How do the Evolven agents work (CPU overhead, impact on network, security risks, etc.)?

Evolven uses intelligent technology to collect granular, detailed information without overloading the server.

Collection

Evolven Agents collect configuration information by querying various environment components through the interfaces provided by the relevant technologies. For example, Windows operating system configuration is collected by parsing files, querying WMI, querying the Windows registry, etc. Information collection for each component is driven by its configuration model (referred to as an application definition, or appDef, in Evolven’s language). The models include a set of dynamic rules describing the architecture of the component configuration. An example of such a rule could be that an application stores its configuration in XML files under its installation folder. Following this rule, the Evolven Agent scans the installation folder of the application recursively, searching for XML files and parsing them, except when a file does not look like configuration (e.g. an XML file larger than 10MB in size).

All of the parsed information is consolidated, normalized and then transferred to a central Evolven repository. Evolven provides out-of-the-box models for many commonly used technologies such as operating systems, databases, application servers, web servers, etc. Starting with the common technologies that Evolven supports out-of-the-box allows the organization to understand Evolven quickly and generate operational value from the first day of setup.

Intelligent Collection

The Evolven Agent has an intelligent collection mechanism designed to capture dynamic configuration information. Some features of the intelligent collection:
  • Only files which have been changed are parsed for more detailed changes
  • Only schema objects which have been added or modified since the last scan are re-queried for changes to the details
  • Agents throttle their collection to use less than a prescribed CPU% (by default 5%)
  • Agents utilize minimum memory (initially 128MB and configurable) to use as little memory resource as possible
  • Agents are schedulable, both for the times when collections can take place (on-demand, nights and weekends, 24/7, etc.) and for how frequently they collect (once per hour by default). Rules can be specified by type of collection or for specific collections.
  • Agents can be configured to use a "good citizen" feature and shut down when the overall CPU exceeds a certain percentage (example: 90%), ensuring business systems receive priority
All these capabilities make the Agent an intelligent mechanism, highly aware that it is functioning in a landscape where the business systems have the highest priority.

Network Consideration

With Evolven collecting tens and hundreds of thousands of parameters on every system, sending every single parameter each time over the network would certainly impact network operations.

Instead, the Evolven Agents limit their impact on the network by applying a piecemeal approach. After an original collection is taken, each subsequent collection is done incrementally. Evolven Agents only collect new information when a higher-level environment object is different. Then only the deltas are collected and sent to an Evolven Server over the network. For example, if a configuration file hasn't changed, there's no reason for the Agent to parse it again. The benefit of this incremental approach is speed of collection and minimum overhead.

The Evolven Agent collects environment information in two stages:
  • Initial collection: Initially the Agent collects and parses all of the configuration data on each monitored server. The amount of data varies according to the applications installed on that machine, but in general Evolven collects between 10Mb and 50Mb of configuration information from each machine. This information is transmitted to the Evolven Server in chunks over the course of the initial scan. Such a scan can take from several minutes to several hours depending on the size of the configuration and the CPU threshold.
  • Incremental change detection: After the initial scan the Agent only sends to the Server the parameters that have changed. This means that usually only a few KB of information are sent during each scan. This keeps the impact of incremental scans very low.
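
The XML collection rule and the two-stage collection described above, sketched as an added example. This is not Evolven's code: the function names, the SHA-256 change check and the parameter-path format are assumptions made for illustration, and the sample file is constructed.

```python
import hashlib, tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

MAX_CONFIG_BYTES = 10 * 1024 * 1024  # the page's example: larger XML is not treated as configuration

def flatten(elem, path=""):
    """Flatten an XML tree into {parameter_path: value} (path format is an assumption)."""
    here = f"{path}/{elem.tag}"
    params = {f"{here}@{k}": v for k, v in elem.attrib.items()}
    if (elem.text or "").strip():
        params[here] = elem.text.strip()
    for i, child in enumerate(elem):
        params.update(flatten(child, f"{here}[{i}]"))
    return params

def scan(install_dir, state):
    """One pass; state is {file: (sha256, params)} from the last pass. Returns (state, delta)."""
    new_state, delta = {}, {}
    for p in sorted(Path(install_dir).rglob("*.xml")):    # recursive scan of the install folder
        if not p.is_file() or p.stat().st_size > MAX_CONFIG_BYTES:
            continue                                       # does not look like configuration
        raw, path = p.read_bytes(), str(p)                 # read-only access to the file
        digest = hashlib.sha256(raw).hexdigest()           # assumed change check (not from the page)
        old_digest, old = state.get(path, (None, {}))
        if digest == old_digest:                           # unchanged file: do not parse again
            new_state[path] = state[path]
            continue
        try:
            new = flatten(ET.fromstring(raw))
        except ET.ParseError:                              # unparsable: report its parameters as gone
            new = {}
        new_state[path] = (digest, new)
        for key in new.keys() | old.keys():
            if new.get(key) != old.get(key):
                delta[f"{path}:{key}"] = (old.get(key), new.get(key))
    for path in state.keys() - new_state.keys():           # file deleted since the last pass
        delta.update({f"{path}:{k}": (v, None) for k, v in state[path][1].items()})
    return new_state, delta

def demo():
    """Constructed sample: the first pass reports everything, the second only the change."""
    with tempfile.TemporaryDirectory() as d:
        cfg = Path(d, "app", "server.xml")
        cfg.parent.mkdir()
        cfg.write_text('<server port="8080"><tls>off</tls></server>')
        state, first = scan(d, {})
        cfg.write_text('<server port="8080"><tls>on</tls></server>')
        state, second = scan(d, state)
    return len(first), list(second.values())
```

Only the `delta` dictionary would need to cross the network after the first pass, which is why an incremental scan sends far less than the initial one.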

Security Consideration

From a security perspective, the Evolven Agent collects information in ‘read-only’ mode. It doesn’t change, write to or remediate any files. Evolven is focused on providing information and does not update any of the components in monitored IT environments. Agents use a system account provided by the Evolven Administrator; this account can be given limited permissions for security purposes.

The Agents communicate with the Evolven Server using the HTTP or HTTPS protocol; HTTPS can be used for added security. Customers can provide their own SSL certificates to control Agent-to-Server authentication. In addition, credential-based Agent authentication can be configured, either at registration time (initial handshake) or for additional operations. This flexibility allows administrators to authorize agents once they have reviewed them in the Evolven GUI (web). There is also an option for additional encryption of sensitive configuration information once it is collected.

For handling complex networks where segments are physically separated, Evolven can collect information locally. The Agent generates an XML file with the collected results that can be transferred and uploaded to an Evolven Server using any communication method defined by the customer.