Core Operations

Host Management

Deploy agents, manage host inventory, control services and processes, run diagnostics, and organize hosts into groups for policy targeting.

Technical Manual
Status: Available

Prerequisites

  • Role with hosts.view (read-only) and hosts.manage (write) permissions
  • At least one organization configured with an org secret (see Accounts, Orgs & Locations)
  • Agent binary for your target platform (Go agent >= 1.7.0 recommended; the Legacy C agent is supported for older Windows)

Deploying an agent

The SPOG agent runs on each managed host. It handles registration, heartbeat, host info collection, and job execution.

Step 1: Get the organization secret

  1. Navigate to Settings > Organizations.
  2. Copy the organization secret for the target org. This is needed for agent configuration.

Step 2: Install the agent

Linux (Go agent)

curl -O https://your-server/downloads/spog-agent-linux-amd64
chmod +x spog-agent-linux-amd64
sudo ./spog-agent-linux-amd64 --install \
  --server-url https://your-server \
  --org-secret YOUR_ORG_SECRET

Windows (Go agent)

Run the Inno Setup installer. Enter the server URL and org secret when prompted. The agent installs as a Windows service named SPOGAgent.

macOS (Go agent)

curl -O https://your-server/downloads/spog-agent-darwin-amd64
chmod +x spog-agent-darwin-amd64
sudo ./spog-agent-darwin-amd64 --install \
  --server-url https://your-server \
  --org-secret YOUR_ORG_SECRET

Windows Legacy (C agent)

Run the legacy installer for Server 2003+ / XP SP2+. Service name: SPOGLegacyAgent. Configuration file: config.ini (INI format).

Step 3: Verify registration

After installation, the agent performs the following automatically:

  1. Generates a unique agent_id (stored in /var/lib/spog-agent/agent_id on Linux, %ProgramData%\SPOGAgent\agent_id on Windows).
  2. Registers with the backend, sending hostname, OS info, and network interfaces.
  3. Generates an Ed25519 keypair and registers the public key (Go agent only -- used for cryptographic request signing).
  4. Begins the heartbeat loop (~60s interval) and host info collection (~300s interval).

The host should appear on the Hosts page within 60 seconds of installation.

Viewing and filtering hosts

Navigate to Hosts to see all hosts in your accessible organizations. Use filters to narrow the list.

  • Organization: Dropdown filter to show hosts from a specific organization.
  • Location: Filter within the selected organization by location.
  • Status: online or offline. Based on whether the agent is currently connected.
  • Health: healthy (heartbeat < 5 min), unhealthy (5 min - 7 days), stale (> 7 days), unknown (never reported).
  • OS Type: linux, windows, darwin, or freebsd.

Host detail tabs

Click a host to open the detail page. Information is organized into tabs.

| Tab | Content |
|---|---|
| Summary | OS info, hardware details (serial, BIOS, CPU speed), agent version, last heartbeat, health status |
| Network | Network interfaces, IP addresses, MAC addresses, DNS configuration |
| Services | Running services with status and startup type. Actions: start, stop, restart, enable, disable |
| Processes | Running processes with PID, CPU%, memory usage. Action: kill process |
| Users | Local user accounts with admin status, last login, password expiry |
| Groups | Local groups with members (useful for SOX audits) |
| Patches | Installed patches with KB/package ID and installation date |
| Software | Installed software inventory with version information |
| Events | System event logs (Windows Event Log / syslog / journald) |
| Security | Firewall status, antivirus detection, disk encryption status |
| Drives | Storage volumes with capacity and usage percentages |
| Startup | Autostart programs (registry entries, systemd units, cron jobs) |

Service and process control

Control actions create jobs that are dispatched to the agent and executed on the host. All control actions require hosts.manage permission.

Service control

  1. Open the host detail page and navigate to the Services tab.
  2. Find the target service in the list.
  3. Click the action button: Start, Stop, Restart, Enable, or Disable.
  4. A critical priority job is created and dispatched to the agent.
  5. The agent executes systemctl (Linux) or sc.exe (Windows).
  6. Results appear in the Jobs view. Service status updates on the next host info collection.

Process control

  1. Open the host detail page and navigate to the Processes tab.
  2. Find the target process in the list.
  3. Click Kill.
  4. A critical priority job is created. The agent sends SIGTERM/SIGKILL (Linux) or TerminateProcess (Windows).

User and group management

Manage local user accounts and groups on remote hosts. All actions create critical priority jobs.

| Action | Description |
|---|---|
| Create user | Create a local account with username, password, and optional admin flag |
| Delete user | Remove a local account from the host |
| Enable/Disable user | Toggle account active status |
| Reset password | Set a new password for a local account |
| Create/Delete group | Manage local groups on the host |
| Add/Remove member | Change group membership for local accounts |

Network diagnostics

Run network diagnostics from the host's perspective -- inside the customer network. The backend is cloud-hosted SaaS and cannot reach into customer infrastructure directly. Diagnostics create high priority jobs.

| Diagnostic | Description |
|---|---|
| Ping | ICMP ping to a target host or IP address |
| Traceroute | Network path trace to a target |
| DNS Lookup | nslookup/dig for hostname resolution |
| Netstat | List listening ports and established connections |
| Port Check | TCP connection test to a specific host:port |

  1. Open the host detail page and locate the diagnostic panel.
  2. Select the diagnostic type (ping, traceroute, etc.).
  3. Enter the target address or hostname.
  4. Click Run. A high-priority job is dispatched to the agent.
  5. View the result in the Jobs tab once the agent completes execution.

Host groups

Host groups organize hosts for policy targeting, maintenance windows, patch ring sets, and script execution. Groups are org-scoped and support parent-child hierarchy.

Creating a group

  1. Navigate to Host Groups > Create Group.
  2. Enter the group name and select the organization.
  3. Optionally select a parent group for hierarchical organization.
  4. Click Save.

Adding members

  1. Open the group detail page.
  2. Click Add Members and select hosts from the available list.
  3. Alternatively, use bulk operations on the Hosts page to assign multiple hosts to a group at once.

Where groups are used

  • Maintenance windows — schedule patching and automation within specific time windows
  • Patch ring sets — define canary, early adopter, and broad deployment rings
  • Policy overrides — apply specific configurations to a subset of hosts
  • Script execution — target script runs to specific groups
  • Service group tiers — each tier in a service group IS a host group

Service groups

Service groups enable coordinated, tier-ordered patching of dependent servers. Use them when you need to patch infrastructure in a specific order (e.g. web servers before app servers before databases).

Creating a service group

  1. Navigate to Service Groups > Create Group.
  2. Enter a name and description for the service group.
  3. Click Save.

Adding tiers

Tiers process in order: Tier 0 patches first, then Tier 1, then Tier 2, and so on.

  1. Open the service group detail page.
  2. Click Add Tier.
  3. Select an existing host group to assign to this tier (each tier IS a host group).
  4. Configure tier settings: max concurrent hosts, success gate percentage, and optional pre/post scripts.
  5. Repeat for additional tiers in dependency order.

  • Success gate: Percentage of tier hosts that must succeed before the next tier starts. Set to 100% for strict ordering.
  • Max concurrent: How many hosts can patch simultaneously within the tier.
  • Pre-script: Drain or shutdown script that runs before patching. Overrides the deployment-level pre-script for hosts in this tier.
  • Post-script: Startup or health-check script that runs after patching. Overrides the deployment-level post-script.

Service groups in deployments: When added to a patch deployment ring, service group hosts are never used as canary hosts -- the tier ordering IS the validation mechanism. If a tier fails its success gate, the deployment pauses.
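
The tier ordering and success gate described above, simulated as an added example (this is not the platform's code). The Tier record, its field names, the inclusive gate comparison, the treatment of an empty tier, and the sample hosts are assumptions made for illustration.

```python
# Added example (not the platform's code): walk a service group's tiers in
# order and pause at the first tier that misses its success gate.
from dataclasses import dataclass
from typing import Callable, Dict, List

@dataclass
class Tier:                      # assumed shape; field names are illustrative
    host_group: str
    hosts: List[str]
    success_gate_pct: float      # % of tier hosts that must succeed
    max_concurrent: int          # hosts patched in the same batch

def run_service_group(tiers: List[Tier], patch: Callable[[str], bool]) -> Dict:
    """Patch Tier 0, then Tier 1, ...; pause when a tier misses its gate.
    `patch` stands in for the real patch job and returns True on success."""
    results: Dict[str, bool] = {}
    batches: List[List[str]] = []
    for index, tier in enumerate(tiers):
        for start in range(0, len(tier.hosts), tier.max_concurrent):
            batch = tier.hosts[start:start + tier.max_concurrent]
            batches.append(batch)
            for host in batch:
                results[host] = patch(host)
        ok = sum(results[h] for h in tier.hosts)
        # Assumptions: an empty tier passes and the gate is inclusive (>=).
        pct = 100.0 * ok / len(tier.hosts) if tier.hosts else 100.0
        if pct < tier.success_gate_pct:
            return {"status": "paused", "failed_tier": index,
                    "success_pct": pct, "results": results, "batches": batches}
    return {"status": "completed", "failed_tier": None,
            "success_pct": None, "results": results, "batches": batches}

# Constructed sample: web -> app -> db, strict gates, one app host fails.
SAMPLE_TIERS = [
    Tier("web", ["web1", "web2", "web3"], 100, 2),
    Tier("app", ["app1", "app2", "app3", "app4"], 100, 2),
    Tier("db", ["db1", "db2"], 100, 1),
]

def sample_patch(host: str) -> bool:
    return host != "app2"        # constructed failure on app2

if __name__ == "__main__":
    out = run_service_group(SAMPLE_TIERS, sample_patch)
    print(out["status"], "at tier", out["failed_tier"], f"{out['success_pct']}%")
    print("never patched:", [h for t in SAMPLE_TIERS for h in t.hosts
                             if h not in out["results"]])
```

With the strict 100% gate the run pauses at the app tier and the database hosts are never touched; lowering that tier's gate to 75% lets the same failure through to the db tier.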

Feature flags (kill switch)

Remotely enable or disable specific agent features for compliance and security. Requires settings.manage permission.

| Feature | Controls |
|---|---|
| terminal | Remote console / SSH access |
| file_browser | Remote file browsing and operations |
| remote_desktop | Remote desktop sessions |
| script_execution | Script and command execution via jobs |

  • Account-wide: Leave the organization field empty to disable a feature for all orgs in the account.
  • Org-specific: Select a specific organization to target the flag. Org-specific flags override account-wide flags.
  • Default: No flag means the feature is enabled. Delete a flag to revert to default behavior.
  • Agent enforcement: Disabled features are communicated to the agent during heartbeat. The platform also blocks connections for disabled features.
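
The precedence rules above, worked through as an added example (this is not the platform's code). The Flag record shape, including a flag carrying an explicit enabled state, and the org names are assumptions. The second function lists the organizations where an org-specific flag re-enables a feature that is disabled account-wide, which is the case to review when auditing the kill switch.

```python
# Added example (not the platform's code): resolve the effective state of an
# agent feature from kill-switch flags, using the precedence described above.
from dataclasses import dataclass
from typing import Iterable, Optional

FEATURES = ("terminal", "file_browser", "remote_desktop", "script_execution")

@dataclass(frozen=True)
class Flag:                      # assumed record shape, not the platform's schema
    feature: str
    enabled: bool
    org: Optional[str] = None    # None = account-wide flag

def effective(flags: Iterable[Flag], org: str, feature: str) -> bool:
    """Org-specific flag wins, then account-wide, then the default (enabled)."""
    if feature not in FEATURES:
        raise ValueError(f"unknown feature: {feature}")
    account_wide = None
    for flag in flags:
        if flag.feature != feature:
            continue
        if flag.org == org:
            return flag.enabled
        if flag.org is None:
            account_wide = flag.enabled
    return True if account_wide is None else account_wide

def reenabled_by_override(flags, orgs):
    """(org, feature) pairs where an org flag re-enables a feature that is
    disabled account-wide: the cases an account-level kill switch misses."""
    flags = list(flags)
    off = {f.feature for f in flags if f.org is None and not f.enabled}
    return sorted((o, feat) for o in orgs for feat in off
                  if effective(flags, o, feat))

# Constructed sample: two features off account-wide, "lab" re-enables terminal.
SAMPLE_FLAGS = [
    Flag("terminal", False),
    Flag("script_execution", False),
    Flag("terminal", True, org="lab"),
    Flag("file_browser", False, org="finance"),
]
SAMPLE_ORGS = ["finance", "lab", "retail"]

if __name__ == "__main__":
    for org in SAMPLE_ORGS:
        on = [f for f in FEATURES if effective(SAMPLE_FLAGS, org, f)]
        print(f"{org}: enabled = {on}")
    print("re-enabled:", reenabled_by_override(SAMPLE_FLAGS, SAMPLE_ORGS))
```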

Bulk operations

On the Hosts page, select multiple hosts via checkboxes to perform bulk actions.

  • Run Script — execute a script on all selected hosts
  • Assign Group — add selected hosts to a host group
  • Assign Fingerprint Policy — set the fingerprint policy for selected hosts

Permissions

| Permission | Allows |
|---|---|
| hosts.view | View hosts, host details, host groups, service groups, agent stats, certificates |
| hosts.manage | Create/update/delete hosts. Service, process, user, and group control. Network diagnostics. Manage host groups and service groups. Agent unregistration. Certificate sync. |

Troubleshooting

| Symptom | Cause | Fix |
|---|---|---|
| Agent not appearing after install | Registration failed | Check org secret in agent config. Check agent logs. Verify server URL is reachable from the host. |
| 422 error on registration | Duplicate agent_id | Delete /var/lib/spog-agent/agent_id (Linux) or %ProgramData%\SPOGAgent\agent_id (Windows) and restart the agent. |
| 401 on agent requests | Bad org secret | Verify organization_secret in agent config matches the org secret in Settings. |
| Host shows "unknown" health | Never received heartbeat | Check agent is running (systemctl status spog-agent). Verify firewall allows HTTPS to the server. |
| Host shows "stale" | No heartbeat for > 7 days | Agent likely stopped or host powered off. Check agent process and network connectivity. |
| Host info not updating | Category hashes unchanged | Agent only sends changed data (differential sync). If data truly changed, check agent version. |
| Service control fails | Agent offline or insufficient privileges | Verify agent heartbeat is recent. Check agent runs as root/SYSTEM. |
| 500 DB error on agent registration | Missing database migration | Contact your platform administrator to apply pending database migrations. |