What is an agent-based approach for monitoring and control solutions?

That question came up in one of my discussions on container security solutions over two weeks ago. Though I gave my perspective and opinion while answering that question, I decided to understand better where that question was coming from, so that I could answer such questions in a more convincing and pointed way in the future. In order to do that, I quickly looked at the various monitoring solutions from the past two decades, the technological approach taken by them, and the marketing claims that went along with them. What I discovered is something that I thought is worth sharing through a blog post.


What is an agent?

A computer application designed to automate certain tasks (as gathering information online)

That’s the definition from Webster, at least the one most relevant to our discussion. However, this definition doesn’t throw any light on what an agent-based approach for monitoring solutions actually is: where can the agent application be running? Should it run completely outside of the entity it is collecting information about, or can it run inside the entity being monitored and still be called an agent? Should it be running on the same machine or node as the entity itself, or can it run remotely while still collecting and processing monitoring data about the entity?

Additionally, is a monitoring agent one that both collects and processes information about the entity, or should only the processing part be referred to as an agent? What should the collection part be called then — probes?


It’s all about perspective

As with many things in life, the perspective — and agenda (read: marketing :^)) — defines what’s an agent versus what’s not. If we take the messaging for various solutions over the years into account, the consensus (though I don’t quite agree with it) on the high-level definition of the term agent seems to be: a program which collects and processes information about the entity while running within that entity itself. To be more specific with an example, an SNMP agent runs on the machine about which it collects information and sends it to a server. Similarly, a Virtual Machine (VM) monitoring agent is one that runs within the VM itself. So, interestingly enough, if a program collects information about multiple VMs while being outside those VMs (say, in the hypervisor that hosts those VMs), it is not referred to as an agent, but as an agentless approach to monitoring the VMs. Same with containers — if the monitoring program runs in the underlying OS (as a kernel module) or alongside the containers being monitored (as a privileged container), it’s defined as an agentless approach to monitoring the containers. These definitions cause confusion among customers who are trying to compare and contrast different solutions to find the one that best suits their requirements.

Hence, before things go out of control with various classifications and definitions in the nascent container ecosystem, I have taken the liberty of defining what an agent is, and other relevant terms.

Agent: An application/code/program that does some processing on the information that is collected from or about the entity being monitored, regardless of whether that program is running within the entity or outside of it. The collection mechanism could be internal or external to the entity.

Proxy: What if the agent doesn’t process the collected information but just bundles and forwards it somewhere else for processing? In that scenario, let’s define that program as a proxy, as all it’s doing is forwarding the collected information.

Probes: How about the collection mechanism? The mechanisms or “inserts” in the entity that are used to gather information from its various parts are the probes. Probes are lightweight inserts that collect very fine-grained and specific information from each part of the entity that is of interest, and send it either to an agent for processing, or to a proxy that forwards it along to another location for processing.

Of course, probes — given their location and presence deep in the entity — could also be used for enforcing certain policies, and hence behavior, on the entity. But that’s a topic for another blog :^)

* Picture credit: By http://en.wikipedia.org/wiki/Image:Willem_Einthoven_ECG.jpg, Public Domain, https://commons.wikimedia.org/w/index.php?curid=1153294