Agent communicates not to the next collector

Hi guys!
We have many collectors around the world. But I noticed that (too) many agents are not connecting to the nearest collector. We have not configured a static collector within the installation routine.

How does that come about? I thought that the agents always connect to the nearest collector.

It's not based on physical closeness per se; rather, it uses a metric which is computed based on round-trip time as well as the number of hops, and then the collector with the lowest metric is used. You can view these metric values in the smartsocket.json file, which is included in the log package if you hit Collect Logs for a specific online agent, then download and unzip the logs once available.

David

1 Like

It's also worth noting that every agent will attempt to test the connection to every collector and the endpoint (as well as any proxies) every 5-10 minutes by default. This polling interval is optionally configurable by Rapid7 support if this frequency is too high.

We also have a jailing interval. By default it is also 5-10 minutes, but it can be adjusted independently. The purpose of jailing is to instruct the agent to not try the unreachable/unresolvable collectors again until x minutes have passed. However, since both polling and jailing are equal by default, there is no functional difference.

We have had some customers request to increase their jailing interval to avoid excessive failed DNS lookups or firewall hits for purposefully blocked connections.

David

1 Like