Agent Client Collector for Visibility - Content default checks and policies
Summary of Agent Client Collector for Visibility - Content default checks and policies
The Agent Client Collector for Visibility - Content (ACC-VC) enables ServiceNow customers to manage and monitor software and processes across various endpoints. It executes daily checks and policies to gather crucial data about installed software and running processes, enhancing visibility into enterprise environments.
Key Features
- Enhanced Discovery Policy: Runs every 24 hours by default, with adjustable intervals to suit operational needs.
- SAM Discovery Policies: Captures software on Windows devices and processes logs for both Windows and macOS endpoints.
- Software Installed Policy: Collects data from Linux devices, storing information in the [cmdb_sam_sw_install] table.
- Check Types: Includes Enhanced Discovery, SAM Advanced Discovery, and Installed Software, each invoking specific scripts for data processing.
- Background Log Check: Executes every 8 minutes to aggregate data from Osqueryd logs, optimizing disk space usage.
Key Outcomes
By utilizing ACC-VC, ServiceNow customers can expect:
- Enhanced visibility of installed applications and system processes across all endpoint devices.
- Improved data management through scheduled checks and policies, reducing the risk of discovery conflicts.
- Efficient system resource usage with optimized log aggregation and reduced file storage requirements.
Customers should ensure appropriate system properties are configured to prevent excessive discovery and conflicts, and manage access permissions for necessary commands on Linux systems.
Agent Client Collector for Visibility - Content (ACC-VC) provides various checks and policies as well as a business rule.
Policies
- Enhanced Discovery Policy
- Runs on a schedule, which defaults to 24 hours (86400 seconds). The policy interval can be adjusted, for example to run every 4 hours (set the interval to 14400). The ACC-V policy configuration is synced to all agents based on the policy filter defined by ACC-V. Update the following ACC-F system properties if needed:
- [sn_agent.disco_minimum_threshold_for_rediscovery_minutes]: to avoid discovering the system too frequently.
- [sn_agent.disco_disable_ci_clobber_of_agentless_disco]: to avoid Discovery conflicts.
- [sn_agent.disco_ci_clobber_of_agentless_disco_threshold_days]: to avoid Discovery conflicts.
- SAM Discovery policy
- Responsible for capturing the software installed on any Windows endpoint device, such as desktops or servers.
- SAM background policy
- Enables a background job for processing the Osqueryd logs for SAM on Windows and macOS endpoint devices.
- SAM background policy (Non OsqueryD)
- Enables a background job to collect SAM information using osqueryi instead of osqueryd.
- Software installed policy
- Responsible for capturing the software installed on all Linux devices and instance CIs. The data collected is stored in the [cmdb_sam_sw_install] table. The software installed policy is scheduled to run every 24 hours.
See System properties for more details. For more details on policies, see Checks and policies.
Check type
- Enhanced Discovery
- This check type is responsible for invoking the EnhancedDiscoveryHandler script include that processes the payload produced by endpoint_discovery.rb as executed by ACC.
- SAM Advanced Discovery
- This check type is for the Windows SAM Discovery policy that invokes the EnhancedDiscoveryHandler script include for processing the SAM data produced by the sam_advanced.rb file.
- Installed Software
- This check type is for the Software installed policy and invokes the EnhancedDiscoveryHandler script include for processing the installed software data produced by the installed_software.rb file.
Check definitions
- Enhanced Discovery
- This policy configuration is synced to all agents based on the policy filter defined by ACC-V. The Check definition is configured to run with certain assets and determines what gets synced between the Agent and the MID Server. For more detail on policies, see Checks and policies.
Note: For the Agent to retrieve the OS serial numbers and TCP connections along with associated running processes, sudo access for “dmidecode” and “ss” is required on Linux systems. For example, this content could be added to /etc/sudoers or to an individual file in /etc/sudoers.d/:
Cmnd_Alias AGENT_ACC_V = /usr/sbin/dmidecode -s baseboard-serial-number,/usr/sbin/dmidecode -s chassis-serial-number,/usr/sbin/dmidecode -s system-serial-number,/usr/sbin/dmidecode -s system-uuid,/usr/sbin/ss -tanp
servicenow ALL=(root) NOPASSWD:AGENT_ACC_V
- SAM background log check
- The check definition log runs every 8 minutes and performs inline aggregation of data generated from Osqueryd logs. After collecting the data, it writes all the intermediate data results into a temporary marker file which is reused in the next run. This reuse limits the number of log files and disk space needed on target systems.
Note: You may notice a spike in system resource consumption as the background aggregation check runs every interval.
- Software installations and usage metrics
- This check definition collects the data every 24 hours.
- Installed software
- This check definition fetches installed software data for all devices other than Windows and macOS endpoint devices.
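The sudoers fragment shown under the Enhanced Discovery check definition grants passwordless root only for five commands with fixed arguments. The following audit is an added example, not part of the ServiceNow documentation: the function name audit_acc_sudoers and the "weak" fragment are constructed for illustration, and the script checks that a deployed fragment still pins absolute paths and arguments and has not been widened to ALL.

```shell
#!/bin/sh
# Added example: least-privilege audit of a sudoers fragment for the ACC agent.
# Prints one finding per line; returns 0 if clean, 1 if anything is flagged.
audit_acc_sudoers() {
    awk '
    /^[ \t]*(#|$)/ { next }                       # skip comments and blank lines
    /^Cmnd_Alias[ \t]/ {
        name = $2; sub(/=.*/, "", name); aliases[name] = 1
        list = $0; sub(/^[^=]*=[ \t]*/, "", list); sub(/[ \t]+$/, "", list)
        n = split(list, cmds, /[ \t]*,[ \t]*/)
        for (i = 1; i <= n; i++) {
            c = cmds[i]
            if (c !~ /^\//) { print "not an absolute path: " c; bad++ }
            if (index(c, "*") || index(c, "?") || index(c, "[")) { print "wildcard: " c; bad++ }
            # A bare command in sudoers permits ANY arguments.
            if (c !~ /[ \t]/) { print "arguments not pinned: " c; bad++ }
        }
        next
    }
    /NOPASSWD:/ {                                 # remember what each rule grants
        s = $0; sub(/^.*NOPASSWD:[ \t]*/, "", s); sub(/[ \t]+$/, "", s); grants[++k] = s
    }
    END {
        for (i = 1; i <= k; i++) {
            if (grants[i] == "ALL") { print "NOPASSWD on ALL commands"; bad++ }
            else if (!(grants[i] in aliases)) { print "grant is not a defined alias: " grants[i]; bad++ }
        }
        exit (bad > 0)
    }' "$1"
}

# Demo: the fragment from this page, then a constructed over-broad variant.
good=$(mktemp); weak=$(mktemp)
cat > "$good" <<'EOF'
Cmnd_Alias AGENT_ACC_V = /usr/sbin/dmidecode -s baseboard-serial-number,/usr/sbin/dmidecode -s chassis-serial-number,/usr/sbin/dmidecode -s system-serial-number,/usr/sbin/dmidecode -s system-uuid,/usr/sbin/ss -tanp
servicenow ALL=(root) NOPASSWD:AGENT_ACC_V
EOF
cat > "$weak" <<'EOF'
Cmnd_Alias AGENT_ACC_V = /usr/sbin/dmidecode, /usr/sbin/ss *
servicenow ALL=(root) NOPASSWD:ALL
EOF
audit_acc_sudoers "$good" && echo "page fragment: clean"
audit_acc_sudoers "$weak" || echo "constructed weak fragment: flagged"
```

Run `visudo -c -f` on the fragment as well: this audit covers only the scope of the grant, not sudoers syntax.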
Business rule
The Enhanced Discovery – On Host CI Delete business rule triggers the Endpoint Discovery Check when the CI associated with a given CI is deleted from sn_agent_cmdb_ci_agent.