Skip to content

ServiceNow Agent Client Collector: Automate your IT Operations

Servicenow

IT Operations is a difficult discipline, that’s what people involved have no doubts about. What IT of today has to fulfil?

Monitor systems health, scan to detect security and other issues, orchestrate and automate various systems in order to deploy software, updates, apply fixes and remediate incidents. All this has to be done as soon as possible – now is too late – because IT needs to be ready to match the business demands and services have to be highly available and performant, otherwise it costs the business money. IT Operations is mainly about cost, the typical IT department is perceived as a cost center with the outcomes behind in schedule and there is still something non-functioning or slow. On top of this, IT Operations must find a balance between business needs and corresponding new technologies on the market, to stay modern and still fit into this fiscal year budget.

All the above represents a challenge, where IT is facing this reality:

Enterprise environments are super-large, there is a need to keep multitool disciplines, functional areas are overlapping, license costs are growing. There are large initiatives to unify and simplify, with the goal for the IT to become an optimized collaboration and performance-driven organization across team and partner ecosystem. And here comes ServiceNow with Unified Agent Client Collector – ACC.

What is Unified Agent Client Collector (ACC)

IT Operations teams are dealing with greater complexity every day, especially since the pandemic has enforced companies to let more people work remotely. BYOD (Bring Your Own Device) might be just one example of a new challenges for the IT teams. We all have also increased our expectations about performance and availability of the IT, both HW and SW. On the other hand, there are new and stronger regulations for customers, infrastructure and data taking place. For some of the needs, a traditional centralized and agent-less monitoring and discovery of the IT infrastructure is still sufficient, but what do you do with systems which are part-time online, or have only outbound communication allowed, have a hardened security setup, or live in an air-gapped, completely isolated environment ?

So, the questions is: what can we do to keep an eye on those systems to protect your physical and intellectual property? A local installed Agent is most probably the best and only answer today.

What key requirements such an Agent has to fulfil?

It must be able to cover multiple requirements, not limited to just one function. Functional, flexible and extendable – like the ServiceNow platform. With a small footprint on the installed system in terms of CPU, Memory and Disk. Secure communication between Agent and MID server.

The outcome is the agent framework, installed as a foundation where the customer can build an agent according to their current needs.

Today, as of the Rome release of ServiceNow, you can find the following apps for the ACC Framework in the store:

  • Agent Client Collector Framework – as the name suggests, the framework; with the other apps that are using the framework:
  • Agent Client Collector Monitoring (ACC-M)
  • Agent Client Collector for Visibility (ACC-V)
  • Agent Client Collector Log Analytics (ACC-L)
  • Agent Client Collector Collector Spoke (Workflow extensions)
  • Agent Client Collector Playbook Content (ready-made ITSM workflows)

A bit of architecture

This is how the agent is done.

The agent’s focus is on 3 key operating systems: Windows, Linux and Mac (which comes in Q4/21).

In terms of security, in order to monitor and discover a secured server, ACC only needs an outbound connection to the MID server. If system is “air gapped” from the outer world, then ACC can collect information locally and store them into a local file. Manually, this can then get copied over to an external media (e.g. USB stick) and uploaded into the Now platform.

Depending on the check type, the MID server is sending its data either as an Event or a Metric into the instance. The communication goes over Websocket.

Checks and Policies

A Check is a combination of a command and its configuration. The check is then executed on the servers as a Ruby script.

Natively, a wide range of Checks are provided with the base installation of system, and their commands execute scripts which provide monitoring data for your operating systems and applications.

Agent Client Collector is built on a Sensu framework – this enables you to adopt and extend monitoring and visibility with additional checks from the Sensu community, as well as with any Nagios-compatible plugins.

The following check types are provided with the Event Management base system:

  • Event: The check’s result is transformed into an Event Management event.
  • Metric: The values from the check result are transformed to metrics.

With Policies, we “link” the monitored CIs and the Checks the ACC has to run.

Brief history of the Agent Client Collector

ACC agent has been here for already some time. About 1 year back, the agent was born with the Paris release of ServiceNow, designed for Health monitoring. Next release, Quebec, dated March 2021, saw more capabilities in Discovery and Log monitoring. Along with the recent Rome release, Spoke and Playbook contents were added.

Currently, the ACC framework represents a mature solution for many needs in the market segment of direct monitoring (where ServiceNow has never been before), and other use cases that will be discussed more in detail in the next chapter.

Obviously, ServiceNow does not stop here and is investing its energy into developing ACC framework, adding more and more features, making ACC into even more of an invaluable hard worker for many needs. We will be watching ACC as it evolves, stay tuned!

Agent Client Collector use cases

So far, we have seen that the ACC is a nice piece of technology, but what to do with it? Let’s now turn the discussion over to the use cases to see the real value from using Agent Client Collector framework and benefits it may bring to the IT Operations.

Use cases: Monitoring

Agent Client Collector can be used for direct monitoring of specific hosts from the perspective of service availability and performance, to examine the health of your environment, and ensure that your infrastructure and its applications are running properly.

Once the agent is installed on endpoint computers, it can also be used for end-user experience monitoring.

