Exabeam Site Collector for SaaS

How to Uninstall Exabeam Site Collector

There may be a need to remove an existing Exabeam Site Collector (SC) deployment entirely. To uninstall the SC, SSH to the host and run one of the following commands:

sudo ./site-collector-installer.sh -v --uninstall

# Or, uninstall in silent mode
sudo ./site-collector-installer.sh -v --uninstall -a

How to Uninstall a Legacy Site Collector

Once your new Exabeam Site Collector is up and running, you can uninstall the legacy site collectors. There is a risk of data loss during the uninstall if the ingest queues are not empty, so stop sending logs to the site collectors being removed before you begin. The following steps mitigate data loss and uninstall your legacy SC:

  1. Verify that the queues do not have data. The following command sums the LAG column for the gcs consumer group; if the queues are empty it prints 0. If there is data, wait a few minutes for the remaining logs to clear the queue, then re-verify that the ingestion queues are empty. Do not proceed to the next step until the queues are empty.

    sudo -u kafka /opt/kafka/bin/kafka-consumer-groups.sh --bootstrap-server localhost:9092 --describe --group gcs | awk '{s+=$5}END{print s}'
  2. Use the following commands to stop services. Services must be fully stopped before proceeding to the next uninstall steps.

    systemctl stop kafka
    systemctl stop logstash
    systemctl stop zookeeper
  3. Remove Kafka.

    yum remove kafka
  4. Remove Logstash.

    yum remove logstash
  5. Remove Zookeeper.

    yum remove zookeeper
  6. Remove any remaining Logstash and Kafka folders (if they still exist).

    rm -rf /opt/kafka
    rm -rf /opt/logstash
  7. Remove common packages.

    yum remove java-1.8.0-openjdk logrotate iperf3
  8. Remove Logstash and Kafka users.

    userdel kafka
    userdel logstash
  9. Remove OpenVPN.

    yum remove openvpn
    rm -rf /etc/openvpn
  10. Remove Logstash files from /tmp.

    # Move any leftover Logstash files and folders in /tmp into a holding folder
    cd /tmp
    mkdir logstash-files
    mv logstash* logstash-files
  11. Remove offline repository definitions.

    # rm on the directory itself fails; remove the offline .repo file the legacy
    # installer added (placeholder name below), not all of /etc/yum.repos.d/
    rm /etc/yum.repos.d/<legacy-sc-offline>.repo
  12. Remove the /opt/exabeam folder.

    rm -rf /opt/exabeam
  13. Remove firewall rules.

    1. Check existing firewall rules.

      firewall-cmd --list-all
    2. Remove ports and forwarding rules.

      firewall-cmd --zone=public --remove-port=9093/tcp --permanent
      firewall-cmd --zone=public --remove-port=514/tcp --permanent
      firewall-cmd --zone=public --remove-port=515/tcp --permanent
      firewall-cmd --zone=public --remove-port=9300/tcp --permanent
      firewall-cmd --remove-forward-port=port=514:proto=udp:toport=5514 --permanent
      firewall-cmd --remove-forward-port=port=514:proto=tcp:toport=5514 --permanent
      firewall-cmd --remove-forward-port=port=515:proto=tcp:toport=5515 --permanent
      firewall-cmd --zone=public --remove-forward-port=port=443:proto=tcp:toport=443:toaddr=10.0.0.16 --permanent
      firewall-cmd --reload
    3. Verify firewall rules have been removed. The list returned from the following command should not show rules removed in the previous step.

      firewall-cmd --list-all
  14. Remove the IP forwarding setting from the file /etc/sysctl.conf.

    # Delete this line from /etc/sysctl.conf (it enabled the forwarding used by the removed firewall rules)
    net.ipv4.ip_forward = 1
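Two checks for the risky points in the procedure above (the queue check in step 1 and the firewall cleanup in step 13), added here as an example and not part of the Exabeam documentation or installer. It assumes the standard `kafka-consumer-groups.sh` and `firewall-cmd --list-all` output layouts; the sample outputs embedded below are constructed.

```shell
#!/bin/sh
# Added example, not part of the Exabeam documentation: pre-flight checks for
# the legacy Site Collector removal above. lag_total finds the LAG column by
# its header name instead of assuming it is field 5, so it does not sum the
# wrong column when the kafka-consumer-groups.sh layout differs, and returns
# -1 when any partition reports "-" (no committed offset), because an unknown
# lag must not be read as "queue empty". leftover_rules lists which of the
# step-13 ports and forwards still appear in firewall-cmd --list-all output.

# $1: full output of kafka-consumer-groups.sh --describe --group gcs
lag_total() {
    printf '%s\n' "$1" | awk '
        NR == 1 { for (i = 1; i <= NF; i++) if ($i == "LAG") col = i; next }
        NF == 0 { next }
        !col || $col !~ /^[0-9]+$/ { bad = 1; next }
        { s += $col }
        END { v = (bad || !col) ? -1 : s + 0; print v }'
}

# Rules removed in step 13; $1 is the output of firewall-cmd --list-all.
LEGACY_RULES='9093/tcp 514/tcp 515/tcp 9300/tcp
port=514:proto=udp:toport=5514 port=514:proto=tcp:toport=5514
port=515:proto=tcp:toport=5515 port=443:proto=tcp:toport=443:toaddr=10.0.0.16'
leftover_rules() {
    left=''
    for r in $LEGACY_RULES; do
        printf '%s\n' "$1" | grep -qwF -- "$r" && left="$left $r"
    done
    printf '%s\n' "${left# }"
}

# Constructed samples standing in for live command output.
DRAINING='GROUP TOPIC PARTITION CURRENT-OFFSET LOG-END-OFFSET LAG CONSUMER-ID HOST CLIENT-ID
gcs   logs  0         1200           1200           0   c-1         /10.0.0.5 cli-1
gcs   logs  1         900            917            17  c-1         /10.0.0.5 cli-1'
UNKNOWN='TOPIC PARTITION CURRENT-OFFSET LOG-END-OFFSET LAG CONSUMER-ID HOST CLIENT-ID
logs  0         -              50             -   -           -         -'
FW_BEFORE='public (active)
  services: ssh
  ports: 5514/tcp 9093/tcp 515/tcp
  forward-ports: port=514:proto=udp:toport=5514:toaddr=
        port=443:proto=tcp:toport=443:toaddr=10.0.0.16'

# Live use: lag_total "$(sudo -u kafka /opt/kafka/bin/kafka-consumer-groups.sh \
#   --bootstrap-server localhost:9092 --describe --group gcs)" must print 0 before
# step 2; leftover_rules "$(firewall-cmd --list-all)" must print nothing after step 13.
lag_total "$DRAINING"           # prints 17: keep waiting
lag_total "$UNKNOWN"            # prints -1: lag not reported, do not proceed
leftover_rules "$FW_BEFORE"     # prints the four rules still to be removed
```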