What is Onicis

Onicis is an autonomous IT operations platform designed for small and mid-size businesses. It deploys a lightweight agent on each machine in your fleet, continuously monitoring system health -- CPU, memory, disk, running processes, network connectivity -- and reporting events to a central server where an AI classification engine identifies incidents in real time.

When a problem is detected, Onicis does not just create a ticket and wait. It executes an ORBEL runbook -- a human-readable remediation script written in the Open Runbook Expression Language -- directly on the affected machine. The runbook follows a strict diagnose-remediate-verify cycle: it confirms the problem, applies a fix, and validates that the fix worked. If the automated remediation fails, Onicis escalates to your existing ticketing system (Zendesk, Freshdesk, or ServiceNow) with full diagnostic context attached.

The result is fewer tickets, faster resolution, and less 3 AM paging. Your IT team focuses on strategic work while Onicis handles the repetitive operational tasks that consume most of a helpdesk's time: restarting crashed services, clearing full disks, killing runaway processes, flushing DNS caches, and more.

How it Works

Onicis operates in four steps, running continuously on every managed machine:

1. Collect

The agent monitors CPU, memory, disk, and process metrics every 60 seconds. When a threshold is exceeded (e.g. CPU above 90%), it sends an event to the Onicis server.

2. Classify

The server receives the event and classifies the incident type using pattern matching. It determines which ORBEL runbook to execute based on the incident category.

3. Remediate

The matched runbook is sent to the agent for execution. The agent runs the diagnose-remediate-verify cycle locally on the machine, applying the fix and confirming it worked.

4. Report

Results are reported back to the server. If remediation succeeded, the incident is closed automatically. If it failed, Onicis escalates to your ticketing system with full context.

Prerequisites

Before installing the Onicis agent, make sure your machine meets the following requirements:

Operating System: Windows 10+, Windows Server 2016+, or Linux (Ubuntu 18+, Debian 10+, CentOS 7+, RHEL 7+, or any distro with /proc/stat and /proc/meminfo)
Port: TCP port 8888 must be available on the local machine
Permissions: Administrator (Windows) or root (Linux) -- required for restarting services, killing processes, and reading performance counters
Network: Outbound HTTPS (port 443) to api.onicis.com for event reporting (optional for standalone mode)
Build from source (optional): Go 1.21+ if compiling the agent yourself. Pre-built binaries have no external dependencies
Account: An Onicis account with an org token (sign up at app.onicis.com)

Installation -- Windows

Step 1: Get the binary

Option A -- Build from source (requires Go 1.21+):

PowerShell

cd agent
go build -o onicis-agent.exe .

Option B -- Download the pre-built binary from the releases page and place it in a directory such as C:\\onicis\\.

Step 2: Configure environment variables

PowerShell (run as Administrator)

# Required -- authentication token for the agent API
[System.Environment]::SetEnvironmentVariable("ONICIS_TOKEN", "your-secret-token", "Machine")

# Optional -- URL of the central Onicis server (enables automatic monitoring)
[System.Environment]::SetEnvironmentVariable("ONICIS_SERVER_URL", "https://your-org.onicis.com", "Machine")

# Optional -- auth token for the central server
[System.Environment]::SetEnvironmentVariable("ONICIS_SERVER_TOKEN", "server-token", "Machine")

Step 3: Run the agent

For testing, run directly:

PowerShell

.\onicis-agent.exe

# Expected output:
# Onicis Agent listening on 0.0.0.0:8888 (machine: YOUR-MACHINE-NAME)

For production, install as a Windows Service:

PowerShell (run as Administrator)

sc.exe create OnicisAgent binPath= "C:\onicis\onicis-agent.exe" start= auto
sc.exe description OnicisAgent "Onicis Agent - Monitoring and remediation"
sc.exe start OnicisAgent

