Uninstall the Lacework Agent from a Host Machine
Lacework agents are installed as deb or rpm packages named Lacework. To uninstall a Lacework agent, package-specific Linux tools like dpkg (Ubuntu-based) or yum (Redhat-based) can be used to uninstall the agent using the following commands:
$ dpkg --remove lacework $ yum remove lacework
Lacework supports the ‘purge’ or ‘erase’ option to remove all files, including configuration and logs if necessary. To purge all the configuration files and the logs use the following command
$ dpkg --purge lacework
Uninstall the Lacework Agent on CoreOS
To uninstall on CoreOS, remove all Docker images related to Lacework agents, then manually remove directories and saved configuration files with sudo privileges using the following commands:
$ rm /etc/systemd/system/datacollector.service $ rm –rf /var/log/lacework/ $ rm –rf /var/lib/lacework/
Uninstall the Lacework Agent from Kubernetes
To uninstall the agent from Kubernetes, you must remove the agent daemonset and the configmap (local config) associated with the agent.
Note: This removes all configuration and logs related to the agent.
Use the following commands to remove the agent:
$ kubectl delete configmap lacework-config -n YourNameSpaceOrKubeSystem configmap "lacework-config" deleted $ kubectl delete daemonset lacework-agent -n YourNameSpaceOrKubeSystem daemonset.extensions "lacework-agent" deleted
Where YourNameSpaceOrKubeSystem is the either your namespace or your Kubernetes system.
Use the following commands to verify that the agent daemonset was removed:
$ kubectl get pods --all-namespaces | grep lacework-agent $ kubectl get configmap --all-namespaces | grep lacework-config
Uninstall the Lacework Agent from Docker
If you installed the agent using systemd, follow these steps to uninstall the agent:
- List all containers. The status should show that the datacollector container is up.
$ docker ps -a
- Stop the service.
$ systemctl stop datacollector
- Verify that the Lacework datacollector container has stopped. The status should show that it has exited.
$ docker ps -a | grep "lacework/datacollector"
- Disable the service.
$ systemctl disable datacollector
- Remove the service in systemd.
$ rm /etc/systemd/system/datacollector $ rm /etc/systemd/system/datacollector/[related symlinks]