- uberAgent now collects additional hardware inventory information for physical monitors
- Central license file management: the location of uberAgent’s license files can now be defined in uberAgent’s configuration. All license files are cached locally.
- Elasticsearch: support for ingest pipelines
- Elasticsearch: support for X-Pack authentication
- Splunk: support for version 7.0
- Custom scripts: support has been extended to Elasticsearch and Splunk HEC (HTTP Event Collector; formerly data from custom scripts had to be submitted to Splunk via TCP)
- Citrix Site Monitoring: authentication improvements
- Elasticsearch: replaced the deprecated “string” type with “keyword” in the index template (supported on 5.0 and newer)
- In very rare cases the uberAgent service would crash while determining IE performance if IE was unresponsive
- Fixed a memory leak in uAInSessionHelper.exe
- Group Policy user logon metrics were missing if the logon was very slow and the session user was not available before Group Policy processing was complete
- Data model: fixed a potential issue in NetworkTargetPerformance with NULL fields causing the error “search process did not exit cleanly”
- Log file: error messages related to HTTP(S) connections were not logged correctly on non-English systems
- IE browser performance monitoring does not work if IE is running as a Citrix XenApp published application. It does work from published desktops, however.
- Boot duration: The metrics total boot, main path and post boot cannot be determined for every system boot.
- New sourcetype uberAgent:System:MonitorInventory with fields: MonitorIndex, MonitorHRes, MonitorVRes, MonitorColorDepth, MonitorIsPrimary, MonitorDisplayName
- The Windows 10 security feature “Control Flow Guard” is now enabled for all uberAgent executables
- uberAgent now collects information on blue screens, power losses and hard hangs
- uberAgent can now run custom scripts in SYSTEM or user context and collect the output
- New configuration set optimized for small data volume as an alternative to the default configuration
- Standby/resume duration is now much more detailed and works on Windows 10, too
- Significant performance improvements determining Citrix Site Monitoring data
- Application unresponsiveness detection now with better noise filters and indication if an unresponsive window had the focus
- Increased maximum number of timers in Group Policy configuration from 10 to 15
- Data volume: the sourcetype uberAgent:Application:AppNameIdMapping would generate one event per started process instead of one event per application name. This could lead to many identical events being sent to the backend.
- Citrix Site Monitoring: fixed issues parsing license data
- In rare cases GPU usage per process could not be determined with multiple adapters present and some returning errors
- SMB Client Performance: on some machines data collection would fail with “the system cannot find the file specified”
- Dashboard User Sessions: on older versions of Splunk (e.g. 6.4.1) some column names contained variables and would not display any data
- Dashboard User Sessions: on Splunk 6.6.x no data would be shown and an error message displayed if not all uberAgent 4.x endpoints had sent inventory information yet
- New sourcetype uberAgent:System:Bugcheck with fields: BugcheckCode, BugcheckParameter1, BugcheckParameter2, BugcheckParameter3, BugcheckParameter4, SleepInProgress, PowerButtonTimestamp, BootAppStatus, Checkpoint, ConnectedStandbyInProgress, SystemSleepTransitionsToOn, CsEntryScenarioInstanceId
- Replaced sourcetype uberAgent:OnOffTransition:StandbyDetail with sourcetype uberAgent:OnOffTransition:StandbyDetail2 with fields: SleepTime, WakeTime, EnterStandbyMs, ResumeFromStandbyMs, DriverInitDuration, BiosInitDuration, HiberWriteDuration, HiberReadDuration, HiberPagesWritten, Attributes, TargetState, EffectiveState, WakeSourceType, WakeSourceTextLength, WakeSourceText, WakeTimerOwnerLength, WakeTimerContextLength, NoMultiStageResumeReason, WakeTimerOwner, WakeTimerContext
- Sourcetype uberAgent:Application:UIDelay has new field: HasFocus
- Logon monitoring: in some cases the user name was determined incorrectly. This affected primarily Windows 10 1703 (Creators Update).
- uberAgent’s version number format was inconsistent (sometimes with appended “ mod xxx”)
- Citrix XenApp/XenDesktop site information (catalogs, delivery groups, machines, applications, licenses) when installed on delivery controllers (requires XA/XD 7.6+)
- uberAgent now detects failed network connection attempts. This information can be used to identify application misconfigurations, missing firewall rules or service outages.
- New hardware inventory with information on: CPU (type, speed, power capabilities), RAM, disks and volumes (type, size, used capacity, mount points), battery (wear level)
- uberAgent now collects detailed information about each user logoff (duration, user profile unloading, processes involved, …)
- With the new NetTargetReconnectCount and NetTargetRetransmitCount metrics, network connectivity problems can now be identified more easily
- Support for the RES ONE Workspace logon events introduced in version 22.214.171.124. These are used to measure RES logon processing and shell startup duration without the need for a building block or helper application
- New IdlenessPercent metric shows how ready the machine is to go into power saving mode
- Citrix sessions: uberAgent now determines the client hardware ID, which can be used to track endpoints
- uberAgent can now send the collected data to Microsoft OMS Log Analytics, too (status: experimental)
- New dashboards: Application Network Issues, Machine Storage, Machine Uptime, User Logoff Duration
- Improvements to various dashboards
- Hardware inventory: with Lenovo devices the field HwModel in sourcetype uberAgent:System:MachineInventory showed the manufacturer part number instead of the model name (e.g. “20BGCTO1WW” instead of “ThinkPad W540”). This has been corrected.