Step 4: Verify

PowerShell

curl http://localhost:8888/health

# Expected: {"status":"ok","machine":"YOUR-MACHINE-NAME"}

Installation -- Linux

Step 1: Get the binary

Option A -- Build from source (requires Go 1.21+):

bash

cd agent
go build -o onicis-agent .
chmod +x onicis-agent

Option B -- Download the pre-built binary:

bash

curl -L -o /usr/local/bin/onicis-agent https://releases.onicis.com/agent/latest/linux-amd64
chmod +x /usr/local/bin/onicis-agent

Step 2: Create a systemd service

Create the file /etc/systemd/system/onicis-agent.service:

/etc/systemd/system/onicis-agent.service

[Unit]
Description=Onicis Agent
After=network.target

[Service]
Type=simple
ExecStart=/usr/local/bin/onicis-agent
Restart=always
RestartSec=5
Environment=ONICIS_TOKEN=your-secret-token
Environment=ONICIS_SERVER_URL=https://your-org.onicis.com
Environment=ONICIS_SERVER_TOKEN=server-token
User=root

[Install]
WantedBy=multi-user.target

bash

sudo systemctl daemon-reload
sudo systemctl enable onicis-agent
sudo systemctl start onicis-agent

Step 3: Verify

bash

curl http://localhost:8888/health

# Expected: {"status":"ok","machine":"your-hostname"}

First Runbook

Create a file called hello.orb to test the ORBEL pipeline:

hello.orb

runbook "hello_world"
  description: "A minimal runbook to verify the setup"

  cycle:
    diagnose system_health
    remediate clear_temp_files
    verify system_health

Validate and dry-run it with the ORBEL CLI:

terminal

# Validate syntax
orbel validate hello.orb

# Dry-run (shows execution plan without running anything)
orbel run hello.orb

# Push to the platform
onicis runbook push hello.orb
# Runbook "hello_world" uploaded successfully.

Verify Setup

Once the agent is running, confirm everything is working:

terminal

# 1. Health check (no auth required)
curl http://localhost:8888/health
# {"status":"ok","machine":"your-hostname"}

# 2. Run a diagnostic (requires Bearer token)
curl -X POST http://localhost:8888/diagnostic \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer your-secret-token" \
  -d '{"name": "check_cpu_usage", "args": {}}'
# {"success":true,"message":"CPU usage is 23.45% (threshold 90%).","metadata":{...}}

# 3. Check agent logs (Linux)
sudo journalctl -u onicis-agent -f

Agent Endpoints

The agent exposes an HTTP API on port 8888 (bound to 0.0.0.0). All endpoints except /health require a Bearer token via theAuthorization header.

Method	Endpoint	Auth	Description
GET	/health	No	Returns agent status and machine hostname. Use for health checks and uptime monitoring.
POST	/diagnostic	Bearer token	Executes a named diagnostic check and returns the result. Does not modify the system.
POST	/remediation	Bearer token	Executes a named remediation action. Modifies the system (kills processes, restarts services, etc).
POST	/analyze	Bearer token	Runs a full machine analysis: CPU, memory, disk, and top processes. Returns a comprehensive report.

Request body for /diagnostic and /remediation:

JSON body

{
  "name": "check_cpu_usage",
  "args": {
    "threshold": 80
  }
}

Request body for /analyze:

JSON body

{
  "machine": "WORKSTATION-01"
}

Available Diagnostics

Diagnostics are read-only checks that inspect the current state of the machine. They never modify the system.

Name	Description	Args
check_cpu_usage	Measures current CPU utilization percentage.	`threshold` (float, default: 90) -- percentage above which success is false
check_memory_usage	Measures current memory utilization percentage.	`threshold` (float, default: 90)
check_disk_usage	Checks disk usage for a given path.	`path` (string, default: "/" or "C:\\"), `threshold` (float, default: 85)
check_spooler	Checks if the print spooler service is running.	None
check_running_process	Checks if a specific process is currently running.	`name` (string, required) -- process name to look for
check_dns_resolution	Tests DNS resolution for a given hostname.	`host` (string, default: "google.com")
check_gateway_connectivity	Pings the default gateway to verify network connectivity.	None

Available Remediations

Remediations take corrective action on the machine. They require administrator or root permissions.

