uberAgent

Changelog and Release Notes

Version 7.0

New features

  • Citrix session monitoring (Windows) [B19]: uberAgent now determines bandwidth usage per Citrix HDX virtual channel, records applied Citrix session policies & collects important session state information (including video codec and color space).
  • Elasticsearch 8 [B274]: added support for Elasticsearch 8 and Elasticsearch data streams.
  • Event triggers for timers (Windows) [B267]: new event-based trigger option for timers to collect data when something happens, e.g., a user logs on. Event triggers are compatible with classic timers that collect data at fixed intervals.
  • Intelligent disk buffering [B636]: evolution of the persistent output queue introduced with 6.2. Events are sent directly to the backend if possible; events are only buffered to disk if network connectivity is unavailable.
  • MITRE ATT&CK integration [B561]: all uberAgent ESA rules now come with MITRE ATT&CK technique ID annotations. MITRE ATT&CK technique information is displayed in the Activity Monitoring Events dashboard.
  • Nutanix Frame integration (Windows) [B702]: uberAgent now collects session metrics for Nutanix Frame sessions.
  • Performance counters (Windows) [B262, B674]: new dashboard for Windows performance counters; support for wildcards in counter paths.
  • Process statistics (Windows) [B517]: uberAgent now collects additional process information, e.g., handle count, private & virtual memory usage, priority, and page faults.
  • Protected processes (Windows) [B626]: uberAgent now also collects data from protected processes (e.g., EDR & antivirus products).
  • Splunk Enterprise Security [B561]: new Splunk uberAgent ESA Enterprise Security companion app to integrate ESA metrics in Splunk’s Risk Based Alerting with support for event annotations (MITRE ATT&CK and others).
  • System time change resilience (Windows) [I87]: durations and other time measurements are now determined correctly even if the interval overlaps with system time changes.

Improvements

  • Activity monitoring [B730]: the converted Sigma ruleset has been updated.
  • Application errors (macOS) [B634]: the sourcetype uberAgent:Application:Errors is now supported for application crashes with a corresponding system report in .ips format (Monterey).
  • Application errors (macOS) [B634]: the sourcetype uberAgent:Application:Errors now supports the fields ModulePath and ModuleVersion on macOS as well.
  • Application errors (macOS) [B634]: the sourcetype uberAgent:Application:Errors now contains two additional fields on macOS: ProcImageUUID and ModuleImageUUID. These fields allow the unique identification of a crashed binary image.
  • Application identification (macOS) [B686]: application versions are now reported uniformly in the standard macOS format.
  • Authenticode signature verification [B705]: new property IsSignedByOSVendor for Process, Parent, and Image.
  • Boot monitoring (Windows) [I736]: improved determination of parent process properties.
  • Browsers [B579]: when configuring full URL monitoring, query parameters in the component detail specification are now interpreted as regular expressions. This makes it possible to use wildcards or to specify more sophisticated patterns that define which query parameters are to be included in the collected data. This feature requires at least version 3.1.0 of the uberAgent browser extensions. The uberAgent Internet Explorer add-on does not support this.
  • Citrix Cloud monitoring [I593]: Citrix Cloud metrics and the Citrix authentication token are no longer determined in parallel. Previously, this only resulted in an error in the log file if an invalid Cloud configuration existed.
  • Citrix Cloud monitoring [I605]: use the ConfigFlag: NetworkCommunicationTimeoutMs for all Citrix Cloud network calls.
  • Citrix Cloud monitoring [B644]: exchanged deprecated Trust Service Flow API with OAuth 2.0 API.
  • Citrix Cloud monitoring (Windows) [B687]: use configuration option for disabling or ignoring TLS certificate revocation (CRL) checks for HTTPS transmissions.
  • Configuration (macOS) [B558]: the timer setting Persist interval is now supported on macOS, too.
  • Configuration [B563, I638]: any configuration stanza can now be platform-specific using platform=Windows or platform=macOS in its configuration.
  • Configuration (Windows) [B652]: the new section ActivityMonitoringRule_Filter adds a new allow-/denylist to configure [ActivityMonitoringRule] entries.
  • Dashboards [B19]: new dashboards Citrix Session Protocol Insights, Citrix Session Configuration Details.
  • Dashboards [B19]: in case of a Citrix session, additional information is displayed on the Analyze timechart and Single User Detail dashboards.
  • Experience Score [B547]: new individual dashboards for machine, session, and application scores for detailed analysis of scores.
  • Experience Score [B547]: better search performance for score calculation.
  • Experience Score [B659]: scores are no longer aggregated for the past day at midnight. Instead, scores stay in raw format in the score index.
  • Installer (macOS) [B627]: templates for configuration files are now installed to /Library/Application Support/uberAgent/Config Templates and copied to the parent directory only if the file does not already exist in the parent directory.
  • Logging (Windows) [I733]: removed unnecessarily logged messages if it is impossible to determine a Remote Desktop client IP.
  • Logon monitoring (Windows) [I570]: improved logon/logoff monitoring for short-lived sessions.
  • Logon monitoring (Windows) [I570]: fixed a rare circumstance where the end of logon monitoring was not detected correctly.
  • Machine inventory (Windows) [I530]: determine correct user-friendly OS version string for in-place Windows upgrades.
  • Machine inventory (Windows) [B677]: virtual machine detection is more accurate now and should not emit false positive results in VM hosts anymore.
  • Machine inventory (Windows) [B678]: determine hypervisor vendor name and display it in single machine dashboard.
  • Machine inventory (macOS) [B693]: in addition to detecting whether macOS is running in a virtual machine, the hypervisor vendor is now detected as well.
  • Network monitoring (macOS) [B633]: network connection failures are now determined on macOS, too.
  • Process details (macOS) [B557]: the uberAgent:Session:ProcessDetail field ProcNetKBPS is now determined on macOS, too.
  • Service (Windows) [B728]: increased the default values for the maximum number of elements in internal hash lists.
  • Service (Windows) [I622]: stop error metrics are reported for Event Log events with IDs 1001 and 41.
  • Splunk [B607]: implemented a new Splunk data model architecture.
  • Splunk [B666]: enabled auto-skewing for all saved searches.
  • Splunk [B667]: added sc_admin permissions to meet Splunk Cloud requirements.
  • Splunk [B679]: added more CIM fields for the source types uberAgent:Process:ProcessStartup (uberAgent UXM) and uberAgent:Process:ProcessStop (uberAgent ESA). Thanks to Alexander Schüller!
  • Tagging (Windows) [B507]: changed user/host tags determination from a hard-coded interval to a new timer metric UserTags and HostTags.
  • Tagging (Windows) [I657, I758]: improved determination of user tags.
  • uAQL (Windows) [B592]: added support for reading registry data in uAQL queries.

