Agent Architecture

The BindPlane OP collector supports operating in two modes: agent and aggregator. The mode is not configurable; it is implied by the sources configured. For example, a collector configured with the Nginx source is running in agent mode, while a collector configured with the OTLP source (receiving telemetry from multiple collectors) is running in aggregator mode.

Agent

Agent mode is used for collecting telemetry from an individual system (e.g. a database host or an API server). Agents collect, process, and ship telemetry from that host to a destination. This destination may be your monitoring backend or an additional set of collectors (aggregators), which may perform additional processing and routing.

Collectors running in agent mode do not require additional configuration. Once a collector is installed, you can attach a configuration which gathers local logs, metrics, and traces from the system.

Use Cases

A collector is running in agent mode any time it is deployed to an endpoint system. The following examples do not cover all use cases.

  • NGINX web server
  • PostgreSQL database server

Aggregator

Aggregator mode is used for receiving telemetry from one or more collectors over the network, optionally performing additional processing, and routing to a destination. Aggregator collectors are optional, as agent collectors can ship telemetry directly to your telemetry backend.

Use Cases

1. Isolating Backend Credentials

Instead of deploying credentials to all of your agent systems, you can keep credentials exclusively on the aggregator collectors. This simplifies credential rotation and reduces the attack surface, because credentials are deployed to only a subset of your systems.

2. Offloading Processing Overhead

Generally, you want your agent collectors to perform as little work as possible. If you have heavy processing requirements, it can be useful to offload that processing to a fleet of aggregator collectors.

For example, instead of having agents filter telemetry with an expensive regex operation, you can have the aggregator collectors perform that task. Generally, aggregator collectors run on a dedicated system. The processing overhead can be justified because it does not take compute power away from other services running on the same system, unlike an agent collector that may be running on a database server.

3. Network Security

Aggregator collectors can be located within a DMZ, firewalled from the internal network. You can configure your network to allow your agent collectors to forward to the aggregator collectors while blocking the aggregator collectors from reaching into your application network. This allows you to send telemetry to a cloud-based backend without granting your endpoints access to the internet.

Supported Source Types

Collectors are running in aggregator mode when they are configured with a source type that receives telemetry from multiple remote systems.

Aggregator source examples:

  • OTLP
  • Syslog
  • TCP / UDP

Any source type which handles telemetry from one or more remote agents is considered to be an aggregator.
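
An added example (not BindPlane OP code): a small audit that applies two rules from this page to a fleet inventory, namely that mode is inferred from source types and that backend credentials belong on aggregators rather than on agents that forward to them. The inventory format, host names, the "backend" destination label and the lowercase source identifiers are assumptions made for illustration.

```python
# Added example. Inventory format and host names are constructed for illustration.
# Source types the page lists as receiving telemetry from remote systems.
AGGREGATOR_SOURCES = {"otlp", "syslog", "tcp", "udp"}


def collector_mode(sources):
    """Mode is implicit: one network-receiving source makes it an aggregator."""
    if any(s.lower() in AGGREGATOR_SOURCES for s in sources):
        return "aggregator"
    return "agent"


def audit(fleet):
    """Return (credential_holders, findings) for a list of collector records."""
    by_name = {c["name"]: c for c in fleet}
    holders, findings = [], []
    for c in fleet:
        name, dest = c["name"], c["destination"]
        if c["has_backend_credentials"]:
            holders.append(name)
        if dest not in by_name:
            continue  # ships straight to the backend, which the page allows
        if collector_mode(by_name[dest]["sources"]) != "aggregator":
            findings.append(f"{name}: forwards to {dest}, which has no receiving source")
        if c["has_backend_credentials"]:
            findings.append(f"{name}: holds backend credentials but forwards to {dest}")
    return holders, findings


# Constructed inventory; "backend" stands for the telemetry backend.
FLEET = [
    {"name": "web-01", "sources": ["Nginx"], "destination": "agg-01", "has_backend_credentials": False},
    {"name": "db-01", "sources": ["PostgreSQL"], "destination": "agg-01", "has_backend_credentials": True},
    {"name": "api-01", "sources": ["Nginx"], "destination": "backend", "has_backend_credentials": True},
    {"name": "agg-01", "sources": ["OTLP", "Syslog"], "destination": "backend", "has_backend_credentials": True},
]

if __name__ == "__main__":
    holders, findings = audit(FLEET)
    for c in FLEET:
        print(f'{c["name"]}: {collector_mode(c["sources"])}')
    print("credential holders:", holders)
    for finding in findings:
        print("FINDING", finding)
```

The list of credential holders is the set of hosts to touch during rotation; each finding is a host where a credential can be removed without changing where telemetry flows.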