Installation Overview - choose a deployment model for a fresh installation