Collector
Introduction
The Collector is a lightweight agent based on patented technology. It captures and reports network connections, program executions, web requests, and many other activities and properties from the devices of the end-users on which it runs. It is implemented as a kernel driver and accompanying services, offering remote and automated silent installations with negligible impact on the performance of local desktops while minimizing network traffic.
The following figure depicts the role of the Collector within the Nexthink solution.
Collector components
The capability of the Collector for gathering user activity data is shared by the kernel driver and the helper service (or daemon) components. By running close to the operating system, the kernel driver detects some kinds of user activities that are only visible at this level.
Features
Multi-Platform
The Collector is available for both Windows and macOS operating systems. The present documentation states the platforms to which each feature applies. Likewise, the data model details the individual pieces of information collected for each platform.
Applies to platforms | Windows | macOS |
CrashGuard
Since the Windows Collector driver is a kernel-mode component, any error in its internals or its interaction with a misbehaving third-party driver can lead to system instabilities. Even with Nexthink putting as much attention as possible towards delivering bug-free software, the principle of precaution holds.
Applies to platforms | Windows |
Kernel traffic interception
Some applications may send and receive data to and from the network using kernel-mode components, actually hiding their network traffic from user-space monitoring applications. Being a kernel driver itself, the Windows Collector is nevertheless able to detect and report such traffic.
Applies to platforms | Windows |
Paths aliasing
The Collector identifies commonly used paths (e.g. C:\WINDOWS\, C:\Program Files\) and other special mount locations (removable mount points, network drives) with paths aliases. For example, if the DVD-Rom drive is mounted under D:, the Collector reports an application setup.exe being launched from this media as %RemovableDrive%\setup.exe.
Reliable connectivity via TCP
When configured to send data through TCP, the Collector relies on the connection-oriented features of the protocol to ensure that the information reaches the Engine.
In addition, when the connection between the Collector and the Engine is lost or not established yet, the Collector is able to buffer up to 15 minutes of data (a maximum of 2500 packets not older than 15 minutes) to send to the Engine once the connection is (re-)established.
Network switching
A change of network interface is transparent to the Collector, except when it invalidates the DNS resolution of the Engine. In the latter case, the process of adapting to a different network may take a few minutes and the Collector resends the whole context to the Engine.
Event logging
Connection events to the Nexthink Appliance and main errors are written to either the standard Windows event logs or the macOS system log.
On-the-fly configuration
Code signed software
To be able to load and run on Windows devices, the kernel components of the Windows Collector are signed with an official Microsoft certificate. Likewise, user-space components are signed with a valid Nexthink certificate.
In turn, the Mac Collector is signed with the Developer ID certificate of Nexthink and follows Apple notarization process to ensure that it can be installed and run seamlessly on macOS devices.
RELATED TASKS
RELATED REFERENCES
Last updated