
User Session Script Collecting Custom Metrics (Citrix ICA RTT)

uberAgent is often used in conjunction with Universal Forwarder, Splunk’s generic agent that monitors logs and collects the output from custom scripts. The combination of the two agents is a powerful one, as it allows customers to add any metric they require to uberAgent’s already rich dataset.

However, running two agents side by side has drawbacks, too: the administrative overhead increases as do the hardware resources required on the endpoints.

As of uberAgent 4.1, there exists an attractive alternative: what started out with the intention of providing a way of collecting custom metrics from individual user sessions turned into a generic script execution engine. It runs any type of script at any desired interval, either per machine or per user session (documentation).

Example: Querying WMI Data Using a PowerShell Script

This example shows how to collect the ICA RTT metric in every user session by way of a custom script running every 30s. The ICA protocol round trip time (RTT) is an important metric supplementing uberAgent’s remoting protocol latency in Citrix XenApp / XenDesktop environments. You can find a detailed description of the ICA RTT metric here.

The following PowerShell script queries the ICA RTT as a property of a WMI class:

# Query the round-trip data of all sessions from the Citrix EUEM WMI namespace
$Citrix_Euem_RoundTrip = Get-WmiObject -Namespace root\Citrix\euem -Class Citrix_Euem_RoundTrip
# ID of the session this script is running in
$CurrentSessionID = [System.Diagnostics.Process]::GetCurrentProcess().SessionId

foreach ($Session in $Citrix_Euem_RoundTrip)
{
   # Only report the entry that belongs to the current session
   if ($Session.SessionID -eq $CurrentSessionID)
   {
      [Hashtable]$Output = @{
         'RoundtripTime'=$($Session.RoundtripTime)
         'SessionID'=$($Session.SessionID)
         'SessionUser'=[System.Security.Principal.WindowsIdentity]::GetCurrent().Name
      }
      # Write all properties to stdout as space-separated key=value pairs
      Write-Output $($Output.Keys.ForEach({"$_=$($Output.$_)"}) -join ' ')
   }
}

All properties (SessionUser, SessionID and RoundtripTime) are written to stdout as key-value pairs:

SessionUser=AD\timmtest02 SessionID=5 RoundtripTime=28

This script (named Citrix_Euem_RoundTrip.ps1) is located in the %ProgramFiles%\vast limits\uberAgent\Scripts directory on the endpoint.

I configured the script execution as follows in uberAgent’s configuration:

############################################
# Timer 10
############################################
[Timer]
Name           = PowerShell Citrix Euem RoundTrip
Interval       = 30000
Script         = powershell.exe -executionpolicy bypass -file "C:\Program Files\vast limits\uberAgent\Scripts\Citrix_Euem_RoundTrip.ps1"
ScriptContext  = UserSessionAsUser

As you can see, this script is executed every 30 seconds (30,000 milliseconds) as the user inside every interactive session.
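
The timer above starts the script in every user session with -executionpolicy bypass, so the file-system permissions on the script and its directory decide who can change what runs there. The following check is an added example, not part of the original post or of uberAgent; the list of trusted principals is an assumption to adjust for your environment.

```powershell
# Added example, not uberAgent code. Flags write access by non-administrative
# principals on the script that the timer launches and on its directory.
param(
    # Path taken from the timer configuration on this page.
    [string]$ScriptPath = 'C:\Program Files\vast limits\uberAgent\Scripts\Citrix_Euem_RoundTrip.ps1'
)

# Assumption: only these well-known SIDs may modify the script.
$TrustedSids = @(
    'S-1-5-18',       # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',   # BUILTIN\Administrators
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # NT SERVICE\TrustedInstaller
)

# Rights that allow changing or replacing the file, plus GENERIC_ALL and GENERIC_WRITE.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership' -bor 0x10000000 -bor 0x40000000
$InheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

function Get-UntrustedWriteAccess {
    param([string]$Path)
    foreach ($Rule in (Get-Acl -LiteralPath $Path).Access) {
        if ($Rule.AccessControlType -ne 'Allow') { continue }
        # Inherit-only entries do not apply to the object itself.
        if (([int]$Rule.PropagationFlags -band $InheritOnly) -ne 0) { continue }
        if (([int]$Rule.FileSystemRights -band $WriteMask) -eq 0) { continue }
        # Compare by SID so the check does not depend on the OS language.
        $Sid = $Rule.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        if ($TrustedSids -notcontains $Sid) {
            [pscustomobject]@{
                Path     = $Path
                Identity = $Rule.IdentityReference.Value
                Rights   = $Rule.FileSystemRights
            }
        }
    }
}

# Check the script itself and the directory it lives in.
$Findings = @($ScriptPath, (Split-Path -Parent $ScriptPath)) |
    ForEach-Object { Get-UntrustedWriteAccess -Path $_ }

if ($Findings) { $Findings | Format-Table -AutoSize; exit 1 }
Write-Output "No untrusted write access on $ScriptPath or its directory."
```

A non-zero exit code means at least one principal outside the trusted list can modify the script or its directory.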

The Splunk search results look as follows:

By default, all collected data is sent to the Splunk index uberagent. The Splunk sourcetype used for the script’s output is a concatenation of uberAgent:Script: and the timer name specified in uberAgent’s configuration.

Comments (2)

  1. Jeremy Cooper says:

    Hi Timm,
    My question is around additional user / session data that is also collected in conjunction with the script outputs.
    I see from the screenshot that the host event is captured, is there any other data that is also captured or that would allow this to be correlated? E.g. Session GUID or username?
    I do see a way of including the username as an output from the script for creating a correlation in SPLUNK.
    I haven’t implemented the script yet to see everything that would be returned as this blog post outlines.

    Thanks again for your and Helge’s work on this product.

    Jeremy

    1. Hi Jeremy,

      I updated the PowerShell example code to reflect your requirements.
      Now the SessionUser is written to stdout in addition to the SessionID and the RoundtripTime, which makes a lot of sense.

      Thanks, Timm
