Agent Client Collector for Visibility - Content default checks and policies

Release version: Yokohama

Updated January 30, 2025

6 minutes to read

Summarize

Summarized using AI

Summary of Agent Client Collector for Visibility - Content default checks and policies

The Agent Client Collector for Visibility - Content (ACC-VC) in the Yokohama release provides a comprehensive suite of checks, policies, and a business rule to collect detailed endpoint and software data. These policies run primarily on a daily schedule and support discovery, software asset management (SAM), file-based discovery, and application usage monitoring across Windows, macOS, Linux, and other devices.

Show full answer Show less

Key Features

Policies: ACC-VC includes multiple policies such as Enhanced Discovery, SAM Discovery, SAM Background jobs, Installed Software discovery, and several File-Based Discovery (FBD) policies. These policies collect data on installed software, running processes, software usage, files on devices, and SWID tags, enabling deep visibility into endpoint environments.
Scheduling and Configuration: Most policies run every 24 hours by default, but intervals can be customized (e.g., Enhanced Discovery can run every 4 hours). Some policies are inactive by default and require manual activation via the Discovery Definition Configuration Console (notably the File-Based Discovery policies and web usage monitoring).
File-Based Discovery: Supports scanning files based on customer-defined rules and maintains an allowlist of known software files. It also supports SWID tag scanning and delta scanning to optimize data collection by only sending changed files after the initial full scan.
Checks: Three main check types—Enhanced Discovery, SAM Advanced Discovery, and Installed Software—invoke specific script includes to process data collected by the agent.
Business Rule: The Enhanced Discovery – On CI Delete business rule triggers an endpoint discovery check when a CI is deleted, ensuring data consistency.

Practical Considerations for ServiceNow Customers

Data Volume: Typical daily data ingestion is approximately 572KB per machine, considering about 1500 installed applications and 500 running processes.
System Requirements: For Linux systems, sudo access to certain commands (e.g., dmidecode and ss) is required for full data collection like OS serial numbers and TCP connections.
Activation of Features: File-Based Discovery and web usage monitoring features are disabled by default and require enabling in the Configuration Console to take effect.
Resource Impact: The SAM background log check runs frequently (every 8 minutes) and may cause spikes in system resource consumption due to aggregation of Osqueryd logs.

Expected Outcomes

By implementing ACC-VC's default checks and policies, ServiceNow customers gain automated, scheduled, and detailed visibility into endpoint software installations, usage metrics, file inventories, and device configurations. This supports accurate Configuration Management Database (CMDB) updates, software asset management, and security posture enhancement through continuous endpoint data collection and discovery.

Agent Client Collector for Visibility - Content (ACC-VC) provides various checks and policies as well as a business rule.

Policies

Note:

ACC-VC policies execute at a frequency of once per day. The total data ingested would be approximately 572KB. This takes into consideration an average of approximately 1500 installed software applications and approximately 500 running processes other than CI data per machine.

