Skip to main content

Uninstall the Linux Agent

Uninstall the Linux Agent from a Host Machine

Lacework agents are installed as deb or rpm packages named Lacework. To uninstall a Lacework agent, use package-specific Linux tools like apt, dpkg (Ubuntu-based), rpm, yum (Red Hat-based), and zypper (SUSE-based) and their corresponding commands:

apt remove lacework
dpkg --remove lacework
rpm remove lacework
yum remove lacework
zypper remove lacework

You can use the following package-specific commands to remove all files, including the configuration and log files created by the agent. 

apt purge lacework
dpkg --purge lacework
rpm remove lacework
yum remove lacework

Uninstall the Linux Agent on CoreOS

To uninstall on CoreOS, remove all Docker images related to Lacework agents, then manually remove directories and saved configuration files with sudo privileges using the following commands:

rm /etc/systemd/system/datacollector.service
rm –rf /var/log/lacework/
rm –rf /var/lib/lacework/

Uninstall the Linux Agent from Kubernetes

To uninstall the agent from Kubernetes, you must remove the agent daemonset and the configmap (local config) associated with the agent.

note

This removes all configuration and logs related to the agent.

Use the following commands to remove the agent:

kubectl delete configmap lacework-config -n YourNameSpaceOrKubeSystem
kubectl delete daemonset lacework-agent -n YourNameSpaceOrKubeSystem

Where YourNameSpaceOrKubeSystem is either your namespace or your Kubernetes system.

Use the following commands to verify that the agent daemonset was removed:

kubectl get pods --all-namespaces | grep lacework-agent
kubectl get configmap --all-namespaces | grep lacework-config

Uninstall the Linux Agent from Docker

If you installed the agent using systemd, follow these steps to uninstall the agent:

  1. List all containers. The status should show that the datacollector container is up.
    docker ps -a
  2. Stop the service.
    systemctl stop datacollector
  3. Verify that the Lacework datacollector container has stopped. The status should show that it has exited.
    docker ps -a | grep "lacework/datacollector"
  4. Disable the service.
    systemctl disable datacollector
  5. Remove the service in systemd.
    rm /etc/systemd/system/datacollector
    rm /etc/systemd/system/datacollector/[related symlinks]