The BindPlane OP collector supports operating in two modes: Agent and aggregator. The mode is not configurable, it is implicit based on the sources configured. For example, a collector configured with the Nginx source is running in agent mode, while a collector configured with the OTLP source (receiving telemetry from multiple collectors) is running in aggregation mode.
Agent mode is used for collecting telemetry from an individual system. E.g. Database host, API server. Agents are used for collecting, processing, and shipping telemetry from an individual host to a destination. This destination may be your monitoring backend, or an additional set of collectors (Aggregators) which may perform additional processing and routing.
Collectors running in agent mode do not require additional configuration. Once a collector is installed, you can attach a configuration which gathers local logs, metrics, and traces from the system.
A collector is running in agent mode anytime it is deployed to an endpoint system. The following are examples, and do not cover all use cases.
- NGINX web server
- PostgresSQL database server
Aggregator mode is used for receiving telemetry from one or more collectors over the network, optionally performing additional processing, and routing to a destination. Aggregator collectors are optional, as agent collectors can ship telemetry directly to your telemetry backend.
1. Isolating Backend Credentials
Instead of deploying credentials to all of your agent systems, you can keep credentials exclusively on the aggregator collectors. This simplifies credential rotation and reduces the security attack surface as credentials are deployed to a subset of your systems.
2. Offloading Processing Overhead
Generally, you want your agent collectors to perform as little work as possible. If you have heavy processing requirements, it can be useful to offload that processing to a fleet of aggregator collectors.
For example, instead of filtering telemetry with an expensive regex operation, you can have the aggregator collectors perform that task. Generally, aggregator collectors are running on a dedicated system. The processing overhead can be justified because it is not robbing compute power other services running on the same system, unlike an agent collector which may be running on a database server.
3. Network Security
Aggregator collectors could be located within a DMZ, firewalled from the internal network. You can configure your network to allow your agent collectors to forward to the aggregator collectors, while blocking the aggregator collectors from reaching into your application network. This will allow you to send telemetry to a cloud based backend without granting your endpoints access to the internet.
Supported Source Types
Collectors are running in aggregator mode when they are configured with a source type which receives telemetry from multiple remote systems.
Aggregator source examples:
- TCP / UDP
Any source type which handles telemetry from one or more remote agents is considered to be an aggregator.
Updated about 1 month ago