Uninstall Elastic Agents from edge hosts


Uninstall Elastic Agents from edge hostsedit

Uninstall on macOS, Linux, and Windowsedit

To uninstall Elastic Agent, run the uninstall command from the directory where Elastic Agent is running.

Be sure to run the uninstall command from the directory where Elastic Agent is running, as shown in the example below, and not from the directory where you previously ran the install command. Running the command from the wrong directory can leave the agent in an inconsistent state.

You must run this command as the root user.

sudo /Library/Elastic/Agent/elastic-agent uninstall

Follow the prompts to confirm that you want to uninstall Elastic Agent. The command stops and uninstalls any managed programs, such as Beats and Elastic Endpoint, before it stops and uninstalls Elastic Agent.

If you run into problems, refer to Troubleshoot common problems.

If you are using DEB or RPM, you can use the package manager to remove the installed package.

For hosts enrolled in the Elastic Defend integration with Agent tamper protection enabled, you’ll need to include the uninstall token in the command, using the --uninstall-token flag. Refer to the Agent tamper protection docs for more information.

Remove Elastic Agent files manuallyedit

You might need to remove Elastic Agent files manually if there’s a failure during installation.

To remove Elastic Agent manually from your system:

  1. Unenroll the agent if it’s managed by Fleet.
  2. For standalone agents, back up any configuration files you want to preserve.
  3. On your host, stop the agent. If any Elastic Agent-related processes are still running, stop them too.

    Search for these processes and stop them if they’re still running: filebeat, metricbeat, fleet-server, and elastic-endpoint.

  4. Manually remove the Elastic Agent files from your system. For example, if you’re running Elastic Agent on macOS, delete /Library/Elastic/Agent/*. Not sure where the files are installed? Refer to Installation layout.
  5. If you’ve configured the Elastic Defend integration, also remove the files installed for endpoint protection. The directory structure is similar to Elastic Agent, for example, /Library/Elastic/Endpoint/*.

    When you remove the Elastic Defend integration from a macOS host (10.13, 10.14, or 10.15), the Endpoint System Extension is left on disk intentionally. If you want to remove the extension, refer to the documentation for your operating system.