Sensor Performance
    • 03 Jul 2024

    The Linux Endpoint Detection and Response (EDR) agent was built to be safe, performant and reliable, irrespective of workload size on the endpoint.

    Red Canary has made specific investments in health and performance to ensure you're getting the best threat detection capabilities possible, without compromising on endpoint performance and stability.

    Performance metrics

    We continuously collect performance metrics for the agent, including CPU and memory utilization. We also collect detailed information about overall system performance and resource utilization.

    Here is an example of raw data collected and sent to our engine:

      {
        "ResourceUtilization": {
          "timestamp": "2019-08-26T16:34:20.125630Z",
          "cpu_usage": 0.6107562168318557,
          "mem_private_bytes": 10412032,
          "mem_working_set_bytes": 21295104,
          "load_avg": ...
        }
      },
      {
        "SystemMemoryUsageProfile": {
          "timestamp": "2019-08-26T16:34:20.125640Z",
          "info": {
            "total": 0,
            "free": 0,
            "available": 0,
            "buffers": 0,
            "cached": 0,
            "kernel_total": 0,
            "kernel_reclaimable": 0,
            "kernel_unreclaimable": 0,
            ...
          }
        }
      },
      ...

    As a result:

    • We’re able to proactively identify performance issues in your environment.

    • We don’t rely on you to detect an issue and file a support ticket.

    • We can determine whether performance issues are caused by pre-existing performance degradation on the system.

    Robust error handling

    We continuously collect any errors or warnings that occur during runtime.

    Here is an example of raw data collected and sent to our engine:

      {
        "Warning": {
          "timestamp": "2019-08-26T16:34:45.685172Z",
          "failure": {
            "IoFailure": {
              "context": "DNS parser fail: dns_message parse: Incomplete(Size(556)), first four bytes of header: [\"00\", \"00\", \"84\"]"
            }
          },
          "context": "Error parsing PcapDns from PcapDnsSubscriber"
        }
      },

    As a result:

    • We’re able to proactively identify bugs in the agent in your environment.

    • We don’t rely on you to detect an issue and file a support ticket.

    • Consequently, issues are quickly identified and addressed.

    Transparent, granular & flexible reporting

    We don’t hide behind artificial performance benchmarks. We provide executive reporting of performance metrics and errors for your environment to best empower you and your team.

    You can view aggregate health and performance details for all of your endpoints.

    From the navigation menu, click Endpoints, and then click Sensor Performance.

    CPU and RAM are graphed using percentiles. If you're unfamiliar with percentiles, P50 represents the median (50% of endpoints were better, 50% were worse), whereas P99 denotes the greatest utilization level (99% of endpoints performed better).
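
    An added example, not Red Canary's code: one way fleet-wide P50 and P99 can be derived from ResourceUtilization records shaped like the raw data shown earlier. The endpoint names, the per-endpoint mean, and the nearest-rank percentile method are assumptions; the page does not state how the graphs are computed.

```python
import math
from collections import defaultdict

def ru(cpu, mem):
    # Constructed record in the page's ResourceUtilization shape (fields trimmed).
    return {"ResourceUtilization": {"cpu_usage": cpu, "mem_working_set_bytes": mem}}

# Constructed sample. Pairing each record with an endpoint name is an assumption:
# the page shows record bodies only, not how they are tied to an endpoint.
ROWS = [
    ("host-a", ru(0.5, 20_000_000)), ("host-a", ru(1.0, 22_000_000)),
    ("host-b", ru(0.25, 10_000_000)),
    ("host-b", {"Warning": {"context": "Error parsing PcapDns from PcapDnsSubscriber"}}),
    ("host-c", ru(2.0, 30_000_000)),
    ("host-d", ru(12.5, 90_000_000)),
    ("host-e", ru(1.0, 25_000_000)),
]

def percentile(values, p):
    """Nearest-rank percentile: smallest sample with at least p% of samples <= it."""
    ordered = sorted(values)
    if not ordered:
        raise ValueError("no samples")
    rank = max(1, math.ceil(p / 100 * len(ordered)))
    return ordered[rank - 1]

def per_endpoint_mean(rows, field):
    """Average one ResourceUtilization field per endpoint; skip other record types."""
    samples = defaultdict(list)
    for endpoint, record in rows:
        body = record.get("ResourceUtilization")
        if body is not None and field in body:
            samples[endpoint].append(body[field])
    return {ep: sum(vals) / len(vals) for ep, vals in samples.items()}

def fleet_summary(rows, field):
    """P50/P99 across endpoints, plus the endpoints sitting at or above P99."""
    means = per_endpoint_mean(rows, field)
    p50, p99 = percentile(means.values(), 50), percentile(means.values(), 99)
    worst = sorted(ep for ep, v in means.items() if v >= p99)
    return {"p50": p50, "p99": p99, "at_or_above_p99": worst}

if __name__ == "__main__":
    for field in ("cpu_usage", "mem_working_set_bytes"):
        print(field, fleet_summary(ROWS, field))
```

    With fewer than 100 endpoints, a nearest-rank P99 is simply the busiest endpoint, so a single outlier sets the P99 line.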

    For more details, please go to Memory and CPU usage.

