Uninstalling the Host Monitoring App

Uninstalling Host Monitoring Agents

Uninstall the Host Monitoring Agents as follows:

Note

This completely removes the following packages from your system, including any additional configurations you may have added outside of Observe. Please be sure you want to do this before proceeding.

Uninstall on Amazon Linux 2 with the following commands:

sudo service osqueryd stop
sudo yum erase osquery -y
sudo rm /etc/pki/rpm-gpg/RPM-GPG-KEY-osquery
sudo rm /etc/osquery/osquery.conf

sudo service fluent-bit stop
sudo yum erase fluent-bit -y
sudo rm /etc/yum.repos.d/fluent-bit.repo
sudo rm /etc/fluent-bit/fluent-bit.conf

sudo service telegraf stop
sudo yum erase telegraf -y
sudo rm /etc/yum.repos.d/influxdb.repo
sudo rm /etc/telegraf/telegraf.conf

Uninstall on Amazon Linux 2023 with the following commands:

sudo service osqueryd stop
sudo yum erase osquery -y
sudo rm /etc/pki/rpm-gpg/RPM-GPG-KEY-osquery
sudo rm /etc/osquery/osquery.conf

sudo service fluent-bit stop
sudo yum erase fluent-bit -y
sudo rm /etc/yum.repos.d/fluent-bit.repo
sudo rm /etc/fluent-bit/fluent-bit.conf

sudo service telegraf stop
sudo yum erase telegraf -y
sudo rm /etc/yum.repos.d/influxdb.repo
sudo rm /etc/telegraf/telegraf.conf

Uninstall on Ubuntu 20.04 with the following commands:

sudo service osqueryd stop
sudo apt-get remove osquery -y
sudo rm /etc/osquery/osquery.conf
sudo rm /etc/osquery/osquery.flags

sudo service fluent-bit stop
sudo apt-get remove fluent-bit -y
sudo rm /etc/fluent-bit/fluent-bit.conf

sudo service telegraf stop
sudo apt-get remove telegraf -y
sudo rm /etc/telegraf/telegraf.conf

Uninstall on Debian 11 with the following commands:

sudo service osqueryd stop
sudo apt-get remove osquery -y
sudo rm /etc/osquery/osquery.conf
sudo rm /etc/osquery/osquery.flags

sudo service td-agent-bit stop
sudo apt-get remove td-agent-bit -y
sudo rm /etc/td-agent-bit/td-agent-bit.conf

sudo service telegraf stop
sudo apt-get remove telegraf -y
sudo rm /etc/telegraf/telegraf.conf

Uninstall on CentOS with the following commands:

sudo service osqueryd stop
sudo yum erase osquery -y
sudo rm /etc/pki/rpm-gpg/RPM-GPG-KEY-osquery
sudo rm /etc/osquery/osquery.conf
sudo rm /etc/osquery/osquery.flags

sudo service td-agent-bit stop
sudo yum erase td-agent-bit -y
sudo rm /etc/yum.repos.d/td-agent-bit.repo

sudo service telegraf stop
sudo yum erase telegraf -y
sudo rm /etc/yum.repos.d/influxdb.repo
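
A check to run after the Linux commands above: it lists any of the files those commands delete that still exist, and any agent package the package manager still records. This is an added example, not part of Observe's documentation; the function names and the optional root-prefix argument are assumptions.

```shell
#!/bin/sh
# Added example: post-uninstall check for the Linux agent files named above.

# leftover_agent_files [ROOT]: print each listed path that still exists.
# Returns 0 when none remain, 1 otherwise. ROOT is an assumed optional prefix
# (e.g. a mounted image); empty means the live filesystem.
leftover_agent_files() {
    root="${1:-}"
    found=0
    for p in \
        /etc/pki/rpm-gpg/RPM-GPG-KEY-osquery \
        /etc/osquery/osquery.conf \
        /etc/osquery/osquery.flags \
        /etc/yum.repos.d/fluent-bit.repo \
        /etc/yum.repos.d/td-agent-bit.repo \
        /etc/yum.repos.d/influxdb.repo \
        /etc/fluent-bit/fluent-bit.conf \
        /etc/td-agent-bit/td-agent-bit.conf \
        /etc/telegraf/telegraf.conf
    do
        if [ -e "${root}${p}" ]; then
            printf '%s\n' "$p"
            found=1
        fi
    done
    return "$found"
}

# leftover_agent_packages: print agent packages the package manager still knows.
# On dpkg systems "apt-get remove" keeps conffiles, shown as "config-files".
leftover_agent_packages() {
    for pkg in osquery fluent-bit td-agent-bit telegraf; do
        if command -v rpm >/dev/null 2>&1 && rpm -q "$pkg" >/dev/null 2>&1; then
            printf '%s (rpm: installed)\n' "$pkg"
        elif command -v dpkg-query >/dev/null 2>&1; then
            st=$(dpkg-query -W -f='${Status}' "$pkg" 2>/dev/null) || continue
            case "$st" in
                ''|*not-installed) ;;
                *) printf '%s (dpkg: %s)\n' "$pkg" "$st" ;;
            esac
        fi
    done
    return 0
}

# Check the live system when the script is run directly.
leftover_agent_files || echo "agent files remain (listed above)" >&2
leftover_agent_packages
```
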

To automatically uninstall all of the components on Microsoft Windows:

To uninstall the configuration and remove the installed services, follow these steps:

Run the uninstall script by using the following command:

# Use TLS 1.2 only; SSL 3.0, TLS 1.0 and TLS 1.1 are deprecated protocols
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Invoke-WebRequest -UseBasicParsing "https://raw.githubusercontent.com/observeinc/windows-host-configuration-scripts/main/uninstall.ps1" -outfile .\uninstall.ps1
.\uninstall.ps1

This script will remove the osquery, fluent-bit, and telegraf services and their associated configuration files. If you would like to remove the services without confirming, you can add the -ForceRemove flag and all services and agents will be removed.

After running the uninstall script, you may need to manually remove any leftover directories. The following directories may need to be manually removed:

C:\Program Files\osquery
C:\Program Files\fluent-bit
C:\Program Files\InfluxData\telegraf

All config files get backed up to C:\temp\observe\. Please ensure you have administrative privileges when running both the configuration and uninstallation scripts.

To manually uninstall the components:

Uninstall on Microsoft Windows with the following steps using PowerShell:

Osquery

Stop-Service osqueryd

Under Windows Settings, open Add/Remove Programs. Locate “osquery” and click Uninstall. Click Uninstall again to confirm, and Windows removes osquery from your Windows device.

To remove the osquery install directory from your device:

Remove-Item -Recurse "${Env:Programfiles}\osquery"

Fluent Bit

Stop-Service fluent-bit
# In Windows PowerShell, "sc" is an alias for Set-Content, so call sc.exe explicitly
sc.exe delete fluent-bit

Under Windows Settings, open Add/Remove Programs. Then find fluent-bit and click Uninstall. Click Uninstall again to confirm. Follow the steps to remove fluent-bit from your Windows device.

To remove the fluent-bit install directory:

Remove-Item -Recurse -Force "${Env:Programfiles}\fluent-bit"

Telegraf

Navigate to the telegraf.exe location, for example, C:\Program Files\InfluxData\telegraf\telegraf-1.26.0, and run the following PowerShell commands:

Stop-Service telegraf
cd "${Env:Programfiles}\InfluxData\telegraf\telegraf-1.26.0\"
.\telegraf.exe --service uninstall

To remove the telegraf install directory:

cd \; Remove-Item -Recurse -Force "${Env:Programfiles}\InfluxData\telegraf"

If you installed agents using the single sample command without setting the script argument -config_files_clean = TRUE, then you can also delete the following temp folder:

Remove-Item -Recurse -Force "C:\temp\observe"

Uninstall on macOS with the following commands:

brew services stop telegraf
brew uninstall telegraf

sudo osqueryctl stop
brew uninstall --cask osquery

sudo launchctl unload -w /Library/LaunchDaemons/fluent-bit.plist
brew uninstall fluent-bit

You may also choose to remove configurations:

/opt/homebrew/etc/telegraf.conf
/var/osquery/osquery.conf
/var/osquery/osquery.flags
/etc/fluent-bit/fluent-bit.conf
/etc/fluent-bit/observe-mac.conf
/etc/fluent-bit/parsers-observe.conf

and log files:

/opt/homebrew/var/telegraf.log
/var/log/osquery/*

You may also need to remove service settings for custom log files or proxies if you added them.

App Uninstall

To uninstall the Host Monitoring app from your Observe workspace, follow the instructions on the Apps page.

If you have another app linked to the Host Monitoring app, then remove that link before deleting the Host Monitoring app.