Tuesday, December 16, 2014

Agent-based vs. Agent-less Monitoring

Frequently, I have been asked by customers regarding the difference between agent-based and agent-less monitoring solutions. There is a lot of confusion in this area, so this blog attempts to provide an explanation for each of these solution types, focusing mainly on the "paid" solutions. Open source solutions may be covered in a future article.

A bit of history

Since the early 90s, when the client-server architecture became very dominant in the market,
IT managers started to look for a solution to monitor these new assets. New type of tools had
to be introduced as the old monitoring tools suitable to the age of central computing (mainframe) were completely useless now.

Network Equipment

At that time, network equipment was monitored by various solutions that were based on the SNMP standard. Monitoring software from vendors such as Sun (Sunnet Manager), HP (OpenView) and IBM (Netview) used the early versions of SNMP agents incorporated into the network devices. 
Click to enlarge sample view of Correlated Network Resources
IBM Netview 6000

Such agents were called "monolithic". As the SNMP standard was further developed, more sophisticated agents were introduced. These agents were more flexible and allowed to be extended according to customer needs. These agents were called "extensible".

Servers and Applications

Servers (mostly versions of UNIX) had some minimal SNMP implementations that were quite limited in their capabilities. Since each server had its own resources (CPU, memory, disks, network interfaces etc.) it was critical to understand what is the status of each component of the architecture in order to identify possible faults and performance bottlenecks. Additional requirements such as real-time reading of system logs, running automatic actions either scheduled or as response to an issue, were also of great interest.

Windows servers had their own implementation of SNMP (limited as with UNIX servers). But interestingly enough, Microsoft had came up with a new proprietary protocol  (WMI) to allow agent-less remote management of Windows servers.

Oddly enough, using SNMP agents or WMI to manage servers and applications is still considered "Agent-less"


The introduction of proprietary system-based Agents

Following the increased market demand, software vendors such as CA, IBM and HP have quickly developed combinations of monitoring consoles and agents. Due to the weakness of the SNMP standards to provide a more comprehensive monitoring of operating systems and applications, these vendors introduced proprietary software for agents instead of relying on SNMP. 
HP Operations for Unix
Obviously, the major drawback for customers was that they must use the agent and console from a single vendor and cannot mix and match them. 

Agent-less Monitoring systems

During the early 2000s it was quite obvious that there is a place for cheaper/simpler monitoring solutions for mid-market customers. Smaller vendors have emerged and provided suites of products that utilized agent-less technologies such as SolarWinds, Paessler, Freshwater (later become HP SiteScope) and many others.
PRTG Enterprise Console

When vendors say "Agent-less" they actually mean: Native SNMP agent or protocols such as WMI, RSH, SSH or some other API the use to collect data from the server. Situations where you don't need to install other proprietary software.

When vendors say "Agent-based" they mean that you need to install their own software and use their console to manage your IT assets.  

Comparing Agent-less vs. Agent-based features 

Agent-based Agent-less Feature
No Yes Built-in to OS
$$$ Free
No Yes
Open protocols
Yes YesIn depth OS/App
LowLow-Medium Network Load imposed by monitoring
Medium-High Low
Impact on host OS
Medium-High Low
Deployment Effort
SNMP Only Yes Use 3rd Party Mgmt Console


  1. HP claims agentless in their gen8 systems. They install agents into the OS on their hardware that feed data over a local PCI connection back to their ILO4 which is then remotely accessible via SNMP, etc.

  2. Thanks for the comment! Yes, it's true that HP ILO and HP Insight play together quite well. It allows management systems to monitor the OS and hardware issues of the server transparently via the ILO. Having said that, you would still need access to system and application logs, processes and services for complete picture of the system. And this is the part where you would need a proprietary agent from one of the big vendors.

  3. It depends, mostly for this purpose uses agent less monitoring, because the performance on the monitored machine.
    A log monitor type is suggested, HP SiteScope comes with this kind of monitoring and is interesting.

    1. Diego, thank you for the comment. I agree that SiteScope is capable of reading logs, however it is worthwhile to note that this puts some burden on the network and it is not as optimal as local agent. Also with HPOM agent for instance you can watch the log almost in real time and securely (secured by SSL) while keeping the network traffic extremely low when there are no issues detected.

  4. This comment has been removed by a blog administrator.

  5. Look at this interesting little article on flexispy review.

  6. Long Description Riskonnect is the trusted, preferred source of Integrated Risk Management technology, offering a growing suite of solutions on a world-class cloud computing model that enable clients to elevate their programs for management of all risks across the enterprise. Riskonnect allows organizations to holistically understand, manage and control risks, positively affecting shareholder value GRC software