This documentation does not apply to the most recent version of uberAgent.
Default Configuration
This page lists uberAgent’s default configuration that is in effect if the endpoint agent is installed without making any changes.
uberAgent can be configured via config file or Active Directory Group Policy (see configuration options).
uberAgent’s Default Config File
#
# This is the default configuration file for uberAgent
# Place it in the same directory as uberAgent.exe
#

############################################
# General configuration
#
# Configurable settings in this section:
#
#   Setting name: DebugMode
#   Description: When in debug mode, uberAgent's log file is more verbose, providing more detail on what is going on.
#   Valid values: true | false
#   Default: false
#   Required: no
#
#   Setting name: LogFileCount
#   Description: Number of log files to keep (current + historical). When exceeded, the oldest log file is deleted.
#   Valid values: any positive integer
#   Default: 5
#   Required: no
#
#   Setting name: EncryptUserNames
#   Description: If enabled, user and domain names are encrypted in the agent before being sent off to Splunk. This can be useful for compliance with privacy regulations.
#   Valid values: true | false
#   Default: false
#   Required: no
#
#   Setting name: LicenseFilePath
#   Description:
#   Valid values: Any valid path (local or UNC) where uberAgent looks for the license file(s). These license files are cached locally in "%ProgramData%\vast limits\uberAgent\License cache". If this path is not specified uberAgent looks for licenses in the installation directory.
#   Default: empty
#   Required: no
#
############################################

[Miscellaneous]
DebugMode = true

############################################
# Data receivers
#
# uberAgent sends data to the receivers configured here.
# If multiple [Receiver] sections are specified, data will be sent to EACH receiver. This can be overridden per Timer by specifying a comma-separated list of receivers.
# To load-balance and fail over between servers specify multiple comma-separated values for "Servers" in a SINGLE receiver section
#
# Configurable settings in this section:
#
#   Setting name: Name
#   Description: Arbitrary name for the data receiver. Used only internally.
#   Valid values: any string
#   Default: empty
#   Required: no
#
#   Setting name: Type
#   Description: Receiver type.
#   Valid values: Splunk | Elasticsearch | OMSLogAnalytics
#   Default: Splunk
#   Required: yes
#
#   Setting name: Protocol
#   Description: How to send data to the backend.
#                TCP uses a direct TCP connection
#                HTTP sends to a REST endpoint via HTTP or HTTPS
#                "Console" prints the data on the screen
#                For type Splunk use TCP or HTTP, for type Elasticsearch use HTTP, for type OMSLogAnalytics use HTTP.
#   Valid values: TCP | HTTP | Console
#   Default: TCP
#   Required: no
#
#   Setting name: RESTToken
#   Description: Authentication token required by the Splunk HTTP Event Collector and by OMS Log Analytics.
#                For Type OMSLogAnalytics use the primary or the secondary key for the workspace.
#                For Type Elasticsearch credentials in format: can be used to authenticate to the Elasticsearch server.
#   Valid values: any string
#   Default: empty
#   Required: only for Type Splunk and Protocol HTTP
#
#   Setting name: ElasticIngestPipeline
#   Description: Name of the Elasticsearch ingest pipeline used to perform common data transformation and enrichments.
#   Valid values: any string
#   Default: empty
#   Required: no
#
#   Setting name: Servers
#   Description: List of target servers/URLs. Not required if Protocol is Console.
#   Valid values:
#      TCP: comma-separated list of server:port, e.g.: localhost:19500, splunksrv:12345
#      HTTP: comma-separated list of URLs starting with http or https.
#         Splunk example: http://server1:8088, https://server2:8088
#         OMS Log Analytics example: https://CUSTOMERID.ods.opinsights.azure.com
#   Default: empty
#   Required: yes, unless Protocol is Console
#
#   Setting name: Index
#   Description: Name of the backend index. Custom Splunk index names must be configured in macros.conf, too.
#   Valid values: any lowercase string
#   Default: uberagent
#   Required: no
#
#   Setting name: Host
#   Description: Name of the Splunk source host sending the event. Normally does not need to be changed.
#   Valid values: any string
#   Default: %computername%
#   Required: no
#
#   Setting name: Source
#   Description: Event source name. Normally does not need to be changed.
#   Valid values: any string
#   Default: uberAgent
#   Required: no
#
#   Setting name: MaxQueueSizeRamMb
#   Description: Maximum queue size in RAM in MB. If exceeded, events are discarded.
#   Valid values: any number
#   Default: 10
#   Required: no
#
############################################

[Receiver]
Name = Default
Type = Splunk
Protocol =TCP
Servers =localhost:19500
RESTToken =

