Hi there,

Agent Client Collector can be confusing because the relationships between the components are not all that obvious.

First, most of the agent behavior is controlled by policies.

A policy links a collection of agents to a collection of check instances.

A check instance is a copy of a check definition.  Check instances are configured (via parameters) as needed for the task at hand; check definitions provide the "master" definition that is the starting point for each check instance.

There are several ways to stop a check from running, but each method has a different scope:

1. Disable a check instance in a policy, and republish the policy.  This will stop the check for all agents associated with that policy, but the check will still be available to other policies (if any) that reference it.

2. Disable a policy -- this will stop all of the check instances in the policy for all agents associated with the policy.

3. Disable a check definition -- this will stop the check from running regardless of which policy is using it.

I had trouble with the ACC Visibility content, and I found that the easiest way to stop it was to disable the check definitions that were not working correctly.  I also disabled the discovery policy, so I put it in Park AND I set the parking brake.

There are a few checks that the agents can run even if they are not in any policy.  Some examples:

• check-read-log -- reads the agent log file
• config file reader -- reads the acc.yml file
• Restart agent -- request the agent to restart itself

These checks are run when an admin initiates the corresponding UI actions on an agent information page.

Regarding intervals:

• You can set an interval in the check definition record
• You can set an interval in the policy
• You can set an interval in the check instance

I do not know how the hierarchy works, except that the interval in the check instance is used if defined, otherwise one of the other intervals is used.

Until recently, the MID server scheduled each and every check instance for each agent.  This is how "interval" scheduling works.  The "cron" schedule type was added a couple of releases ago, and I think that if you use this then the agent handles its own scheduling for the associated service checks, reducing the load on your MID servers.  The "cron" schedule enables you to use cron-style definitions if you know how to configure them -- for instance, you can run certain checks at a higher rate during business hours and maybe at a different rate during off hours, etc.

The 24 hour interval thing might be a corner case -- it appears that each agent does "something" every 24 hours.  For instance, if you have a check that persistently returns a bad status, the agent will issue a new event for that check every 24 hours (or 24 hours + 1 poll cycle).

You might have found a bug (or feature?) -- if an agent is linked to a policy that has no check interval defined, and the policy contains a check instance that has no interval defined, and the check definition has no interval defined -- does the agent run the check anyway when it goes through its daily refresh?

I am sorry that this was a ramble, but I hope it helps you get a handle on the agent < policy > check instance < check definition thing.

Regards,

Greg Hubbard