What is a ControlUp Monitor?
The ControlUp Monitor is a windows service that you install on a Windows Server machine dedicated for running the monitor. The monitor is responsible for continuous monitoring of your virtual environment. The specific number of monitors that you need to deploy in ControlUp varies according to the size of the environment that you need to monitor and manage.
You can use the monitor to:
- Set up automated actions to remediate issues as soon as they appear.
- Analyze historical data in your environment using ControlUp Insights or the Solve web console.
- Monitor and manage your environment using the Solve web console.
Running a ControlUp Monitor offers the following features to enable the continuous monitoring of your environment:
- Monitoring external resources. A continuous process which doesn't require the ControlUp Console to run. Multiple monitor instances automatically provide mutual cluster, load balancing, backup, and high availability for monitoring.
- Incident alerts. You can configure monitors to alert ControlUp users about incidents that can't be detected by the console. For example, only the monitor records Computer Down incidents, since detection of them requires continuous monitoring.
- Export Schedule. You can configure the monitor to export data tables to a disk in CSV format for further analysis. The Export Schedule process runs in the background and ensures continuous logging, which could otherwise be executed using the console.
- Retrieving data from data collectors. The monitor connects to each data collector in your organization at frequent intervals to gather detailed real-time information about the status of each data source. For more information about data collectors, see ControlUp Data Collector.
- Aggregating collected data. The monitor organizes collected data from different sources that relate to the same entities in order to upload the data to Insights and Solve. Similar to the Real-Time Console where data is displayed in the grid, the monitor caches the data locally on the monitor machine.
- Processing aggregated data. The monitor analyzes the aggregated data in order to identify resources under stress and incidents that should trigger notifications or other automated actions. It then activates the relevant triggers and sends the aggregated data, and the information it extracted from that data about stress levels and detected incidents, to all open consoles.
- Uploading collected data to Insights. If your organization uses Insights to store and analyze historical data, the monitor uploads the aggregated data to our cloud-hosted Insights platform and for exporting activity files to Insights On-Premises. Before relaying data to Insights, the monitor reduces it to a manageable size by decreasing the resolution and calculating average values for each data point.
- Using Shared Credentials. The monitor allows you to set a Shared Credential to login to configured hypervisors, virtual desktop infrastructures (VDI), cloud, or Citrix ADC connections.
- Automated Actions. The monitor executes automation features by running Automated Actions. Automated Actions (AAs) are scripts that you configure to run automatically as follow-up actions of triggers. Use AAs to remediate issues as soon as they appear.
How many Monitors should you Deploy in your Organization?
Small or medium organizations with less than the maximum supported capacity per a single monitor node (e.g. less than 400,000 processes organization-wide) of managed machines and other resources typically require only one monitor. This type of deployment is especially useful if all of the managed resources are at the same location. In such organizations, a second monitor can be deployed to serve as a backup for the primary monitor and to ensure high availability.
Large organizations, or those with multiple data centers in different regions, must deploy additional monitors. We recommend to deploy about one monitor node up to the maximum supported volume of 400,000 processes, with an additional node per site for backup and high availability.
To support a large organization, you can use the Monitor Cluster feature to enable multiple ControlUp Monitors to work together to monitor a single organization.
Large organizations with more than 5,000 monitored resources or multiple sites require multiple monitors, with at least one monitor deployed at each site. You can add as many monitors to your organization as necessary, and they will be automatically configured to work together as a cluster.
For more information about deploying multiple monitors, see Introduction to ControlUp Monitor Clusters in v8.
Before you install a monitor, choose a physical or virtual machine that is correctly sized for your organization's needs and the size of your environment. Make sure the machine you choose is dedicated to only running the ControlUp Monitor service and that you have RPC access to the machine.
To view sizing recommendations for your monitor, see Sizing Guidelines.
Installing the Monitor
After you verify the prerequisites of the monitor machine, users with the Manage Monitor permission can install a monitor from the Real-Time Console. You use the ControlUp Monitor Installation Wizard to guide yourself through the process to install and configure the monitor instance. Use the wizard to select a machine from one of your managed domains to serve as your monitor machine.
By default, the monitor service listens on TCP port 40706, which you can customize in the wizard. After you verify the prerequisites, all the files required for the installation are copied to the selected machine and a ControlUp Monitor Windows service appears.
After you install the service, ControlUp opens the Sites and Monitors - Configuration Wizard that collects all the required information to configure and start the monitor service.
The Domain Identity page of the wizard offers to import your currently saved credentials for the monitor service to use. If you agree, your current list of AD Connections and Credentials Store imports. If you connect to more than one AD domain, you must choose one of the connections as the primary connection. If you decline to import your saved credentials, you are prompted to create at least one set of valid AD credentials for the monitor instance to use when connecting to your resources.
Service Account Credentials
The monitor service requires valid credentials to establish connections with all of your managed machines. It is also responsible for deploying ControlUp Agents to the managed machines, in case they have no agent installed. By default, the ControlUp Monitor service is configured to start using the Network Service account, which is not sufficient for administrative connections to your managed machines. In addition, if your organization includes several Active Directory domains, the monitor requires valid administrative credentials to access all these domains.
We recommend that you create a dedicated service account for the monitor in each of your Active Directory domains. This account requires:
- Allow Log on as a Service permission, and for full functionality, should have the Allow log on locally permission (and not the Deny log on locally permission). You should set this permission on all machines running the monitor service under Windows Group Policy Management Settings in Local Policies/User Rights Assignment.
