
Logs vs Agents vs Network Traffic: Which Performance Monitoring Approach Wins?

This article explains the three main performance‑monitoring approaches—log‑based, agent‑based, and network‑traffic analysis—detailing their data‑collection methods, comparing deployment time, data completeness, impact, risk and scalability, and illustrating their differences with a real‑world failure case.

Efficient Ops

Performance monitoring is achieved through data collection, analysis, visualization, and alerting, with data collection being the crucial first step.

How the Log, Agent, and Network Traffic Analysis Streams Collect Data

Log stream: Logs come from two sources: traditional device log files, whose format and granularity are predefined by vendors, and application‑generated logs created during or after development to capture runtime information. Log systems passively emit machine or application state data without actively querying the application.

Agent stream: Agents are deployed as plugins on servers or embedded code within applications, actively pulling data. Because they run inside the server, agents can capture low‑level, code‑level metrics reflecting the program’s internal behavior.

Network traffic analysis stream: This method mirrors traffic on switches to capture packets exchanged between components in a data center. The mirrored packets are sent to an analysis server, where parsing enables business‑level performance monitoring.

Comprehensive Comparison of the Three Streams

Deployment cycle: Log and agent solutions require long deployment periods (months to years), whereas network packet capture can be set up within weeks.

Data completeness:

Agents cannot be installed on traditional network devices, limiting coverage.

Log systems are relatively comprehensive but have blind spots (e.g., middleware that does not write logs).

Network traffic analysis offers the broadest coverage across all devices.

Impact and risk:

Log and agent solutions consume host resources and may introduce compatibility risks.

Network mirroring is non‑intrusive, requiring no changes to existing architecture, thus posing near‑zero risk.

Scalability: Extending log or agent systems often demands custom development, while adding new packet streams to a network‑mirroring setup is straightforward and forward‑compatible.

Gartner Insight: Network Data Will Drive IT Availability and Performance Management

Gartner predicts that over the next five years network data will play a critical role in IT availability and performance management. TianDan’s performance‑monitoring product leverages this approach.

TianDan has pioneered converting raw network data into high‑value interconnected data for business and network performance monitoring.

In 2017, TianDan became the only Chinese company listed in Gartner’s "Cool Vendor in Performance Analysis" report.

Case Study: Fault Diagnosis Across the Three Streams

A core server at an insurance company crashed due to excessive concurrent accesses. Logs and agents showed 1 request from the web tier turning into 2‑5 requests at the core, leading the application team to blame the network.

Network engineers consulted TianDan’s BPC tool, which revealed that the web server generated 2‑5 requests, each without a response and spaced 300 seconds apart.

Investigation uncovered that the F5 load balancer’s TCP timeout was set to 300 seconds; after this period, the request was retried.

Further analysis showed a Java HTTP client in the web application automatically retries when a request is interrupted, causing repeated attempts that eventually overwhelmed the core system.

The application server sent a transaction that required 12 minutes, exceeding the 300‑second F5 timeout, causing interruption.

The Java HTTP client retried the transaction.

The retry timed out again.

The client retried once more, and the cycle continued.
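The retry cycle above leaves a recognizable signature in traffic data: the same transaction re-sent at the load balancer's timeout interval after an attempt that never got a response. The following sketch is an added example, not part of the original article or of the BPC product; the record layout, host names, transaction IDs and the 5-second tolerance are assumptions, and the sample records are constructed.

```python
from collections import defaultdict

IDLE_TIMEOUT_S = 300   # F5 TCP timeout from the case study
TOLERANCE_S = 5        # assumed jitter allowance around the timeout

# Constructed transaction records, as a traffic analyzer might export them:
# (epoch seconds, client, server, transaction id, response seen?)
SAMPLE = [
    (0,   "web-01", "core-01", "txn-1001", False),
    (300, "web-01", "core-01", "txn-1001", False),
    (600, "web-01", "core-01", "txn-1001", False),
    (900, "web-01", "core-01", "txn-1001", False),
    (10,  "web-01", "core-01", "txn-1002", True),
    (40,  "web-02", "core-01", "txn-1003", False),
    (55,  "web-02", "core-01", "txn-1003", True),
]

def find_timeout_retries(records, timeout=IDLE_TIMEOUT_S, tol=TOLERANCE_S):
    """Return {(client, server, txn): attempts} for transactions re-sent at the
    idle-timeout interval after an attempt that never received a response."""
    by_txn = defaultdict(list)
    for ts, client, server, txn, responded in records:
        by_txn[(client, server, txn)].append((ts, responded))
    findings = {}
    for key, attempts in by_txn.items():
        attempts.sort()
        chain = best = 1
        for (prev_ts, prev_ok), (ts, _) in zip(attempts, attempts[1:]):
            # A retry counts only if the previous attempt went unanswered
            # and the gap matches the timeout within the tolerance.
            if not prev_ok and abs((ts - prev_ts) - timeout) <= tol:
                chain += 1
                best = max(best, chain)
            else:
                chain = 1
        if best > 1:
            findings[key] = best
    return findings

def amplification(records):
    """Requests seen at each server per distinct client transaction."""
    per_server = defaultdict(lambda: [0, set()])
    for _, client, server, txn, _ in records:
        per_server[server][0] += 1
        per_server[server][1].add((client, txn))
    return {s: n / len(txns) for s, (n, txns) in per_server.items()}

if __name__ == "__main__":
    print(find_timeout_retries(SAMPLE))
    print(amplification(SAMPLE))
```

A quick retry that does get answered (txn-1003 in the sample) is not flagged, because its gap does not match the timeout interval.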

By providing end‑to‑end visibility, network‑traffic‑based BPC uncovered the full transaction flow that logs and agents missed, offering reliable evidence for root‑cause analysis.

Based on network traffic analysis, BPC delivers multi‑layer correlation, service‑centric performance management, fault localization, and comprehensive reporting.

Explore the network‑traffic‑based Business Performance Monitoring (BPC) solution – scan the QR code for more details.

Written by

Efficient Ops

This public account is maintained by Xiaotianguo and friends, regularly publishing widely-read original technical articles. We focus on operations transformation and accompany you throughout your operations career, growing together happily.
