When running a node scan, a number of custom scan options can be specified to give extra visibility into items of particular interest. Scan options are always applied at the node group level to ensure valid comparisons between nodes.

Setting Scan Options from the Node Page

To view and edit the scan options applied to a node, click the gear icon at the top of the node visualization. It will pop up the scan options interface. Here you can see the groups to which the node belongs and what scan options it inherits from each. This will ensure that Nodes will be scanned consistently so that whenever you want to compare two Nodes you can be confident that the important config items will be available. You can add or edit scan options here and they will be saved and applied to the parent group the next time those nodes are scanned.



Setting Scan Options from the Node Group Page

You can also view and edit a group’s scan options from the Node Group page. Click the blue “edit” button in the top right to view all the information associated with the group. Expanding the “scan options” section will show you the scan options and provide the interface to edit them.

Files and Directories

This section allows you to specify which files, or groups of files, are collected up under the “Files” section of the node scan. Multiple files, or patterns representing groups of files, can be specified one per line.


Absolute Syntax

To specify a specific file, simply include the absolute path to that file. For example, to scan the UpGuard Agent binary you could include this line:

C:\Program Files\Upguard\bin\upguard.exe

To request all files within a folder to be scanned, simply include the absolute path to the folder. For example, to include all files in the “C:\Windows\System32” folder use:


Wildcard Syntax

To request a particular type of file in a given folder you can use the wildcard “*” character. For example, to include all .exe files in “C:\Windows\System32” folder use the following line:


Greedy-star Syntax

To request a particular type of file in a given folder and its subfolders, use the greedy “**” wildcard pattern. For example, to include all .exe files in “C:\Windows\System32” and all subdirectories use the following line:


To include all files, regardless of file extension in “C:\Windows\System32” and all of its subdirectories, use the following line:


File Path Negation

You can prepend a scan directory option with ! in order to cause files that match the pattern to not be returned as a part of the scan. All forms of globbing for the exclude option will still be supported with file path negation.

If you were to use !C:\Folder\*.log, then C:\Folder\Folder2\sample.log will be excluded from the scan as well.

Etcd Keys

This section allows you to specify which etcd key, or groups of etcd keys, will be collected under the “Etcd Keys” section of the node scan. Multiple keys, or patterns representing groups of keys, can be specified one per line.


NMAP Scanning

This section allows you to perform external port scanning on nodes on Non-Windows based nodes. NMAP scanning is found under the Categories section of Scan Options. Ports for this scan can be designated in the following ways:

  • A single port (5985)
  • A set of ports (5985, 5986, 1433)
  • A range of ports (1-1024)

After specifying the ports needed for NMAP scanning, click the check box to save your preferences.


Custom Scripts (Linux Only)

This section allows you to specify custom scripts that can be used to return data that you would like to see included in the scan. The description field is used to distinguish your query. Queries are interpreted to be bash scripts by default, but it is recommended to specify the shell explicitly at the top of your script (for example #!/bin/bash).

Returned scripts are displayed as flat files under a Scripts section of the visualization. This allows you to return back data that may not have a strictly defined structure.


If you would like to display configuration as seperate configuration item squares, refer to the scan.d options method.

SQL Queries (Database Nodes Only)

Adding SQL queries to your scan options allows you to easily detect changes to database table schemas, triggers, stored procedures or indexes. For example, to detect column or attribute changes you can select on your databases schema table. Here we set the schema first for our Microsoft SQL Server database and select our sales column data:

use sales select * from information_schema.columns

PowerShell Queries (Windows Only)

Custom PowerShell queries can be used to return data you would like to see included in the scan.

Field Description
Description The label given to the results in the scan.
Key Name If the query returns multiple values, Key Name is used to specify which field uniquely identifies the row.
Query The actual PowerShell query to be run.

Single Object Example

Field Description
Description Host
Key Name  
Query Get-Host | Select CurrentCulture, Name, Version

Multiple Objects Example

NB: Try/Catch used due to a PowerShell bug.

Field Description
Description Websites
Key Name PhysicalPath
Query Import-Module WebAdministration; Try{ $sites = Get-WebSite | Select Name, State, PhysicalPath, ApplicationPool } Catch [System.IO.FileNotFoundException]{ $site = Get-WebSite | Select Name, State, PhysicalPath, ApplicationPool } $sites

Registry Keys (Windows Only)

Specify registry keys to be scanned. Valid options are full paths to a key value name or parent key path. Abbreviations such as HKLM are supported.

Key Value


Parent Key Value


Scanning Multiple Keys

UpGuard’s registry scanning supports glob syntax for scanning multiple registry sub keys. For sub keys, utilizing * will function as an wildcard, and utilizing ** will function as a recursive wildcard.


Group Policy Objects (Windows Only)

Group Policy Objects (GPOs) can be scanned by entering the name of the GPO as it appears in the Windows Group Policy Management Console (GPMC).


Instructions for getting started with the GPMC can be found here.

Resultant Set of Policy (RSoP) (Windows Only)

Resultant Set of Policy (RSoP) reports can be used to identify the GPO’s that are in actuality governing a machine.

RSoP reports can be accessed by adding “RSOP” as a scan option under the “Sections” category.


The results of the RSoP report are visualized as a configuration group in the node visualization.

By treating RSoP results as configuration items in UpGuard, users can generate policies, compare differences, identify governance inconsistencies, and integrate information with additional platforms.


IIS Settings (Windows Only)

Adding IIS settings can be done through Scan Options. While logged in as an Administrator, go to the Discover tab, and choose Monitored. For the node or node group you would like to monitor IIS settings on, click on the dropdown menu next to the Edit button near the top right hand corner and select Scan Options.

Navigate to the Sections tab and enter “IIS” (case sensitive) as a section and click the check box to save the newly added option.


Exit out of Scan Options and run a scan on the node or node group. IIS settings will be listed after a successful scan.



By default, active local TCP and UDP ports from 1-1024 are scanned. To specify a particular range of ports, simply use the M-N syntax. For example, to scan all ports between 20 and 30 (inclusive), then use 20-30. You can also specify a number of individual ports, or ranges of ports, by separating them by a comma. For example, to scan ports 22, 80, 443 and all ports in the 8000s use 22,80,443,8000-8999.


The connectivity tests allow you to determine if a node is able to establish a remote connection on the specified port. The host may be specified using either IP address or FQDN.



The Web scan option allows you to verify that a node can connect to a web endpoint, and optionally retrieve the contents of the response body. The label field is used to identify the check within the scan output.


Excluded Text

The “Excluded Text” scan option allows users define a set of textual patterns that will be excluded from differencing operations. These patterns are defined using regular expressions, and are applied to the scan data at comparison time, so no data is lost. Both attributes and raw files will be considered for text exclusion operations; regardless of the place of application, if applying exclusion rules results in no difference, no difference will be surfaced visually or as part of the event system.


Scan Option Variables

The following variables can be used in the scan options page to help parameter-ise queries. Variables can be used at the node and node group levels and must be used using liquid syntax.

  • node_name
  • node_environment
  • hostname
  • ipaddess
  • operatingsystem
  • osfamily