Deployment Recommendations for Ephemeral Agents

Environments that deploy and decommission agents frequently (for example, auto-scaling groups, CI/CD runners, or containerized workloads) require additional configuration to prevent inactive agent records from accumulating in Tenable Sensor Proxy.

Reduce Agent Accumulation

By default, Tenable Sensor Proxy retains inactive agents for 21 days. If retained agent tokens exceed Tenable Vulnerability Management's 100,000-token limit, bulk polling requests fail and active agents cannot retrieve jobs.

Note: In Tenable Sensor Proxy 1.4.0 and later, agent data is automatically deleted when an agent is unlinked. However, ephemeral agents do not always unlink cleanly—for example, due to a network outage, pod crash, or forced termination. In those cases, the agent record persists until it ages out, so you should still configure a shorter age-out interval.

To reduce this risk, lower the AgentAgeOutDays value in /opt/sensor_proxy/config/sidecar.json. This process requires root access.

To configure agent age-out:

  1. In your system file manager, navigate to /opt/sensor_proxy/config/.

  2. Open sidecar.json.

  3. Set AgentAgeOutDays to a value lower than the default of 21. For example:

    "AgentAgeOutDays": 7

  4. Save your file changes.

  5. Restart Tenable Sensor Proxy to apply the change.

Unlink Agents Before Decommissioning

For best performance, unlink agents before decommissioning them. When an agent unlinks cleanly, Tenable Sensor Proxy 1.4.0 and later automatically deletes the agent data immediately rather than waiting for the age-out interval to expire.

To unlink an agent as part of your teardown process, run the following command on the agent host before shutting it down:

/opt/nessus_agent/sbin/nessuscli agent unlink

If you manage ephemeral infrastructure with orchestration tools (such as Kubernetes, Terraform, or auto-scaling groups), add the unlink command to your pre-stop or shutdown hook.

Note: If an agent cannot unlink cleanly (for example, due to a crash or network partition), the agent record remains in Tenable Sensor Proxy until the AgentAgeOutDays interval expires. Configure a shorter age-out value to handle these cases.

Check Linked Agent Count

To verify the number of retained agent records in Tenable Sensor Proxy, run the following command:

/opt/sensor_proxy/sbin/configure -agent-ca-report

Tip: Run this command periodically to confirm that your age-out configuration prevents agent accumulation. If the count continues to grow despite a short age-out interval, verify that agents are unlinking before decommissioning.

  • (Optional) To export details of all agents, use the -export-all-agents flag. By default, this flag exports data in JSON format.

  • (Optional) If you set the -export-all-agents flag, you can append -force-pull-agentdata to force an immediate data pull from Tenable Vulnerability Management instead of waiting for the standard 12-hour interval.

  • (Optional) If you set the -export-all-agents flag, you can append -csv to export the report data to a CSV file instead of the default JSON format.