ACC-M comes with pre-defined monitoring checks and policies that are applied to the agent. The solution is extendable; you can define new checks and monitoring policies. As mentioned earlier, the ACC agents are based on Sensu Go, a widely deployed open-source monitoring framework, so you can use hundreds of plugins that are produced by the Sensu Go community.

Within the framework, we also have log analytics features with the Agent Client Collector Log Analytics, which enable you to retrieve log data from the agent running on a Linux OS. The Agent streams log messages to the instance for further analysis and processing.

Those who know ITOM know about the ServiceNow Operational Intelligence, which provides the ability to capture, explore and analyze operational metrics data, identifying and indicating anomalies that might lead to issues. ACC framework builds on this technology where you can use Metric Intelligence to identify and prevent potential service outages. It is an AI-based feature with ML, that indicates anomalous behavior of CIs that standard event management might not capture, based on historical metric data.

What benefits does it bring to you? Consolidate monitoring to help cut costs, extend features to e. g. hardened servers where credentials cannot be placed in the ServiceNow instance, or firewall is blocking access. In general, ACC helps with the rollout of event management.

Use cases: Discovery

In ITOM, ServiceNow has the Discovery product which is agent-less, works through the MID servers, which are pushing commands to interrogate the targets and fetching data to CMDB. Which is a very good concept, but agent-less discovery is not appropriate for every scenario. For example, the customer may not want the MID Server to be able to initiate a connection to some servers. Another issue is that agent-less discovery of End User Computers does not work with mobile and remote worker scenarios.

The benefit here is that having an agent installed on the machines helps manage security demands or policies that cannot be fulfilled with the agent-less approach. In other words, with agent-less discovery, there could be some blind spots in data centers that the agent is able to remove. Also, the ability to discover End User Computers in untrusted environments provides data for many needs.

Use cases: IT Asset Management

Agents can be installed on end-user devices to perform inventory and software metering, which is used by SAM in addition to the normal list of installed software. The agent can be also used to perform some of the automations during the asset lifecycle.

For example, you can auto-update ownership of endpoint devices based on the last logged-in user data. Another example, we can setup a sort of an Asset watchdog for laptop assets which has not been reported be any discovery or other data sources. When the laptop comes online, we can notify the person administering ITAM to validate that the asset is secure. We can also configure workflows for stolen laptops, where ACC can run a self-destruction program which removes the confidential files.

Benefits? ACC contributes to the Inventory management of all software and also reclaims unused software licenses. It brings automation for the complete asset management from the perspective of governance and compliance.

Use cases: ITSM

With installed agents, you can debug incidents, to enrich incident information by collecting additional relevant information. You can run remediations on end points with Integration Hub spokes. In Change Management, you can also collect data for verification after implementing a change.

How can this be done – there are two SN Store apps: Agent Client Collector Spoke, which is a toolset to run flows, and Agent Client Collector Playbook Content – which contains set of commands and pre-defined OS queries that can be used to collect data on systems to analyze, troubleshoot, and resolve incidents. For example, by running a playbook you can have data fetched in real-time during resolution of an incident and visualize them in the “Live CI data” tab in the Operator Workspace UI. Playbooks can be automated and tracked in the ticket history for overview of what has been done during the ticket resolution.

While ACC does not have exhaustive list of remediations, you can obviously use Flow to create your own runbooks. Also, ACC brings you here delegated administration features without sharing passwords, which is always a great idea.

Use cases: SecOps

With the ACC framework, you can automate monitoring, improve your malware detection capabilities and run remediations to manage compliance and security on endpoints.

Here we can use the ACC Spoke again, and it is worth mentioning two bundled sample flows:

Flow for detection of SigHealth CyberAttack, which was one of the most serious breach of public data to date, which saw a total of 1.5 million patient records. Well, this flow will identify the tactics and techniques that were used in that attack.

Second flow is for Managing Compliance for Remote Workers for the monitoring of the end user devices compliance. There are checks to see whether disk encryption is turned on, if firewall is enabled, are updates enabled and being kept up-to-date, or whether an anti-virus is enabled and its definitions are up-to-date.

Benefits of ACC in SecOps? Time matters most in the security response, that’s why it is good to have an agent for the real time monitoring and timely management that is technically easier with the agent.

A bit of what’s behind

I mentioned two concepts in this article.

ACC spoke, which is an IntegrationHub component, that provides a way for customers to automate monitoring, manage compliance, security, and applications of endpoints, on order to make work more efficient.

The Agent is bundled with OSQuery plugin to access and collect metrics and attributes of the operating system.

OSQuery is an Open source framework that can be used to fetch data from endpoint devices with queries like with a database.

To sum it all up

Unified Agent Client Collector offers an opportunity to improve IT Operations, no smaller that this:

Unify the toolset in functional areas of monitoring, compliance, automation, deployments.

Sounds ambitious, but the potential is here to realize the following benefits.

  • Minimize the complexity of the tools portfolio to cover all IT OPS duties (less agents on servers, less maintenance costs, higher security) 
  • Save on licensing costs (less vendors whose price for tool is year to year growing)
  • Simplify the process of deployment of automated remediation 
  • Realtime data from endpoints (cost savings in reporting, less time needed ie. solving incidents) 
  • One tool for management – simpler organization of support

Want to learn more? We did a webinar on the topic of Agent Client Collector! Check out our webinar recording.