- On Windows 10 the total logon duration determined by uberAgent was too short
- The field NetTargetRemoteAddress in sourcetype uberAgent:Process:NetworkTargetPerformance would sometimes show a (bogus) IPv6 address instead of an IPv4 address
- When EnableExtendedInfo is true, the field ProcGUID in sourcetype uberAgent:Process:ProcessDetail always contained a null GUID (“00000000-0000-0000-0000-000000000000”)
- Drilling down from the User Sessions dashboard by clicking on a chart would not work if user name encryption was enabled
- The application identification feature would remove version numbers from the internally stored AppId. This would cause incorrect labeling in mixed-version environments (e.g. Office 2016 displayed as 2013 or vice versa).
- In rare cases a blue screen of type APC_INDEX_MISMATCH would occur on certain versions of Windows 10
- Sourcetype uberAgent:Logon:SessionLogonTime is now sent more reliably when the machine is under heavy load during boot
- Configuration section ProcessToApplicationMapping: overriding uberAgent’s automatic application identification would not work for executables installed from MSI packages. This has been fixed. Bear in mind that the full path to the executable needs to be specified in the configuration for the override to work.
- In some PC environments uberAgent startup during machine boot was unnecessarily slow
- uberAgent would cause spikes in the event log’s CPU utilization every 2 seconds, approximately
- Sourcetype uberAgent:Process:NetworkTargetPerformance: network data from processes running in multiple concurrent sessions under different user accounts would show up as a single accumulated event with empty user name
- Sourcetype uberAgent:Process:NetworkTargetPerformance: user names were stored as lowercase
- System account names were stored as localized strings for sourcetypes: uberAgent:Process:NetworkTargetPerformance, uberAgent:Logon:*, uberAgent:Logoff:*, uberAgent:Application:BrowserPerformanceChrome, uberAgent:Session:SessionDetail, uberAgent:Application:ApplicationUsage
- New sourcetype uberAgent:Citrix:PublishedDesktops with fields: Id, Name, PublishedName, SiteName, SiteGuid, DesktopGroupId, DesktopGroupName, BrowserName, ColorDepth, Description, Enabled, ExcludedUserFilterEnabled, ExcludedUsers, IncludedUserFilterEnabled, IncludedUsers, LeasingBehavior, RestrictToTag, SecureIcaRequired, SessionReconnection, Tags
- New sourcetype uberAgent:Citrix:Applications with fields: Id, Name, PublishedName, SiteName, SiteGuid, DesktopGroupId, DesktopGroupName, ApplicationType, Enabled, AdminFolder, LifecycleState, CreatedDate, ModifiedDate, Tags
- New sourcetype uberAgent:Citrix:Databases with fields: SiteName, SiteGuid, DataStore, IntegratedSecurity, MirrorServerAddress, Name, ServerAddress
- New sourcetype uberAgent:Citrix:Licenses with fields: SiteName, SiteGuid, LicenseServer, LicenseProductName, LicenseEdition, LicenseExpirationDate, LicenseSubscriptionAdvantageDate, LicenseType, LicenseTypeLocalized, LicensesInUse, LicensesAvailable, LicenseOverdraft, LicenseModel
- New sourcetype uberAgent:Citrix:Hypervisors with fields: Id, Name, SiteName, SiteGuid, LifecycleState
- New sourcetype uberAgent:Citrix:DesktopGroups with fields: Id, Name, SiteName, SiteGuid, IsRemotePC, DesktopKind, LifecycleState, SessionSupport, DeliveryType, Tags, CreatedDate, ModifiedDate
- New sourcetype uberAgent:Citrix:Catalogs with fields: Id, Name, SiteName, SiteGuid, LifecycleState, ProvisioningType, PersistentUserChanges, IsMachinePhysical, AllocationType, SessionSupport, ProvisioningSchemeId, CreatedDate, ModifiedDate
- New sourcetype uberAgent:Citrix:Machines with fields: Id, Sid, Name, NameHost, SiteName, SiteGuid, EffectiveLoadIndex, DnsName, LifecycleState, IPAddress, HostedMachineId, HostingServerName, HostedMachineName, IsAssigned, IsInMaintenanceMode, IsPendingUpdate, AgentVersion, AssociatedUserFullNames, AssociatedUserNames, AssociatedUserUPNs, CurrentRegistrationState, RegistrationStateChangeDate, LastDeregisteredCode, LastDeregisteredDate, CurrentPowerState, CurrentSessionCount, ControllerDnsName, PoweredOnDate, PowerStateChangeDate, FunctionalLevel, FailureDate, WindowsConnectionSetting, IsPreparing, FaultState, CatalogId, DesktopGroupId, HypervisorId, Hash, MachineRole, HypervisorDisplayName, CatalogDisplayName, DesktopGroupDisplayName, CreatedDate, ModifiedDate, Tags
- New sourcetype uberAgent:System:DiskInventory with fields: Name, Enumerator, DiskNumber, CapacityMB, IsWritable, IsRemovable
- New sourcetype uberAgent:System:VolumeInventory with fields: Guid, DeviceName, Label, FileSystem, MountPoints, DiskNumbers, FreeMB, CapacityMB, UsedSpacePercent, PartitionStyle, IsSystemVolume, IsBootVolume, IsDirty
- New sourcetype uberAgent:Application:NetworkConnectFailure with fields: AppId, AppVersion, ProcessName, ProcessId, User, SessionGUID, NetTargetRemoteAddress, NetTargetRemoteName, NetTargetRemotePort, NetTargetProtocols
