HostAtlas Agent
The lightweight agent that discovers everything.
A single, statically-compiled Go binary that auto-discovers every service, domain, container, and certificate on your server. Open source. Zero configuration. Install in one command and your infrastructure maps itself within seconds.
Binary size: <10 MB
Collection interval: 60s
CPU overhead: <1%
Config required: 0
Installation
One command. Fully operational.
Run a single curl command and the agent installs itself. The installer detects your architecture (amd64 or arm64), downloads the correct binary from Cloudflare R2, installs it to /usr/local/bin, creates a systemd service, and starts collecting data immediately.
Architecture Detection
The install script detects your CPU architecture automatically and downloads the matching binary. Supports Linux amd64 and arm64 (AWS Graviton, Raspberry Pi, Ampere).
Systemd Service Setup
A systemd unit file is created and enabled automatically. The agent starts on boot, restarts on failure (5-second delay), and logs to journald for easy debugging.
Immediate Data Collection
Within seconds of installation, the agent performs its first discovery scan and begins reporting metrics. Your server appears on the dashboard instantly.
# Install the HostAtlas agent
curl -sSL https://install.hostatlas.app/install.sh | sudo bash -s -- \
--key=YOUR_SERVER_KEY
# Check agent status
$ systemctl status hostatlas-agent
● hostatlas-agent.service - HostAtlas Agent
Loaded: loaded (/etc/systemd/system/hostatlas-agent.service; enabled)
Active: active (running) since Mon 2026-03-31 10:15:22 UTC
Main PID: 1842 (hostatlas-agent)
Tasks: 8 (limit: 4915)
Memory: 18.4M
CPU: 0.4s
Auto-Discovery
Eight categories of infrastructure, discovered automatically.
The agent scans your server across eight distinct discovery categories. Each scan runs within seconds, captures detailed metadata, and reports back to the platform. No configuration files. No service definitions. Everything is detected from the running system.
Running Services
Process table scanning detects running services with version numbers and listening ports.
Domains & Vhosts
Web server config files are parsed to extract every domain hosted on the server.
SSL Certificates
Every SSL certificate is read from disk and parsed for issuer, expiration, SANs, and chain validity.
Cron Jobs
User and system crontabs are parsed to inventory every scheduled task running on the server.
Network Interfaces
Every network interface is enumerated with IP addresses, MAC addresses, and link state.
Listening Ports
All TCP and UDP listening ports are mapped to their owning process for a complete network surface view.
Log Files
Log file locations are discovered across 8 sources for centralized log streaming and analysis.
Docker Containers
Running and stopped containers are enumerated with image, ports, volumes, and resource usage.
Metrics Collection
Seven dimensions of server health. Every 60 seconds.
The agent reads directly from /proc and /sys on Linux for kernel-level precision. Every metric is timestamped, compressed, and shipped to the platform via HTTPS. No intermediate storage. No local database.
CPU (Per-Core)
Per-core and aggregated CPU utilization broken down by user, system, iowait, steal, and idle. Reads from /proc/stat for kernel-level granularity.
- Per-core user / system / iowait / steal / idle
- Aggregated total CPU percentage
- Load averages (1m, 5m, 15m)
Memory
Full memory breakdown from /proc/meminfo including buffers, cached, slab, and swap. Detects memory leaks before they cause OOM kills.
- Used / available / total / cached / buffers
- Swap used / total / percentage
- Slab & page cache breakdown
Disk I/O
Per-mount usage and per-device I/O statistics. Tracks IOPS, throughput, queue depth, and latency from /proc/diskstats.
- Usage per mount (used / total / %)
- Read & write IOPS
- Queue depth & I/O latency
Network (Per-Interface)
Bytes in/out, packets, errors, and drops per interface. Reads from /proc/net/dev for zero-overhead collection.
- RX / TX bytes per interface
- Packet counts, errors, drops
- Bandwidth rate calculations
Processes (Top 5)
The top 5 processes by CPU and memory usage are captured every collection cycle for immediate visibility into resource hogs.
- Top 5 by CPU utilization
- Top 5 by memory consumption
- PID, user, command, RSS
TCP States & File Descriptors
TCP connection state distribution (ESTABLISHED, TIME_WAIT, CLOSE_WAIT) and system-wide file descriptor usage for connection leak detection.
- ESTABLISHED, TIME_WAIT, CLOSE_WAIT counts
- Open file descriptors / system limit
- Connection leak alerting
Plugin System
Deep integrations for the services you run.
When the agent discovers a supported service, it activates the corresponding plugin automatically. Each plugin collects service-specific runtime metrics and configuration details that go far beyond process-level monitoring.
MySQL
SHOW GLOBAL STATUS & VARIABLES. Queries/sec, slow queries, connections, buffer pool, replication lag, InnoDB metrics.
PostgreSQL
pg_stat_activity, pg_stat_database, pg_stat_user_tables. Connections, TX rates, cache hit ratio, dead tuples, replication.
Redis
INFO ALL — memory usage, hit/miss ratio, connected clients, keyspace stats, eviction counts, RDB/AOF persistence.
Nginx
stub_status endpoint — active connections, accepts, requests, reading/writing/waiting workers. Full config tree parsing.
Docker
Docker daemon socket — enumerate containers, per-container CPU/memory/network stats, Compose detection, image updates.
Auto-Activated
Plugins activate automatically when their service is discovered. No manual configuration. If a service is stopped, the plugin deactivates gracefully until the service returns.
Security
Hardened by default. Zero trust by design.
The agent opens no inbound ports, signs every request with HMAC-SHA256, enforces TLS 1.3, and filters sensitive data before transmission. Every command it executes is whitelisted in the source code.
HMAC-SHA256 Request Signing
Every API request includes an HMAC-SHA256 signature computed from the request body and a per-server secret key. The platform verifies the signature before processing any data. Replay attacks are prevented with timestamp-based nonce validation.
TLS 1.3 Enforced
All communication between the agent and platform uses TLS 1.3 exclusively. Older protocol versions are rejected. Certificate pinning ensures the agent only communicates with the genuine HostAtlas API endpoint.
Whitelisted Commands Only
The agent can only execute commands that are explicitly whitelisted in the source code. No arbitrary shell execution. No eval. No user-supplied command strings. The whitelist is auditable in the open-source repository.
No Inbound Ports
The agent makes outbound HTTPS connections only. It never listens on any port, never accepts incoming connections, and never exposes an HTTP endpoint. Your firewall rules remain unchanged.
Sensitive Data Filtering
Passwords, tokens, and private keys are stripped from configuration data before transmission. Environment variables matching sensitive patterns (PASSWORD, SECRET, TOKEN, KEY) are redacted automatically.
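An added Go example, not taken from the HostAtlas source, of the request signing this section describes: HMAC-SHA256 over timestamp + "." + body, carried in X-Agent-Signature and X-Agent-Timestamp, with requests older than 30 seconds rejected. The function names, secret and body are constructed for illustration, and rejecting future-dated timestamps is this example's own choice.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
	"time"
)

const maxAge = 30 * time.Second // the rejection window stated on the page

// mac computes HMAC-SHA256(secret, timestamp + "." + body).
func mac(secret []byte, ts string, body []byte) []byte {
	m := hmac.New(sha256.New, secret)
	m.Write([]byte(ts + "."))
	m.Write(body)
	return m.Sum(nil)
}

// Sign returns the X-Agent-Signature header value for a request.
func Sign(secret []byte, ts string, body []byte) string {
	return "sha256=" + hex.EncodeToString(mac(secret, ts, body))
}

// Verify checks freshness first, then compares the MACs in constant time.
func Verify(secret []byte, sig, ts string, body []byte, now time.Time) error {
	sec, err := strconv.ParseInt(ts, 10, 64)
	if err != nil {
		return errors.New("malformed timestamp")
	}
	// Stale requests are rejected; so are timestamps more than 30s ahead (example's choice).
	if age := now.Sub(time.Unix(sec, 0)); age > maxAge || age < -maxAge {
		return errors.New("timestamp outside 30s window")
	}
	got, err := hex.DecodeString(strings.TrimPrefix(sig, "sha256="))
	if !strings.HasPrefix(sig, "sha256=") || err != nil || !hmac.Equal(got, mac(secret, ts, body)) {
		return errors.New("bad signature")
	}
	return nil
}

func main() {
	secret, body := []byte("constructed-demo-secret"), []byte(`{"cpu":34}`) // constructed values
	sig := Sign(secret, "1711872000", body)
	fmt.Println(sig, Verify(secret, sig, "1711872000", body, time.Unix(1711872010, 0)))
}
```

The timestamp check bounds replay to the 30-second window; rejecting a repeat inside that window additionally requires the verifier to remember recently seen signatures, which this example does not do.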
// Every request is signed with HMAC-SHA256
POST /api/v1/agent/metrics HTTP/1.1
Host: api.hostatlas.app
Content-Type: application/json
X-Agent-Signature: sha256=a1b2c3d4e5f6...
X-Agent-Timestamp: 1711872000
X-Agent-Version: 1.4.2
// Signature computation
signature = HMAC-SHA256(
key: server_secret,
data: timestamp + "." + body
)
// Server verifies signature + timestamp
// Requests older than 30s are rejected
// Only these commands can be executed
// Source: internal/command/whitelist.go
"systemctl restart nginx"
"systemctl restart mysql"
"systemctl restart postgresql"
"systemctl restart redis-server"
"systemctl restart php8.2-fpm"
"ufw deny from {ip}"
"iptables -A INPUT -s {ip} -j DROP"
// ... 21 total whitelisted commands
// Arbitrary execution: BLOCKED
Remote Management
Control your servers without SSH.
The agent receives commands from the platform via secure polling. Restart services, stream logs, run recipes, perform network diagnostics, and provision domains — all from the HostAtlas dashboard.
Service Restart
Restart any of the 21 whitelisted services directly from the dashboard. The agent executes the systemctl command and reports the result within seconds.
Log Streaming
Tail log files in real time from the dashboard. The agent streams the last N lines and continues tailing new entries. No SSH session required.
Recipe Execution
Execute predefined recipes (multi-step command sequences) for common operations like SSL renewal, config reload, or cache clearing.
Network Diagnostics
Run ping, traceroute, dig, and curl from the server's perspective. Diagnose connectivity issues without logging in.
Domain Provisioning
Create vhost configurations, request SSL certificates via Let's Encrypt, and reload the web server — all triggered from the platform.
Self-Update
Trigger agent updates remotely from the platform. The agent downloads the new binary, replaces itself, and restarts under systemd. Zero downtime.
Config File Monitoring
18 default paths. SHA-256 change detection.
The agent monitors critical configuration files for changes. When a file is modified, the agent computes a new SHA-256 hash and reports the change to the platform. You see exactly which files changed and when — without setting up inotify watches or cron jobs.
18 default monitored paths
nginx.conf, my.cnf, postgresql.conf, redis.conf, sshd_config, php.ini, and more
Glob pattern support
Monitor entire directories with patterns like /etc/nginx/sites-enabled/*.conf
SHA-256 hash comparison
Cryptographic hashing detects even single-byte changes with zero false positives
Change timeline
Full history of every config change with timestamps for audit and troubleshooting
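An added Go example, not the agent's own code, of SHA-256 change detection over glob patterns. It assumes a polling design in which each cycle re-expands the globs and hashes every match, so a file newly added to or removed from a watched directory is reported along with modified ones; Snapshot and Diff are hypothetical names.

```go
package main

import (
	"crypto/sha256"
	"fmt"
	"os"
	"path/filepath"
)

// Snapshot expands each glob and maps every matched file to its hex SHA-256.
func Snapshot(patterns []string) (map[string]string, error) {
	out := map[string]string{}
	for _, pat := range patterns {
		matches, err := filepath.Glob(pat)
		if err != nil {
			return nil, err // malformed pattern: fail loudly rather than watch nothing
		}
		for _, path := range matches {
			if data, err := os.ReadFile(path); err == nil { // unreadable entries are skipped here
				out[path] = fmt.Sprintf("%x", sha256.Sum256(data))
			}
		}
	}
	return out, nil
}

// Diff labels every path that differs between two snapshots.
func Diff(old, cur map[string]string) map[string]string {
	changes := map[string]string{}
	for p, h := range cur {
		if oh, ok := old[p]; !ok {
			changes[p] = "added"
		} else if oh != h {
			changes[p] = "modified"
		}
	}
	for p := range old {
		if _, ok := cur[p]; !ok {
			changes[p] = "removed"
		}
	}
	return changes
}

func main() {
	pats := []string{"/etc/nginx/sites-enabled/*.conf", "/etc/ssh/sshd_config"} // from the page's list
	base, _ := Snapshot(pats)
	cur, _ := Snapshot(pats) // in practice taken one collection cycle later
	fmt.Println(len(base), "files hashed, changes:", Diff(base, cur))
}
```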
# Web servers
/etc/nginx/nginx.conf
/etc/nginx/sites-enabled/*.conf
/etc/apache2/apache2.conf
/etc/apache2/sites-enabled/*.conf
/etc/caddy/Caddyfile
# Databases
/etc/mysql/my.cnf
/etc/mysql/mysql.conf.d/mysqld.cnf
/etc/postgresql/*/main/postgresql.conf
/etc/redis/redis.conf
# System
/etc/ssh/sshd_config
/etc/sysctl.conf
/etc/fstab
/etc/hosts
/etc/crontab
# PHP
/etc/php/*/fpm/php.ini
/etc/php/*/fpm/pool.d/www.conf
# Firewall
/etc/ufw/user.rules
/etc/iptables/rules.v4
Attack Mode
When your server is under attack, the agent fights back.
Attack mode is a high-frequency collection state triggered remotely from the platform. The agent switches from 60-second intervals to 5-second intervals, begins tailing access logs in real time, and can execute IP bans via ufw or iptables.
High-Frequency Collection (5s)
Metrics collection interval drops from 60 seconds to 5 seconds. CPU, memory, network, and disk metrics stream at 12x the normal rate for granular visibility during incidents.
Access Log Tailing
The agent begins tailing nginx and Apache access logs in real time, streaming entries to the platform for pattern analysis. Identify attacking IPs, request patterns, and target URLs as they happen.
IP Banning via ufw / iptables
Block attacking IP addresses directly from the dashboard. The agent executes whitelisted ufw or iptables commands to drop traffic from specified IPs immediately.
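An added Go example, not the project's internal/command/whitelist.go, of filling the {ip} placeholder in the whitelisted ban templates safely: the value is accepted only if it parses as a plain IP address, and the command is built as an argv slice rather than a shell string. The action names and the loopback refusal are assumptions of this example, and the inputs are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"net/netip"
)

// allowed maps an action to a fixed argv template. The templates are entries
// from the page's whitelist excerpt; the action names are hypothetical.
var allowed = map[string][]string{
	"restart-nginx": {"systemctl", "restart", "nginx"},
	"ban-ufw":       {"ufw", "deny", "from", "{ip}"},
	"ban-iptables":  {"iptables", "-A", "INPUT", "-s", "{ip}", "-j", "DROP"},
}

// BuildArgv returns the argv for a whitelisted action. The only variable
// token, {ip}, is replaced by the canonical form of a parsed address, so it
// cannot carry flags, spaces, CIDR suffixes or shell metacharacters.
func BuildArgv(action, ip string) ([]string, error) {
	tmpl, ok := allowed[action]
	if !ok {
		return nil, errors.New("action not whitelisted")
	}
	argv := make([]string, 0, len(tmpl))
	for _, tok := range tmpl {
		if tok != "{ip}" {
			argv = append(argv, tok)
			continue
		}
		addr, err := netip.ParseAddr(ip)
		if err != nil || addr.Zone() != "" || addr.IsLoopback() || addr.IsUnspecified() {
			return nil, errors.New("ip parameter rejected")
		}
		if tmpl[0] == "iptables" && !addr.Is4() {
			return nil, errors.New("iptables takes IPv4 only; IPv6 needs ip6tables")
		}
		argv = append(argv, addr.String())
	}
	return argv, nil
}

func main() {
	for _, ip := range []string{"203.0.113.42", "203.0.113.42; id", "-j ACCEPT"} {
		argv, err := BuildArgv("ban-ufw", ip) // inputs are constructed
		fmt.Printf("%q -> %q %v\n", ip, argv, err)
	}
}
```

The resulting slice is meant for exec.Command(argv[0], argv[1:]...), which passes each element as a separate argument without invoking a shell.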
# Collection interval: 5 seconds
# Access log tailing: ENABLED
# Metrics rate: 12x normal
ATTACK 203.0.113.42 → GET /wp-login.php
ATTACK 203.0.113.42 → POST /xmlrpc.php
ATTACK 198.51.100.7 → GET /.env
ATTACK 198.51.100.7 → GET /wp-config.php.bak
# Remote IP ban executed:
$ ufw deny from 203.0.113.42
Rule added
$ ufw deny from 198.51.100.7
Rule added
BLOCKED 2 IPs via ufw
METRICS cpu=34% mem=68% net_rx=482MB/s
Comparison
How HostAtlas Agent compares.
The HostAtlas agent is purpose-built for infrastructure monitoring with auto-discovery, remote management, and zero configuration. Here's how it stacks up against popular alternatives.
| Feature | HostAtlas | node_exporter | Telegraf | Datadog Agent |
|---|---|---|---|---|
| Auto-discovery | Yes | No | No | Yes |
| Zero configuration | Yes | No | No | No |
| Domain / vhost discovery | Yes | No | No | No |
| SSL certificate tracking | Yes | No | Yes | Yes |
| Remote service restart | Yes | No | No | No |
| Log streaming | Yes | No | Yes | Yes |
| Config file monitoring | Yes | No | No | No |
| Attack mode | Yes | No | No | No |
| Open source | Yes | Yes | Yes | No |
| Binary size | <10 MB | ~20 MB | ~200 MB | ~800 MB |
| CPU overhead | <1% | ~1% | ~2-5% | ~5-15% |
| Configuration | None | Flags + Prometheus | TOML config | YAML config |
| Pricing | Included | Free (BYO stack) | Free (BYO stack) | $15/host/mo |
Distribution
Built for Linux. Distributed globally.
The agent is compiled as a static Go binary with no external dependencies. No runtime. No package manager. No shared libraries. It runs on any Linux distribution from Ubuntu 18.04 to the latest Fedora.
Linux amd64
Intel and AMD 64-bit processors. Covers the vast majority of cloud VMs, dedicated servers, and on-premise infrastructure.
Linux arm64
ARM 64-bit processors including AWS Graviton, Ampere Altra, Raspberry Pi 4/5, and Oracle Cloud ARM instances.
Cloudflare R2
Binaries are distributed via Cloudflare R2 with global edge caching. Downloads are fast regardless of server location. Zero egress fees.
install.hostatlas.app
The installer script is hosted on a dedicated subdomain. One curl command handles architecture detection, download, verification, and systemd setup.
Get started
Install the agent. Watch your infrastructure map itself.
One command installs the agent. Within seconds, your server's services, domains, containers, certificates, and cron jobs appear on your dashboard. Metrics start flowing at 60-second intervals. No YAML. No Prometheus. No Grafana. Everything works out of the box.
curl -sSL https://install.hostatlas.app/install.sh | sudo bash -s -- --key=YOUR_SERVER_KEY