Name	Description	Args
restart_spooler	Stops and restarts the print spooler service.	None
kill_process	Terminates a running process by name.	`name` (string, required) -- process name to kill
cleanup_temp_files	Removes temporary files to free disk space. Cleans system temp directories.	None
flush_dns	Flushes the DNS resolver cache.	None
restart_outlook	Kills and restarts Microsoft Outlook. Useful when Outlook becomes unresponsive.	None

Background Monitor

When ONICIS_SERVER_URL is configured, the agent starts a background monitor that continuously checks system metrics and sends events when thresholds are exceeded.

Metric	Default Threshold	Event Type	Check Interval
CPU Usage	> 90%	high_cpu_usage	60 seconds
Disk Usage	> 85%	low_disk_space	60 seconds
Memory Usage	> 90%	high_memory_usage	60 seconds

The monitor also sends a heartbeat event (agent_heartbeat) every 5 minutes, including the agent version and uptime. Events are sent via POST to{ONICIS_SERVER_URL}/events/machine with automatic retry (up to 3 attempts with exponential backoff).

If ONICIS_SERVER_URL is not set, monitoring is disabled and the agent runs in standalone mode. The agent logs will show: Monitor: disabled (no ONICIS_SERVER_URL).

Configuration

The agent is configured exclusively through environment variables. There are no configuration files.

Variable	Required	Description
ONICIS_TOKEN	Recommended	Bearer token for authenticating requests to `/diagnostic`, `/remediation`, and `/analyze`. If not set, the agent runs without authentication (not recommended for production).
ONICIS_SERVER_URL	No	Base URL of the central Onicis server. Enables the background monitor, which sends events to `{url}/events/machine`. Example: `https://your-org.onicis.com`
ONICIS_SERVER_TOKEN	No	Bearer token included in event requests to the central server. Required if the server enforces authentication.

Request Examples

Health check

bash

curl http://localhost:8888/health

# Response:
# {"status":"ok","machine":"WORKSTATION-01"}

Check CPU usage

bash

curl -X POST http://localhost:8888/diagnostic \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer your-secret-token" \
  -d '{"name": "check_cpu_usage", "args": {"threshold": 80}}'

# Response:
# {
#   "success": true,
#   "message": "CPU usage is 23.45% (threshold 80%).",
#   "metadata": {
#     "cpu_usage_percent": 23.45,
#     "threshold_percent": 80,
#     "os": "linux"
#   }
# }

Check disk usage for a specific path

bash

curl -X POST http://localhost:8888/diagnostic \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer your-secret-token" \
  -d '{"name": "check_disk_usage", "args": {"path": "/var", "threshold": 70}}'

Check if a process is running

bash

curl -X POST http://localhost:8888/diagnostic \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer your-secret-token" \
  -d '{"name": "check_running_process", "args": {"name": "nginx"}}'

Kill a process

bash

curl -X POST http://localhost:8888/remediation \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer your-secret-token" \
  -d '{"name": "kill_process", "args": {"name": "runaway-app"}}'

Flush DNS cache

bash

curl -X POST http://localhost:8888/remediation \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer your-secret-token" \
  -d '{"name": "flush_dns", "args": {}}'

Full machine analysis

bash

curl -X POST http://localhost:8888/analyze \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer your-secret-token" \
  -d '{"machine": "WORKSTATION-01"}'

ORBEL Overview

ORBEL (Open Runbook Expression Language) is a declarative domain-specific language for describing IT operations runbooks. An ORBEL runbook captures the full diagnostic-remediation-verification cycle that a helpdesk operator or automation engine follows when responding to an incident.

