Need to manually uninstall osquery on macOS? If you no longer want to use osquery on your Mac, or if you need to manually clear out the installation because you're having problems with the endpoint and you want to reinstall from scratch, follow the four steps outlined below. We've also included the terminal command in text format so you can easily copy and paste.
Note: most of the commands you'll need to run require elevated privileges, because the affected libraries and files are normally restricted to root or administrative groups. You may also be prompted to authenticate with your password.
Step 1: Stop the Osquery Service From Running; Unload Plist
Use the launch control command (launchctl) to unload the osquery plist, which controls the service when it launches.
Command to unload osquery plist:
sudo launchctl unload /Library/LaunchDaemons/com.facebook.osqueryd.plist
Step 2: Remove the Plist
Now that we've stopped the osquery service from running, we can remove the plist that we just unloaded.
Command to remove plist:
sudo rm /Library/LaunchDaemons/com.facebook.osqueryd.plist
Step 3: Remove Log, Config & Binary files
Now we're ready to remove the files and directories created by the osquery installer package. This is important if you are having a problem with a corrupt database and haven't been able to resolve it any other way, because it removes the local database so a reinstall can create a new one. Remove the log files first, then the configuration files, and finally the binary files.
Command to remove log files:
sudo rm -rf /private/var/log/osquery
Command to remove config files:
sudo rm -rf /private/var/osquery
Command to remove binary files:
sudo rm /usr/local/bin/osquery*
Step 4: Stop Tracking Osquery Package
The final step is to tell the package utility to stop tracking the originally installed osquery package.
Command to stop tracking osquery package:
sudo pkgutil --forget com.facebook.osqueryd
Now that you've issued all of these commands, you have successfully uninstalled osquery from macOS and returned your Mac to the pre-install state.
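To confirm the four steps left nothing behind, the check below looks for each path removed above, plus the launchd job and the package receipt. It is an added example, not part of the original post or an Uptycs tool; the function name osquery_leftovers and its optional ROOT argument (a prefix for checking a scratch directory tree) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: report osquery artifacts that survive the uninstall steps.
# Run under sudo on the Mac so launchctl inspects the system domain.

# Label and paths are the ones used by the commands on this page.
OSQ_LABEL="com.facebook.osqueryd"

# osquery_leftovers [ROOT]
# Prints one line per remaining artifact and returns 1 if any were found.
# ROOT is a hypothetical prefix, used only to check a scratch tree.
osquery_leftovers() {
    root="${1:-}"
    found=0

    # Steps 2 and 3: plist, log directory, config/database directory.
    for p in \
        "/Library/LaunchDaemons/${OSQ_LABEL}.plist" \
        "/private/var/log/osquery" \
        "/private/var/osquery"
    do
        if [ -e "${root}${p}" ]; then
            echo "leftover: ${p}"
            found=1
        fi
    done

    # Step 3 removes every file matching /usr/local/bin/osquery*.
    for b in "${root}"/usr/local/bin/osquery*; do
        if [ -e "$b" ] || [ -L "$b" ]; then
            echo "leftover: ${b#"$root"}"
            found=1
        fi
    done

    # Steps 1 and 4 apply to the live system only (skipped when ROOT is set).
    if [ -z "$root" ]; then
        if command -v launchctl >/dev/null 2>&1 &&
           launchctl list "$OSQ_LABEL" >/dev/null 2>&1; then
            echo "leftover: launchd job ${OSQ_LABEL} is still loaded"
            found=1
        fi
        if command -v pkgutil >/dev/null 2>&1 &&
           pkgutil --pkg-info "$OSQ_LABEL" >/dev/null 2>&1; then
            echo "leftover: package receipt ${OSQ_LABEL}"
            found=1
        fi
    fi
    return "$found"
}
```

Call osquery_leftovers with no argument after the last command; an exit status of 0 with no output means none of the listed artifacts remain.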
Here's a round-up of all the commands required to uninstall osquery from macOS:
sudo launchctl unload /Library/LaunchDaemons/com.facebook.osqueryd.plist
sudo rm /Library/LaunchDaemons/com.facebook.osqueryd.plist
sudo rm -rf /private/var/log/osquery
sudo rm -rf /private/var/osquery
sudo rm /usr/local/bin/osquery*
sudo pkgutil --forget com.facebook.osqueryd