Welcome to UpGuard!
UpGuard Core is a platform for tracking and managing configuration in your infrastructure.
This document is designed to get you up and running with UpGuard Core. It will introduce some key terminology, walk through the initial setup, and provide guidance on navigating the rest of our support documentation.
There are some terms you should be familiar with before using or administering UpGuard:
Appliance - the software and services required to run the UpGuard platform. UpGuard can host your appliance in our cloud, or it can be deployed as a virtual machine behind your firewall or in your favorite cloud provider.
Connection Manager - a small piece of software that performs agentless node scans. It comes in Windows and Linux/SSH varieties, and each version is intended to scan different kinds of nodes. It can be placed throughout your network to allow for fine-grained network access control. With connection managers, the UpGuard appliance does not need direct access to your entire network.
Agent - like a connection manager, but installed and run locally on the node to be scanned. Agent-based and agentless scans perform the same scan steps.
Node - a system, service, application, or device that is scanned in UpGuard. We support a wide variety of systems and devices out of the box (see our supported device list). If you need something that we don’t cover yet, we’re happy to work with you (please visit our guide on Supporting Unsupported Node Types).
Node Group - the basic organizational unit for nodes in UpGuard. Node Groups are used for customizing scan settings, and can also be used for reporting. A node can be a member of an unlimited number of node groups.
Environment - the organizational unit for nodes used in scan scheduling and reporting. A node can only be a member of one environment.
Scan - a snapshot of a node’s configuration state at a point in time. Scans can be compared between nodes, or on the same node over time.
Configuration Item - a piece of configuration data in an UpGuard scan, represented in the scan by a grey box.
STEP ONE: Get an appliance
There are two different deployment methods for the UpGuard appliance:
- UpGuard-hosted Instance
- On-Premises Virtual Appliance Instance (managed by UpGuard)
If you choose an UpGuard-hosted appliance instance, UpGuard will set up your individual appliance in our cloud. Your Technical Account Manager will help you get an account on the system.
Users who opt for the on-premises appliance will need to provision the virtual appliance. An UpGuard support representative will complete the installation with you over a remote session.
STEP TWO: Agentless or agent-based scanning?
UpGuard offers two methods for scanning nodes:
- Agentless (recommended)
- Agent-based
The two methods perform the same scans and return the same results, but they have different setup and configuration procedures. Check out our rundown on the pros and cons of each option. You can also look at our list of supported devices to see more about the options available for the devices you’re interested in monitoring.
For agentless scanning, UpGuard relies on connection managers distributed throughout your network. Connection managers poll the appliance for scan work to perform, and then reach out to target nodes over WinRM/remote PowerShell or SSH. One connection manager can scan up to 2000 nodes, which dramatically reduces the amount of UpGuard software that needs to be deployed and updated in your environment.
If you opt for agentless scanning, you’ll need to provision connection manager virtual machines at key points throughout your network. For more information about provisioning connection managers, check out the following articles: Windows, Linux/Unix
Agents must be installed directly onto the node to be scanned in UpGuard. Agents are only available for Windows and select Linux and Unix-based operating systems. Agent-based scanning increases maintenance overhead in large deployments, but is ideal for systems in DMZs or off-domain Windows systems where remote access by service accounts is not feasible.
STEP THREE: Set up your network
UpGuard requires the various pieces of the system to be able to communicate with each other over the network. The firewall rules you’ll need are pretty simple, and they look like this:
- Connection managers and agents (all kinds) need to be able to reach the appliance on port 443 to poll for scan work and return results.
- Linux connection managers need to be able to reach target nodes - Linux/Unix servers and SSH-capable network devices - on port 22 (or whatever port you’re using for SSH).
- Windows connection managers need to be able to reach Windows nodes on port 5985 (or whatever port you’re using for WinRM).
- If you’re scanning databases, the Windows connection manager needs to be able to reach those, too, on whatever ports you’d connect to with ODBC.
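A quick way to confirm these rules before adding nodes is to probe each required path from the host that will make the connection (the connection manager for the node ports, any connection manager or agent host for port 443). The script below is an added example, not UpGuard tooling; the host names are constructed placeholders and the ODBC port 1433 is only an illustration, since the real port depends on your database.

```python
"""Connectivity check for the UpGuard network paths listed above.

Added example, not UpGuard's own tooling. Host names are constructed
placeholders; replace them with your appliance and node addresses.
"""
import socket
from typing import Callable, Dict, List, Tuple

# Each entry: (description, destination host, TCP port). Ports are the
# defaults from the guide: 443 to the appliance, 22 for SSH targets,
# 5985 for WinRM targets. ODBC ports vary per database, so 1433 below
# is only a placeholder.
Path = Tuple[str, str, int]

REQUIRED_PATHS: List[Path] = [
    ("CM/agent -> appliance (poll work, return results)", "appliance.example.internal", 443),
    ("Linux CM -> Linux/Unix node or network device (SSH)", "linux01.example.internal", 22),
    ("Windows CM -> Windows node (WinRM)", "win01.example.internal", 5985),
    ("Windows CM -> database node (ODBC)", "db01.example.internal", 1433),
]


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP handshake to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # DNS failure, connection refused and firewall drops (timeout) all land here.
        return False


def verify_paths(paths: List[Path],
                 probe: Callable[[str, int], bool] = tcp_reachable) -> Dict[str, bool]:
    """Probe every required path. The probe is injectable so the logic can be
    exercised without a live network."""
    return {desc: probe(host, port) for desc, host, port in paths}


def blocked_paths(results: Dict[str, bool]) -> List[str]:
    """Descriptions of paths that failed, i.e. the firewall rules still to open."""
    return [desc for desc, ok in results.items() if not ok]


if __name__ == "__main__":
    outcome = verify_paths(REQUIRED_PATHS)
    for desc, ok in outcome.items():
        print(f"{'OK     ' if ok else 'BLOCKED'} {desc}")
    if blocked_paths(outcome):
        raise SystemExit(1)
```

Run the Linux checks from a Linux connection manager and the WinRM/ODBC checks from a Windows connection manager, since each only needs the paths for the node types it scans.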
STEP FOUR: Provision service accounts
If you’ve opted for agentless scanning, you’ll need service accounts configured with necessary permissions for the connection managers to use when scanning.
Linux service users can usually be standard users. If you’re planning to do CIS scanning, you’ll need to be able to elevate to root. Contact your Technical Account Manager or UpGuard support engineer for details.
The permissions needed for database node service users are described on our page about adding database nodes.
STEP FIVE: Add nodes, start scanning
Once your connection managers are in place, your firewalls are configured, and your service accounts are provisioned, it’s time to start adding your nodes into the UpGuard platform.
Clicking on “Add nodes” under the Discover UI tab opens a wizard to walk you through adding nodes individually. You can also check out our support articles on adding Windows nodes, Linux nodes, and other device types in the Installation Guides -> Adding Nodes section.
It’s also possible to import nodes in bulk from a variety of sources, including CSV files, Active Directory servers, and CMDBs.
Once you have added nodes to the platform, simply select them with the checkboxes next to their names and click the ‘Scan’ button in the upper right-hand corner of the UpGuard web console to initiate a scan.
STEP SIX: Customize your scans
UpGuard provides a set of default configuration items that will be collected during a scan. If you want to go beyond the defaults, UpGuard scans are highly customizable.
The first step is to organize your nodes into node groups. Node groups are the way that UpGuard organizes nodes, and changes to the contents of scans are configured at the node group level. A node can be a member of as many node groups as it needs to be, so you can make node groups that range from very general to very specific in accordance with your scan customization needs.
Scan contents are modified using scan options. You can add files and directories to the scan, look at registry keys, check ports for listening services, and even configure custom shell or PowerShell scripts.
By default, scans are performed once per day. This schedule can be modified in the Control > Job Schedule section of the web console.
Take it to the next level
Once you’re scanning and collecting data, try diffing and comparing your data to quickly spot differences in configuration between your nodes.
Check out the change report to get a sense of how your whole environment is changing over time.
The UpGuard policy engine provides a toolset for taking control over your configuration by quickly building test suites that run automatically every time your infrastructure is scanned.
UpGuard also provides a sophisticated API for scripting and automation.
This overview is only scratching the surface. Look through the Reference section of our documentation for more advanced topics.
Troubleshooting and support
If your scans aren’t returning the data you expect, you can find more information about what’s going on in the Control > Job History section of the web console. Scan failures and partial scans are accompanied by descriptive error messages.
If you need further assistance, don’t hesitate to reach out by contacting UpGuard Support.