Skip to main content

Monitoring User Session Activity With uberAgent

  • by Dominik Britz
  • April 11, 2019

The other day I got a question from a customer if it is possible to monitor session activity with uberAgent. Of course, I thought! One has to just look at the session connection state which can be active, disconnected, etc. That is monitored by uberAgent very well. But when I thought about it further, I noticed that the situation is not so trivial. Read below how I solved it with a custom search.

Customer’s Requirements

Our customer is a service provider and wants to know if users are actively working in their sessions and to what percentage. “Actively working” means users are logged in and are doing something in the session. Non-active time means the users are logged in but not working. The latter is the case when:

  1. the session is disconnected
  2. the session is locked
  3. the screensaver is active

How to Solve That With uberAgent

Disconnected and Idle Sessions

The first point was easy to solve, you just have to search for sessions which are in the state active so all others are sorted out.

| pivot `uA_DM_Session_SessionDetail_Users` Session_SessionDetail_Users
   latest(SessionUserLower) as User
   filter host in (*)
   filter SessionConnectionState is "active"

Locked Sessions

Points two and three took me a while to figure out. uberAgent’s capability to collect the foreground application brought me to my goal. Let us start with locked sessions.

Want to know more about uberAgent’s capability to collect the foreground application? Read more here.

If the desktop is locked, the foreground process is LockApp.exe. That is the screen which appears before you have to enter your credentials. Mine looks like this:

uberAgent’s application identification groups LockApp.exe into the application Microsoft Windows OS. To identify the process uniquely, I have overwritten the identification in uberAgent’s configuration file:

# Lock App
^C:\\Windows\\SystemApps\\Microsoft.LockApp_cw5n1h2txyewy\\LockApp\.exe$ = Lock App

While this upstream lock screen looks nice on physical PCs, it makes no sense in virtual environments and is typically disabled. In virtual environments, users are taken directly to the “real” login screen where they have to put in their credentials. That is a secure shell and cannot be accessed by uberAgent, hence the foreground application field is empty – which is good for us as it is empty only in this case!

By the way, if a user is just looking at the desktop with all applications closed the foreground application identified by uberAgent is Microsoft Windows OS (foreground process is explorer.exe).

As a conclusion uberAgent is able to identify if a desktop is locked either with Microsoft’s Lock App or without.

Active Screensaver

After I found out how to recognize the lock screen with uberAgent, the screensaver was a breeze. The foreground application is empty when the screensaver is active, too.

The Final Search

So the logic to see if a session is not active is as follows. One statement has to be true.

  • the session connection state is not active
  • the session is active and the foreground app is Lock App
  • the session is active and there is no foreground app

That translates into this easy-peasy Splunk eval command: | eval Active = case(SessionConnectionState != "active",0, (SessionConnectionState = "active" and SessionFgAppName = "Lock App"),0,(SessionConnectionState = "active" and isnull(SessionFgAppName)),0,1=1,1)

Here is the final search I ended up with:

| pivot `uA_DM_Session_SessionDetail_Users` Session_SessionDetail_Users
   count(Session_SessionDetail_Users) as EventCount
   latest(SessionConnectionState) as SessionConnectionState
   latest(SessionFgAppName) as SessionFgAppName
   latest(SessionUserLower) as User
      period second
   filter host in (*)
| eval Active = case(SessionConnectionState != "active",0, (SessionConnectionState = "active" and SessionFgAppName = "Lock App"),0,(SessionConnectionState = "active" and isnull(SessionFgAppName)),0,1=1,1)
| stats
   sum(Active) as Active
   sum(EventCount) as EventCount
   latest(User) as User
| eval "Active time (%)" = round(Active / EventCount * 100,1)
| eval sortfield='Active time (%)'
| sort limit=0 -sortfield 'Active time (%)'
| table
   "Active time (%)"

And the result:

Alternative Method

While the above works per session, uberAgent also collects idleness in percent per machine. 100% means the system is completely idle. This metric is used by Windows to determine whether to start the screen saver or turn off the display. Details are available in our documentation.

Test Setup

  • Microsoft Windows 10 Enterprise 1809 x64
  • uberAgent 5.2
  • Splunk 7.2.5


Your email address will not be published. Required fields are marked *