
ServiceNow Agent Client Collector: Automate your IT Operations

Nobody working in IT Operations doubts that it is a difficult discipline. What does today's IT have to deliver?

Monitor system health, scan for security and other issues, and orchestrate and automate a range of systems in order to deploy software and updates, apply fixes and remediate incidents. All of this has to happen as soon as possible (now is already too late), because IT has to keep up with business demand, and services have to be highly available and performant; otherwise it costs the business money. IT Operations is largely a question of cost: the typical IT department is perceived as a cost centre that delivers behind schedule while something is still broken or slow. On top of that, IT Operations has to balance business needs against the new technologies on the market, staying modern while still fitting into this fiscal year's budget.

All of the above is a challenge, and this is the reality IT is facing:

Enterprise environments are very large, several tool disciplines have to be maintained side by side, functional areas overlap, and license costs keep growing. Large initiatives aim to unify and simplify, with the goal of turning IT into an optimized, collaborative and performance-driven organization across teams and partner ecosystems. This is where ServiceNow's Unified Agent Client Collector (ACC) comes in.

What is a Unified Agent Client Collector (ACC)

IT Operations teams deal with more complexity every day, especially since the pandemic forced companies to let more people work remotely; BYOD (Bring Your Own Device) is just one example of the new challenges. At the same time, our expectations of the performance and availability of IT, both hardware and software, have risen, and new and stricter regulations covering customers, infrastructure and data are coming into force. For some needs, traditional centralized, agent-less monitoring and discovery of the IT infrastructure is still sufficient. But what do you do with systems that are only intermittently online, allow only outbound connections, run a hardened security configuration, or live in an air-gapped, completely isolated environment?

So the question is: what can we do to keep an eye on those systems and protect physical and intellectual property? Today, a locally installed agent is very probably the only practical answer.

What key requirements does such an agent have to fulfil?

It must cover multiple requirements rather than a single function: functional, flexible and extendable, like the ServiceNow platform itself. It must have a small footprint on the host in terms of CPU, memory and disk. And the communication between the agent and the MID server must be secure; in practice that means an encrypted channel in which the agent verifies the identity of the MID server it connects to and the MID server accepts data only from authenticated agents, because an agent that executes checks on hardened hosts is a valuable target in itself.

The result is an agent framework: a base installation on top of which the customer assembles the agent they currently need.

Today, as of the Rome release of ServiceNow, you can find the following apps for the ACC Framework in the store:

  • Agent Client Collector Framework – the framework itself, on which the following apps build:
  • Agent Client Collector Monitoring (ACC-M)
  • Agent Client Collector for Visibility (ACC-V)
  • Agent Client Collector Log Analytics (ACC-L)
  • Agent Client Collector Spoke (workflow extensions)
  • Agent Client Collector Playbook Content (ready-made ITSM workflows)

A bit of architecture

In brief, the architecture looks like this.

The agent targets three operating systems: Windows, Linux and macOS (macOS support was announced for Q4 2021).

In terms of security, ACC only needs an outbound connection from the monitored host to the MID server in order to monitor and discover a hardened server; nothing has to be able to connect inbound. If the system is air-gapped from the outside world, ACC can collect the information locally and store it in a file, which is then copied manually to external media (e.g. a USB stick) and uploaded into the Now Platform. Bear in mind that such an export carries inventory and configuration details of the isolated environment, so the media and the upload should be handled under the same controls as any other data leaving that environment.

Depending on the check type, the MID server forwards the data to the instance either as an Event or as a Metric. The agent talks to the MID server over a WebSocket connection.

Checks and Policies

A Check is the combination of a command and its configuration. The agent executes the check's command on the host; most of the commands that ship with ACC are Ruby scripts.

Natively, a wide range of Checks are provided with the base installation of the system, and their commands execute scripts which provide monitoring data for your operating systems and applications.

Agent Client Collector is built on the Sensu Go framework, which lets you adopt and extend monitoring and visibility with additional checks from the Sensu community as well as any Nagios-compatible plugin: a check is just a command whose exit code and output the agent interprets.

The following check types are provided with the Event Management base system:

  • Event: The check’s result is transformed into an Event Management event.
  • Metric: The values from the check result are transformed into metrics.
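As an added example (not a check shipped with ACC or written by ServiceNow), here is what a Nagios-compatible check command looks like in Ruby, the language most of the bundled checks use, together with a small parser that does what the Event and Metric check types do with its result: the exit code (0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN) becomes a status, and the perfdata after the `|` becomes numeric metrics. The check name, the thresholds and the `df -P` call are assumptions made for the illustration.

```ruby
#!/usr/bin/env ruby
# Example code added to this article, not a check shipped with ACC:
# a Nagios-compatible disk usage check plus a parser for its output.
# Usage: ruby check_disk.rb <mount point> [warn%] [crit%]

# Nagios plugin exit codes, which the Event check type maps to a status.
STATUS = { 0 => 'OK', 1 => 'WARNING', 2 => 'CRITICAL', 3 => 'UNKNOWN' }.freeze

# Classify a usage percentage against the warning/critical thresholds.
def classify(used_pct, warn, crit)
  return 2 if used_pct >= crit
  return 1 if used_pct >= warn
  0
end

# Build the plugin output line: human-readable text, then '|', then perfdata
# in label=value[unit];warn;crit;min;max form. An Event check reads the text
# and exit code; a Metric check reads the numbers after the bar.
def format_output(path, used_pct, warn, crit)
  code = classify(used_pct, warn, crit)
  text = "DISK #{STATUS[code]} - #{path} #{used_pct}% used"
  perf = "used_pct=#{used_pct}%;#{warn};#{crit};0;100"
  [code, "#{text} | #{perf}"]
end

# Parse a plugin output line plus exit code back into a status, the text and
# a hash of numeric metrics (units stripped), as a Metric check would.
def parse_output(line, exit_code)
  text, perf = line.split('|', 2).map(&:strip)
  metrics = {}
  perf.to_s.split(/\s+/).each do |item|
    label, rest = item.split('=', 2)
    next if rest.nil?
    value = rest.split(';').first.to_s.sub(/[A-Za-z%]+\z/, '')
    begin
      metrics[label] = Float(value)
    rescue ArgumentError
      next
    end
  end
  { status: STATUS.fetch(exit_code, 'UNKNOWN'), text: text, metrics: metrics }
end

# Read the usage of a mount point with POSIX `df -P` (assumed available).
# The argv form of IO.popen runs no shell, so `path` cannot inject commands.
def disk_used_pct(path)
  line = IO.popen(['df', '-P', path], &:read).lines.last
  raise "cannot read usage for #{path}" if line.nil?
  Integer(line.split[4].delete('%'))
end

# Run the check and return the exit code for the agent.
def run(argv)
  path, warn, crit = argv[0], Integer(argv[1] || 80), Integer(argv[2] || 90)
  code, out = format_output(path, disk_used_pct(path), warn, crit)
  puts out
  code
rescue StandardError => e
  puts "DISK UNKNOWN - #{e.message}"
  3
end

exit run(ARGV) if __FILE__ == $PROGRAM_NAME && !ARGV.empty?
```

Run it as `ruby check_disk.rb / 80 90` and the process exits with the Nagios code; an Event check would turn a 1 or 2 into an Event Management event, while a Metric check would read `used_pct=85%` into a metric named `used_pct` with the value 85. Any failure to read the disk is reported as UNKNOWN rather than silently as OK, which is the behaviour a monitoring team wants from a check it cannot see run.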

A Policy links a set of monitored CIs to the checks the agent has to run on them.

A brief history of the Agent Client Collector

The ACC agent has been around for a while. It was born about a year ago with the Paris release of ServiceNow, designed for health monitoring. The next release, Quebec (March 2021), added Discovery and log monitoring capabilities. The recent Rome release added the Spoke and the Playbook content.

Currently, the ACC framework represents a mature solution for many needs in the market segment of direct monitoring (where ServiceNow has never been before), and other use cases that will be discussed more in detail in the next chapter.

Obviously, ServiceNow does not stop here and is investing its energy into developing the ACC framework, adding more and more features, and making ACC even more of an invaluable hard worker for many needs. We will be watching ACC as it evolves, stay tuned!

Agent Client Collector use cases

So far, we have seen that the ACC is a nice piece of technology, but what to do with it? Let’s now turn the discussion over to the use cases to see the real value of using the Agent Client Collector framework and the benefits it may bring to IT Operations.

Use cases: Monitoring

Agent Client Collector can be used for direct monitoring of specific hosts from the perspective of service availability and performance, to examine the health of your environment, and ensure that your infrastructure and its applications are running properly.

Once the agent is installed on endpoint computers, it can also be used for end-user experience monitoring.

ACC-M comes with pre-defined monitoring checks and policies that are applied to the agent. The solution is extendable; you can define new checks and monitoring policies. As mentioned earlier, the ACC agents are based on Sensu Go, a widely deployed open-source monitoring framework, so you can use hundreds of plugins that are produced by the Sensu Go community.

Within the framework, we also have log analytics features with the Agent Client Collector Log Analytics, which enable you to retrieve log data from the agent running on a Linux OS. The Agent streams log messages to the instance for further analysis and processing.

Those who know ITOM know ServiceNow Operational Intelligence, which captures, explores and analyses operational metric data and flags anomalies that might lead to issues. The ACC framework builds on that technology: with Metric Intelligence you can identify and prevent potential service outages. It applies machine learning to historical metric data to flag anomalous behaviour of CIs that standard, threshold-based event management might not catch.

What does this bring you? Consolidated monitoring, which helps cut costs, and monitoring coverage extended to, for example, hardened servers whose credentials cannot be stored in the ServiceNow instance, or hosts that a firewall shields from inbound access. In general, ACC eases the rollout of event management.

Use cases: Discovery

In ITOM, ServiceNow's Discovery product is agent-less: MID servers connect to the targets, run commands to interrogate them and write the results to the CMDB. This is a sound concept, but agent-less discovery does not suit every scenario. For example, a customer may not want the MID server to be able to initiate connections to certain servers at all, and agent-less discovery of end-user computers does not work for mobile and remote workers.

The benefit of an installed agent is that it satisfies security demands and policies that the agent-less approach cannot. In other words, the blind spots that agent-less discovery leaves in the data centre can be removed by the agent, and the ability to discover end-user computers in untrusted environments provides data for many other uses.

Use cases: IT Asset Management

Agents can be installed on end-user devices to perform inventory and software metering, which Software Asset Management (SAM) uses in addition to the usual list of installed software. The agent can also perform some of the automation during the asset lifecycle.

For example, you can automatically update the ownership of endpoint devices based on the last logged-in user. Another example is a kind of asset watchdog for laptops that have not been reported by any discovery or other data source for some time: when such a laptop comes online, the ITAM administrator can be notified to validate that the asset is secure. You can also build workflows for stolen laptops in which ACC runs a self-destruction program that removes confidential files. That last capability is destructive by design, so treat it as a privileged action: restrict who may trigger the flow, require an explicit approval step, and keep a record of every execution.

Benefits? ACC contributes to the Inventory management of all software and also reclaims unused software licenses. It brings automation for complete asset management from the perspective of governance and compliance.

Use cases: ITSM

With agents installed, you can investigate incidents and enrich them by collecting additional relevant information from the affected host, run remediations on endpoints through IntegrationHub spokes, and, in Change Management, collect verification data after a change has been implemented.

How can this be done – there are two SN Store apps: Agent Client Collector Spoke, which is a toolset to run flows, and Agent Client Collector Playbook Content – which contains a set of commands and pre-defined OS queries that can be used to collect data on systems to analyze, troubleshoot, and resolve incidents. For example, by running a playbook you can have data fetched in real-time during the resolution of an incident and visualize them in the “Live CI data” tab in the Operator Workspace UI. Playbooks can be automated and tracked in the ticket history for an overview of what has been done during the ticket resolution.

ACC does not ship an exhaustive list of remediations, but you can of course use Flow Designer to create your own runbooks. ACC also brings delegated administration: operators can run approved actions on endpoints without being handed the endpoints' credentials, which is always a good idea.

Use cases: SecOps

With the ACC framework, you can automate monitoring, improve your malware detection capabilities and run remediations to manage compliance and security on endpoints.

Here we can use the ACC Spoke again, and it is worth mentioning two bundled sample flows:

The first is a flow for detecting the SingHealth cyberattack, one of the most serious breaches of patient data to date, in which about 1.5 million patient records were accessed. The flow identifies the tactics and techniques that were used in that attack.

The second is a flow for managing compliance for remote workers, which monitors the compliance of end-user devices. Its checks cover whether disk encryption is turned on, whether the firewall is enabled, whether updates are enabled and being applied, and whether anti-virus is enabled with up-to-date definitions.

The benefit of ACC in SecOps? Time matters most in security response, and an agent gives you real-time data from the endpoint and a way to act on it quickly, which is technically much easier than working agent-less.

A bit of what’s behind

Two of the components mentioned in this article deserve a closer look.

The ACC Spoke is an IntegrationHub component that gives customers a way to automate monitoring and to manage compliance, security and applications on endpoints, making that work more efficient.

The agent is bundled with an osquery plugin used to collect metrics and attributes of the operating system.

osquery is an open-source framework that exposes operating system state (processes, users, installed packages, disk encryption status and so on) as SQL tables, so data can be fetched from endpoint devices with SQL queries, as from a database.
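To make both the remote-worker compliance checks from the SecOps section and the osquery description concrete, here is an added example in Ruby (example code written for this article, not the bundled ServiceNow flow or the ACC osquery plugin) that collects compliance facts through `osqueryi --json` and grades them. The table and column names (`disk_encryption`, `windows_security_products` and their `encrypted`, `state` and `signatures_up_to_date` columns) are taken from the osquery schema as I understand it and should be verified with `osqueryi .schema` on your platform; the sample result set is constructed so that the evaluation can be run offline.

```ruby
#!/usr/bin/env ruby
# Example code added to this article (not a ServiceNow-shipped flow or check):
# an endpoint compliance check in the style of the "remote workers" flow,
# using osquery for the data. Table and column names are assumptions taken
# from the osquery schema; verify them with `osqueryi .schema`.
require 'json'

# Each check: an osquery SQL statement and a rule over the returned rows.
# osqueryi --json returns every column value as a string.
CHECKS = {
  'disk_encryption' => {
    # Linux/macOS: one row per block device; Windows has bitlocker_info instead.
    sql:  'SELECT name, encrypted FROM disk_encryption',
    rule: ->(rows) { !rows.empty? && rows.all? { |r| r['encrypted'] == '1' } },
  },
  'firewall' => {
    sql:  "SELECT name, state FROM windows_security_products WHERE type = 'Firewall'",
    rule: ->(rows) { rows.any? { |r| r['state'] == 'On' } },
  },
  'antivirus' => {
    sql:  "SELECT name, state, signatures_up_to_date FROM windows_security_products WHERE type = 'Antivirus'",
    rule: ->(rows) { rows.any? { |r| r['state'] == 'On' && r['signatures_up_to_date'] == '1' } },
  },
}.freeze

# Run one query through the osqueryi shell. The argv form of IO.popen runs
# no shell, so the SQL is never interpolated into a command line.
def run_query(sql)
  JSON.parse(IO.popen(['osqueryi', '--json', sql], &:read))
end

# Evaluate the rules against the rows collected per check.
# Returns { check_name => 'pass' | 'fail' }. A missing result set counts as
# 'fail': absence of evidence is not evidence of compliance.
def evaluate(results)
  CHECKS.each_with_object({}) do |(name, check), report|
    rows = results[name]
    report[name] = rows.is_a?(Array) && check[:rule].call(rows) ? 'pass' : 'fail'
  end
end

# Nagios/Sensu-style exit code so the result can feed an Event check:
# 0 = all pass, 2 = at least one failure.
def exit_code(report)
  report.values.all?('pass') ? 0 : 2
end

# Constructed sample results standing in for osqueryi output: one volume
# unencrypted, firewall on, anti-virus on but with stale signatures.
SAMPLE_RESULTS = {
  'disk_encryption' => JSON.parse('[{"name":"/dev/sda1","encrypted":"1"},{"name":"/dev/sdb1","encrypted":"0"}]'),
  'firewall'        => JSON.parse('[{"name":"Windows Firewall","state":"On"}]'),
  'antivirus'       => JSON.parse('[{"name":"Defender","state":"On","signatures_up_to_date":"0"}]'),
}.freeze

# With --live, query the local osquery instead of the constructed sample.
if __FILE__ == $PROGRAM_NAME && ARGV.first == '--live'
  live = CHECKS.to_h { |name, check| [name, run_query(check[:sql])] }
  report = evaluate(live)
  puts JSON.pretty_generate(report)
  exit exit_code(report)
end
```

On the constructed sample, `evaluate(SAMPLE_RESULTS)` reports `disk_encryption` and `antivirus` as failed and `firewall` as passed, so the exit code is 2 and an Event check would raise an event for the device. The rule for missing data is deliberate: a device on which the query returns nothing (table absent on that OS, osquery not running) is reported as non-compliant rather than quietly passing, which is the failure mode that matters on remote endpoints you cannot inspect by hand.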

To sum it all up

The Unified Agent Client Collector offers an opportunity to improve IT Operations that is anything but small:

Unify the toolset in functional areas of monitoring, compliance, automation, deployments.

Sounds ambitious, but the potential is here to realize the following benefits.

  • Minimize the complexity of the tool portfolio needed to cover all IT Ops duties (fewer agents on servers, lower maintenance costs, a smaller attack surface)
  • Save on licensing costs (fewer vendors whose tool prices grow year on year)
  • Simplify the deployment of automated remediation
  • Real-time data from endpoints (cost savings in reporting, less time needed, e.g. when solving incidents)
  • One tool to manage, and so a simpler support organization

Want to learn more? We did a webinar on the topic of Agent Client Collector! Check out the webinar recording.