- New sourcetype uberAgent:Logon:ResWmProcessingTimeMs with fields SessionGUID, SessionID, User, ResWmProcessingTimeMs
- New sourcetype uberAgent:Logoff:GroupPolicyLogoffScriptTimeMs with fields SessionGUID, SessionID, User, GroupPolicyLogoffScriptTimeMs
- New sourcetype uberAgent:Logoff:ProfileUnloadTimeMs with fields SessionGUID, SessionID, User, ProfileUnloadTimeMs
- New sourcetype uberAgent:Logoff:SessionLogoffTime with fields SessionGUID, SessionID, User, SessionLogoffTime
- New sourcetype uberAgent:Logoff:TotalLogoffTimeMs with fields SessionGUID, SessionID, User, TotalLogoffTimeMs
- New sourcetype uberAgent:Logoff:LogoffPerformance with fields SessionGUID, SessionID, User, ProcessStartCount, IOCountRead, IOCountWrite, IOMBRead, IOMBWrite, IOLatencyReadMs, IOLatencyWriteMs
- New sourcetype uberAgent:Process:LogoffProcesses with fields ProcName, ProcID, ProcParentName, ProcParentID, ProcUser, AppId, AppVersion, LogoffProcType, ProcStartTimeRelativeMs, ProcLifetimeMs, ProcCmdline, ProcPath, ProcIOReadCount, ProcIOWriteCount, ProcIOReadMB, ProcIOWriteMB, ProcIOLatencyReadMs, ProcIOLatencyWriteMs, ProcNetKBPS, SessionGUID, SessionID, TotalLogoffDurationMs, SortOrder
- Sourcetype uberAgent:System:MachineInventory has new fields RAMSizeGB, PowerSupportsConnectedStandby, PowerSupportsS1, PowerSupportsS2, PowerSupportsS3, PowerSupportsS4, PowerSupportsS5, IsUpsPresent, IsBatteryPresent, BatteryWearLevelPercent, CPUName, CPUSockets, CPUCoresPhysical, CPUCoresLogical, CPUMaxMhz, HwIsVirtualMachine
- Sourcetype uberAgent:System:SystemPerformanceSummary has new field IdlenessPercent
- Sourcetype uberAgent:Process:NetworkTargetPerformance has new fields NetTargetReconnectCount, NetTargetRetransmitCount, AppVersion
- Sourcetype uberAgent:Session:SessionDetail has new field SessionClientHwIdCtx
- Sourcetype uberAgent:Process:ProcessStartup has new field: AppVersion
- Sourcetype uberAgent:Application:Errors has new field: AppVersion
- Sourcetype uberAgent:System:GpuUsage has new fields: MemorySharedSizeMB, MemoryDedicatedSizeMB
- uberAgent now collects SMB performance data per network share (e.g. IOPS, latency, IO count, IO volume). This is available on Windows 8 / Server 2012 or newer.
- uberAgent now collects information on application crashes and hangs
- uberAgent now supports Splunk’s HTTP Event Collector (via HTTP and HTTPS) in addition to sending to a TCP port. This new protocol supports authentication and encryption and is suitable for transmitting data over the internet to Splunk Cloud.
- Dashboard Single Boot: uberAgent now displays a hierarchical table with all processes started during the OS boot showing process dependencies and IO performance
- uberAgent now determines whether a process is running elevated as part of its process startup metrics
- Support for Splunk 6.5, Windows Server 2016, Windows 10 1607
- Dashboards Single Application Performance, Single Machine Detail and Single User Detail can now be easily switched between different applications/machines/users.
- The dashboards now have a new menu “Splunk” with direct links to custom alerts, dashboards and reports
- Field ProcGUID is now populated in sourcetype uberAgent:Process:ProcessDetail if EnableExtendedInfo is true. This can be used for detailed process instance tracking over time (relevant for security use cases).
- Wildcards * and ? can now be used in the AD domain names of license files
- The per-machine GPU memory usage now matches the values reported by GPU-Z exactly (fields MemoryDedicatedMB and MemorySharedMB)
- Java application names are now determined for Java Web Start apps, too
- uberAgent now correctly determines logon metrics when the GP logon script contains the command RunOnce.exe /AlternateShellStartup
- App UI latency outliers (values that are far too high) are now filtered out
- Searching for tags (e.g. “tag=performance”) did not work in a distributed deployment
- Fixed issues on Windows 10 1607 (Anniversary Update)
- Fixed issues calculating per process GPU compute and memory metrics
- Fixed calculation of data model fields ProcIODurationMs, IODurationMs, ProcIOLatencyMs and IOLatencyMs in data model objects Process_LogonProcesses, Process_ProcessDetail and System_SystemPerformanceSummary
- Dashboard “Data Volume” did not display any data with a large number of endpoints
- Update inventory: when Windows Update threw errors uberAgent would not collect information on some updates
- Support for Windows Vista and Server 2008 has been removed
- Prerequisites for sending data to Splunk’s HTTP Event Collector: HTTP Event Collector must be enabled in Global Settings, and a new token with default settings must be created. The token must be specified in uberAgent’s configuration. Optionally, the token can be encrypted with our new uAEncrypt command-line tool.
