Remove agents using the Wazuh API
This section includes examples of how to use the DELETE /agents request to delete either a list of agents or agents that have been disconnected for a given period of time.
The examples use an authentication token. To get your token, replace <USER>:<PASSWORD> with your Wazuh API credentials and run the following command:
# TOKEN=$(curl -u <USER>:<PASSWORD> -k -X GET "https://localhost:55000/security/user/authenticate?raw=true")
Removing agents in a list
You can remove specific agents using a list. Use the parameter agents_list to set a list of agent IDs separated by commas. For example, to remove the agents with IDs 005, 006, and 007, run a query like the following one.
# curl -k -X DELETE "https://localhost:55000/agents?pretty=true&older_than=0s&agents_list=005,006,007&status=all" -H "Authorization: Bearer $TOKEN"
{
  "data": {
    "affected_items": [
      "005",
      "006",
      "007"
    ],
    "total_affected_items": 3,
    "total_failed_items": 0,
    "failed_items": []
  },
  "message": "All selected agents were deleted",
  "error": 0
}
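The wrapper below is an added example, not part of the Wazuh documentation or code base: it validates the agents_list value before building the DELETE /agents query shown above and checks the response counters against the number of IDs requested. The function names and the ID pattern (numeric, three or more digits) are assumptions made for this example.

```sh
#!/bin/sh
# Added example, not Wazuh project code. Function names are hypothetical.

# Build the query string for deleting an explicit list of agents.
# Assumption: agent IDs are zero-padded numbers of three or more digits.
# Anything else ("all", an empty variable, stray characters) is rejected, so a
# scripting mistake cannot widen the deletion.
build_delete_query() {
    if ! printf '%s\n' "$1" | grep -Eq '^[0-9]{3,}(,[0-9]{3,})*$'; then
        echo "refusing: agents_list must be comma-separated numeric IDs" >&2
        return 1
    fi
    printf 'pretty=true&older_than=0s&agents_list=%s&status=all' "$1"
}

# Print the first integer value of field $1 from a response read on stdin.
json_int() {
    sed -n "s/.*\"$1\": *\([0-9][0-9]*\).*/\1/p" | head -n 1
}

# Succeed only if the response ($1) reports error 0, no failed items, and as
# many affected items as there are IDs in the requested list ($2).
verify_delete() {
    want=$(printf '%s\n' "$2" | awk -F, '{print NF}')
    err=$(printf '%s\n' "$1" | json_int error)
    failed=$(printf '%s\n' "$1" | json_int total_failed_items)
    deleted=$(printf '%s\n' "$1" | json_int total_affected_items)
    [ "$err" = 0 ] && [ "$failed" = 0 ] && [ "$deleted" = "$want" ]
}

# Sample input: the response from the page's first example (005, 006, 007).
SAMPLE='{
  "data": {
    "affected_items": ["005", "006", "007"],
    "total_affected_items": 3,
    "total_failed_items": 0,
    "failed_items": []
  },
  "message": "All selected agents were deleted",
  "error": 0
}'

req_ids=005,006,007
query=$(build_delete_query "$req_ids") || exit 1
echo "request: DELETE https://localhost:55000/agents?$query"
# Live call, commented out so the example runs offline:
# resp=$(curl -k -X DELETE "https://localhost:55000/agents?$query" -H "Authorization: Bearer $TOKEN")
verify_delete "$SAMPLE" "$req_ids" && echo "verified: all requested agents deleted"
```

In a real run, pass the captured `$resp` to verify_delete instead of the sample and treat a non-zero return as a reason to inspect failed_items before retrying.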
Removing disconnected agents
You can remove agents which never connected or which have been disconnected for a given period of time. Use the parameter older_than to set a period of no known activity. Use status to select the Never connected and Disconnected agents. For example, to remove agents inactive for more than 21 days, run a query like the following one.
# curl -k -X DELETE "https://localhost:55000/agents?pretty=true&older_than=21d&agents_list=all&status=never_connected,disconnected" -H "Authorization: Bearer $TOKEN"
{
  "data": {
    "affected_items": [
      "003"
    ],
    "total_affected_items": 1,
    "total_failed_items": 0,
    "failed_items": []
  },
  "message": "All selected agents were deleted",
  "error": 0
}