Remove agents using the Wazuh server API

This section includes examples of using the DELETE /agents request to delete a list of agents or agents disconnected for a given period. This action is performed on the Wazuh server or on an authorized endpoint.

The examples use an authentication token. To get your token, replace <USER>:<PASSWORD> with your Wazuh server API credentials, <WAZUH_MANAGER_IP> with the Wazuh manager IP address or FQDN (Fully Qualified Domain Name), and run the following command:

# TOKEN=$(curl -u <USER>:<PASSWORD> -k -X GET "https://<WAZUH_MANAGER_IP>:55000/security/user/authenticate?raw=true")

Note

You can locate your Wazuh server API user password in the wazuh-install-files.tar file generated during the installation process of the Wazuh server. You can also reset the password for the Wazuh server API user if you have forgotten it.

Removing agents in a list

You can remove specific Wazuh agents using a list. Use the parameter agents_list to set a list of agent IDs separated by commas. For example, to remove agents ID 005, 006, and 007, run the following query:

# curl -k -X DELETE "https://<WAZUH_MANAGER_IP>:55000/agents?pretty=true&older_than=0s&agents_list=005,006,007&status=all" -H  "Authorization: Bearer $TOKEN"

Replace <WAZUH_MANAGER_IP> with the IP address or FQDN of the Wazuh server.

{
    "data": {
        "affected_items": [
            "005",
            "006",
            "007"
        ],
        "total_affected_items": 3,
        "total_failed_items": 0,
        "failed_items": [],
    },
    "message": "All selected agents were deleted",
    "error": 0,
}

Removing disconnected agents

You can remove Wazuh agents that never connected or agents that have been disconnected for a given period. Use the parameter older_than to set a period of no known activity. Use status to select the never connected and disconnected Wazuh agents. For example, to remove Wazuh agents inactive for more than 21 days, execute the following query:

# curl -k -X DELETE "https://<WAZUH_MANAGER_IP>:55000/agents?pretty=true&older_than=21d&agents_list=all&status=never_connected,disconnected" -H  "Authorization: Bearer $TOKEN"

Replace <WAZUH_MANAGER_IP> with the IP address or FQDN of the Wazuh server.

{
   "data": {
      "affected_items": [
         "003"
      ],
      "total_affected_items": 1,
      "total_failed_items": 0,
      "failed_items": []
   },
   "message": "All selected agents were deleted",
   "error": 0
}