Why a Lightweight Agent Beats Agentless Monitoring

Agentless monitoring sounds great, but isn’t. Learn why a small footprint agent is superior.

The Agentless Myths

Agentless monitoring is the term often used for an architecture where the monitoring software does not require a component on the monitored endpoint. Instead, a centralized monitoring server queries the endpoints over the network.

Myth #1: Agentless Exists

Obviously, the monitoring server needs something to talk to on the monitored endpoint. There must be some kind of agent listening, or the server’s requests would simply be ignored. Typically, the technology used for remote queries is WMI (Windows Management Instrumentation). With WMI, the agent is simply the WMI service, part of the Windows operating system.

So, agentless monitoring, in the true sense of the word, does not exist.

Myth #2: Agentless Monitoring Does Not Generate Load on the Endpoint

It sounds too good to be true, and it is: by remotely querying the monitored endpoints there is no resource utilization on the endpoints, no load generated, zero footprint.

In fact, it may be quite the opposite: WMI is inefficient and resource-hungry. Since remote WMI queries are executed on the endpoint, the footprint of “agentless” monitoring on the endpoint can be significant.

Agentless vs. Agent-Based

The only benefit of an “agentless” architecture is that no software needs to be deployed to the endpoints. However, that does not mean that the endpoints do not need to be touched. Firewall ports may need to be opened, security permissions changed, remote access granted, and so on.

Benefits of an Agent-Based Architecture

The benefits of an agent-based architecture, on the other hand, are manifold:

Better Metrics

Only software running on the endpoint has access to all APIs and data sources. This enables an agent to provide advanced high-quality metrics that go way beyond what is available through performance counters, the event log or WMI.

Less Network Traffic

An intelligent agent can preprocess the collected data and only send relevant results to the backend. This capability dramatically reduces the network traffic between the endpoints and the monitoring servers.

Works Offline

An agent running on the monitored endpoints can collect data even if the backend is not available. This is a must for laptop computers, of course, but it is beneficial for all types of endpoints if a short loss in network connectivity does not result in a loss of data.

Smaller Footprint

A well-written agent can be practically invisible on the endpoint. If it foregoes “expensive” technologies like WMI and queries low-overhead data sources the agent may be small, lightweight and consume only minimal system resources.

Security

In order for a monitoring server to be able to query remote endpoints, the server needs to be granted high privileges on all endpoints. In many cases, domain admin rights are used. This is not required with the agent-based architecture.

uberAgent’s Lightweight Agent

As its name implies uberAgent’s main component is an endpoint agent and a highly optimized one at that. uberAgent is written in modern C++, a language that combines development with runtime efficiency.

uberAgent does not depend on any type of framework. Only the 2.5 MB uberAgent MSI needs to be deployed to the endpoints.

uberAgent’s Small Footprint and Low Resource Utilization

What better way to determine uberAgent’s footprint than to bring up its own Single Application Performance dashboard? This dashboard displays CPU, RAM and disk utilization (as well as a lot of additional data not required for our current purpose):

As you can see in the above screenshot, CPU usage is between 0.1% and 0.2%, RAM utilization is around 20 MB – and no disk IO at all!

Try it yourself! uberAgent can be installed in minutes and works on any relevant version of Windows.