For most deployments, installation requires only a few commands. The following steps are sufficient to get OpenGard running as a production service:
/opt/opengard on Linux, C:\OpenGard on Windows).
./OpenGard --config install to initialize directories, the HTTPS certificate, and default accounts.
sudo ./OpenGard --config create-service, then sudo ./OpenGard --config start-service.
https://localhost:7158 in your browser and log in as admin / admin.

Full details — including prerequisites, configuration options, service setup, and troubleshooting — are covered in the sections below.
OpenGard is published as a self-contained executable - no dependencies are required. All you need is:
For any other platform, download the platform-independent package; you'll need to install .NET 10 as a prerequisite.
Linux:
mkdir -p /opt/opengard && cd /opt/opengard
tar -xzf opengard-linux-x64.tar.gz
/opt/opengard (or another directory outside /root/).
On distributions with SELinux enabled (RHEL, AlmaLinux, CentOS, Fedora), running from /root/ or other restricted
directories may cause permission errors. The /opt/ directory is accessible to system services by default and avoids these issues.
Windows: Extract the zip to any folder, e.g. C:\OpenGard.
chmod +x ./OpenGard
The install command creates runtime directories, generates a self-signed HTTPS
certificate, and initializes the databases with default users.
Linux:
./OpenGard --config install
Windows:
OpenGard.exe --config install
The install command is idempotent - running it again will skip steps that are already complete.
Linux:
./OpenGard
Windows:
OpenGard.exe
With this method, the server will stop when the terminal session ends. It is recommended to set up OpenGard as a service (see Running as a System Service below).
Navigate to https://localhost:7158.
runtime_data/opengard.pfx with a certificate issued by a trusted CA
and update the password in appsettings.json under Kestrel.Certificates.Default.
If the server is running but you cannot access it from a browser, verify the following:
https:// in the URL
OpenGard listens on HTTPS by default. Make sure the browser address starts with
https:// and not http://. For example:
https://your-server-ip:7158
Most Linux distributions block incoming traffic by default. Allow port 7158 through the firewall:
firewalld (RHEL, CentOS, AlmaLinux, Fedora):
sudo firewall-cmd --add-port=7158/tcp --permanent
sudo firewall-cmd --reload
ufw (Ubuntu, Debian):
sudo ufw allow 7158/tcp
If the firewall is open but the site still does not load, SELinux may be blocking the connection.
The most common cause is running OpenGard from a restricted directory such as /root/.
Move it to /opt/opengard instead:
sudo mv /root/opengard /opt/opengard
cd /opt/opengard
If moving to /opt/ does not resolve the issue, temporarily set SELinux to permissive mode to verify:
sudo setenforce 0
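If this resolves the issue, you can make the change permanent by editing
/etc/selinux/config and setting SELINUX=permissive,
or by creating a targeted SELinux policy to allow OpenGard.
Permissive mode applies to the whole host, not only to OpenGard, so the targeted policy is the option that keeps SELinux enforcing for everything else.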
It is essential to run OpenGard as a service so the operating system can manage its execution and ensure continuous availability.
Before starting OpenGard as a service, ensure any running instance that may be using its port is stopped.
Run the create-service command to register OpenGard as a service automatically:
Linux:
# Requires sudo for writing to /etc/systemd/system/
sudo ./OpenGard --config create-service
# Start the service
sudo ./OpenGard --config start-service
# or: sudo systemctl start opengard
# Check status
sudo systemctl status opengard
Windows (run as Administrator):
OpenGard.exe --config create-service
# Start the service
OpenGard.exe --config start-service
# or: sc.exe start OpenGard
You can also manage the Windows service via services.msc.
The command is idempotent — it will skip creation if the service already exists.
Create /etc/systemd/system/opengard.service (adjust paths and user/group to match your environment):
[Unit]
Description=OpenGard Database Audit Server
After=network.target

[Service]
Type=simple
User=your-username
Group=your-group
WorkingDirectory=/opt/opengard
ExecStart=/opt/opengard/OpenGard
Restart=on-failure
RestartSec=10
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target
your-username and your-group with the Linux user and group that owns
the OpenGard installation directory. The service must run as a user with read/write access to the
runtime_data/ directory.
Then enable and start:
sudo systemctl daemon-reload
sudo systemctl enable opengard
sudo systemctl start opengard
Open an Administrator command prompt and run:
sc.exe create OpenGard binPath="C:\OpenGard\OpenGard.exe" start=auto
sc.exe start OpenGard
Upon a fresh installation, OpenGard is configured with the following default credentials:
| Username | Password | Role | Description |
|---|---|---|---|
| admin | admin | Admin | Full access to all features: configuration, monitoring, system health, and user management. |
| viewer | viewer | Viewer | Read-only access to monitoring dashboards (Discover, Violations, Analytics). Cannot modify configuration. |
OpenGard runs without a license for evaluation purposes. During this period the audit database is limited to 10 MB. Once the limit is reached, new audit events, violations, and system alarms will be blocked until storage is freed.
To unlock full storage capacity, place a valid LICENSE file in the OpenGard
working directory (the same directory as the executable) and restart the server,
or upload it via Configure → License.
Edit appsettings.json to change the host, port, or protocol:
{
  "Server": {
    "Host": "localhost",   // Use "0.0.0.0" to listen on all interfaces
    "Port": 7158,          // Change to any available port
    "Protocol": "https"    // Use "http" to disable TLS (not recommended)
  }
}
The install command adds a Kestrel section to appsettings.json pointing to the
self-signed runtime_data/opengard.pfx. To use your own certificate, replace the
PFX file and update the password:
{
  "Kestrel": {
    "Certificates": {
      "Default": {
        "Path": "runtime_data/opengard.pfx",
        "Password": "your-certificate-password"
      }
    }
  }
}
All runtime data is stored in the runtime_data/ directory:
| File / Directory | Purpose |
|---|---|
| runtime_data/opengard.db | Main database (users, configuration, policies, collectors) |
| runtime_data/opengard_audit.db | Audit database (events, violations, alarms) |
| runtime_data/opengard.pfx | HTTPS certificate |
| runtime_data/logs/ | Application log files (auto-rotated) |
| og_server.json | Server runtime config (API keys, storage limits, data retention) |
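
One way to check a Linux installation against the settings and files described above, as an added example that is not part of OpenGard or its documentation. It flags Protocol set to http, Host set to 0.0.0.0, and any listed file that grants group or other access; that the listed files sit under the install directory and should be owner-only is an assumption, and the sample directory is constructed.

```bash
#!/usr/bin/env bash
# Added example, not shipped with OpenGard. File names are the ones this page
# lists; resolving them against the install directory is an assumption.
SENSITIVE="appsettings.json og_server.json runtime_data/opengard.pfx
runtime_data/opengard.db runtime_data/opengard_audit.db"

# Print the string value of <key> in <file>. sed is used instead of a JSON
# parser because appsettings.json may carry // comments.
json_value() {
  sed -n "s/.*\"$2\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# Print one finding per line for <install-dir>; print nothing when clean.
audit_opengard() {
  dir=$1
  cfg="$dir/appsettings.json"
  if [ -f "$cfg" ]; then
    [ "$(json_value "$cfg" Protocol)" = "http" ] &&
      echo "CONFIG Server.Protocol=http: TLS is disabled"
    [ "$(json_value "$cfg" Host)" = "0.0.0.0" ] &&
      echo "CONFIG Server.Host=0.0.0.0: reachable on every interface"
  fi
  for rel in $SENSITIVE; do
    [ -e "$dir/$rel" ] || continue
    # Characters 5-10 of the ls mode string are the group and other bits.
    bits=$(ls -ld "$dir/$rel" | cut -c5-10)
    [ "$bits" = "------" ] || echo "PERMS $rel: group/other bits '$bits'"
  done
  return 0
}

# Build a constructed install directory (sample data, not real OpenGard files).
make_sample() {
  d=$(mktemp -d)
  mkdir -p "$d/runtime_data"
  printf '%s\n' '{ "Server": {' '  "Host": "0.0.0.0", // constructed' \
    '  "Port": 7158,' '  "Protocol": "http" } }' > "$d/appsettings.json"
  : > "$d/runtime_data/opengard.pfx"
  chmod 600 "$d/appsettings.json"
  chmod 644 "$d/runtime_data/opengard.pfx"
  echo "$d"
}

sample=$(make_sample)
audit_opengard "$sample"
rm -rf "$sample"
```

To check a real installation, replace the last three lines with a call such as audit_opengard /opt/opengard.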
OpenGard provides several command-line tools for server administration.
Run them with OpenGard --config <command> (or OpenGard.exe on Windows) while the server is stopped.
| Command | Description |
|---|---|
| install | First-time setup. Creates directories, generates HTTPS certificate, initializes databases, and seeds default users. Safe to run multiple times. |
| create-service | Registers OpenGard as a system service (systemd on Linux, Windows Service on Windows). Requires root/Administrator. |
| start-service | Starts the OpenGard system service. If the service is not registered, prompts you to run create-service first. |
| delete-service | Stops and removes the OpenGard system service. |
| reset-admin | Resets the admin account password back to admin. Use this if you are locked out. |
| enable-config-apis | Enables all configuration management REST API endpoints (disabled by default for security). |
| enable-query-apis | Enables the query REST APIs for events, violations, counters, action executions, and system alarms. |
| enable-push-events-apis | Enables the Push Events and Write Parsed Events REST API endpoints. |
| export [file] | Exports all configuration (users, policies, collectors, etc.) to a JSON file. Default filename: config-export.json. |
| import <file> | Imports configuration from a previously exported JSON file. Existing entries are updated; new entries are created. |
# Reset admin password
./OpenGard --config reset-admin

# Register as a system service
sudo ./OpenGard --config create-service

# Start the service
sudo ./OpenGard --config start-service

# Enable all APIs
./OpenGard --config enable-config-apis
./OpenGard --config enable-query-apis
./OpenGard --config enable-push-events-apis

# Backup and restore configuration
./OpenGard --config export my-backup.json
./OpenGard --config import my-backup.json
--config install.
admin / admin and change the password.
LICENSE file in the working directory to remove the 10 MB storage limit.

| Problem | Solution |
|---|---|
| Port 7158 already in use | Change Server.Port in appsettings.json to an available port. |
| Permission denied on Linux | Run chmod +x ./OpenGard to set execute permissions. Use a port above 1024 to avoid needing root. |
| SELinux permission errors | Move OpenGard to /opt/opengard instead of /root/. See the Troubleshooting: Site Not Loading on Linux section above for details. |
| Certificate error in browser | The self-signed certificate is expected to trigger warnings. Click through or replace with a trusted certificate. |
| Locked out of admin | Stop the server and run ./OpenGard --config reset-admin. |
| 10 MB storage limit | This is the evaluation limit. Place a valid LICENSE file in the working directory and restart. |
| Server won't start after crash | Check runtime_data/logs/ for error details. SQLite WAL files are self-healing on next startup. |
The official OpenGard documentation is included with the downloaded package and is version-specific. If you prefer to review the full documentation without downloading OpenGard, it is available in the online demo.