Rather than encoding procedures as opaque scripts, ORBEL makes each runbook human-readable, version-controllable, and auditable. Every step is explicit and every outcome is recorded -- no hidden side effects.

ORBEL source files use the .orb extension and must be encoded in UTF-8.

Syntax

Every ORBEL file defines a runbook with a name, optional description, optional parameters, and one or more cycle blocks. Each cycle contains ordered steps: diagnose, remediate, and verify.

Structure

runbook "<name>"
  description: "<what this runbook does>"

  params:
    hostname: string
    threshold: int

  cycle:
    diagnose <target> [qualifiers]
    remediate <action>
    verify <target> [qualifiers]

Comments start with # and extend to the end of the line. Variables reference parameters using the $name syntax.

# This is a comment
diagnose dns_resolution with host "$hostname"  # inline comment

ORBEL supports five parameter types:

Type	Description	Example
string	UTF-8 text value	"hello"
bool	Boolean value	true, false
int	Integer number	42, 0, -1
float	Floating-point number	3.14, 0.5
enum[...]	Constrained set of values	enum[hr\|finance\|it]

Features (v0.2)

ORBEL v0.2 introduces several features for production runbook authoring:

Feature	Syntax	Description
retry	retry 3 times interval "10s"	Retry a failed cycle up to N times with an interval between attempts.
timeout	timeout "30s"	Maximum execution time per cycle. Supports "s" (seconds), "m" (minutes), "h" (hours).
notify	notify to "telegram"	Send a notification when the cycle completes. Channels: "email", "slack", "telegram".
escalate	escalate to "zendesk"	Escalate to a ticketing system if remediation fails. Targets: "zendesk", "freshdesk", "jira".
if failed / if passed	if failed: stop	Conditional logic after a diagnose or verify step. Execute different actions based on the result.
import / use	import "common.orb" as common	Import and reuse cycles from other runbook files. Enables modular runbook composition.

ORBEL Examples

1. cpu_runaway.orb -- Detect and kill runaway processes consuming excessive CPU.

cpu_runaway.orb

runbook "cpu_runaway"
  description: "Kill runaway processes consuming excessive CPU"

  cycle:
    timeout "30s"
    retry 2 times interval "10s"
    notify to "slack"

    diagnose cpu_usage
      if failed:
        remediate kill_top_cpu_process
        verify cpu_usage

2. disk_full.orb -- Free disk space by purging old logs when usage exceeds 90%.

disk_full.orb

runbook "disk_full"
  description: "Free disk space by purging old logs"

  cycle:
    timeout "60s"
    notify to "email"
    escalate to "zendesk"

    diagnose disk_usage with path "/" threshold 90
      if failed:
        remediate clear_old_logs
        remediate vacuum_journal
        verify disk_usage with path "/" threshold 80

3. printer_spooler.orb -- Restart the print spooler when it stops responding.

printer_spooler.orb

runbook "printer_spooler"
  description: "Restart the print spooler service"

  cycle:
    timeout "30s"
    notify to "telegram"

    diagnose spooler_status
      if failed:
        remediate restart_spooler
        verify spooler_status

4. password_reset.orb -- Parameterized runbook for user password resets.

password_reset.orb

runbook "password_reset"
  description: "Reset a user password and verify account status"

  params:
    username: string
    department: enum[hr|finance|it|engineering]

  cycle:
    timeout "30s"
    escalate to "freshdesk"

    diagnose account_status with user "$username"
      if failed:
        stop
    remediate reset_password with user "$username"
    verify account_status with user "$username"
    notify to "email"

5. service_restart.orb -- Restart a service with retry logic.

service_restart.orb

runbook "service_restart"
  description: "Restart a failed service with retry"

  params:
    service_name: string

  cycle:
    timeout "120s"
    retry 3 times interval "15s"
    notify to "telegram"
    escalate to "zendesk"

    diagnose service_status with name "$service_name"
      if failed:
        remediate restart_service with name "$service_name"
        verify service_status with name "$service_name"
          if failed:
            escalate to "zendesk"