- New sourcetype uberAgent:Application:Errors with fields: ErrorType, ProcName, ProcPath, ProcVersion, ProcTimestamp, ModuleName, ModulePath, ModuleVersion, ModuleTimestamp, ProcID, ProcLifetimeMs, ExceptionCode, FaultOffset, AppPackageFullName, AppPackageRelativeId, AppId, ProcUser, SessionGUID, ProcGUID
- New sourcetype uberAgent:System:SmbClient with fields: SharePath, IOPSRead, IOPSWrite, IOPSMetadata, IOCountRead, IOCountWrite, IOCountMetadata, IOMBRead, IOMBWrite, IOLatencyMsRead, IOLatencyMsWrite
- New sourcetype uberAgent:OnOffTransition:BootProcesses with fields: ProcName, ProcID, ProcParentID, ProcStartTimeRelativeMs, ProcLifetimeMs, ProcCmdline, ProcIOReadCount, ProcIOWriteCount, ProcIOReadMB, ProcIOWriteMB, ProcIOLatencyReadMs, ProcIOLatencyWriteMs, SessionID, TotalBootDurationMs, SortOrder, BootUID
- Sourcetype uberAgent:OnOffTransition:BootIODetail has been removed. It is superseded by uberAgent:OnOffTransition:BootProcesses.
- Sourcetype uberAgent:System:MachineInventory has new field OsArchitecture
- Sourcetype uberAgent:Process:ProcessDetail has new field: ProcGUID
- Sourcetype uberAgent:Process:ProcessStartup has new field: IsElevated
- The two index name macros have been consolidated into one.
- All macro names now start with “uberAgent_” to improve coexistence with other apps
- New MSI variables for unattended agent installation: RECEIVER_PROTOCOL, REST_TOKEN
- New configuration setting LogFileCount
- uberAgent can now send the collected data from the agent to an Elasticsearch backend, too (via HTTP or HTTPS)
- New configuration setting ProcessStartupSettings.EnableExtendedInfo. If enabled, uberAgent sends detailed process properties for each process start. uberAgent also generates unique GUIDs per process and session to help trace process execution.
- TCP port 19500 on Splunk indexer: Splunk does not perform a reverse DNS lookup of the endpoint’s IP address any more
- uberAgent now determines the primary IP address as part of machine inventory
- Most dashboards would not display any data in Internet Explorer 10 and below
- Logon duration dashboards: added missing filters (e.g. per user)
- Application UI unresponsiveness data was not collected on Windows 7 / Server 2008 R2
- uberAgent did not determine Outlook plugin load performance on French language versions of Windows/Office
- Dashboard “Data Volume” did not display any data with a large number of endpoints
- RES Workspace Manager shell startup duration is now determined correctly
- RDS RemoteApp: RDPinit.exe might incorrectly have been identified as AD logon script
- The user profile quota executable proquota.exe might incorrectly have been identified as AD logon script
- The session GUID creation algorithm was changed. As a result long-running sessions will get new GUIDs with this version and might be counted as two different sessions during the upgrade period.
- Sourcetype uberAgent:Process:ProcessStartup has new fields: ProcID, ProcParentID, SessionID, ProcGUID, SessionGUID, ProcParentName, ProcPath, ProcCmdline
- Sourcetype uberAgent:System:MachineInventory has new fields: Ipv4Address, NetworkAdapterName, NetworkAdapterDescription
- Updated default configuration (Group Policy and config file).
- Application UI latency: measures the responsiveness of the foreground application’s user interface. Enabled through new metric ApplicationUILatency in the configuration.
- Application UI unresponsiveness: determines when and for how long an application’s user interface is unresponsive
- Advanced filtering: each dashboard can now be filtered by various AD / Citrix / hardware / OS fields. We also added multiple filter levels.
- uberAgent now determines which application is in the foreground
- New dashboard: “Single Application Performance” shows detailed information about one application’s performance and network connections
- New dashboard: “Single Machine Detail” shows performance, network and application usage information about a single machine
- New dashboard: “Single User Detail” shows performance and application usage information about a single user
- Scalability improvements: previously a new instance of the in-session helper process was launched each time data needed to be collected from within a session. Now one instance per session is kept running.
- Reduced CPU utilization when there is high network load
- Dashboard “Single Logon” is now adjusted better to logons on Windows client machines
- Dashboard “Session Info: Citrix”: added “Published app count (all users)” and “Unique published apps”
- Dashboard “Application Usage” now shows how often each application is in the foreground
- Dashboard “Session Overview” now has much more detailed information
- As part of machine inventory uberAgent now also determines Active Directory OU and site as well as Citrix farm information
- VMware Horizon View protocols PCoIP and Blast are now identified, too (in addition to RDP and ICA)
- Citrix XenDesktop connection status is now determined correctly
- On/off transitions: the boot duration analysis may fail if events are missing from the boot trace file. This is now identified and logged.
