{"id":1277,"date":"2026-06-24T08:43:48","date_gmt":"2026-06-24T06:43:48","guid":{"rendered":"https:\/\/sven-seeberg.de\/wp\/?p=1277"},"modified":"2026-06-24T08:54:50","modified_gmt":"2026-06-24T06:54:50","slug":"using-llm-agents-to-monitor-managed-server-environments","status":"publish","type":"post","link":"https:\/\/sven-seeberg.de\/wp\/?p=1277","title":{"rendered":"Using LLMs Agents to Audit Managed Servers"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">I recently pondered the question of how self-hosted LLMs can be used to audit servers that I manage with <a href=\"https:\/\/github.com\/saltstack\/salt\">Salt<\/a>. I ended up with vibe coding a <a href=\"https:\/\/github.com\/netzbegruenung\/salt-security-agent\">prototype for an LLM agent<\/a> that runs on the Salt master and compares the server configuration with the definitions in the Salt repository.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Due to obvious security concerns, the number of tools the LLM can use to investigate the Salt minions is rather limited. To start the investigation, it receives a list of all running processes and a task definition of how to investigate. It can then use additional tools like listing files or directories, listing programs listening on network sockets, or getting information about file types. The LLM cannot read the content of files or change anything on the Salt minions. At the same time, the LLM can list, read and grep files in the Salt repository to compare the configuration.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The findings are collected in a report Markdown file per minion along with a summary. Additionally, if configured, the LLM can trigger an e-mail alert if it detects any critical issues. In my experience, the LLMs are rather quick to flag items as critical. I therefore deactivated alerts in the first runs and updated the threat models so that the LLM is better at judging the criticality of discovered problems.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">To my surprise, the results were really helpful, especially compared to the rather small effort that went into creating and configuring the tool. The agent uncovered non-managed Unix users, processes, legacy SSH keys, forgotten SQL dumps, etc. Overall it really helps to keep the server environments clean, reduce config drift and identify potential issues early.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">I tried Gemma 4 with 31B parameters and Mistral 3.5 Medium running on my Framework Desktop. Gemma 4 usually stopped after around 20 to 30 tool calls, while Mistral 3.5 Medium frequently used up to 50 tool calls.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><\/p>\n","protected":false},"excerpt":{"rendered":"<p>I recently pondered the question of how self-hosted LLMs can be used to audit servers that I manage with Salt. I ended up with vibe coding a prototype for an LLM agent that runs on the Salt master and compares &hellip; <a href=\"https:\/\/sven-seeberg.de\/wp\/?p=1277\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-1277","post","type-post","status-publish","format-standard","hentry","category-general"],"_links":{"self":[{"href":"https:\/\/sven-seeberg.de\/wp\/index.php?rest_route=\/wp\/v2\/posts\/1277","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/sven-seeberg.de\/wp\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/sven-seeberg.de\/wp\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/sven-seeberg.de\/wp\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/sven-seeberg.de\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1277"}],"version-history":[{"count":11,"href":"https:\/\/sven-seeberg.de\/wp\/index.php?rest_route=\/wp\/v2\/posts\/1277\/revisions"}],"predecessor-version":[{"id":1289,"href":"https:\/\/sven-seeberg.de\/wp\/index.php?rest_route=\/wp\/v2\/posts\/1277\/revisions\/1289"}],"wp:attachment":[{"href":"https:\/\/sven-seeberg.de\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1277"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/sven-seeberg.de\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1277"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/sven-seeberg.de\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1277"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}