Bugfixes

  • Application errors (macOS) [I591]: fixed very rare doubly reported crash of uberAgent itself.
  • Application errors (macOS) [I600]: events with the sourcetype uberAgent:Application:Errors are now sent with the timestamp of the crash, not the timestamp of the detection of a crash.
  • Application errors (macOS) [I608]: the field FaultOffset in the sourcetype uberAgent:Application:Errors was erroneously sent as an absolute address instead of an offset relative to the base image address.
  • Application errors (macOS) [I719]: events of the sourcetype uberAgent:Application:Errors might have been empty in some rare cases in which multiple crashes occurred in a very short time frame.
  • Application identification (Windows) [I529]: all Windows 11 UWP applications and their app names are now determined correctly.
  • Application identification (macOS) [I602]: the formatting of the field AppVersion now follows the macOS versioning convention of version (build number), e.g., 1.2.3 (4567).
  • Application identification (Windows) [I696]: Java AppName and AppID identification was sometimes incorrect.
  • Authenticode signature verification (Windows) [B626]: fixed a very rare case where no hash was calculated for an executable.
  • Authenticode signature verification (Windows) [I539]: CPU usage for Authenticode validation of executables significantly reduced.
  • Boot monitoring (Windows) [I29]: the field AutostartServicesMs was empty on Windows 10 or newer.
  • Browsers (macOS) [I626]: fixed faulty filtering of invalid data sent from Firefox.
  • Citrix Cloud monitoring [I565]: metrics collection was stopped for all Cloud instances if authentication failed for one such instance.
  • Citrix site/Cloud monitoring (Windows) [I574]: Citrix metrics were not determined for older Citrix versions.
  • Daemon (macOS) [I540]: introduced controlled shutdown of uberAgent, and fixed race condition in ES client.
  • Daemon (macOS) [I567]: fixed cases where uberAgent would crash upon shutdown.
  • Dashboards [I545]: fixed experience score chart error after drilldown from User Sessions to Analyze Data Over Time dashboard.
  • Dashboards [I577]: fixed drilldown on the data table on the dashboard Process UI Unresponsiveness.
  • Dashboards [I582]: fixed wrong distinct counts for applications and users on the dashboards Application Network Issues and Machine Network Issues.
  • Dashboards [I598]: fixed wrong includes on Machine Storage dashboards that caused JavaScript errors with Splunk version 8.2.5.
  • Dashboards [I601]: reimplemented custom single value visualization to fix JavaScript error in Splunk Cloud.
  • Dashboards [I651]: filters were not applied on the chart Average logon duration over time on the dashboard User Session Overview.
  • Dashboards [I712]: fixed wrong network and performance timechart calculations.
  • Dashboards [I743]: the Power button timestamp field in the table Stop error detail on the dashboard Stop Errors (Blue Screen & Power Loss) showed a misleading timestamp when the power button was not pressed.
  • Dashboards [I753]: removed deprecated JS/CSS includes from various dashboards.
  • Dashboards [I778]: fixed drilldown on the Process DNS dashboard for process names containing spaces.
  • DNS query monitoring (Windows) [I555]: fixed high CPU load with many DNS entries.
  • DNS query monitoring [I727]: the field ProcGUID of sourcetype uberAgentESA:Process:DnsQuery was empty.
  • Event data filtering [I546]: clearing or changing fields now applies to each receiver individually.
  • Experience Score [B547]: added missing application scores to the Single Application Detail dashboard.
  • Experience Score [I537]: fixed errors in the machine and application score calculations.
  • GPU (Windows) [I721]: fixed rare issue during determination of GPU metrics that caused a warning message about too high GPU compute usage.
