Install Upwind Sensor on Hosts (VMs)
Overview
This topic describes how to install an Upwind Sensor on a Linux host (VM), such as an Amazon EC2 instance, Google Cloud Compute instance, Microsoft Azure VM, Oracle Compute instance or an on-premise VM.
This topic assumes the following criteria are met:
- You have already connected the cloud account where the Host is hosted to Upwind. If you haven't, please follow the Connect a Cloud Account page.
Step 1: Generate Client Credentials
This step is relevant only if you want to create new client credentials. If you already have client credentials, you can skip this step.
Assuming you have already connected your cloud account to Upwind, you will need to generate client credentials to allow the Upwind Sensor to communicate with the Upwind platform. The credentials can be generated as part of the host connection process.
Alternatively, you can generate it in the Upwind Console, under Client Credentials . After you have generated the client credentials, note down the UPWIND_CLIENT_ID and UPWIND_CLIENT_SECRET fields.
Note that once saved you will not be able to view the UPWIND_CLIENT_SECRET again, so make sure to save it in a secure location.
Step 2: Verify the Upwind Sensor Installation Script
Before installing the Upwind Sensor, validate the integrity of the sensor.sh installation script using SHA256 checksum provided by Upwind. This ensures that the script has not been tampered with.
This step is optional, but we recommend doing this to verify the integrity of the installation script and ensure that the downloadable assets have not been altered or corrupted since they were published.
-
Generate the checksum. Read the script and pass it through the
sha256sumutility to create the SHA256 checksum. Alternatively, you can download the file first and then runsha256sumon it.- Command
- Example output
Execute the following command to generate the checksum:
curl -fsSL https://get.upwind.io/sensor.sh | sha256sumThe command will output a checksum similar to the following:
9eaea8877f984b2ff085b4936f82402be59c771f6a44b4aae6fee447022ca200 - -
Compare with the provided checksum. Retrieve the official checksum from the accompanying
.sha256file and compare it with the generated checksum. If the checksums match, then it is safe to run the installation script. If the checksums do not match, do not run the installation script, and contact Upwind Support.- Command
- Example output
Execute the following command to retrieve the official checksum:
curl -fsSL https://get.upwind.io/sensor.sh.sha256The official checksum will look like this:
9eaea8877f984b2ff085b4936f82402be59c771f6a44b4aae6fee447022ca200
Step 3: Install Upwind Sensor
This describes the simplest way to install the Upwind Sensor on a host. For more advanced installation options and configurations, see the Configuration page.
Examples of advanced configurations include requiring a proxy server, turning off or configuring the Scanner, not allowing access to Instance Metadata Service (IMDS), and more...
Provide Client Credentials
There are two ways to provide your client credentials to the Sensor: as environment variables, or in the Sensor configuration file. Note that the Debian and RPM package installations only support the Configuration File approach.
- Environment Variables
- Configuration File
Export the credentials from Step 1 on the host before running the installer. The install command below will pick them up automatically.
The leading space before each export keeps the credentials out of shell history, but only when the shell is configured to ignore space-prefixed commands — HISTCONTROL=ignorespace (bash; default on most distros) or HIST_IGNORE_SPACE (zsh). If neither applies, use the Configuration File approach instead.
# Upwind Client Credentials
export UPWIND_CLIENT_ID="<redacted>"
export UPWIND_CLIENT_SECRET="<redacted>"
Create the Sensor configuration directory and add your credentials before running the installer:
sudo mkdir -p /etc/upwind
sudo vi /etc/upwind/agent.yaml
# Upwind Agent Configuration
log-level: info
platform: host
auth-client-id: "<CLIENT_ID>"
auth-client-secret: "<CLIENT_SECRET>"
The file contains your client secret, so restrict it to root only:
sudo chmod 600 /etc/upwind/agent.yaml
Run the Installer
- Automatic (Recommended)
- Debian
- RPM
- Standard
- BYOC
Execute the following command on the host to download and install the Upwind Sensor:
curl -fsSL https://get.upwind.io/sensor.sh | bash -s
For a BYOC deployment, also export the cloud account details before running the installer:
# BYOC Configuration
export UPWIND_AGENT_CLOUD_PROVIDER="byoc"
export UPWIND_AGENT_CLOUD_ACCOUNT_ID="byoc-${ACCOUNT_ID}"
export UPWIND_AGENT_ZONE="byoc-${LOCATION}"
Then execute the install command:
curl -fsSL https://get.upwind.io/sensor.sh | bash -s
UPWIND_AGENT_CLOUD_PROVIDER, UPWIND_AGENT_CLOUD_ACCOUNT_ID, and UPWIND_AGENT_ZONE will be specific to the BYOC cloud account you configured when connecting your BYOC account in the Upwind console. It's essential to set these accurately to reflect your specific setup and ensure the sensor's correct operation within your cloud environment.
These three values can alternatively be placed in /etc/upwind/agent.yaml as cloud-provider, cloud-account-id, and zone — the same keys shown in the Debian and RPM tabs.
The Debian package requires credentials to be set via the Configuration File approach in Provide Client Credentials above.
Download and install the package:
curl -fsSL https://get.upwind.io/scripts/get-package.sh | bash -s deb
sudo dpkg -i upwind-agent_${version}_amd64.deb
For a BYOC deployment, add the cloud account details to /etc/upwind/agent.yaml before starting the Sensor:
cloud-provider: byoc
cloud-account-id: byoc-${ACCOUNT_ID}
zone: byoc-${LOCATION}
Replace ${ACCOUNT_ID} and ${LOCATION} with the Account ID and Location you provided when connecting your BYOC account.
Start the Sensor service:
sudo systemctl enable upwind-agent.service
sudo systemctl start upwind-agent.service
sudo systemctl enable upwind-agent-scanner.timer
sudo systemctl start upwind-agent-scanner.timer
The deb package enables the scanner service by default. To disable the scanner, run:
sudo systemctl disable upwind-agent-scanner.timer
The RPM package requires credentials to be set via the Configuration File approach in Provide Client Credentials above.
Download and install the package:
curl -fsSL https://get.upwind.io/scripts/get-package.sh | bash -s rpm
sudo rpm -i upwind-agent-${version}-1.x86_64.rpm
For a BYOC deployment, add the cloud account details to /etc/upwind/agent.yaml before starting the Sensor:
cloud-provider: byoc
cloud-account-id: byoc-${ACCOUNT_ID}
zone: byoc-${LOCATION}
Replace ${ACCOUNT_ID} and ${LOCATION} with the Account ID and Location you provided when connecting your BYOC account.
Start the Sensor service:
sudo systemctl enable upwind-agent.service
sudo systemctl start upwind-agent.service
sudo systemctl enable upwind-agent-scanner.timer
sudo systemctl start upwind-agent-scanner.timer
The RPM package enables the scanner service by default. To disable the scanner, run:
sudo systemctl disable upwind-agent-scanner.timer
It is possible to deploy the Upwind Sensor on a host using the cloud deployment tools, such as Azure Run Command, AWS Systems Manager, or Google Cloud Patch Manager. For more information, see the Cloud Deployment Tools page.
Step 4: Validate the Installation
It is recommended to validate that the Upwind Sensor is running correctly on the host.
Run the following command to check the Sensor status:
sudo systemctl status upwind-agent
The output should show that the Upwind Sensor is active and running.
Troubleshooting
Read the Troubleshooting guide for more information on how to troubleshoot the Upwind Sensor installation.