Table 1. ACC-VC policies
Name	Description	Checks definitions
Enhanced Discovery	Runs on a schedule, by default every 24 hours (86400 seconds). The policy interval can be adjusted, for example to run every 4 hours (set the interval to 14400). The ACC-VC policy configuration is synced to all agents based on the policy filter defined by ACC-VC. Update the following ACC-F system properties, if needed: sn_agent.disco_minimum_threshold_for_rediscovery_minutes: to avoid discovering the system too frequently. sn_agent.disco_disable_ci_clobber_of_agentless_disco: to avoid Discovery conflicts. sn_agent.disco_ci_clobber_of_agentless_disco_threshold_days: to avoid Discovery conflicts.	Enhanced Discovery
SAM Discovery	Responsible for capturing the software installed on any endpoint device, such as Windows desktops or macOS servers.	Software installations and usage metrics
SAM background	Enables a background job for processing the Osqueryd logs for SAM on Windows and macOS endpoint devices.	SAM background log check
SAM background (Non OsqueryD)	Enables a background job to collect SAM information using osqueryi instead of osqueryd.	SAM Background Policy (Non OsqueryD)
Software installed	Responsible for capturing the software installed on all devices except for Windows endpoint devices. The data collected is stored in the [cmdb_sam_sw_install] table. Scheduled to run every 24 hours.	installed software
File-based Discovery background policy	Takes the config file as input from the instance to an agent. Scans the system using config file parameters and stores the output in two separate files on the agent. FBDSAMOutput.json: Stores metadata related to the set of file names generated from the samp_file_name table. FBDFileOutput.json: Stores metadata related to files scanned by a wildcard extension. Runs on the agent when file-based discovery is invoked. For details, see Agent Client Collector File-Based Discovery. Default: false. To activate, navigate to All > Discovery Definition > Configuration Console and in the File Based Discovery section, activate the Enable File Based Discovery toggle switch.	File-based discovery background
File-based Discovery - SAM	Discovers known software files on the endpoint. Uses an allowlist of recognized software filenames maintained by ServiceNow. When a file on disk matches an allowlist entry, FBD uses the FileBasedDiscovery API to identify the collected software metadata (file name, path, size, and version), identifies the software package it belongs to and records the installation on the instance. Unrecognized files are tracked in the unidentified file records table (cmdb_unidentified_file_set). Runs daily. Default: false. To activate, navigate to All > Discovery Definition > Configuration Console and in the File Based Discovery section, activate the Enable File Based Discovery toggle switch.	File-based discovery - SAM
File-based Discovery - SWID tag	Enables SWID tag scanning on a Windows, Linux or macOS platform. When enabled, the scanner looks for .swid, .swidtag, and .cmptag files in the configured scan directories. Stores results in the following tables: cmdb_swid_tag: Parsed SWID tag records cmdb_file_information: Individual file records cmdb_sam_sw_install: Individual software records Default: false. To activate, navigate to All > Discovery Definition > Configuration Console and in the File Based Discovery section, activate the Enable File Based Discovery toggle switch.
File-based Discovery - File management	Discovers files based on customer-defined rules. Administrators configure which file extensions to look for and define filename matching rules such as exact match, starts with, ends with, or contains. This policy builds a device-level file inventory based on the organization's specific needs. Results are stored in the sn_acc_vis_content_device_file_information table. Configure rules in the File Matching rules (sn_acc_vis_contet_file_config) and File extensions (sn_acc_vis_content_file_extension) properties. For details on these properties, see Agent Client Collector File-Based Discovery properties. File Management supports delta scanning; after the initial full scan, only added, modified, and deleted files are sent on subsequent runs. For details on delta scanning, see Agent Client Collector File-Based Discovery. Default: false. To activate, navigate to All > Discovery Definition > Configuration Console and in the File Based Discovery section, activate the Enable File Based Discovery toggle switch.	File-based discovery - File management
VISC Get application metric	Retrieves the SaaS application metrics from the agents. For details on enabling SaaS usage monitoring with ACC-VC, see the SaaS Usage Monitoring with Agent Client Collector [KB2320193] article in the Now Support Knowledge Base.	VISC Get application metric
VISC Get browser extension device init	Initializes the DEX browser extension with the host sysID.	VISC Get browser extension device init
VISC Get browser extension init	Initializes the DEX browser extension with logged-in users.	VISC Get browser extension init
VISC Get URL metrics	Controls the collection of web usage data from Windows and macOS managed devices. Runs daily. Default: Inactive. To activate the policy, set the sn_acc_vis_content.enable_full_monitoring property to true. For details on web usage data system properties, see Web usage data collection tables and fields.	VISC Get URL metrics

Note:

Windows endpoint devices include devices that have a Windows operating system and belong to CI class: computer.

See System properties for more details. For more details on policies, see Checks and policies.

Check type

ACC-VC has the following check types: Enhanced Discovery, SAM Advanced Discovery, and Installed Software.

Enhanced Discovery: This check type is responsible for invoking the EnhancedDiscoveryHandler script include that processes the payload produced by endpoint_discovery.rb as executed by ACC.
Used by File-base Discovery.
SAM Advanced Discovery: This check type is for the SAM Discovery policy that invokes the EnhancedDiscoveryHandler script include for processing the SAM data produced by the sam_advanced.rb file.
Installed Software: This check type for the Software installed policy that invokes the EnhancedDiscoveryHandler script include for processing the installed software data produced by the installed_software.rb file.

Check definitions

Table 2. ACC-VC check definitions
Name	Description
Enhanced Discovery	Synced to all agents based on the policy filter defined by ACC-VC. The Check definition is configured to run with certain assets and determines what gets synced between the agent and the MID Server. For more details on policies, see Checks and policies. Note: For the agent to retrieve the OS serial numbers and TCP connections along with associated running processes, sudo access for “dmidecode” and “ss” is required on Linux systems. For example, this content could be added to /etc/sudoers or to an individual file in /etc/sudoers.d/: `Cmnd_Alias AGENT_ACC_V = /usr/sbin/dmidecode -s baseboard-serial-number,/usr/sbin/dmidecode -s chassis-serial-number,/usr/sbin/dmidecode -s system-serial-number,/usr/sbin/dmidecode -s system-uuid,/usr/sbin/ss -tanp servicenow ALL=(root) NOPASSWD:AGENT_ACC_V`
SAM background log check	Runs every 8 minutes and performs inline aggregation of data generated from Osqueryd logs. After collecting the data, it writes all the intermediate data results into a temporary marker file which is reused in the next run. This reuse limits the number of log files and disk space needed on target systems. Note: You may notice a spike in system resource consumption, as the background aggregation check runs every interval.
Software installations and usage metrics	Collects data every 24 hours.
Installed software	Fetches installed software data for all devices other than Windows and macOS endpoint devices.
File-based discovery background	Runs a file scanning background job on the agent.
File-based discovery	Fetches the file data from the agent.

Business rule

The Enhanced Discovery – On CI Delete business rule triggers the Endpoint Discovery Check when the CI associated with a given CI is deleted from sn_agent_cmdb_ci_agent.

ACC-VC default checks and policies

Yokohama IT Operations Management