- Application names and versions of Modern UI apps and Universal apps on Windows 8 / Windows 10 are now determined reliably
- Enteo NetInstall user agent NiAgnt32.exe is now processed correctly when started as part of the logon script
- Removed potential uAInSessionHelper cleanup deadlock
- Some fields’ values were calculated incorrectly when processes were started near the end of the data collection interval. This would cause “average of averages” errors. The following fields were affected: ProcCPUPercent, ProcIOPSRead, ProcIOPSWrite, CPUPercent, IOPS, SessionCPUUsagePercent, SessionIOPS.
- In rare cases the GPU usage fields were omitted in the data sent to Splunk.
- Under certain conditions Shell Startup was not determined during logon. This was in some cases followed by a crash of the uberAgent service.
- Shell startup was not determined if RES Workspace Manager was used as shell and was started with a command line parameter (e.g. pwrstart.exe powermenu)
- Legacy mode has been removed. In legacy mode uberAgent ran as a scripted input managed by Splunk’s Universal Forwarder.
- New sourcetype uberAgent:Application:UIDelay with fields: AppId, AppVersion, ProcessName, ProcessId, UIDelayMs, User, SessionGUID
- Sourcetype uberAgent:Session:SessionDetail has new fields SessionFgAppId, SessionFgAppVersion, SessionFgProcessName, SessionFgProcessId, SessionFgAppUILatencyUs
- Sourcetype uberAgent:System:MachineInventory has new fields AdDomainDns, AdDomainNetBios, AdSite, AdOu, ComputerNameDn, ComputerNameCanonical, CtxFarmName, CtxMachineCatalogName, CtxDeliveryGroupName
- The following fields are now available for every sourcetype and data model object: AdDomainDns, AdSite, AdOu, CtxFarmName, CtxMachineCatalogName, CtxDeliveryGroupName, HwManufacturer, HwModel, OsBuild, OsType, OsVersion
- Removed the configuration option HelperFileDirectory as it is no longer required. If you have configured this setting through Group Policy please set it to “not configured” before updating the ADMX/ADML templates.
- Updated default configuration (Group Policy and config file).
- Drilldown on the charts (when clicked they behave the way they should)
- Various resilience improvements
- Fixed a memory leak in the uberAgent service
- Fixed a potential handle leak in the uberAgent service
- Deploying license or configuration files via the batch files bundled with the endpoint (manual-install.cmd and silent-install.cmd) was broken in the last version.
- RDS machines under heavy load or machines with hung instances of Internet Explorer: the uAInSessionHelper child processes might not exit. This would potentially cause a high number of uAInSessionHelper processes to be created.
- The end of user logons was not detected correctly if the user was already logged on to another session on the same machine
- Much more detailed user logon performance data
- Group Policy configuration (as an optional alternative to the configuration file; ADMX template is included)
- Support for Windows 10
- Support for Splunk 6.3
- Sourcetype uberAgent:Logon:GroupPolicyCSEDetail: increased accuracy of DC discovery and CSE duration
- Sourcetype uberAgent:Logon:GroupPolicyCSEDetail: new field CseReturnCode captures a CSE’s return code
- Sourcetype uberAgent:Logon:GroupPolicyProcessingTimes: new field LoopbackMode captures the Group Policy loopback processing mode
- uberAgent now correctly determines and deals with a Group Policy logon script delay. This may cause a 5-minute delay before logon information is sent to Splunk.
- uberAgent now correctly deals with the Explorer startup delay, which would increase the following values by about 10 seconds on Windows 8, 8.1 and Server 2012 (R2): ShellStartupTimeMs, TotalLogonTimeMs. Instead, uberAgent now stops timing a logon when the Explorer shell is fully initialized.
- The name of the Splunk index used by uberAgent can now be changed easily through a macro in macros.conf
- Indexer app: added “repFactor = auto” for easier integration with Splunk indexer clusters
- CSS changes in Splunk 6.2.4 would cause display issues with some input controls. This has been fixed.
- An RDS initial program configured via the group policy setting Start a program on connection might have been mistakenly identified as Active Directory logon script
- On XenApp 7.6 after a disconnect and reconnect published application names were displayed in lowercase. The changed case caused Splunk to identify them as different applications.
- The default Splunk index name has been changed from “uberAgent” to “uberagent”.
- Various smaller bugfixes
- The end of a logon is now determined differently to account for the Explorer startup delay in Windows 8 and newer. Because of this change, shell startup time and total startup duration reported by this version will be different from what earlier versions of uberAgent reported.
- Added new sourcetype uberAgent:Logon:LogonPerformance with fields ProcessStartCount, IOCountRead, IOCountWrite, IOMBRead, IOMBWrite, IOLatencyReadMs, IOLatencyWriteMs
- Added new sourcetype uberAgent:Process:LogonProcesses with fields ProcName, ProcID, ProcParentName, ProcParentID, ProcUser, AppId, AppVersion, LogonProcType, ProcStartTimeRelativeMs, ProcLifetimeMs, ProcCmdline, ProcPath, ProcCPUTimeMs, ProcIOReadCount, ProcIOWriteCount, ProcIOReadMB, ProcIOWriteMB, ProcIOLatencyReadMs, ProcIOLatencyWriteMs, ProcWorkingSetMB, ProcNetKBPS, SessionGUID, SessionID, TotalLogonDurationMs, SortOrder
- Added new data model object Process_LogonProcesses
- Renamed the product’s company to “vast limits”. This changes the default installation directory. The settings location in the registry is migrated automatically.