Validation and Tooling

Use the ORBEL CLI to validate, format, and lint your runbooks before deploying them:

terminal

# Validate syntax and semantics
orbel validate my-runbook.orb

# Lint for errors and warnings
orbel lint my-runbook.orb

# Auto-format to canonical style
orbel fmt my-runbook.orb

# Check formatting without modifying
orbel fmt my-runbook.orb --check

A VS Code extension is available for syntax highlighting, inline validation, and auto-completion of ORBEL keywords and targets. Search for "ORBEL" in the VS Code marketplace.

CLI Overview

The ORBEL CLI (orbel) is the command-line tool for working with ORBEL runbook files. It provides parsing, validation, formatting, linting, dry-run execution, and access to the community runbook registry.

terminal

# Install via pip
pip install orbel

# Verify installation
orbel version

orbel parse

Parse and display the structure of an ORBEL file.

usage

orbel parse <file> [--json] [--verbose]

Flag	Description
--json	Output the parsed AST as JSON instead of human-readable text.
--verbose	Print additional status messages to stderr.

example

orbel parse cpu_runaway.orb --json

# Output: full JSON representation of the runbook AST

orbel validate

Validate an ORBEL file for syntax and semantic errors. Exits with code 1 if validation fails.

usage

orbel validate <file>

example

orbel validate my-runbook.orb
# Output: ✓ Validation successful

orbel fmt

Auto-format ORBEL files to the canonical style. Without arguments, formats all .orbel files in the current directory.

usage

orbel fmt [files...] [--check] [--verbose]

Flag	Description
--check	Check formatting without modifying files. Exits with code 1 if any file needs formatting.
--verbose	Print status for each file, even if already formatted.

example

# Format all files in the current directory
orbel fmt

# Check formatting in CI
orbel fmt --check
# Exit code 0 = all formatted, 1 = needs formatting

orbel lint

Lint ORBEL files for errors and warnings. Checks for parse errors, validation errors, and best-practice warnings (missing if failed handlers, excessive retry counts, long timeouts).

usage

orbel lint [path] [--format text|json]

Flag	Description
path	File or directory to lint. Defaults to current directory.
--format	Output format: `text` (default) or `json` for machine-readable output.

Warning codes:

Code	Description
W001	Diagnostic step has no `if failed:` handler
W003	Retry count exceeds recommended maximum of 5
W004	Timeout exceeds recommended maximum of 300 seconds
W005	Runbook has no params block

example

orbel lint ./runbooks/ --format json

# Output: JSON array of files with issues, severity, codes, and messages

orbel run

Dry-run an ORBEL file. Displays the execution plan without running any commands or making changes to the system.

usage

orbel run <file>

example

orbel run disk_full.orb

# Output:
# Execution Plan for: disk_full
# Description: Free disk space by purging old logs
#
# --- Cycle 1 ---
# Diagnostics:
#   → Check disk_usage
# Remediations:
#   → Execute clear_old_logs
#   → Execute vacuum_journal
# Verifications:
#   → Verify disk_usage

orbel list

List available diagnostic targets, remediation actions, runbook files, or domains.

usage

orbel list targets|actions|runbooks|domains [--domain <domain>]

Subcommand	Description
targets	List all valid diagnostic targets. Optionally filter by `--domain`.
actions	List all valid remediation actions. Optionally filter by `--domain`.
runbooks	Find and list all `.orbel` files in the current directory tree.
domains	List all available domains with their target and action counts.

example

orbel list domains

# Output:
# Available domains:
#   networking       12 targets, 8 actions
#   storage           6 targets, 4 actions
#   ...

orbel new

Create a new runbook from a starter template. Generates a .orbel file with the correct structure.

usage

orbel new <name>

example

orbel new memory-cleanup
# Output: ✓ Created memory-cleanup.orbel

orbel registry

Browse and install runbooks from the ORBEL community registry.

usage

orbel registry list              # List all categories and counts
orbel registry search <term>     # Search by name, description, or tags
orbel registry show <name>       # Display full runbook source
orbel registry install <name>    # Download runbook to current directory

example

# Search for disk-related runbooks
orbel registry search disk
# Found 3 runbook(s) matching 'disk':
#   disk_full                        Free disk space by purging old logs
#                                    tags: storage, cleanup, linux
#   ...

