There are two methods to scan nodes with UpGuard Core. This page documents the differences between these methods, the pros and cons, and how to decide which method you should use in your deployment.


UpGuard performs its node configuration scanning by running commands on the node to gather configuration data. The commands can be run by an agent installed on the node or through a remote connection performed by a connection manager. While a node can only be collected using one method (agent or agentless), your environment can use any combination of agent and agentless collection methods.


A service is installed on a specific node, and can only perform a scan on the node where it is installed. The agent connects back to the UpGuard Appliance over port 443 to communicate work.


  • Troubleshooting can be easier since a single node can be isolated (for example, when a timeout needs to be changed)
  • No extra VMs are required (besides the UpGuard appliance) to use as connection managers
  • Windows: No service account is required, the UpGuard service can run as Local System
  • Linux: For scanning files as root, no connections need to be made to the system as root (the agent can run as root)

Potential Issues

  • Deploying and updating the agents can be time consuming
  • Updating the configuration file (such as changing a timeout) can be time consuming


A connection manager, either onboard the UpGuard Appliance or deployed as a satellite connection manager, is used to connect to a node, either via an SSH connection, a WinRM connection or via an API, depending on the node type.


  • Configuration changes happen in one location (on the connection manager)
  • No software deployment or configuration on your nodes
  • The UpGuard Appliance comes with a built in Default connection manager - no setup required.

Potential Issues

  • Requires a connection manager (Windows and Linux require separate connection managers) that can access the nodes
  • Windows: A service account is required that has local administrator rights on all nodes
  • Linux: For scanning files as root, you will need to use the remote helper, which allows connections from the connection manager as root. This is only used during scans (generally once a day), so the risk is limited

What should I use?

While it mostly depends on your environment and deployment methods, most UpGuard users go with the agentless scanning. In general, this is because:

  • There is less management overhead in deploying and maintaining nodes in UpGuard
  • Configuration changes are trivial
  • New nodes can easily be added, without the need to install any software on the node

However, you may want to use the agent when:

  • You have a node that cannot be accessed remotely (but can communicate to the appliance on port 443)
  • If you have a node with an unreliable connection to the appliance or connection manager, scans may not run as expected
  • You are unable to deploy a connection manager that can reach a node

For further discussion on which method to choose, please contact your Account Manager or UpGuard Support.