uberAgent

Installing the Windows Endpoint Agent

The agent installer is available as an MSI package. The MSI can either be installed manually or unattended through existing software deployment tools or Splunk’s Deployment Server.

Note

Securing the Configuration Directory

uberAgent can be configured via the %ProgramData% directory (details). It is important to secure this directory, or standard users might be able to elevate their privileges to SYSTEM and/or abuse uberAgent.

Starting with version 7.0.2, uberAgent’s installer secures the agent’s %ProgramData% directories automatically. Two new MSI parameters provide control over the process: PROGRAMDATA_CONFIGDIR_RESETPERMISSIONS and PROGRAMDATA_CONFIGDIR_DELETEFILES (see below).

We recommend disabling those MSI parameters only if you’re managing the security of %ProgramData%\vast limits and its subdirectories via other means. We recommend the following permissions:

Administrators: full control
SYSTEM: full control

Optionally provide read access to standard users on scripts that are to be executed in user context:

Users: read

Note

Changed Startup Behavior After Installation

Starting with uberAgent 7.2.1, the uberAgent installer does not start the service automatically after a successful installation. Please update any agent deployment procedures to reflect this change.

Manual Installation

Run the batch file uberAgent_endpoint\bin\manual-install.cmd.

Configuration

uberAgent can be configured very flexibly. By editing the configuration you can switch metrics on or off, change the data collection frequency and significantly reduce the data volume.

Note

Configuration Directory Change - Windows

Starting with uberAgent 7.3.0, the agent no longer searches for configuration files in the installation directory. To configure uberAgent, you can use the template configuration files that are part of the installation and can be found in the Config Templates folder located in the installation directory. Once the config files have been customized, deploy the customized files to: %PROGRAMDATA%\vast limits\uberAgent\Configuration and start the uberAgent service. For more details, please see: Configuration via Local Config Files.

License File

If you have a license file for uberAgent, copy it to the installation directory (default: %ProgramFiles%\vast limits\uberAgent). Without a license file, uberAgent displays a splash screen during logon. Please see the uberAgent licensing guide for more details.

Installation Through a Software Deployment Tool

Install the appropriate MSI file from the directory uberAgent_endpoint\bin depending on the bitness of your machine: uberAgent-32.msi or uberAgent-64.msi.

MSI Parameters

Specify the following MSI parameters:

INSTALLDIR

  • Required: no
  • Description: installation directory
  • Valid values: any local file system path

PROGRAMDATA_CONFIGDIR_RESETPERMISSIONS

  • Required: no
  • Default: 1
  • Description: Set secure permissions on uberAgent’s ProgramData directory (%ProgramData%\vast limits\uberAgent).
  • Valid values:

    • 0: disabled
    • 1: enabled

PROGRAMDATA_CONFIGDIR_DELETEFILES

  • Required: no
  • Default: 1
  • Description: Delete existing config files in uberAgent’s ProgramData directory (%ProgramData%\vast limits\uberAgent). Disable this setting only if you’re removing potentially malicious existing config files as part of your own deployment package logic.
  • Valid values:

    • 0: disabled
    • 1: enabled
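The following PowerShell is an added example, not part of the uberAgent documentation: it installs the 64-bit MSI unattended with the two permission-related parameters above, verifies that the ProgramData configuration directory grants write access only to Administrators and SYSTEM (the recommended permissions from the Securing the Configuration Directory note), and then starts the service explicitly, which the installer no longer does since 7.2.1. The MSI path, log path and the service name uberAgentSvc (taken from the imaging script on this page) are assumptions for your environment.

```powershell
# Added example: unattended uberAgent install plus a permission check on the
# ProgramData configuration directory. Paths below are placeholders.
$msi     = 'C:\Deploy\uberAgent_endpoint\bin\uberAgent-64.msi'   # placeholder
$logFile = "$env:TEMP\uberAgent-install.log"                     # placeholder

$msiArgs = @(
    '/i', "`"$msi`"", '/qn', '/norestart',
    'PROGRAMDATA_CONFIGDIR_RESETPERMISSIONS=1',   # documented default, made explicit
    'PROGRAMDATA_CONFIGDIR_DELETEFILES=1',        # documented default, made explicit
    '/l*v', "`"$logFile`""
)
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
if ($proc.ExitCode -notin 0, 3010) {             # 3010 = success, reboot required
    throw "msiexec failed with exit code $($proc.ExitCode); see $logFile"
}

# Verify the ACL: only Administrators and SYSTEM may hold any write-capable right.
$configDir      = "$env:ProgramData\vast limits\uberAgent"
$allowedWriters = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
$fsr            = [System.Security.AccessControl.FileSystemRights]
$writeMask      = $fsr::Write -bor $fsr::Modify -bor $fsr::FullControl -bor
                  $fsr::Delete -bor $fsr::ChangePermissions -bor $fsr::TakeOwnership

$acl = Get-Acl -Path $configDir
if (-not $acl.AreAccessRulesProtected) {
    Write-Warning "$configDir still inherits permissions from its parent directory."
}
$unexpected = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    (($_.FileSystemRights -band $writeMask) -ne 0) -and
    ($_.IdentityReference.Value -notin $allowedWriters)
}
if ($unexpected) {
    $unexpected | ForEach-Object {
        Write-Warning "Unexpected write ACE on $configDir : $($_.IdentityReference) -> $($_.FileSystemRights)"
    }
    throw "Configuration directory is not locked down; fix permissions before starting the service."
}

# Since 7.2.1 the installer leaves the service stopped; start it once the check passed.
Start-Service -Name 'uberAgentSvc'
```

The ACE check deliberately treats Delete, ChangePermissions and TakeOwnership as write-capable, since any of them lets a standard user replace or re-ACL the configuration files.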

License File

If you have a license file for uberAgent, copy it to the installation directory (default: %ProgramFiles%\vast limits\uberAgent). Without a license file, uberAgent displays a splash screen during logon. Please see the uberAgent licensing guide for more details.

Installation Through Splunk Deployment Server

Note: Deployment Server can only be used with Splunk Enterprise and requires Splunk Universal Forwarder on the endpoint as the deployment client.

uberAgent

Copy the directory uberAgent_endpoint from the unzipped uberAgent download package to $SPLUNK_HOME\etc\deployment-apps on your deployment server.

Note: $SPLUNK_HOME refers to the base directory of the Splunk installation, typically %ProgramFiles%\Splunk.

Configuration

To deploy a customized configuration file, copy it into the directory $SPLUNK_HOME\etc\deployment-apps\uberAgent_endpoint\bin. This overwrites the default configuration file from the installation package.

License File

If you have a license file for uberAgent, copy it into the directory $SPLUNK_HOME\etc\deployment-apps\uberAgent_endpoint\bin.

Serverclass

Create a file called serverclass.conf in $SPLUNK_HOME\etc\system\local on your deployment server. serverclass.conf defines what to deploy where. For a quick start, paste the following content into serverclass.conf to deploy uberAgent to all Windows machines. You may want to fine-tune this to suit your needs.

[global]
# We cannot match by machine type here. We'll do that on the app level below.
whitelist.0 = *

# Define a serverclass
[serverClass:windows]
# Deploy only to Windows machines
machineTypesFilter = windows-*

# Define which apps to deploy to the serverclass
[serverClass:windows:app:uberAgent_endpoint]
stateOnClient = enabled
restartSplunkd = true

To make Splunk read the new file serverclass.conf, run the following command:

$SPLUNK_HOME\bin\splunk.exe reload deploy-server

Citrix Site Monitoring

If some or all of your endpoints are running the Citrix Virtual Apps and Desktops (CVAD) VDA, you should install uberAgent on the Citrix delivery controller(s), too. Please see this page for details.

Endpoint to Backend Communication Via Splunk Universal Forwarder

Note: This is optional and not required for the recommended architecture.

If you decided to implement the alternative endpoint to backend communication path via Splunk Universal Forwarder, you need to install Universal Forwarder on each endpoint.

Imaging & Citrix PVS

If you intend to copy the agent installation via an imaging method or Citrix PVS, we recommend you remove instance-specific information. To do that, follow these steps right before capturing the image:

  • Stop the service uberAgent (but leave the start type at automatic).
  • Backup your Central Config File Management ConfigFilePath if configured.
  • Open an administrative command prompt.
  • Run the command: reg delete "HKLM\SOFTWARE\vast limits\uberAgent" /f /reg:64.
  • Restore the Central Config File Management ConfigFilePath if previously backed up.
  • Optionally: delete existing log files.
  • Optionally: delete existing Persistent Output Queue files/folders.
  • Prepare the machine for cloning as necessary, but do not reboot.

For your convenience, we provide a PowerShell script that performs the steps listed above. Please make sure that you run it as an administrator. If you want to perform a complete cleanup without user interaction, you can use the -clearAll script parameter.

Script (uA-imaging-preparation.ps1):

[CmdletBinding()]
param(
   [Switch]$clearAll
)

Write-Host "----------------------------------------"
Write-Host "  uberAgent PVS & Imaging Preparation Script"
Write-Host "----------------------------------------"
Write-Host ""

# Check for administrator privileges
if (-not ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
   Write-Host "Error: This script must be run as administrator."
   exit 1
}

Write-Host "This script will:"
Write-Host "1. Stop the 'uberAgentSvc' service."
Write-Host "2. Backup the CCFM ConfigFilePath if configured and remove the 'uberagent' registry key."
Write-Host "3. Optionally remove all 'uberagent*.log', 'uAGuardian.log', and 'uAInSessionHelper.log' files from C:\Windows\Temp and the current user's temp directory."
Write-Host "4. Optionally remove all Persistent Output Queue files in %ProgramData%\vast limits\uberAgent\Output Queue\."
Write-Host "5. Restore the 'ConfigFilePath' registry value if it was backed up."
Write-Host ""
Write-Host "You can run this script in automatic mode by using the -clearAll parameter."
Write-Host ""
Write-Host "----------------------------------------"
Write-Host ""

# Define base registry path
$baseKey = 'HKLM:\Software\vast limits\uberAgent'
$configPath = 'HKLM:\Software\vast limits\uberAgent\Config'
$configFileValueName = 'ConfigFilePath'
$configFileValue = $null

# Stop the uberAgentSvc service if it is running
$serviceName = 'uberAgentSvc'
if (Get-Service -Name $serviceName -ErrorAction SilentlyContinue) {
   try {
      Stop-Service -Name $serviceName -Force -ErrorAction Stop
      Write-Host "Service '$serviceName' stopped successfully."
   }
   catch {
      Write-Host "Failed to stop service '$serviceName': $_"
      exit 1
   }
}
else {
   Write-Host "Service '$serviceName' not found."
}

# Backup ConfigFilePath value if it exists
if (Test-Path $configPath) {
   $regValues = Get-ItemProperty -Path $configPath -ErrorAction SilentlyContinue
   if ($regValues -and $regValues.$configFileValueName) {
      Write-Host "Found ConfigFilePath value: $($regValues.$configFileValueName)"
      Write-Host "Backing up ConfigFilePath value..."

      $configFileValue = $regValues.$configFileValueName
   }
}

# Remove the entire 'uberAgent' key
if (Test-Path $baseKey) {
   Write-Host "Removing registry key: $baseKey"
   Remove-Item -Path $baseKey -Recurse -Force -ErrorAction SilentlyContinue
}

# Optionally remove all uberAgent .log files from C:\Windows\Temp and the current user's temp directory
$cleanLogs = $clearAll
if (-not $clearAll) {
   $response = Read-Host "Do you want to remove all uberAgent log files from C:\Windows\Temp and the current user temporary directory? (y/n)"
   $cleanLogs = $response -match '^[Yy]$'
}
else {
   Write-Host "Automatic mode: Removing all uberAgent log files..."
}

if ($cleanLogs) {
   # Define log file patterns to remove
   $logPatterns = @("uberagent*.log", "uAGuardian.log", "uAInSessionHelper.log")

   # Clean Windows\Temp directory
   foreach ($pattern in $logPatterns) {
      $logFiles = Get-ChildItem -Path "C:\Windows\Temp" -Filter $pattern -ErrorAction SilentlyContinue
      if ($logFiles) {
         foreach ($file in $logFiles) {
            try {
               Remove-Item -Path $file.FullName -Force -ErrorAction Stop
               Write-Host "Removed: $($file.FullName)"
            }
            catch {
               Write-Host "Failed to remove $($file.FullName): $_"
            }
         }
      }
   }

   # Also clean current user's temp directory
   $userTempPath = [System.IO.Path]::GetTempPath()
   foreach ($pattern in $logPatterns) {
      $logFiles = Get-ChildItem -Path $userTempPath -Filter $pattern -ErrorAction SilentlyContinue
      if ($logFiles) {
         foreach ($file in $logFiles) {
            try {
               Remove-Item -Path $file.FullName -Force -ErrorAction Stop
               Write-Host "Removed: $($file.FullName)"
            }
            catch {
               Write-Host "Failed to remove $($file.FullName): $_"
            }
         }
      }
   }
}

# Optionally remove all folders (including files) in %ProgramData%\vast limits\uberAgent\Output Queue
$cleanQueue = $clearAll
if (-not $clearAll) {
   $response = Read-Host "Do you want to remove all Persistent Output Queue folders (including files) in %ProgramData%\vast limits\uberAgent\Output Queue? (y/n)"
   $cleanQueue = $response -match '^[Yy]$'
}
else {
   Write-Host "Automatic mode: Removing all Persistent Output Queue folders..."
}

if ($cleanQueue) {
   $outputQueuePath = "$env:ProgramData\vast limits\uberAgent\Output Queue"
   if (Test-Path $outputQueuePath) {
      Get-ChildItem -Path $outputQueuePath -Directory -ErrorAction SilentlyContinue | ForEach-Object {
         try {
            Remove-Item -Path $_.FullName -Recurse -Force -ErrorAction Stop
            Write-Host "Removed folder: $($_.FullName)"
         }
         catch {
            Write-Host "Failed to remove folder $($_.FullName): $_"
         }
      }
   }
}

# Restore ConfigFilePath value if it was backed up
if ($configFileValue) {
   New-Item -Path $configPath -Force | Out-Null
   Set-ItemProperty -Path $configPath -Name $configFileValueName -Value $configFileValue -ErrorAction SilentlyContinue
   Write-Host "ConfigFilePath value restored: $configFileValue"
}
else {
   Write-Host "No ConfigFilePath value found to restore."
}

Write-Host "Finished cleaning up successfully."
Write-Host ""

Write-Host "----------------------------------------"
Write-Host "The machine can now be prepared for cloning as necessary."
Write-Host "Please do not reboot the machine."
Write-Host "----------------------------------------"

If you have Splunk Universal Forwarder installed, please follow the steps listed here, too.