# Install a runbook
orbel registry install disk_full
# Installed disk_full -> ./disk_full.orbel

orbel version

Display the ORBEL CLI version.

usage

orbel version
# Output: ORBEL CLI v0.2.0
# The open expression language for IT runbook automation

Zendesk

Connect Onicis to Zendesk to automatically create and sync tickets when escalation is triggered. When a runbook fails to remediate an issue, Onicis can create a Zendesk ticket with full diagnostic context -- system metrics, runbook output, and remediation history.

Environment variables:

Variable	Required	Description
ZENDESK_SUBDOMAIN	Yes	Your Zendesk subdomain (e.g. `mycompany` for mycompany.zendesk.com)
ZENDESK_EMAIL	Yes	Email address of the Zendesk API user
ZENDESK_TOKEN	Yes	Zendesk API token (generate at Admin > Channels > API)

Setup steps:

In your Zendesk admin panel, go to Admin > Channels > API and generate an API token.
Set the three environment variables on your Onicis server.
Go to Settings > Integrations in the Onicis dashboard and click Connect Zendesk.
Map your escalation policies to Zendesk ticket groups.
Test the connection: onicis config test zendesk

Capabilities:

Sync tickets bi-directionally between Onicis and Zendesk
Auto-triage incoming tickets using AI classification
Create tickets with diagnostic context on escalation
Update ticket status when runbooks resolve issues

Freshdesk

Connect Onicis to Freshdesk for ticket synchronization and automated triage.

Environment variables:

Variable	Required	Description
FRESHDESK_DOMAIN	Yes	Your Freshdesk domain (e.g. `mycompany` for mycompany.freshdesk.com)
FRESHDESK_API_KEY	Yes	Freshdesk API key (find at Profile Settings > API Key)

Setup steps:

In Freshdesk, go to your profile settings and copy your API key.
Set FRESHDESK_DOMAIN and FRESHDESK_API_KEY on your Onicis server.
Go to Settings > Integrations in the Onicis dashboard and click Connect Freshdesk.
Map escalation policies to Freshdesk groups.
Test with onicis config test freshdesk.

Receive real-time incident notifications on Telegram. Onicis sends formatted HTML messages for workflow completions, incident alerts, and escalation events.

Environment variables:

Variable	Required	Description
ONICIS_TELEGRAM_TOKEN	Yes	Bot token from @BotFather
ONICIS_TELEGRAM_CHAT_ID	Yes	Target chat or group ID for notifications

How to create a Telegram bot:

Open Telegram and search for @BotFather.
Send /newbot and follow the prompts to name your bot.
Copy the bot token provided by BotFather.
Add the bot to your team's group chat (or use a direct chat).
Get your chat ID by sending a message to the bot and visiting https://api.telegram.org/bot<TOKEN>/getUpdates.
Set ONICIS_TELEGRAM_TOKEN and ONICIS_TELEGRAM_CHAT_ID on your Onicis server.

Notification types:

Workflow Complete: Sent when a runbook cycle finishes. Includes runbook name, status (SUCCESS/FAILED), result message, and any errors.
Incident Alert: Sent when a new incident is detected. Includes workflow name, ticket count, and alert message.

ServiceNow

Connect Onicis to ServiceNow for incident management via the ServiceNow Table API.

