Forum Discussion

Dave_Lee
21 days ago

Windows agent-based monitoring

By far the most time consuming and difficult parts of onboarding a customer into our managed services is getting servers onboarded.

We advise customers to use Group Policy to push out settings for Windows Firewall and add the monitoring users to some groups. We also advise using it to run a PowerShell script on each server to implement least priv access. This is based largely on the same code LM uses in the Non-Admin script with a bunch of extra features we've added ourselves. Getting this GPO implemented though often requires jumping through a lot of change control and security related questions. In larger organisations, it often requires several levels of approval before it can be implemented. Then we have the non-domain joined machines, which need this all run manually.

It's often not practical to install collectors in each subnet, so we also need to get a whole host of firewall rules opened up across the network to allow the collectors to reach each server to be monitored. Again, it is time-consuming to explain the requirements, get approval and get it implemented.

In cases where we need to monitor applications, like SQL Server, this requires more ports being opened - sometimes custom ports depending on how it's been set up - and additional permissions for user accounts, which again we always try to do with 'least priv' in mind.

I know LM is all about "agentless" but it would be great if we could have a lightweight agent for Windows (and maybe Linux) that could collect data for a machine then forward it to a local collector for onward transmission to LM. It would reduce requirements for a lot of network changes. I'm not sure if this could also reduce the need for running scripts etc. for "least priv" access. Possibly not, as I guess running this agent thing as SYSTEM wouldn't be ideal either.

I'm talking out loud here a little, but wondering if others have similar frustrations with getting servers into monitoring.

2 Replies

  • I completely agree. I don't really like making so many changes to a customer's environment to bring in monitoring. The good thing about being agent-less is not having to touch and modify each system being monitored. And it's good for network and equipment, but in the case of Windows least-priv you end up touching all of them anyway, so you don't get much benefit from it.

    Having a Windows agent would be a great option. I have used nano collectors in the past in some situations like an agent, but it's not ideal. It's not very lightweight and the LM portal isn't really designed with that setup in mind.

    • Dave_Lee

      Agree that installing a collector on individual monitored servers isn't the answer. It does seem too heavy for monitoring just itself - even the nano version. We've previously used it on Domain Controllers and it was by far the largest consumer of memory on the box. Customers generally aren't happy to allow outbound Internet access from all their servers (although granted, it is one endpoint and over HTTPS).

      We have a bunch of customers moving over from an old SCOM environment where there is an agent on each box, and a gateway that acts as a collector and forwards the data into SCOM. That would be a great pattern to be able to follow with LM as it would really simplify Windows monitoring.