Products that are designed for operating system level monitoring can be classified as agent-based or agentless. Although it is easy to assume that agentless solutions are superior to their agent-based counterparts, there are some situations in which the use of an agent allows for better all-around functionality. This whitepaper examines the advantages and the disadvantages to the two approaches.
In recent years agentless monitoring has gained popularity because agentless technology frees the administrator from tasks related to agent deployment and maintenance and because the absence of an agent minimizes the size of the code base on monitored systems. Vendors offering agentless monitoring solutions have adopted several different techniques for acquiring monitoring data. Some of the more popular agentless monitoring techniques include wire data monitoring, remote query monitoring, and hypervisor monitoring.
One technique that is sometimes used for agentless monitoring involves monitoring the network rather than monitoring the network endpoints. Wire data monitoring can involve the use of SNMP, but more often it is based on examining packets as they flow across the network. Some examples of products that perform this type of monitoring include Splunk App for Stream and ExtraHop.
In most cases wire data monitoring is completely passive, which means that there is little to no performance impact on the systems that are being monitored. A dedicated monitoring station watches traffic as it flows across the network and compiles a near real time status report based on the contents of the traffic.
The primary disadvantage to relying solely on wire data monitoring is that wire data monitoring alone does not provide a comprehensive picture of the activity on your network. Depending on your network infrastructure and the monitoring product that is being used, the wire data monitoring software might lack the ability to monitor encrypted communications, traffic flowing across VLANs, Traffic flowing across virtual network segments.
Wire data monitoring software by its very nature is incapable of monitoring the processes that are running on virtual desktops. A wire data monitoring based solution might for example, be able to use traffic patterns or even PING or SMTP based tests to confirm that a specific application is running on a virtual desktop, but the software would not be able to determine how much memory or CPU time the application is consuming because wire data monitoring lacks the ability to monitor processes running within the virtual desktop.
Another technique that is commonly used for agentless monitoring is remote query monitoring. The basic concept behind remote query monitoring is relatively simple. A monitoring server uses a protocol that is natively supported by the target operating system to submit queries to the target endpoint in order to derive its status. These queries can be based on RPC, WMI, or a number of other protocols.
Remote query monitoring is quickly becoming the favored approach for agentless monitoring because it can provide a wealth of information about the monitored endpoint. Some of the vendors that use remote query based monitoring include eG Innovations and Nagios.
In spite of its many advantages, there are some disadvantages to using remote query monitoring. Perhaps the biggest disadvantage is that the monitoring capabilities are directly tied to the underlying protocol. This is an especially important consideration for organizations that use a heterogeneous collection of operating systems because a protocol that works for monitoring one vendor’s OS might not work for another vendor’s product. WMI for instance is great for monitoring Windows based systems, but isn’t usually going to be an option for monitoring Linux based systems.
Another disadvantage to remote query based monitoring is that the queries consume system resources such as storage I/O, memory, CPU cycles, and network bandwidth. Although a query is generally lightweight, it may take hundreds of queries to obtain all of the data necessary to assess a computer’s health, and even then protocol limitations might result in a report that lacks the level of granularity that can be achieved through an agent based solution.
Another form of agentless wire data monitoring that has gained popularity in recent years is hypervisor monitoring. Hypervisor monitoring works because hypervisor vendors such as VMware, Microsoft, and Citrix have built various performance metrics into their products. This allows vendors such as Xangati, SolarWinds, and VMTurbo to build products to query the hypervisor and display resource usage statistics.
Hypervisor monitoring products can be very powerful. Such products can usually monitor the resources consumed by every individual virtual machine running on the host. Hypervisor monitoring products may also report on host health and may even include tools for load balancing the virtual machine workload or for reclaiming resources from orphaned VMs.
The primary disadvantage to hypervisor level monitoring tools is that they lack visibility into individual virtual machines. A hypervisor monitoring product can typically report the memory, CPU, and storage resources being consumed by a virtual machine, but it is unlikely to be able to tell you who is logged into an individual virtual machine or which processes within a VM are consuming the most memory.
Although agentless monitoring solutions are more capable than they were even just a few years ago, agentless solutions tend to be extremely limited when compared to an agent based solution. Because agent based monitoring solutions rely on processes that are running inside of the OS that is being monitored they can typically gain a higher degree of insight into the operating system’s health than what would be possible using an agentless solution.
One of the reasons why agent based monitoring solutions can be so powerful is because they can monitor network endpoints at several different levels. Granted, not every product examines every aspect of the endpoint’s operating system, but as a general rule agent based products such UberAgent and ComTrade when speaking about agent based solutions tend to provide a much more granular view of the guest operating system’s health than their agentless counterparts simply because agent based products are not subject to the operational limitations of an agentless solution.
Every monitoring product provides its own unique set of features and capabilities, but as a general rule an agent based product should provide granular insight into individual virtual machines. This might include the ability to examine individual processes that are running on a virtual machine, but an agent might provide additional management capabilities. For example, an administrator might use an agent based solution to remotely execute a script on a set of virtual desktops. An agent based product might even monitor a virtual desktop’s health and either take corrective action or notify an administrator if a problem occurs.
An additional technique that is sometimes used is hybrid monitoring. Since agent-based and agentless solutions each have their advantages and disadvantages, some vendors use a hybrid solution that uses multiple monitoring techniques rather than relying on a single approach. The advantage is that agentless monitoring can be used except for when granular detail about an individual virtual machine is required. Only then does the product rely on the use of agents. At other times hybrid monitoring solutions behave more like an agentless monitoring solution. Some of the vendors that offer hybrid monitoring solutions include Goliath Technologies, Systrack, and ControlUp.
While it is difficult to deny the convenience of agentless monitoring, agent based monitoring tends to produce more granular monitoring data than agentless solutions. Agentless solutions are dependent on data that can be “sniffed” from network segments or obtained from a network endpoint through a query, but these approaches are limited with regard to the type of monitoring data that can be produced. Agent based solutions have direct access to the endpoints that are being monitored and are therefore able to acquire very granular monitoring data.
There are a number of recent studies that have resulted in similar conclusions. According to eG Innovations for example, “The agentless monitoring solution is ideal for small enterprises where security or the network traffic involved in the monitoring are not key criteria in deciding a monitoring approach. For more critical, complex environments where in-depth monitoring, root-cause diagnosis, and problem resolution are key, the agent-based approach is more appropriate. The automatic capability of the eG agents ensures that the eG agent-based monitoring solution requires near zero maintenance, similar to an agentless solution.”
In a separate study, Kaseya states that “The performance degradation of agentless and agent-based IT systems management solutions is essentially the same. However, agent-based solutions provide inherent availability and security benefits, including the ability to manage systems during a network outage and the ability to manage systems around firewalls with no additional configuration.”
A whitepaper from up.time Software reaches a similar conclusion and states that “Agentless SNMP solutions do not provide the same level of expansion and integration that is possible with an agent-based solution; Furthermore, agentless solutions typically do not provide the facilities to interact with the service platform being monitored with the same level of functionality as an agent-based solution.” It goes on to say, “a systems monitoring solution should incorporate both agent based and agentless monitoring options.”
It is easy to fall into the trap of assuming that a monitoring solution must either be agentless or make use of agents. Both agent based and agentless solutions have their merits, so maybe it’s time to think about a hybrid solution.
Manage and monitor your VDI environment from one single dashboard. Read more here.