Agent Client Collector for Visibility default checks and policies
Summary of Agent Client Collector for Visibility Default Checks and Policies
The Agent Client Collector for Visibility (ACC-V) provides several policies and checks to monitor software and processes across various endpoint devices. The policies execute daily, with a total data ingestion of approximately 572KB, covering around 1500 installed software applications and 500 running processes per machine.
Key Features
- Policies: There are four main policies:
  - Enhanced Discovery
  - Windows SAM Discovery
  - Windows SAM Background
  - Software Installed
- Check Types: ACC-V includes three check types:
  - EnhancedDiscovery
  - SAM Advanced Discovery
  - Installed Software
- Check Definitions: Each policy has a corresponding check definition that is synced to agents based on policy filters.
Key Outcomes
Implementing ACC-V enables ServiceNow customers to effectively capture and manage software installations and running processes across their systems. By utilizing these default checks and policies, organizations can avoid discovery conflicts, manage system resources efficiently, and ensure accurate data collection for both Windows and non-Windows devices.
For optimal performance, customers should ensure proper configurations, including setting system properties to adjust the frequency of discovery and maintaining necessary permissions for data retrieval on Linux systems.
Agent Client Collector for Visibility provides various checks and policies as well as a business rule.
Policy
- Enhanced Discovery Policy
  - This policy runs on a schedule, which defaults to 24 hours (86400 seconds). The policy interval can be adjusted, for example to run every 4 hours (set the interval to 14400). The ACC-V policy configuration is synced to all agents based on the policy filter defined by ACC-V. Update the following ACC-F system properties if needed:
    - [sn_agent.disco_minimum_threshold_for_rediscovery_minutes]: to avoid discovering the system too frequently.
    - [sn_agent.disco_disable_ci_clobber_of_agentless_disco]: to avoid Discovery conflicts.
    - [sn_agent.disco_ci_clobber_of_agentless_disco_threshold_days]: to avoid Discovery conflicts.
- Windows SAM Discovery policy
  - This policy is responsible for capturing the software installed on any Windows endpoint device, such as Windows desktops or Linux and Windows servers.
- Windows SAM background policy
  - This policy enables a background job for processing the Osqueryd logs for SAM on Windows endpoint devices.
- Software installed policy
  - This policy is responsible for capturing the software installed on all devices except for Windows endpoint devices. The data collected is stored in the [cmdb_sam_sw_install] table. The software installed policy is scheduled to run every 24 hours.
See System properties for more details. For more detail on policies, see Checks and policies.
Check type
- EnhancedDiscovery
  - This check type is responsible for invoking the EnhancedDiscoveryHandler script include that processes the payload produced by endpoint_discovery.rb as executed by ACC.
- SAM Advanced Discovery
  - This check type is for the Windows SAM Discovery policy. It invokes the EnhancedDiscoveryHandler script include to process the SAM data produced by the sam_advanced.rb file.
- Installed Software
  - This check type is for the Software installed policy. It invokes the EnhancedDiscoveryHandler script include to process the installed software data produced by the installed_software.rb file.
Check definition
- Enhanced Discovery
  - This policy configuration is synced to all agents based on the policy filter defined by ACC-V. The Check definition is configured to run with certain assets and determines what gets synced between the Agent and the MID Server. For more detail on policies, see Checks and policies.
  - Note: In order for the Agent to retrieve the OS serial numbers and TCP connections along with associated running processes, sudo access for “dmidecode” and “ss” is required on Linux systems. For example, this content could be added to /etc/sudoers or to an individual file in /etc/sudoers.d/:

        Cmnd_Alias AGENT_ACC_V = /usr/sbin/dmidecode,/usr/sbin/ss
        servicenow ALL=(root) NOPASSWD:AGENT_ACC_V

- Windows – SAM background log check
  - The check definition log runs every 8 minutes and performs inline aggregation of data generated from Osqueryd logs. After collecting the data, it writes all the intermediate data results into a temporary marker file which is reused in the next run. This reuse limits the number of log files and disk space needed on target systems.
  - Note: You may notice a spike in system resource consumption as the background aggregation check runs every interval.
- Windows – Software installations and usage metrics
  - This check definition collects the data every 24 hours.
- Installed software
  - This check definition fetches installed software data for all devices other than Windows endpoint devices.
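A least-privilege check for the sudoers entry in the Enhanced Discovery note above, as an added example that is not ServiceNow code: it parses a sudoers fragment and flags anything granted to the servicenow user beyond the two binaries the page lists. The function name `audit_sudoers`, the `EXPECTED` set and the over-broad sample are assumptions constructed for illustration.

```python
import re

# Commands the page's note says the agent needs sudo for.
EXPECTED = {"/usr/sbin/dmidecode", "/usr/sbin/ss"}

# The fragment from the note above, and a constructed over-broad variant.
PAGE_FRAGMENT = """\
Cmnd_Alias AGENT_ACC_V = /usr/sbin/dmidecode,/usr/sbin/ss
servicenow ALL=(root) NOPASSWD:AGENT_ACC_V
"""
OVERBROAD = """\
Cmnd_Alias AGENT_ACC_V = /usr/sbin/dmidecode, /usr/sbin/ss, /usr/bin/*
servicenow ALL=(root) NOPASSWD: AGENT_ACC_V, ALL
"""

def audit_sudoers(text, user="servicenow", expected=EXPECTED):
    """Return findings for `user`'s grants in a sudoers fragment."""
    # Simplified parser (assumption): one rule per line, no continuations,
    # includes, or nested aliases.
    aliases, findings, seen = {}, [], False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"Cmnd_Alias\s+(\w+)\s*=\s*(.+)$", line)
        if m:
            aliases[m.group(1)] = [c.strip() for c in m.group(2).split(",")]
            continue
        m = re.match(rf"{re.escape(user)}\s+\S+\s*=\s*(\([^)]*\))?\s*(.+)$", line)
        if not m:
            continue
        seen = True
        # Drop the NOPASSWD:/PASSWD: tags, then expand aliases to commands.
        spec = re.sub(r"\b(?:NOPASSWD|PASSWD)\s*:\s*", "", m.group(2))
        for item in (c.strip() for c in spec.split(",")):
            for cmd in aliases.get(item, [item]):
                if cmd == "ALL":
                    findings.append("grants ALL commands")
                elif not cmd.startswith("/"):
                    findings.append(f"not an absolute path: {cmd}")
                elif any(ch in cmd for ch in "*?["):
                    findings.append(f"wildcard in command: {cmd}")
                elif cmd.split()[0] not in expected:
                    findings.append(f"unexpected command: {cmd}")
    if not seen:
        findings.append(f"no rule found for user {user}")
    return findings

if __name__ == "__main__":
    print(audit_sudoers(PAGE_FRAGMENT), audit_sudoers(OVERBROAD))
```

Binary locations differ between distributions, so confirm the paths with `command -v dmidecode ss` on the target before changing the expected set; `visudo -cf <file>` checks the syntax of a drop-in before it is installed.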
Business rule
The Enhanced Discovery – On CI Delete business rule triggers the Endpoint Discovery Check when the CI associated with a given CI is deleted from sn_agent_cmdb_ci_agent.