- The uberAgent_indexer app had a frozenTimePeriodInSecs setting in indexes.conf that instructed Splunk to remove data after a little more than 30 days. This setting has been removed so that now the Splunk default of approximately 6 years applies.
- Speed: Dashboards are now based on an accelerated data model and should load approx. 50-100 times faster, especially if a lot of data needs to be processed.
- Functionality: All dashboards have been rebuilt with Splunk’s Simple XML/HTML technology and provide much richer functionality.
- Inventory: uberAgent now has dashboards for application, update and machine inventory information
- Anonymization: user names can now optionally be encrypted if required for compliance with privacy regulations. If this is enabled, user or domain names are never sent to Splunk in clear text.
- ProcessStartup events now show the corresponding application name and the user’s domain name.
- ProcessDetail events now show the corresponding application name, version and the process ID.
- ProcessDetail events now optionally show the process commandline. This is disabled by default since it may significantly increase the data volume. It can be enabled selectively using whitelists and blacklists.
- NetworkTargetPerformance events now show the corresponding application name.
- Timers with a very long interval (e.g. 24h) now wake up reliably at the correct time even when the computer has been in suspend or hibernate for part of the time
- Disk IO: very high latencies potentially caused by suspend/resume are now ignored
- Network transfer volume may have been displayed as 0 even though data was transmitted. This was because of rounding issues. To prevent that from happening the resolution of the fields NetTargetSendMB and NetTargetReceiveMB has been increased from 100 KB to 1 KB.
- In order to reduce the data volume, system user accounts like NETWORK SERVICE are now sent to Splunk in shortened form. The full name is restored by an automatic lookup. The change is masked by the data model, so that the new dashboards display old and new data correctly. This applies to the sourcetypes uberAgent:Process:ProcessDetail and uberAgent:Process:ProcessStartup.
- The dashboard Application Usage now displays the number of (ICA/RDP/PCoIP) remoting clients an application was accessed from. This enables license checks adhering to Microsoft’s requirements.
- Names of Java applications were not in all cases determined correctly
- Batch files executing during user logon might have been mistakenly identified as Active Directory logon script
- The new dashboards require at least Splunk 6.2.
- Sourcetype uberAgent:Application:ApplicationDetail has been removed. Application performance data is now retrieved from sourcetype uberAgent:Process:ProcessDetail, to which application ID and version fields have been added. Because of this change the new dashboards cannot display application performance data from older versions.
- Sourcetype uberAgent:Process:ProcessSummary has been removed as it was not used.
- CSE processing times have been removed from sourcetype uberAgent:Logon:GroupPolicyProcessingTimes because the data can also be found in sourcetype uberAgent:Logon:GroupPolicyCSEDetail.
- Application ID to name mapping is performed through new sourcetype uberAgent:Application:AppNameIdMapping
- Changed the names of the data model objects to better match the respective sourcetype
- Fields ProcessName and ProcessUser in sourcetype uberAgent:Process:NetworkTargetPerformance have been renamed to ProcName and ProcUser, respectively. The new dashboards display new and old data correctly.
- Fields ProcessType and ProcessUser in sourcetype uberAgent:Application:BrowserPerformanceChrome have been renamed to ProcType and ProcUser, respectively. The new dashboards display new and old data correctly.
- Fields ProcessType and ProcessID in sourcetype uberAgent:Application:BrowserPerformanceIE have been renamed to ProcType and ProcID, respectively. The new dashboards display new and old data correctly.
- Fields Name, DurationS and GPONames in sourcetype uberAgent:Logon:GroupPolicyCSEDetail have been renamed to CseName, CseDurationS and CseGPONames, respectively. The new dashboards display new and old data correctly.
- Fields DriverDegradationTimeMs, DriverFriendlyName, DriverName, DriverTotalTimeMs and DriverVersion in sourcetypes uberAgent:OnOffTransition:SlowDriverStandby and uberAgent:OnOffTransition:SlowDriverResume have been renamed to DegradationTimeMs, FriendlyName, Name, TotalTimeMs and Version, respectively. The new dashboards display new and old data correctly.
- Event format of sourcetype uberAgent:Process:ProcessStartup has been changed from key/value to CSV to reduce the data volume. Additionally the fields Name and User have been renamed to ProcName and ProcUser, respectively. Because of these changes the new dashboards cannot display startup duration data from older versions.
- Splunk 6.2.2 does not display the menu of the uberAgent dashboard app
- With this release, only the dashboard app contained in the file uberAgent_searchhead.tgz was changed compared to the previous version 2.1.0. Updating the endpoints is not necessary.
- Citrix XenApp/XenDesktop session properties and client information. New dashboard “Session Info: Citrix”.
- Microsoft RDP session properties and client information.
- VMware Horizon View session properties and client information. New dashboard “Session Info: VMware”.
- VMware Horizon View: PCoIP protocol is now identified as such
- Outlook plugin startup performance. New dashboard “Outlook Plugin Load Performance” (works with Outlook 2010 and 2013)
- Support for per user licenses
- Domain names can now be encrypted in the license file (relevant for service providers)
- uberAgent events are now compliant with the Splunk CIM
- New dashboard: uberAgent versions
- The Splunk event source name can now be specified in the configuration file
- It is now possible to specify on the timer level which receivers to send data to. Previously this could only be configured globally.
