Articles in this section

See more

Uninstall the Lacework Agent

Uninstall the Lacework Agent from a Host Machine

Lacework agents are installed as deb or rpm packages named Lacework. To uninstall a Lacework agent, package specific Linux tools like dpkg (Ubuntu-based) or yum (Redhat-based) can be used to uninstall the agent using the following commands:

$ dpkg --remove lacework
$ yum remove lacework

Lacework supports the ‘purge’ or ‘erase’ option to remove all files, including configuration and logs if necessary. To purge all the configuration files and the logs use the following command

$ dpkg --purge lacework

Uninstall the Lacework Agent on CoreOS

To uninstall on CoreOS, remove all Docker images related to Lacework agents, then manually remove directories and saved configuration files with sudo privileges using the following commands:

$ rm /etc/systemd/system/datacollector.service
$ rm –rf /var/log/lacework/
$ rm –rf /var/lib/lacework/

Uninstall the Lacework Agent from Kubernetes

To uninstall the agent from Kubernetes, you must remove the agent daemonset and the configmap (local config) associated with the agent. 

Note: This removes all configuration and logs related to the agent.

Use the following commands to remove the agent:

$ kubectl delete lacework-agent [-n namespace_name]
$ kubectl delete lacework-config

Use the following commands to verify that the agent daemonset was removed:

$ kubectl get pods --all-namespaces | grep lacework-agent
$ kubectl get configmap --all-namespaces | grep lacework-config

Uninstall the Lacework Agent from Docker

If you installed the agent using systemd, follow these steps to uninstall the agent:

  1. List all containers. The status should show that the datacollector container is up. 
    $ docker ps -a
  2. Stop the service.  
    $ systemctl stop datacollector
  3. Verify that the Lacework datacollector container has stopped. The status should show that it has exited. 
    $ docker ps -a | grep "lacework/datacollector"
  4. Disable the service. 
    $ systemctl disable datacollector
  5. Remove the service in systemd.  
    $ rm /etc/systemd/system/datacollector
$ rm /etc/systemd/system/datacollector/[related symlinks]