  • GPU (Windows) [I760]: the GpuUsageEngine field GpuEngineComputeUsagePercent was always zero if more than one graphics card was present.
  • GPU (Windows) [I771]: the GpuUsageEngine metric was not sent on some non-English Windows systems.
  • In-session helper (macOS) [I735]: fixed erroneous restarts if using multiple profiles under Chrome.
  • Installer (macOS) [I701]: added a grace period of up to sixty seconds to allow uberAgent to send all pending events in case of a shutdown.
  • Kafka [I746]: the schema was changed to avoid warnings in the REST log file like: Ignored the uberAgent_Application_SoftwareUpdateInventory.time.logicalType property.
  • License verification (macOS) [I569]: fixed an issue where license files containing non-ASCII characters could not be verified.
  • Logging [I442]: reduced CPU load by improving logger performance.
  • Logging [I490]: HTTP receiver errors and warnings are now logged only once per host.
  • Logging [I564]: ConfigFlag TraceLogFilterExpression is checked only for trace log messages.
  • Logon monitoring (Windows) [I617]: fixed a rare issue where logon monitoring could crash the uberAgent.exe process.
  • Network monitoring (macOS) [I365]: removed unreliable pcap statistics from logging.
  • Network monitoring (macOS) [I550]: fixed rare cases of miscalculated values for NetTargetSendJitterMs, NetTargetSendLatencyMs and NetTargetSendLatencyInitialMs.
  • Network monitoring (macOS) [I589]: fixed overflow in hash calculation, which could lead to memory corruption.
  • Network monitoring (macOS) [I610]: fixed differing metrics between Windows and macOS.
  • Network monitoring (macOS) [I676]: fixed wrong timestamps for DNS query events.
  • Network monitoring (Windows) [I687]: uberAgent’s network driver could slow down network transfers or freeze the system with some network drivers, e.g., Nutanix VirtIO Ethernet Adapter.
  • Persistent output queue [I527]: events would be lost if Elasticsearch, Kafka or Azure Monitor backends were not reachable at service shutdown.
  • Persistent output queue (Windows) [I528]: updated the receiver server URL within the persistent output queue file if needed.
  • Persistent output queue [I729]: fixed issue during service start if corrupt persistent output queue files exist.
  • Process monitoring (macOS) [I563]: events could no longer be processed if more than 100k processes had been created within a short timeframe (PID wrapping).
  • Process monitoring (Windows) [I599]: fixed rare issue during determination of process image path.
  • Process monitoring (macOS) [I705]: fixed possible crash while handling events generated by the Endpoint Security framework.
  • Process startup (macOS) [I503]: fixed missing process user for short-lived processes.
  • Process startup (macOS) [I516]: fixed cases where short process lifetimes and faulty lookups created inconsistent AppIDs.
  • Process startup (macOS) [I628]: fixed bug in retrieval of the process name for sourcetype ProcessStartup.
  • Process startup (macOS) [I749]: the field SessionID is now available for sourcetype uberAgent:Process:ProcessStartup. Please also note the corresponding release notes.
  • Scheduled task monitoring [I559]: made use of Splunk macros for each dataset’s datamodel.
  • Service (Windows) [I776]: fixed a rare issue that trimmed whitespace while parsing the command line output of started scripts.
  • Sessions (Windows) [I584]: fixed rare issue during determination of session connection information.
  • Sessions (Windows) [B702]: when no data for the field SessionClientHwIdCtx2 could be determined, the field’s content was 0 instead of empty.
  • Splunk CIM data model [I560]: added missing report tag for processes.
  • Splunk [I588]: removed the usage of search macros in eventtypes.conf.