- The (ICA/RDP/PCoIP) remoting client name is now logged with sourcetype ApplicationUsage to enable license checks adhering to Microsoft’s requirements
- Fixed potential application crash when handling executable version resources
- The Splunk host and index names can now be specified in the configuration file (index is relevant for multi-tenancy)
- The uberAgent version is now logged to Splunk (sourcetype uberAgent:License:LicenseInfo)
- The event timestamp extraction configuration was incorrectly located in the dashboard app. It has been moved to the indexer app.
- Improved resilience against app crashes
- Under specific conditions uberAgent would crash during system boot
- The unique user count on the dashboard User Session Overview may have been too high
- Increased the height of bar charts as a workaround for the Splunk problem of axis labels not being displayed
- ICA protocol detection would not always work correctly with XenDesktop
- New architecture: uberAgent now runs as its own service and can be (but need not be) used without Splunk’s Universal Forwarder. uberAgent now sends data directly to a Splunk TCP port, which needs to be opened either on the Splunk servers or on a locally installed Universal Forwarder. Alternatively, uberAgent can be used in a compatibility mode where it is run by Universal Forwarder as a scripted input.
- Process performance (metrics ProcessDetailFull and ProcessDetailTop5): added process whitelist and blacklist functionality (via config file). This can be used to significantly reduce the data volume.
- Added dashboard Process Network Communication
- Added new SA component to be deployed to Splunk indexers. The SA creates the uberAgent index and TCP port
- Various efficiency improvements, resulting in even smaller footprint and reduced CPU / RAM usage
- Reduced the data volume by approx. 15%
- Dashboard User Sessions: Connection protocol is now shown correctly as ICA for XenDesktop sessions, too
- Dashboard Machine Network Communication: Added charts Data volume over time and Latency over time and the following columns to the table: Connect count and Processes
- Log file format was changed from UTF-16 to UTF-8. This roughly halves the size (in bytes) per log line. Please see the section Release notes regarding the migration of the log collector app.
- IE browser performance would not work if a user had many tabs open
- Latency values were incorrectly calculated on many dashboards
- GPU usage per process would not work in systems with multiple GPUs
- Dashboard Single Network Communication Target: the target name was not shown in the dashboard’s top section
- New architecture: please read the documentation to find out how you can benefit from it.
- Configuration file changes: old configuration files must be updated before using them with this version. With 2.0 at least one Receiver section is required.
- Replaced sourcetype uberAgent:System:NetworkTargetPerformance with uberAgent:Process:NetworkTargetPerformance
- If you are using our log collector app or some other mechanism for parsing uberAgent’s log file you need to change the file format from UTF-16 to UTF-8.
For our log collector app, version 1.1 is required.
Upgrade order: first upgrade uberAgent on your endpoints to version 2.x before you upgrade the log collector app to version 2.x.
New features / improvements
- New feature: network latency and throughput per network target (host + port)
- New dashboard: Process Startup Duration Detail
- Dashboard Process Detail now displays the average latency of the process’ network communication
- Dashboard Machine GPU Usage now displays each machine’s GPU model
- Dashboard Single User Session now displays the remoting protocol latency over time
- Dashboard SBC Sizing moved from experimental to official status. This is the first dashboard to be implemented using Splunk’s Web Framework which is by default not available on Splunk 5 (but can be installed).
- Process startup duration events were logged with the startup end timestamp. Now they are logged with the startup begin timestamp.
- Application and session disk IO latency calculation was inaccurate
New features / improvements
- ICA: uberAgent now collects Citrix ICA (HDX) latency per session
- Chrome: uberAgent now collects Google Chrome performance data per process type
- Java: uberAgent now determines the name of Java applications so that performance information per Java app can be displayed
- Logon: Active Directory site name and authenticating domain controller (logon server) are now reported, too
- Logon: Additional metric Pre logon init: the time it takes for the session to initialize before user logon
- Configuration: The directory from which helper tools are run is now configurable
- Footprint: Reduced memory footprint, especially long-term
- Removed error messages sometimes logged with concurrently running helper app
- Fixed smaller bugs that occurred on devices with connected standby (primarily tablets)
- Software assignments to users via group policy were ignored when calculating logon duration
- uberAgent’s splash screen was clipped on high-DPI devices on Windows 8
- Changed the location from which helper processes are run from %ProgramFiles%\Helge Klein GmbH to %ProgramFiles%\Helge Klein\uberAgent
New features / improvements
- GPU usage: uberAgent now reports GPU usage for the entire machine and for each process
- Application versions: the application usage dashboards now also display the number of different application versions, user count per version and computer count per version
- Application names: uberAgent now determines application names for Windows 8 modern UI aka metro apps, too
- Tuning: Process startup duration measurement gives unrealistic values for certain processes that resume DLL loading after a shorter period of time than uberAgent’s default wait period of 30 seconds. This wait period length can now be adjusted globally and per process via the section ProcessStartupDurationWaitInvervalOverride of the configuration file.
- Data volume reduction: In the default configuration the metric ProcessDetailFull generates the highest data volume. A new section ProcessDetailFullIgnoredProcesses has been added to the configuration file that makes it possible to selectively filter processes of low relevance. The default configuration file filters these system processes: cmd.exe, conhost.exe, csrss.exe, lsm.exe, smss.exe, wininit.exe, winlogon.exe.
