Probe Setup Guide
Deploy a Parascope Probe appliance in your network to collect infrastructure data from on-premises systems
A Parascope Probe is a lightweight virtual machine that runs inside your network. It collects configuration data from your infrastructure and sends it securely to your Parascope tenant. All credentials stay on-premises — the probe connects outbound to Parascope, never inbound.
How It Works
The probe runs as a Rocky Linux 9 VM with containerized collectors managed by Podman. After pairing with your Parascope tenant, it establishes an encrypted NATS connection to the Parascope ingestion endpoint. Data flows one way: from your infrastructure, through the probe, to your tenant.
Your Infrastructure --> Probe VM --> NATS (TLS) --> Parascope Cloud --> Your Tenant
VM Requirements
Minimum Specifications
| Resource | Minimum | Recommended |
|---|---|---|
| CPU | 2 vCPU (x86-64) | 4 vCPU |
| RAM | 4 GB | 8 GB |
| Disk | 20 GB | 40 GB |
| Network | 1 NIC with DHCP or static IP | Dedicated management VLAN |
RAM and CPU requirements scale with the number of active collectors. Each collector runs as a separate container consuming approximately 100-200 MB RAM.
Supported Hypervisors
| Hypervisor | Image Format | Import Method |
|---|---|---|
| Proxmox VE | QCOW2 | qm importdisk or UI upload |
| VMware vSphere / ESXi | OVA | Deploy OVF Template |
| KVM / libvirt | QCOW2 | virt-install --import |
| Hyper-V | QCOW2 | Convert with qemu-img convert -O vhdx |
Network Requirements
The probe requires outbound connectivity to two endpoints. No inbound ports need to be opened in your firewall.
| Destination | Port | Protocol | Purpose |
|---|---|---|---|
| ingest.parascope.io | 7422 | TCP (TLS) | Data ingestion and management (NATS LeafNode) |
| registry.parascope.io | 443 | HTTPS | Container image updates |
The probe also needs access to the infrastructure systems it will collect from (e.g., Kubernetes API servers, database endpoints, SNMP targets). These are configured per-source after pairing.
DNS: The probe needs DNS resolution for the above hostnames. If your network uses an internal DNS server, ensure it can resolve public hostnames or configure a forwarder.
Proxy: HTTP proxies are not currently supported for the NATS connection. If your network requires a proxy for outbound traffic, the probe needs a direct path to ingest.parascope.io:7422.
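The DNS, egress and proxy requirements above can be checked before deployment from a Linux host on the network segment planned for the probe. This is an added example, not Parascope tooling: the function names are hypothetical, and it assumes getent, timeout and bash are installed. It tests name resolution and TCP reachability only, not the TLS or NATS handshake.

```shell
#!/bin/sh
# Added example (not Parascope code): egress preflight for the probe's network.
# Function names are hypothetical.

# Succeeds if any proxy variable is set. The NATS connection cannot use an
# HTTP proxy, so a proxied environment still needs a direct route to port 7422.
proxy_in_use() {
    [ -n "${http_proxy:-}${https_proxy:-}${HTTP_PROXY:-}${HTTPS_PROXY:-}${all_proxy:-}${ALL_PROXY:-}" ]
}

# Succeeds if the local resolver returns an address for the name.
resolves() {
    getent hosts "$1" >/dev/null 2>&1
}

# Succeeds if a TCP connection to host $1, port $2 opens within 5 seconds.
tcp_reachable() {
    timeout 5 bash -c 'exec 3<>"/dev/tcp/$1/$2"' _ "$1" "$2" 2>/dev/null
}

# Checks every host:port argument; the return code is the number of failures.
preflight() {
    failed=0
    for ep in "$@"; do
        host=${ep%:*}
        port=${ep##*:}
        if ! resolves "$host"; then
            echo "FAIL $ep: DNS resolution"
            failed=$((failed + 1))
        elif ! tcp_reachable "$host" "$port"; then
            echo "FAIL $ep: TCP connect blocked (firewall or proxy-only egress)"
            failed=$((failed + 1))
        else
            echo "OK   $ep"
        fi
    done
    if proxy_in_use; then
        echo "NOTE proxy variables are set; port 7422 needs a direct path"
    fi
    return "$failed"
}

# Usage: sh preflight.sh ingest.parascope.io:7422 registry.parascope.io:443
if [ "$#" -gt 0 ]; then preflight "$@"; fi
```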
Deployment
Step 1: Download the Image
From your Parascope dashboard, navigate to Collectors and click Pair Probe. The first step provides download links for QCOW2 and OVA formats with SHA-256 checksums.
Alternatively, download directly from the distribution bucket:
https://hel1.your-objectstorage.com/appliance/v{version}/parascope-appliance-{version}.qcow2
https://hel1.your-objectstorage.com/appliance/v{version}/parascope-appliance-{version}.ova
Step 2: Create the VM
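Before the image is imported, check it against the SHA-256 checksum shown in the Pair Probe download step, especially when it was fetched directly from the distribution bucket. The following is an added example, not Parascope tooling: the function names are hypothetical and it assumes a Linux host with sha256sum. It also refuses to proceed when more than one image matches the wildcard that the import commands use.

```shell
#!/bin/sh
# Added example (not Parascope code). Function names are hypothetical.

# Prints the one appliance image in directory $1 with extension $2.
# Fails if none or several match: a wildcard such as
# parascope-appliance-*.qcow2 would otherwise also pick up a stale or
# unverified image lying next to the one that was checked.
single_image() {
    set -- "$1"/parascope-appliance-*."$2"
    [ "$#" -eq 1 ] && [ -f "$1" ] || return 1
    printf '%s\n' "$1"
}

# Succeeds only if file $1 hashes to the expected SHA-256 $2 (hex, any case).
# Returns 2 for unusable input and 1 for a checksum mismatch.
verify_image() {
    [ -f "$1" ] || { echo "no such file: $1" >&2; return 2; }
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    printf '%s' "$expected" | grep -Eq '^[0-9a-f]{64}$' || {
        echo "expected checksum is not 64 hex characters" >&2
        return 2
    }
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$expected" ] || {
        echo "CHECKSUM MISMATCH for $1: do not import this image" >&2
        return 1
    }
    echo "checksum OK: $1"
}

# Usage: sh verify.sh <download-dir> <qcow2|ova> <sha256-from-dashboard>
if [ "$#" -eq 3 ]; then
    img=$(single_image "$1" "$2") || {
        echo "expected exactly one parascope-appliance-*.$2 in $1" >&2
        exit 1
    }
    verify_image "$img" "$3"
fi
```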
Proxmox VE
# Upload QCOW2 to Proxmox storage
scp parascope-appliance-*.qcow2 root@proxmox:/tmp/
# Create VM (adjust VMID and storage as needed)
qm create 200 --name parascope-probe --memory 8192 --cores 4 \
--cpu x86-64-v3 --net0 virtio,bridge=vmbr0
qm importdisk 200 /tmp/parascope-appliance-*.qcow2 local-lvm
qm set 200 --scsi0 local-lvm:vm-200-disk-0 --boot order=scsi0
qm start 200
VMware vSphere
- In vSphere Client, select Deploy OVF Template.
- Browse to the downloaded OVA file.
- Assign at least 4 vCPU and 8 GB RAM.
- Select the appropriate network and datastore.
- Power on the VM.
KVM / libvirt
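# Replace {version} with the version you downloaded; the shell does not expand a wildcard inside path=...
virt-install --name parascope-probe \
--memory 8192 --vcpus 4 \
--disk path=parascope-appliance-{version}.qcow2,format=qcow2 \
--import --os-variant rocky9 \
--network bridge=br0
Step 3: First Boot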
On first boot the probe:
- Generates a unique appliance ID.
- Starts NATS in standalone mode (no external connections yet).
- Starts the agent API on ports 80 (landing page) and 8080 (API).
- Displays a console welcome screen with the probe's IP address.
Open a browser and navigate to http://{probe-ip}/ to access the onboarding wizard.
Step 4: Pair the Probe
- In your Parascope dashboard, go to Collectors and click Pair Probe.
- Copy the pairing token (valid for 24 hours).
- Paste the token into the probe's onboarding wizard.
- The probe establishes an encrypted NATS LeafNode connection to ingest.parascope.io:7422.
- Within 60 seconds the probe appears in your fleet dashboard.
After pairing, the probe API requires an API key for all requests. The key is generated during pairing and displayed once — store it securely.
Step 5: Configure Sources
With the probe paired, add data sources through the Parascope dashboard:
- Navigate to Collectors and select your probe.
- Click Add Source and choose the collector type (e.g., Kubernetes, PostgreSQL).
- Enter connection details and credentials. Credentials are encrypted at rest on the probe using AES-256-GCM.
- The collector starts automatically and begins its first collection cycle.
Security
The probe is hardened following CIS Level 1 benchmarks for Rocky Linux 9:
- SELinux enforcing mode
- Firewall default-deny (drop zone), only ports 22, 80, 8080 open
- SSH key-only authentication, no root login, no password auth
- Credentials encrypted at rest (AES-256-GCM with Argon2id key derivation)
- Audit logging for privileged commands and configuration access
- Unnecessary services disabled (avahi, cups, rpcbind, NFS, etc.)
Break-Glass Access
An ops user with SSH key access is available for emergency diagnostics. This user has restricted sudo permissions limited to read-only diagnostic commands (journalctl, systemctl status, podman logs, etc.).
Operational Notes
Boot Time
The probe boots and reaches a healthy agent state in under 90 seconds.
Disk Usage
The base image is approximately 2 GB compressed. Each collector container image adds 50-200 MB. Log retention is 24 hours with a 10 MB cap. Plan for 20-40 GB total disk depending on the number of active collectors.
Reboot Recovery
On restart, the probe automatically:
- Unlocks the credential vault (via escrowed key from the control plane)
- Restarts all enabled collectors
- Resumes heartbeat reporting
If the control plane is unreachable, the vault remains locked. Use the emergency passphrase (provided during initial setup) to unlock manually via the agent API.
Re-Pairing
To reset a probe and pair it with a different tenant:
- SSH into the probe as ops.
- Call:
  curl -X POST http://localhost:8080/api/agent/settings/repair -H "X-API-Key: $(curl -s http://localhost:8080/api/agent/key | jq -r .agent_api_key)"
- Reboot the VM. Previous credentials are purged.
- Pair again with a new token.