CR-2026-02-26: Wazuh SIEM Integration — Rollback

Rollback Plan

Syslog integration is additive and non-destructive. To rollback:

  1. Remove syslog targets from network devices

  2. Disable Wazuh agents on servers/workstations

  3. No data loss — existing logs remain in OpenSearch indices

# Remove syslog from WLC
netapi wlc config "no logging host 10.50.1.134" --save

# Disable Wazuh agent on a server
ssh <server> "sudo systemctl stop wazuh-agent && sudo systemctl disable wazuh-agent"