The Allow log on locally option is needed for the following tasks that require impersonation (local logon) when writing to the disk (local or remote):
- To use the Export Schedule feature which writes a CSV file to disk.
- To deploy agents to machines if the Deploy agents automatically option is selected in Agent Deployment Settings. This is because the monitor acts as a UI-less console when deploying agents automatically.
- For on-prem environments to write activity files to the disk.
If you are sure that you won't use any of these features and prefer not to allow log on locally, you can assign Allow Log on as a Service. If you aren't sure, set as recommended or contact firstname.lastname@example.org.
- Local administrator permissions on all managed machines. Required only if your monitor is expected to deploy agents to systems.
- Modify permissions on the directory to schedule data exports. For more details, see below.
- Shared Credentials Store. ControlUp allows managing credentials centrally so all authorized users can use shared credentials sets. This enables for more streamlined management of credentials, and a quicker onboarding process for new users that doesn't require them to know the service usernames and passwords.
Note that the Shared Credentials permission is set by the roles in the Security Policy Panel.
Local Admins and Organization Members roles aren't allowed to manage the Shared Credentials store, you must create a new role.
The bottom of the Domain Identity page hosts the credentials saved with the monitor instance in order to enable it to connect to your virtualization infrastructure. To monitor virtualization hosts, ControlUp requires consoles and monitors to use the same credentials. Optionally, to enable continuous monitoring of the virtualization hosts using the monitor, use the page to save the same service account credentials used by other ControlUp users in your organization to connect to your hosts.
However, if you don't provide credentials for hypervisor connections, the monitor can't connect to the hypervisor infrastructure. For more information on monitoring virtualization hosts with ControlUp, see Connect to Your Hypervisors.
If you have multiple domains, you can add them all to your monitor and use a monitor service account in each domain. Note that you must set a primary domain. The primary domain is the domain that was used to create your ControlUp organization.
You can select the type of ControlUp login for your monitor instance. If your organization logs in to ControlUp online, leave the default online option selected. In this case, ControlUp will automatically create a new ControlUp user account for your monitor instance.
If your organization uses ControlUp On-Premises (COP), your ControlUp Monitor requires a COP license file, just like a regular ControlUp user.
Optionally, in the Proxy tab, you can configure the proxy settings that the monitor requires to connect to login online. Note that if the monitor is installed in a network subnet that differs from your administrative workstation, the required proxy settings might be different from the ones used on your machine. You can use different proxy settings for each site.
NTLM-based authentication to proxy servers isn't supported.
If you face connectivity issues to our cloud servers, or lost historical data, see Communication Ports Used By ControlUp: Hybrid Cloud.
Optionally, in the Export Schedule tab, you can configure the Export Schedule feature to allow ControlUp to record any activity displayed in the My Organization pane. Add export rules if you need your monitor export real-time data in comma-delimited logfiles that you can use to create reports.
If your ControlUp Console is already configured to export data on a scheduled basis, the Monitor Configuration Wizard will offer you to move your export rules from your personal settings to the ControlUp Monitor. If you choose to agree, the monitor service starts exporting the data instead of your console, eliminating the need to keep a console open in order to produce data reports. You can configure additional export rules for the monitor.
In order to use the Export Schedule feature, you must configure the export path for the CSV files, as well as a credentials set that is sufficient for the monitor to write files to that directory. The export path can be either a local or a UNC path. If you configure the Delete files older than… option to delete old files, the configured account also requires permission to delete files in the directory.
Solve uses the ControlUp Monitor to retrieve data from your data sources. This dialog links to the Solve web interface where you can configure SAML SSO. To learn how to setup Solve SAML SSO, see SAML SSO for Solve.
On-Premises Monitor Backup
In an on-premises environment, the ControlUp Monitor creates Activity Files for the Insights On-Premises (IOP) appliance. This screen allows you to define intervals for backing up IOP activity files on the monitor machine's local hard drive, simplifying the update process of Insights On-Premises.
ControlUp supports sending email alerts using a user-provided SMTP server, which is useful for customers who can't or prefer not to utilize the built-in cloud alerting service. To route alert messages to a custom SMTP server, you must configure the monitor service with the server name or IP, sender details, and credentials.
If you don't enter any information in the SMTP Settings tab of the wizard, incident triggers using the Send an email alert using a local SMTP server follow-up action will fail to generate email alerts.
You can configure the monitor to regulate information updates from the agents. Use the Advanced Settings tab of the wizard to optimize resource consumption by the monitor machines.
For more information about regulating information updates and its impact on the performance of ControlUp, see Advanced Monitor Settings.
After you initially install and configure a monitor, the Choose Servers tab is available in the ControlUp Monitor Installation Wizard. You can use it to configure a TCP listening port for the ControlUp Monitor service. The default port is 40706.
The monitor is similar to the console, acting like a client that connects to a listening TCP port (40705 by default) on the managed machines. The monitor listens on port 40706 only to allow other installed consoles in your organization to receive status updates and to display the status of the monitor in the Real-Time Console.
The monitor doesn't use port 40706 to communicate with managed machines.
For more information about communication ports used by ControlUp, see Communication Ports Used By ControlUp: Hybrid Cloud for hybrid cloud environments, or Communication Ports Used by ControlUp On-Premises Mode for on-premises deployments.