Skip to content

add wazuh purge playbook #2001

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
Alex-Welsh merged 9 commits into from
Nov 27, 2025
Merged

add wazuh purge playbook #2001

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
9 commits
Select commit Hold shift + click to select a range
5d87d37
add wazuh purge playbook and update docs
g0rgamesh Nov 25, 2025
cb7f4ea
Update doc/source/configuration/wazuh.rst
g0rgamesh Nov 25, 2025
60ece59
add idempotence
g0rgamesh Nov 25, 2025
28e3f8e
change module name for consistency
g0rgamesh Nov 25, 2025
7362850
improve code idempotency
g0rgamesh Nov 25, 2025
5195b08
renamed playbook file, clarified the documentation
g0rgamesh Nov 26, 2025
aa720fb
typo fix
g0rgamesh Nov 26, 2025
0385dc9
Merge branch 'stackhpc/2025.1' into wazuh_purge
g0rgamesh Nov 26, 2025
53b0289
Merge branch 'stackhpc/2025.1' into wazuh_purge
g0rgamesh Nov 27, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
7 changes: 7 additions & 0 deletions doc/source/configuration/wazuh.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -424,6 +424,13 @@ Verification
The Wazuh agents should register with the Wazuh manager. This can be verified via the agents page in Wazuh Portal.
Check CIS benchmark output in agent section.

Removal
-------
In cases where the Wazuh server needs to be purged and it is not hosted on an infra-vm you can use the
following playbook to remove all Wazuh components from the host.

``kayobe playbook run $KAYOBE_CONFIG_PATH/ansible/tools/wazuh-purge.yml``

Additional resources
--------------------

Expand Down
89 changes: 89 additions & 0 deletions etc/kayobe/ansible/tools/wazuh-purge.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,89 @@
---
# This is the playbook version of the wazuh purge tool from:
# https://github.com/stackhpc/wazuh-server-purge

- name: Purge Wazuh Server Components
hosts: wazuh-manager
become: true
become_user: root
tasks:
# Dashboard
- name: Disable and stop wazuh-dashboard service
ansible.builtin.systemd_service:
name: wazuh-dashboard
state: stopped
enabled: no
daemon_reload: true

- name: Remove wazuh-dashboard and files
package:

Check failure on line 19 in etc/kayobe/ansible/tools/wazuh-purge.yml

View workflow job for this annotation

GitHub Actions / Ansible 2.18 lint with Python 3.12

fqcn[action-core] 

Use FQCN for builtin module actions (package).

Check failure on line 19 in etc/kayobe/ansible/tools/wazuh-purge.yml

View workflow job for this annotation

GitHub Actions / Ansible 2.17 lint with Python 3.10

fqcn[action-core] 

Use FQCN for builtin module actions (package).
name: wazuh-dashboard
state: absent

- name: Remove wazuh-dashboard directories
ansible.builtin.file:
path: "{{ item }}"
state: absent
loop:
- /var/lib/wazuh-dashboard
- /usr/share/wazuh-dashboard
- /etc/wazuh-dashboard
# Manager
- name: Remove wazuh-manager service
ansible.builtin.systemd_service:
name: wazuh-manager
state: stopped
enabled: no
daemon_reload: true

- name: Remove wazuh-manager and files
package:

Check failure on line 40 in etc/kayobe/ansible/tools/wazuh-purge.yml

View workflow job for this annotation

GitHub Actions / Ansible 2.18 lint with Python 3.12

fqcn[action-core] 

Use FQCN for builtin module actions (package).

Check failure on line 40 in etc/kayobe/ansible/tools/wazuh-purge.yml

View workflow job for this annotation

GitHub Actions / Ansible 2.17 lint with Python 3.10

fqcn[action-core] 

Use FQCN for builtin module actions (package).
name: wazuh-manager
state: absent

- name: Remove wazuh-manager directories
ansible.builtin.file:
path: /var/ossec
state: absent
# Filebeat
- name: Disable and stop filebeat service
ansible.builtin.systemd_service:
name: filebeat
state: stopped
enabled: no
daemon_reload: true

- name: Remove filebeat and files
package:

Check failure on line 57 in etc/kayobe/ansible/tools/wazuh-purge.yml

View workflow job for this annotation

GitHub Actions / Ansible 2.18 lint with Python 3.12

fqcn[action-core] 

Use FQCN for builtin module actions (package).

Check failure on line 57 in etc/kayobe/ansible/tools/wazuh-purge.yml

View workflow job for this annotation

GitHub Actions / Ansible 2.17 lint with Python 3.10

fqcn[action-core] 

Use FQCN for builtin module actions (package).
name: filebeat
state: absent

- name: Remove filebeat directories
ansible.builtin.file:
path: "{{ item }}"
state: absent
loop:
- /var/lib/filebeat
- /usr/share/filebeat
- /etc/filebeat
# Indexer
- name: Disable and stop wazuh-indexer service
ansible.builtin.systemd_service:
name: wazuh-indexer
state: stopped
enabled: no
daemon_reload: true

- name: Remove wazuh-indexer and files
package:

Check failure on line 78 in etc/kayobe/ansible/tools/wazuh-purge.yml

View workflow job for this annotation

GitHub Actions / Ansible 2.18 lint with Python 3.12

fqcn[action-core] 

Use FQCN for builtin module actions (package).

Check failure on line 78 in etc/kayobe/ansible/tools/wazuh-purge.yml

View workflow job for this annotation

GitHub Actions / Ansible 2.17 lint with Python 3.10

fqcn[action-core] 

Use FQCN for builtin module actions (package).
name: wazuh-indexer
state: absent

- name: Remove wazuh-indexer directories
ansible.builtin.file:
path: "{{ item }}"
state: absent
loop:
- /var/lib/wazuh-indexer
- /usr/share/wazuh-indexer
- /etc/wazuh-indexer
Loading