Overview
The Linux Endpoint Detection and Response (EDR) agent was built to be safe, performant and reliable, irrespective of workload size on the endpoint.
Red Canary has made specific investments in health and performance to ensure you're getting the best threat detection capabilities possible, without compromising on endpoint performance and stability.
Performance metrics
We continuously collect performance metrics for the agent, including CPU and memory utilization. We also collect detailed information about overall system performance utilization.
Here is an example of raw data collected and sent to our engine:
{
  "ResourceUtilization": {
    "timestamp": "2019-08-26T16:34:20.125630Z",
    "cpu_usage": 0.6107562168318557,
    "mem_private_bytes": 10412032,
    "mem_working_set_bytes": 21295104,
    "load_avg": ...
  }
},
{
  "SystemMemoryUsageProfile": {
    "timestamp": "2019-08-26T16:34:20.125640Z",
    "info": {
      "total": 0,
      "free": 0,
      "available": 0,
      "buffers": 0,
      "cached": 0,
      "kernel_total": 0,
      "kernel_reclaimable": 0,
      "kernel_unreclaimable": 0,
      ...
    }
  }
},
...
This means that...
- We're able to proactively identify performance issues in your environment.
- We don't rely on you to detect an issue and file a support ticket.
- We can determine whether performance issues are caused by existing system performance degradation.
Robust error handling
We continuously collect any errors or warnings that occur during runtime.
Here is an example of raw data collected and sent to our engine:
{
  "Warning": {
    "timestamp": "2019-08-26T16:34:45.685172Z",
    "failure": {
      "IoFailure": {
        "context": "DNS parser fail: dns_message parse: Incomplete(Size(556)), first four bytes of header: [\"00\", \"00\", \"84\"]"
      }
    },
    "context": "Error parsing PcapDns from PcapDnsSubscriber"
  }
},
This means that...
- We're able to proactively identify bugs in the agent in your environment.
- We don't rely on you to detect an issue and file a support ticket.
- Consequently, issues are quickly identified and addressed.
Transparent, Granular & Flexible Reporting
We don't hide behind artificial performance benchmarks. We provide executive reporting of performance metrics and errors for your environment to best empower you and your team.
You can view aggregate health and performance details for all of your endpoints.
From the navigation menu, click the dropdown arrow next to Endpoints, and then click Sensor Performance.
CPU and memory are graphed based on percentiles. If you're new to percentiles, P50 represents the median (50% of endpoints were better, 50% were worse) and P99 represents the highest utilization identified (99% of endpoints were performing better).
For more details, please go to CPU and memory.
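The percentile view described above, as an added example (not Red Canary's code): it averages one field per endpoint from records in the ResourceUtilization shape and computes fleet-wide P50 and P99. The "endpoint" key, the sample values and the nearest-rank method are assumptions; the page does not state how the portal calculates its percentiles.

```python
import json
import math
from collections import defaultdict

# Constructed records in the ResourceUtilization shape shown above. The
# "endpoint" key is a hypothetical addition used only to group samples.
SAMPLE_LINES = """\
{"endpoint": "web-01", "ResourceUtilization": {"cpu_usage": 0.5, "mem_working_set_bytes": 21295104}}
{"endpoint": "web-01", "ResourceUtilization": {"cpu_usage": 0.75, "mem_working_set_bytes": 21299200}}
{"endpoint": "web-02", "ResourceUtilization": {"cpu_usage": 0.25, "mem_working_set_bytes": 19000000}}
{"endpoint": "db-01", "ResourceUtilization": {"cpu_usage": 2.5, "mem_working_set_bytes": 48000000}}
{"endpoint": "db-02", "ResourceUtilization": {"cpu_usage": 1.0, "mem_working_set_bytes": 23000000}}
{"endpoint": "ci-01", "Warning": {"context": "not a utilization record"}}
not json at all
"""

def per_endpoint_mean(lines, field):
    """Average one ResourceUtilization field per endpoint, skipping bad input."""
    samples = defaultdict(list)
    for line in lines.splitlines():
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # tolerate truncated or corrupt lines
        usage = record.get("ResourceUtilization") if isinstance(record, dict) else None
        if not isinstance(usage, dict):
            continue  # some other record type, e.g. Warning
        value = usage.get(field)
        if isinstance(value, (int, float)) and "endpoint" in record:
            samples[record["endpoint"]].append(value)
    return {host: sum(vals) / len(vals) for host, vals in samples.items()}

def percentile(values, p):
    """Nearest-rank percentile: smallest value with at least p% of values at or below it."""
    if not values:
        raise ValueError("no samples")
    ordered = sorted(values)
    rank = max(1, math.ceil(p / 100 * len(ordered)))
    return ordered[rank - 1]

def fleet_summary(lines, field):
    """Fleet P50/P99 of per-endpoint means, plus the endpoints at or above P99."""
    means = per_endpoint_mean(lines, field)
    p99 = percentile(list(means.values()), 99)
    return {"p50": percentile(list(means.values()), 50), "p99": p99,
            "at_or_above_p99": sorted(h for h, m in means.items() if m >= p99)}

if __name__ == "__main__":
    print(fleet_summary(SAMPLE_LINES, "cpu_usage"))
```

With only four endpoints reporting, nearest-rank P99 is the single highest per-endpoint mean, so a small fleet's P99 line tracks its worst endpoint.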