Components
Luumen agent
A lightweight executable installed on your Patch server. Connects to each managed host on a schedule, collects system data, and pushes it to the Luumen API.
Patch server
A single host inside your environment that runs the agent. Must have network access to every managed host and outbound HTTPS access to the Luumen API.
Monitored hosts
The Linux and Windows hosts the agent connects to. Each host is added through the Luumen UI with its own credentials, or uses a default credential set you configure once.
Luumen API and web app
Hosted by Apiphani (Apiphani-managed deployment) or inside your environment (self-hosted). Receives data from the agent, evaluates compliance checks, ingests vulnerability data from the NVD (and SAP Security Notes when SAP is in scope), and renders the UI.
How data flows
Agent reads its configuration
On each scheduled run, the agent loads its local config.yaml (API endpoint, API key, optional Vault settings) and pulls its remote configuration from the Luumen API. The remote configuration includes the host list, default credentials, and schedule settings — see Agent configuration.
Agent connects to each host
The agent opens an SSH session (Linux) or WinRM session (Windows) to each host in its list using the configured credentials. Connections originate from the Patch server.
Agent collects properties
For each host, the agent runs a fixed set of read commands and queries to collect OS data, hardware data, installed packages, and any application-specific properties configured for your workspace. See What the agent collects.
Agent reports to the Luumen API
Collected properties are sent to the Luumen API over HTTPS using the API key in the local config. Each host’s data is timestamped and persisted.
Network direction
All traffic originates from inside your environment:
- Patch server → hosts — outbound SSH (port 22) or WinRM (port 5985/5986) to each managed host.
- Patch server → Luumen API — outbound HTTPS to the API base URL configured in config.yaml.
No inbound connectivity to the Patch server is required from Luumen’s infrastructure.
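The traffic model above can be turned into a check over firewall or flow logs. The following is an added example, not part of the Luumen product or its documentation: it classifies connection records against the documented directions and ports. All IP addresses, the tuple format (initiator, responder, responder port), and port 443 for the API are assumptions made for illustration.

```python
import ipaddress

# Constructed addresses for illustration; substitute your own inventory.
PATCH_SERVER = ipaddress.ip_address("10.0.5.10")
MANAGED_HOSTS = ipaddress.ip_network("10.0.20.0/24")
ENVIRONMENT = ipaddress.ip_network("10.0.0.0/8")
LUUMEN_API = ipaddress.ip_address("203.0.113.40")  # placeholder for the API host
HOST_PORTS = {22: "SSH", 5985: "WinRM over HTTP", 5986: "WinRM over HTTPS"}
API_PORT = 443  # assumed: default port for an https:// base URL

def classify(src, dst, dport):
    """Classify one flow given as (initiator, responder, responder port)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if dst == PATCH_SERVER:
        if src in MANAGED_HOSTS:
            return "violation", "managed host initiated a connection to the Patch server"
        if src not in ENVIRONMENT:
            return "violation", "inbound connection from outside the environment"
        return "out-of-scope", "internal access to the Patch server (e.g. administration)"
    if src != PATCH_SERVER:
        return "out-of-scope", "flow does not involve the Patch server"
    if dst in MANAGED_HOSTS:
        if dport in HOST_PORTS:
            return "expected", HOST_PORTS[dport]
        return "violation", f"port {dport} to a managed host is not SSH or WinRM"
    if dst == LUUMEN_API and dport == API_PORT:
        return "expected", "HTTPS to the Luumen API"
    return "violation", "egress from the Patch server to an undocumented destination"

def audit(flows):
    """Return (flow, reason) for every flow that breaks the documented model."""
    results = ((f, classify(*f)) for f in flows)
    return [(f, reason) for f, (verdict, reason) in results if verdict == "violation"]

# Constructed sample flows: (initiator, responder, responder port)
SAMPLE_FLOWS = [
    ("10.0.5.10", "10.0.20.11", 22),
    ("10.0.5.10", "10.0.20.12", 5986),
    ("10.0.5.10", "203.0.113.40", 443),
    ("10.0.5.10", "10.0.20.13", 445),
    ("203.0.113.40", "10.0.5.10", 443),
    ("10.0.20.11", "10.0.5.10", 22),
    ("10.0.5.10", "198.51.100.7", 443),
]

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_FLOWS):
        print(flow, "->", reason)
```

The same allow-list maps directly onto egress rules for the Patch server: only the three host ports toward managed hosts and HTTPS toward the API endpoint.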
Deployment topology
- Apiphani-managed
- Self-hosted
- Agent + Patch server: inside your environment, managed by you.
- Luumen API + web app: hosted by Apiphani.
https://ns2-api.apiphani.io/v2/api/v1), and your team accesses the web app at a Luumen-managed URL.
Where the agent fits in your operations
The agent is intentionally separate from the systems it monitors. It runs as a service on a single Patch server, queries hosts over the same protocols your team already uses for remote access, and writes nothing back to those hosts. This means:
- No additional agent installs on production hosts.
- No changes to firewall rules on the systems being monitored.
- No write access required from the agent’s service user — the permissions it needs are read-only (with a small set of sudo exceptions documented in Prerequisites).