Release notes

  • Configuration [B521]: the timer setting Thread priority was marked as deprecated and removed from the default configuration.
  • Configuration [B652]: the configuration stanza [ActivityMonitoringRule] now has a new mandatory setting: RuleId.
  • Configuration [I605]: new ConfigFlag: NetworkCommunicationTimeoutMs.
  • Configuration (macOS) [I749]: the field SessionID of sourcetype uberAgent:Process:ProcessStartup is only available if both metrics SessionDetail and ProcessStartup are configured to run in the same timer. This also applies to SessionDetail and ProcessDetail(Full).
  • Dashboards [B19]: removed dashboard Session Info: Citrix and merged its content into Citrix Session Configuration Details.
  • Elasticsearch 8 [B274]: the field time was changed to @timestamp to support Elasticsearch data streams.
  • Libraries [B729]: updated Boost to version 1.78.
  • Libraries [B729]: updated curl to version 7.81.0.
  • Libraries [B729]: replaced the stand-alone version of Asio with Boost Asio.
  • Libraries [B729]: replaced the RapidJSON library with the nlohmann JSON library.
  • Persistent output queue [B636]: intelligent disk buffering via the persistent output queue is now enabled by default. This can be changed through the receiver configuration setting PersistentOutputQueue.
  • Sourcetype [B19]: new sourcetype uberAgent:CitrixSession:VirtualChannelDetail with fields: SessionGUID, SessionUser, VirtualChannelVendorName, VirtualChannelDataVolumeInputMB, VirtualChannelDataVolumeOutputMB.
  • Sourcetype [B19]: new sourcetype uberAgent:CitrixSession:SessionConfig with fields: SessionGUID, SessionUser, AudioActualPriority, AudioPolicyAllowMicrophoneRedirection, AudioPolicyAllowRedirection, AudioPolicyPriority, AudioPolicySoundQuality, CdmActualPriority, CdmVolumes, CdmPolicyAllowDriveRedirection, CdmPolicyPriority, CdmPolicyReadOnly, DisplayMode, ThinwireActualPriority, ThinwireColorDepth, ThinwireComponentEncoder, ThinwireHardwareEncodeInUse, ThinwireVideoCodecType, ThinwireColorspace, ThinwireVideoCodecUse, ThinwirePolicyFps, ThinwirePolicyPriority, ThinwirePolicyUseHardwareEncoding, ThinwirePolicyUseVideoCodec, ThinwirePolicyVisualQuality, FramehawkActualPriority, FramehawkPolicyPriority, D3DActualPriority, D3DPolicyAeroRedirection, D3DPolicyGraphicsQuality, D3DPolicyPriority, GraphicsActualPriority, GraphicsPolicyDisplayDegradeNotifyUser, GraphicsPolicyDisplayDegradePolicy, GraphicsPolicyPriority, NetworkConnectedVia, NetworkEdtMtu, NetworkPolicyAcceptSessionReliabilityConnections, NetworkPolicyICAListenerPortNumber, NetworkPolicySessionReliabilityPort, NetworkPolicySessionReliabilityTimeout, PrinterActualPriority, PrinterSessionPrinter, PrinterPolicyAllowRedirection, PrinterPolicyAutoCreateClientPrinters, PrinterPolicyPriority, USBActualPriority, USBPolicyAllowPNPRedirection, USBPolicyAllowUSBSupport, USBPolicyPriority.
  • Sourcetype [B517]: new sourcetype uberAgent:Process:ProcessStatistics with fields: ProcHandleCount, ProcThreadCount, ProcPriority, ProcPrivateMB, ProcVirtualSizeMB, ProcPageFaultsPS, ProcPageFileMB, ProcName, ProcID, ProcGUID, ProcUser and AppId.
  • Sourcetype [B674]: new sourcetype uberAgent:System:PerformanceCounter with fields: PerformanceCounterObject, PerformanceCounterInstance, PerformanceCounterName, PerformanceCounterValue.
  • Sourcetype [B678]: uberAgent:System:MachineInventory has new field(s): HwHypervisorVendor.
  • Sourcetype [B19]: uberAgent:Session:SessionDetail has new field(s): SessionRoundTripTimeMs, SessionFps, SessionTransportProtocols.
  • Sourcetype (macOS) [B634]: the sourcetype uberAgent:Application:Errors no longer contains data in the field ProcTimestamp on macOS, since this metric can be confusing, e.g., if an application crashes during an update or the binary on disk was deleted during runtime.
  • Sourcetype [B675]: uberAgent:Citrix:Applications has new field(s): CustomerId.
  • Sourcetype [B675]: uberAgent:Citrix:Catalogs has new field(s): CustomerId.
  • Sourcetype [B675]: uberAgent:Citrix:DesktopGroups has new field(s): CustomerId.
  • Sourcetype [B675]: uberAgent:Citrix:Machines has new field(s): CustomerId.
  • Sourcetype [B675]: uberAgent:Citrix:PublishedDesktops has new field(s): CustomerId.
  • Sourcetype [B674]: replaced KV sourcetype uberAgent:PerformanceCounter: with CSV sourcetype uberAgent:System:PerformanceCounter.
  • Sourcetype [B672]: uberAgent:Application:ApplicationUsage has been removed (it was marked as deprecated as of version 6.1.1).
  • Sourcetype: the sourcetypes uberAgent:Citrix:Hypervisor, uberAgent:OnOffTransition:SlowSMSSInit and uberAgent:OnOffTransition:SlowUserPolicy are now marked as deprecated. They have been removed from the uberAgent UXM data models.
  • Splunk: the minimum required Splunk version is now 7.0 (formerly 6.6).
  • Splunk data models [B607]: removed the data models uberAgent, uberAgent_Score, uberAgent60m, uberAgent_ESA.
  • Splunk data models [B607]: added the uberAgent UXM data models uberAgentUXM_Application, uberAgentUXM_Citrix, uberAgentUXM_CitrixADC, uberAgentUXM_CitrixSession, uberAgentUXM_License, uberAgentUXM_Logoff, uberAgentUXM_Logon, uberAgentUXM_OnOffTransition, uberAgentUXM_Process, uberAgentUXM_Score, uberAgentUXM_Session, uberAgentUXM_System, uberAgentUXM_Tags.
  • Splunk data models [B607]: added the uberAgent ESA data models uberAgentESA_ActivityMonitoring, uberAgentESA_Process, uberAgentESA_System.