Environment variables:

Variable	Required	Description
SN_INSTANCE	Yes	ServiceNow instance name (e.g. `mycompany` for mycompany.service-now.com)
SN_USERNAME	Yes*	Basic auth username. Required when not using OAuth.
SN_PASSWORD	Yes*	Basic auth password. Required when not using OAuth.
SN_CLIENT_ID	No	OAuth client ID. When set, triggers OAuth flow instead of Basic auth.
SN_CLIENT_SECRET	No	OAuth client secret. Required when `SN_CLIENT_ID` is set.

Status: Available

ServiceNow integration is available with Basic auth and OAuth support. Configure your instance credentials and connect via the Onicis dashboard.

Coming Soon

The following integrations are planned for upcoming releases:

Jira -- Create and track issues from escalation events. Supports Jira Cloud and Jira Server.
Slack -- Real-time incident notifications and interactive runbook approvals via Slack channels.
Microsoft Teams -- Incident notifications and status updates via Teams webhooks.

Troubleshooting

Agent not starting / "Connection refused" on port 8888

Cause: The agent process is not running, or another application is using port 8888.

Solution:

Linux: check status with sudo systemctl status onicis-agent. Start with sudo systemctl start onicis-agent.
Windows: verify onicis-agent.exe is running in Task Manager. If installed as a service: sc.exe query OnicisAgent.
Check if port 8888 is in use: netstat -tlnp | grep 8888 (Linux) or netstat -an | findstr 8888 (Windows).
Check agent logs for startup errors.

"Unauthorized" (HTTP 401)

Cause: The Bearer token in the request does not match the ONICIS_TOKEN configured on the agent.

Solution:

Verify the Authorization header format: Authorization: Bearer <your-token>.
Confirm ONICIS_TOKEN is set correctly on the machine running the agent.
If ONICIS_TOKEN is not set, the agent runs without authentication and will not return 401.
Restart the agent after changing environment variables.

Alerts not firing / Monitor not sending events

Cause: ONICIS_SERVER_URL is not configured, or the server is unreachable.

Solution:

Verify ONICIS_SERVER_URL is set: check agent logs for "Monitor: disabled (no ONICIS_SERVER_URL)".
Test connectivity to the server: curl -v $ONICIS_SERVER_URL/events/machine.
Check firewall rules between the agent machine and the server.
Verify ONICIS_SERVER_TOKEN is correct if the server requires authentication.
Ensure diagnostic collection is succeeding (check for "skipping ... threshold check, collection failed" in logs).

Remediation fails / "Access denied"

Cause: The agent does not have sufficient permissions to execute the remediation.

Solution:

Linux: the agent must run as root to kill processes, restart services, and clean system directories.
Windows: run the agent as Administrator or install as a service with SYSTEM privileges.
Check the systemd service file: User=root must be set.

ORBEL validation errors

Cause: Syntax or semantic errors in your .orb file.

Solution:

Run orbel lint <file> for detailed error messages with line numbers.
Common errors: misspelled keywords, missing cycle block, invalid target names.
Use orbel list targets and orbel list actions to see valid names.
Run orbel fmt <file> to auto-fix formatting issues.

"Unknown diagnostic" or "Unknown remediation"

Cause: The name field in the request does not match any registered diagnostic or remediation.

Solution:

Valid diagnostics: check_cpu_usage, check_memory_usage, check_disk_usage, check_spooler, check_running_process, check_dns_resolution, check_gateway_connectivity.
Valid remediations: restart_spooler, kill_process, cleanup_temp_files, flush_dns, restart_outlook.
Names are case-sensitive and use snake_case.

"Failed to read CPU usage" / "/proc/stat" errors

Cause: On Windows: performance counter unavailable. On Linux: insufficient permissions or /proc not mounted.

Solution:

Run the agent as Administrator (Windows) or root (Linux).
Verify /proc is mounted: ls /proc/stat (Linux).

FAQ

What operating systems are supported?