- Browser performance data output was formatted incorrectly so that the dashboard Browser Performance: Internet Explorer did not display meaningful data.
- User profile loading duration events could be lost due to a timing issue. In that case the dashboard would not display anything in the user profile column.
New features / improvements
- All dashboards: the filter box now accepts Splunk search expressions. This makes it possible to filter for two machines only, for example, like this: host=server1 OR host=server2
- Version 1.7 introduced a memory leak in uberAgent.exe. This has been fixed in 1.7.1.
New features / improvements
- Support for Citrix Profile Management
- uberAgent now detects if Citrix PM is present and active and adds PM’s processing time to Windows’ user profile loading duration
- uberAgent also logs Citrix PM’s processing time independently
- Dashboard boot duration: new metric computer startup (the time from boot start until the logon prompt is shown)
- Experimental SBC sizing dashboard
- uberAgent might fail to start, logging the following: populating the app name lookup cache failed with: The system cannot find the file specified.
- Several dashboards might trigger a bug in splunkd, causing excessive memory usage and potentially a crash of splunkd
IMPORTANT: working around this required a change in how the data is stored in Splunk. For that reason version 1.7 dashboards display only some of the older data correctly.
- The data format of the following sourcetypes was changed in this release: ApplicationDetail, ApplicationUsage, BootProcessDetail, BrowserPerformanceIE, ProcessDetail, SessionDetail. Searches need to be adapted by removing the multikv command. This was done to increase performance and work around a memory leak in Splunk 5 and 6.
New features / improvements
- uberAgent now measures the startup duration of processes
- Support for Windows 8.1 and Server 2012 R2
- Support for Splunk 6
- Logon information now includes GPOs that have been processed
- Process disk IO performance data is now separated into reads and writes (note: because of this some of the new dashboards do not display old data correctly)
- Added a data model (to be used with Splunk 6)
- Added resilience when performance counters do not work as expected
- Improvements to many dashboards
- Occasionally incorrect calculation of RES Workspace Manager shell startup
- User name of Citrix published applications was incorrect on Server 2012
- Browser performance monitoring does not work if IE is running as a Citrix XenApp published application. It does work from published desktops, however.
- Shell start duration is now calculated for RES Workspace Manager, too. Prerequisite: place an executable called RESUberAgentApp.exe in WM custom resources; set it to start automatically & hidden
- Shell start duration: ‘run once’ processes are now ignored
- Detection of custom shells is now much more reliable
- Machine average IO latency was calculated incorrectly from the read and write latency values.
- True IOPS per application, user session, process and browser site
- Network throughput per application, user session, process and browser site
- Support for multi-tenancy. A single installation of uberAgent + Splunk can now be used for multiple tenants. Administrators see everything while tenants are isolated from each other.
- For every system boot IO count, IO latency and IO volume are now logged per process and over time
- Added % disk time to machine performance data
- Reduced footprint, lower memory usage and faster startup
- Added dashboard application_detail_windows_os: moved information on the application Windows from the general application dashboard application_detail to this new dashboard
- Fixed IOPS per process/application/session/website: previously, the number of IOPS before the system caches was displayed. Now the IOPS arriving at the disk(s) are shown.
- Dashboard user_session_detail: it could happen that ICA or RDP connections were displayed having a connection type of console
- When a machine was resumed from standby sometimes the first disk latency value was much too high
- Boot duration was not available for some boots
- Much improved reliability of event processing while booting up
- Fixed issues with detection of custom shells during logon
- Many dashboards would only display a subset of the data if a large number of events was selected for display
- On XenApp machines the AD logon script was not detected correctly
- On XenApp machines iexplore.exe was recognized as application Citrix XenApp 6.5
- Custom shells set via per-user Group Policy were not recognized correctly
- Dashboards single_machine_detail and single_machine_io_detail: Startup time was not displayed (correctly)
- Dashboard machine_detail: in certain situations network utilization was well over 100%
- When a client machine booted up very quickly, group policy events could be lost. The likelihood of this happening has been reduced.
- New dashboards:
  - Boot duration
  - Boot delays
  - Standby / resume duration
  - Standby / resume delays
  - Shutdown duration
  - Shutdown delays
- Added Average IOPS read ratio over time to dashboard Single Machine Disk IO
- Added German translation of uberAgent app
- Application performance & usage now works for App-V applications, too
- Various bugfixes and improvements
Version 1.0.2 (v1 final)
- New: Internet Explorer performance monitoring by URL
- Requirement: Splunk Universal Forwarders must run with local system account
- Per machine data:
  - Replaced single counters for read+write with separate read and write counters
  - Added machine disk IO dashboard
- Data volume reduction by 20%
- Added data volume dashboard
- Added metric ProcessDetailTop5: only logs the most interesting processes -> much reduced data volume
- Added network utilization in percent to metric SystemPerformanceSummary
- Previously, service sessions and user sessions were mixed in one dashboard. Now there are separate dashboards for services (session 0) and users.
- Various bugfixes and improvements
Version 1.0.1 (Beta 2)
- Application usage metering: new
- Machine IOPS metrics: values are now correct (previously, uberAgent displayed soft page faults)
- Added machine IO latency to metric SystemPerformanceSummary
- Licensing: added status dashboard
- Licensing: uberAgent now processes multiple licenses (uberAgent*.lic)