############################################
# Metrics explanation
#
# Available metrics:
#
# a) uberAgent timer metrics (output at regular intervals):
#
#   ProcessDetailTop5                 Performance & application data for each process, top 5 items are displayed per category. Should not be used in conjunction with ProcessDetailFull (redundancy).
#   ProcessDetailFull                 Performance & application data for each process, all processes are displayed. Generates a huge data volume! Should not be used in conjunction with ProcessDetailTop5 (redundancy).
#   ApplicationUsage                  Data for application usage calculations (how many users were running an app at any given time)
#   ApplicationInventory              Retrieves a list of all installed applications
#   SoftwareUpdateInventory           Retrieves a list of all installed updates and patches
#   MachineInventory                  Retrieves information about machines (OS, hardware model)
#   SessionCount                      Number of user sessions
#   SessionDetail                     Performance data for each session
#   SystemPerformanceSummary          Performance data for the entire system
#   BrowserPerformanceIE              Internet Explorer: browser performance per site
#   BrowserPerformanceChrome          Chrome: browser performance (tracking page loads and web requests requires the uberAgent browser extension)
#   GpuUsage                          GPU usage per machine and per process
#   NetworkTargetPerformanceProcess   Performance data per target IP address and port per process (see also [NetworkTargetPerformanceProcess_Filter])
#   SMBClientSharePerformance         Performance data per SMB share accessed by the machine's SMB client (requires Windows 8 / Server 2012 or newer)
#   NetworkConfigInformation          Retrieves information about network configuration
#
# The following metrics are collected only if uberAgent is running on a Citrix XenApp/XenDesktop delivery controller:
#
#   CitrixDCDesktopGroup              Information on Citrix XenApp/XenDesktop delivery groups
#   CitrixDCCatalog                   Information on Citrix XenApp/XenDesktop machine catalogs
#   CitrixDCMachine                   Information on Citrix XenApp/XenDesktop machines (VDAs and DDCs)
#   CitrixDCHypervisor                Information on Citrix XenApp/XenDesktop hypervisor connections
#   CitrixDCGeneralInformation        Information on Citrix XenApp/XenDesktop site properties like databases
#   CitrixDCLicenseInformation        Information on Citrix XenApp/XenDesktop license usage
#   CitrixDCApplication               Information on Citrix XenApp/XenDesktop published applications
#   CitrixDCPublishedDesktops         Information on Citrix XenApp/XenDesktop published desktops
#
#
# b) uberAgent on-demand metrics (output when it happens):
#
#   LogonDetail                       Several logon metrics like logon script processing time, group policy processing time, etc.
#   LogonProcesses                    Information about all processes run during user logon
#   BootDetail                        Boot performance data including applications/services/drivers that cause delays
#   ShutdownDetail                    Shutdown performance data including applications/services/drivers that cause delays
#   StandbyDetail                     Standby performance data including applications/services/drivers that cause delays
#   ProcessStartup                    Startup duration of processes
#   OutlookPerformanceEvents          Performance information for Microsoft Outlook
#   ApplicationErrors                 Information about application crashes and related errors
#   ApplicationUIDelay                Application UI unresponsiveness
#
# c) System performance counters (output at regular intervals)
#
#   Any Windows performance counter can be used. Example:
#
#   Perf counter = \System\System Up Time
#
############################################

############################################
# Timers
#
# uberAgent works with one or more timers.
# Each timer wakes up periodically. When it does, it computes the values of a configurable set of metrics and sends the results off for storage.
# Additionally there are on-demand metrics that log data when an event occurs, e.g. a user logon.
#
# Configurable settings per timer:
#
#   Setting name: Name
#   Description: Arbitrary name for the timer. Used only internally.
#   Valid values: any string
#   Default: empty
#   Required: yes
#
#   Setting name: Comment
#   Description: Arbitrary comment for the timer. Not used by uberAgent.
#   Valid values: any string
#   Default: empty
#   Required: no
#
#   Setting name: Interval
#   Description: How long to wait before collecting data again. Unit: milliseconds.
#   Valid values: any number
#   Default: [none]
#   Required: yes
#
#   Setting name: UA metric
#   Description: Name of any uberAgent timer metric to be collected through this timer. May be specified more than once per timer.
#   Valid values: any uberAgent timer metric
#   Default: empty
#   Required: no
#
#   Setting name: Perf counter
#   Description: Name of any Windows performance counter to be collected through this timer. May be specified more than once per timer.
#   Valid values: any performance counter name
#   Default: empty
#   Required: no
#
#   Setting name: Start delay
#   Description: If a start delay is configured, uberAgent waits for the given time in ms before running the timer's metrics for the first time. If no start delay is configured, uberAgent waits for the time configured with the Interval parameter.
#   Valid values: any number
#   Default: 0
#   Required: no
#
#   Setting name: Persist interval
#   Description: If this is enabled, uberAgent stores the timer's last runtime so that it does not run it more often than specified with the Interval parameter even when restarted.
#   Valid values: true | false
#   Default: false
#   Required: no
#
#   Setting name: Thread priority
#   Description: Relative priority for the timer's thread.
#   Valid values: background | normal
#   Default: normal
#   Required: no
#
#   Setting name: Receivers
#   Description: List of receivers to send this timer's data to. Overrides the default (send to all receivers).
#   Valid values: Comma-separated list of receiver names configured in [Receiver] sections, e.g.: SplunkPool1, SplunkPool2
#   Default: all receivers
#   Required: no
#
#   Setting name: Script
#   Description: Run a script once or periodically, depending on the configured Interval (0 = run only once). The script's output to stdout is sent to Splunk, each line as a new event. Can be specified more than once per timer.
#   Valid values: Any valid command line, optionally including command line parameters.
#   Default: empty
#   Required: no
#
#   Setting name: ScriptContext
#   Description: The user context to run a script in.
#   Valid values: Session0AsSystem | UserSessionAsSystem | UserSessionAsUser
#   Default: Session0AsSystem
#   Required: no
#
############################################