Windows 10+, Windows Server 2016+, and major Linux distributions (Ubuntu 18+, Debian 10+, CentOS 7+, RHEL 7+). macOS support is in beta.

Does the agent need root access?

The agent runs as a system service and requires elevated permissions to execute remediation steps such as killing processes or restarting services. It can run in read-only mode for monitoring without root, but remediations will fail.

How are runbooks triggered?

The AI engine continuously analyzes incoming metrics and events. When a known pattern is matched above the confidence threshold, the corresponding ORBEL runbook is executed automatically on the target machine.

Can I disable auto-remediation?

Yes. You can set any runbook to "monitor-only" mode, which will classify and alert without executing remediation steps. This is configured per-runbook in the Onicis dashboard.

Is data encrypted in transit?

All communication between agents and the platform uses TLS 1.3. Data at rest is encrypted with AES-256.

What happens if the agent loses connectivity?

The agent continues monitoring and collecting metrics locally. It buffers events and syncs them when connectivity is restored. No data is lost. Diagnostics and remediations can still be executed locally via the agent API on port 8888.

Can I run the agent without internet access?

Yes. The agent runs fully on the local machine. Without ONICIS_SERVER_URL configured, it will not send events to the central server, but all local diagnostics and remediations remain functional via the HTTP API on port 8888.

Can I write custom remediations?

ORBEL is extensible. You can define custom diagnose and remediate blocks that call any shell command, PowerShell script, or bash script. The agent executes whatever commands are specified in the runbook.

How do I update the agent?

Download the latest binary from the releases page, stop the running agent (via systemd on Linux or the Windows service manager), replace the binary, and restart the service. The agent has no external dependencies — it is a single binary.

What data does the agent collect?

The agent collects system metrics: CPU usage, memory usage, disk usage, running processes, print spooler status, DNS resolution, and gateway connectivity. No user data, file contents, or browsing history is collected.

Can I write custom ORBEL blocks?

Yes. ORBEL supports custom diagnose, remediate, and verify blocks. Each block can run arbitrary shell commands. See the ORBEL Reference section for syntax details.

What is the difference between a diagnostic and a remediation?

A diagnostic checks the current state of the system (e.g., CPU usage, disk space) and returns a result without making changes. A remediation takes corrective action (e.g., killing a process, clearing temp files). Diagnostics are read-only; remediations modify the system.

How do I backup my runbooks?

ORBEL runbooks are plain-text .orb files. Store them in version control (Git) alongside your infrastructure code. You can also use orbel registry install to restore runbooks from the community registry.

Does it support Active Directory environments?

The agent runs as a local service and does not interact with Active Directory directly. However, ORBEL runbooks can include PowerShell commands that query or modify AD objects, provided the agent runs with appropriate domain credentials.

How do I get support?

Pro plans have community support via GitHub Discussions. Business plans include priority email support with a 24h SLA. Enterprise plans include a dedicated support engineer.

Changelog

v1.0.0March 2026

Initial public release of the Onicis platform.
Lightweight agent for Windows and Linux with HTTP API on port 8888.
7 built-in diagnostics: CPU, memory, disk, spooler, process, DNS, gateway.
5 built-in remediations: restart spooler, kill process, cleanup temp files, flush DNS, restart Outlook.
Background monitor with CPU (90%), disk (85%), and memory (90%) thresholds.
Heartbeat reporting every 5 minutes with agent version and uptime.
AI-powered incident classification engine.
ORBEL v0.2 runbook language with cycle/diagnose/remediate/verify syntax.
ORBEL features: retry, timeout, notify, escalate, conditionals, imports.
ORBEL CLI with parse, validate, fmt, lint, run, list, new, and registry commands.
Community runbook registry with search and install.
Integrations: Zendesk, Freshdesk, Telegram, ServiceNow.
Real-time dashboard with incident history and analytics.
VS Code extension for ORBEL syntax highlighting.
14-day free trial for Pro and Business plans.