Skip to main content

Host Agents

Lumetry agents collect host-local metrics from Windows and Linux systems. They are useful when a central metric source cannot reach operating-system signals directly.

Connectivity

When a collector address is configured, the agent tries the collector first. If the collector cannot be reached and the Lumetry endpoint is reachable, the agent sends directly to Lumetry.

If neither path is available, the agent keeps metrics in a local disk buffer. The default limit is 500 MB. Once the limit is reached, the oldest data is removed to make room for new measurements.

Fleet controls

Agents are visible as hosts in the Lumetry Deployment Status page with:

  • operating system, version, and relative last-seen age;
  • direct or collector-relayed transport;
  • queue depth and dropped-data count;
  • current series count and samples dropped by the series limit;
  • the rule packs currently active on that host;
  • host-detail CPU, memory, disk, and network history charts;
  • discovered process inventory with expandable per-process CPU, memory, and RSS charts;
  • an optional topology Cluster placement;
  • any number of tags.

An agent can be placed in one topology Cluster. That placement is reflected on the topology map and provides the host-group label used for fleet scopes. Tags are many-to-many and can be shared by any number of agents.

Enable and disable

Disabling an agent stops host collection and metric upload. It does not remove the agent or disconnect its control channel. The agent continues checking its desired state every minute, so it can be enabled again from Lumetry without accessing the host.

Revocation is a separate identity-security operation and is not the same as disabling data collection.

Rule packs

Agents collect by rule packs: versioned collection profiles that map a host's operating system and detected software to a fixed metric set. Packs are delivered to agents automatically through the same configuration channel used for fleet controls, so a pack update reaches the whole fleet without reinstalling anything. Each agent reports the configuration revision it has applied, and the Deployment Status page shows whether every host is in sync.

Each pack declares simple, deterministic match rules — operating system family and, where relevant, the presence of specific services or processes. The agent re-checks these rules continuously, so installing or stopping a service activates or deactivates the matching pack on its own.

Per pack, administrators can:

  • enable or disable the pack for the whole fleet;
  • override the collection interval (10 seconds to 1 hour);
  • for the process pack, list executables that must always be collected.

The Linux host pack covers CPU, memory/swap, load, directory mount capacity/inodes, block IO, network interfaces, and bounded systemd state. File bind mounts, synthetic block devices, loopback interfaces, tunnel placeholders, and common container bridge interfaces are skipped so disk and network charts stay focused on real host resources. The Windows host pack covers PerfMon/WMI CPU and queue, memory, disk capacity/IO, network interfaces, and matched Windows services. The process pack adds executable-keyed CPU, memory, thread/handle, and presence metrics with the same bounded selection behavior on both operating systems. Windows IIS and .NET packs add sites, application pools, workers, requests, queues, recycles, and CLR counters.

IIS sites and application pools are registered with host-specific deterministic identities. Lumetry also creates application-to-host topology dependencies; it does not infer that same-named pools on different hosts are one logical application.

For automatic topology discovery, the owning systemd unit or Windows Service defines a service identity before the executable name is considered. This keeps two independently managed services that share one runtime or binary separate, while the same managed service across several hosts converges to one Component with several host placements. Unmanaged Java, Python, Node.js, and .NET processes use command-line application signals before falling back to the executable name.

The Linux package grants the agent limited process-inspection permission so it can observe processes owned by other operating-system users without running the whole service as root. If the host security policy still hides a process's file descriptors, Lumetry omits that FD sample rather than reporting a misleading zero.

Process metrics and cardinality protection

The process pack identifies workloads by executable name, never by process ID, so a service that restarts keeps one continuous series. Per host, the collected set is the administrator's always-collect list plus the current top consumers by CPU and memory; every other process is aggregated into a single other member. Always-collected executables also report a presence metric even while stopped, which powers the process-down default alert.

Collection volume is bounded on the agent itself: each agent enforces a configurable series limit, and anything beyond the limit is dropped and counted rather than uploaded. The Deployment Status page shows each host's current series count and any drops caused by the limit, so cap pressure is visible instead of silent. The ingest API additionally enforces batch size, payload size, and per-credential rate limits.

Host and process last-seen values are shown as elapsed ages, such as 12 minutes ago, so operators can scan freshness without comparing exact timestamps.

Per-process volume metrics are ingested and browsable but excluded from automatic evaluation by default; the presence metric is evaluated so the process-down default works out of the box. Evaluation for the volume metrics can be enabled per metric in the catalog.

Default alerts

A fresh agent installation produces working alerts without any manual rule setup. Lumetry ships default alert rules bound to the host packs:

  • sustained high CPU;
  • high memory usage;
  • disk usage per mount;
  • load relative to core count;
  • host down (missed agent heartbeats);
  • process down (an always-collected executable stops running);
  • IIS application pool stopped.

Disk and other per-mount or per-host conditions are evaluated per dimension, so one full mount alerts on its own and recovers on its own. Host-down alerts participate in incident correlation and outbound notifications like any other operational alert.

The defaults appear in the Rules page as ordinary editable rules: thresholds can be tuned, levels disabled, or rules deleted, and Lumetry never overrides those changes.

Installation

See Installing Host Agents for Linux and Windows enrollment, service lifecycle, collector routing, and uninstall commands.