Deployment Recommendations for Ephemeral Agents

Environments that deploy and decommission agents frequently (for example, auto-scaling groups, CI/CD runners, or containerized workloads) require additional configuration to prevent inactive agent records from accumulating in Tenable Sensor Proxy.

Reduce Agent Accumulation

By default, Tenable Sensor Proxy retains inactive agents for 21 days. If retained agent tokens exceed Tenable Vulnerability Management's 100,000-token limit, bulk polling requests fail and active agents cannot retrieve jobs.

Note: In Tenable Sensor Proxy 1.4.0 and later, agent data is automatically deleted when an agent is unlinked. However, ephemeral agents do not always unlink cleanly—for example, due to a network outage, pod crash, or forced termination. In those cases, the agent record persists until it ages out, so you should still configure a shorter age-out interval.

To reduce this risk, lower the AgentAgeOutDays value in /opt/sensor_proxy/config/sidecar.json. This process requires root access.

To configure agent age-out:

  1. In your system file manager, navigate to /opt/sensor_proxy/config/.

  2. Open sidecar.json.

  3. Set AgentAgeOutDays to a value lower than the default of 21. For example:

    "AgentAgeOutDays": 7

  4. Save your file changes.

  5. Restart Tenable Sensor Proxy to apply the change.

Unlink Agents Before Decommissioning

For best performance, unlink agents before decommissioning them. When an agent unlinks cleanly, Tenable Sensor Proxy 1.4.0 and later automatically deletes the agent data immediately rather than waiting for the age-out interval to expire.

To unlink an agent as part of your teardown process, run the following command on the agent host before shutting it down:

/opt/nessus_agent/sbin/nessuscli agent unlink

If you manage ephemeral infrastructure with orchestration tools (such as Kubernetes, Terraform, or auto-scaling groups), add the unlink command to your pre-stop or shutdown hook.

Note: If an agent cannot unlink cleanly (for example, due to a crash or network partition), the agent record remains in Tenable Sensor Proxy until the AgentAgeOutDays interval expires. Configure a shorter age-out value to handle these cases.
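The following teardown hook is an added example, not Tenable's own script. It runs the unlink command above with a time limit, so an agent that cannot reach Tenable Sensor Proxy does not stall the shutdown and is left for the age-out interval to remove. NESSUSCLI, UNLINK_TIMEOUT, and the function names are assumptions of this example, and it assumes the coreutils timeout command is available on the agent host.

```shell
#!/bin/sh
# Added example: teardown hook for an ephemeral agent host.
# NESSUSCLI and UNLINK_TIMEOUT are this example's own overridable variables,
# not Tenable settings; the default path is the one used in the command above.
NESSUSCLI="${NESSUSCLI:-/opt/nessus_agent/sbin/nessuscli}"
UNLINK_TIMEOUT="${UNLINK_TIMEOUT:-20}"  # seconds; keep below the shutdown grace period

log() { printf '%s unlink-hook: %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >&2; }

# Returns 0 on a clean unlink, 1 if the unlink failed or timed out,
# 2 if nessuscli is not installed at the expected path.
unlink_agent() {
    if [ ! -x "$NESSUSCLI" ]; then
        log "nessuscli not found at $NESSUSCLI"
        return 2
    fi
    # Bound the call so a network partition cannot stall the shutdown.
    timeout "$UNLINK_TIMEOUT" "$NESSUSCLI" agent unlink && rc=0 || rc=$?
    case "$rc" in
        0)   log "agent unlinked cleanly"; return 0 ;;
        124) log "unlink timed out after ${UNLINK_TIMEOUT}s" ;;
        *)   log "unlink failed (exit $rc)" ;;
    esac
    return 1
}

# Never blocks teardown: on failure the agent record is left for Tenable
# Sensor Proxy to remove when the AgentAgeOutDays interval expires.
teardown_hook() {
    unlink_agent && return 0
    log "agent record will persist until AgentAgeOutDays expires"
    return 0
}

teardown_hook
```

Run the script from the pre-stop or shutdown hook of your orchestration tool, and watch the hook's log output for failed unlinks to judge whether the configured AgentAgeOutDays value is low enough.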