Known issues

  • Boot duration (Windows): the metrics TotalBootTimeMs, MainPathBootTimeMs and PostBootTimeMs cannot be determined for every system boot.
  • Browsers/IE add-on (Windows): metrics are not collected on page reload.
  • Browsers/IE add-on (Windows): metrics are collected incompletely for the configured start page.
  • Browsers/IE add-on (Windows): monitoring does not work if IE is published from Citrix Virtual Apps. It does work from Citrix Virtual Desktops, however.
  • Browsers/Firefox add-on: if the option privacy.resistFingerprinting is set to true, browser metrics are not available due to invalid data being sent from Firefox.
  • Citrix ADC: in very rare cases, the content of the Virtual Server Performance field vServerName contains spaces in wrong places.
  • Citrix site monitoring (Windows): data collection issue if the Citrix Remote PowerShell SDK (required for Citrix Cloud monitoring) is installed on a CVAD controller.
  • Citrix XA/XD Machines (Windows): when running the Citrix VDA on a Citrix Delivery Controller, some per-machine information is missing.
  • Experience score [I377]: scheduled searches generate three warnings in Splunk’s _internal index every 30 minutes. The messages look like the following: "DateParserVerbose - Failed to parse timestamp in first MAX_TIMESTAMP_LOOKAHEAD (128) characters of event." However, there is no impact on uberAgent’s functionality.
  • GPU (Windows) [I33]: values for the fields ComputeUsagePercentAllEngines, ComputeUsagePercentEngine0 and similar can be higher than 100 with Intel Iris GPUs on Windows Server 2016 1607.
  • Kafka [I291]: in rare cases sending data to Kafka results in a SEC_E_BUFFER_TOO_SMALL error message in the logfile. This should have no effect; the transmission is repeated and succeeds on the second try.
  • Network monitoring (Windows) [I815]: network metrics may be missing: 1) after resuming from a low-power state (e.g., suspend), or 2) after certain disastrous network events such as a crash of the default gateway.
  • Performance (macOS) [I372]: running uberAgent has a noticeable impact on I/O performance of small writes. If the config flag DisableESFileSystemMonitoring is enabled, performance is not impacted, but the fields ProcIOWriteCount and ProcIOPSWrite are not available in uberAgent:Process:ProcessDetail.
  • Update inventory (Windows): not all installed Windows updates may be reported due to API limitations.
  • Volume inventory (macOS): the encryption status of mounted read-only APFS snapshots may not be reported due to API limitations. This includes the root directory volume in a default installation of macOS.