← Back to blog
Observability Apr 16, 2026 · 6 min read

What a 30 MB agent can tell you about your fleet

Live CPU, memory, disk, processes and network — and how we keep the footprint tiny.

Observability has a weight problem. The typical monitoring stack ships a heavyweight agent that pulls in a runtime, a pile of plugins, and a memory footprint that makes capacity planners wince. On a fleet of thousands of hosts, an agent that eats hundreds of megabytes isn't a tool — it's a tax.

We built the Subnomic agent with a different constraint: it should be small enough that you never think about it. Around 30 MB on disk, a flat memory profile, and negligible CPU at idle. Here's what that buys you, and how we keep it lean.

What it sees

Despite the size, the agent surfaces the metrics that matter for understanding a host in real time:

  • CPU — per-core utilization, load average, and the processes driving it.
  • Memory — used, cached, available, and swap pressure.
  • Disk — capacity, I/O throughput and the filesystems approaching full.
  • Processes — a live process table you can sort by resource usage.
  • Network — throughput, connection counts and interface health.

All of it streams live to the control plane over the same outbound tunnel the agent already maintains — no extra ports, no separate metrics pipeline to stand up.

Why small matters

A monitoring agent that degrades the thing it monitors is a contradiction.

Every megabyte the agent consumes is a megabyte your workload can't. On dense fleets and constrained edge hardware, footprint isn't a vanity metric — it's the difference between an agent you deploy everywhere and one you deploy reluctantly. Small footprint means universal coverage, and universal coverage is what makes the data trustworthy.

How we keep it lean

  1. Compiled, not interpreted. A single static binary with no runtime to drag along.
  2. Read from the kernel directly. Metrics come from /proc and /sys — the source of truth — instead of shelling out to a dozen utilities.
  3. Sample, don't busy-loop. The collector wakes on an interval, does its work, and goes back to sleep. Idle CPU stays near zero.
  4. Stream over the existing channel. Reusing the access tunnel means no second connection, no duplicate TLS handshakes, no extra sockets.

Access and observability, together

The real advantage is that metrics and access live in the same agent. When a host spikes, you don't jump between a dashboard and a separate SSH tool — you see the problem and connect to investigate from the same place, with the session recorded automatically. Observability tells you where to look; brokered access lets you act on it without leaving the workflow.

Tiny by design, complete by intent

Thirty megabytes isn't a limitation we apologize for — it's a feature. It means you can run the agent on every host without negotiation, get a live picture of your entire fleet, and keep your resources where they belong: on your workloads.

Want live metrics across your fleet? Book a demo or join the waitlist.

Enjoyed this? Read more on the Subnomic blog.