############################################
# On-demand metrics
############################################
[OnDemand]
UA metric = LogonDetail
UA metric = LogonProcesses
UA metric = BootDetail
UA metric = ShutdownDetail
UA metric = StandbyDetail
UA metric = ProcessStartup
UA metric = OutlookPerformanceEvents
UA metric = ApplicationErrors
UA metric = ApplicationUIDelay

############################################
# Timer 1
############################################
[Timer]
Name = Default timer
Comment = Metrics are placed here unless there is a reason to have them run at different frequencies or to isolate them
Interval = 30000
UA metric = ProcessDetailFull
UA metric = ApplicationUsage
UA metric = SessionCount
UA metric = SessionDetail
UA metric = SystemPerformanceSummary
UA metric = SMBClientSharePerformance

############################################
# Timer 2
############################################
[Timer]
Name = Network configuration information
Comment = Collects network configuration information
Interval = 300000
UA metric = NetworkConfigInformation

############################################
# Timer 3
############################################
[Timer]
Name = GPU usage
Comment = Isolate GPU metrics from the other metrics
Interval = 30000
UA metric = GpuUsage

############################################
# Timer 4
############################################
[Timer]
Name = Browser performance
Comment = Isolate browser metrics from the other metrics
Interval = 30000
UA metric = BrowserPerformanceIE
UA metric = BrowserPerformanceChrome

############################################
# Timer 5
############################################
[Timer]
Name = Network performance
Comment = Isolate in its own thread because DNS lookups are performed
Interval = 30000
UA metric = NetworkTargetPerformanceProcess

############################################
# Timer 6
############################################
[Timer]
Name = Inventory
Comment = Perform an inventory at a very low frequency
Interval = 86400000
Start delay = 600000
Persist interval = true
Thread priority = background
UA metric = ApplicationInventory
UA metric = SoftwareUpdateInventory
UA metric = MachineInventory

############################################
# Timer 7
############################################
[Timer]
Name = Citrix site - default
Comment = Collect Citrix XenApp/XenDesktop site information (active on delivery controllers only, inactive anywhere else)
Interval = 300000
Start delay = 240000
UA metric = CitrixDCDesktopGroup
UA metric = CitrixDCCatalog
UA metric = CitrixDCHypervisor
UA metric = CitrixDCGeneralInformation
UA metric = CitrixDCApplication
UA metric = CitrixDCPublishedDesktops

############################################
# Timer 8
############################################
[Timer]
Name = Citrix site - machines
Comment = Collect Citrix XenApp/XenDesktop site information (active on delivery controllers only, inactive anywhere else)
Interval = 300000
Start delay = 260000
UA metric = CitrixDCMachine

############################################
# Timer 9
############################################
[Timer]
Name = Citrix site - licenses
Comment = Collect Citrix XenApp/XenDesktop site information (active on delivery controllers only, inactive anywhere else)
Interval = 60000
Start delay = 180000
UA metric = CitrixDCLicenseInformation

############################################
# List of core Windows processes that also (sometimes) run in user sessions
#
# The sole effect of listing core Windows processes here is to enable uberAgent to calculate the resource usage of the OS
#
############################################
[WindowsProcesses]
audiodg.exe=Microsoft Windows OS
conhost.exe=Microsoft Windows OS
csrss.exe=Microsoft Windows OS
dllhost.exe=Microsoft Windows OS
dwm.exe=Microsoft Windows OS
lsass.exe=Microsoft Windows OS
lsm.exe=Microsoft Windows OS
ntoskrnl.exe=Microsoft Windows OS
services.exe=Microsoft Windows OS
smss.exe=Microsoft Windows OS
spoolsv.exe=Microsoft Windows OS
svchost.exe=Microsoft Windows OS
taskhost.exe=Microsoft Windows OS
WmiPrvSE.exe=Microsoft Windows OS
wininit.exe=Microsoft Windows OS
winlogon.exe=Microsoft Windows OS

############################################
# Executable to application name mappings (for overriding uberAgent's automatic application identification)
#
# Format: C:\Full path to\process.exe = Application name
#
# Specifying only the file name without the full path only works in specific cases and is not recommended.
#
############################################
[ProcessToApplicationMapping]
## Windows Search
SearchFilterHost.exe=Microsoft Windows Search
SearchIndexer.exe=Microsoft Windows Search
SearchProtocolHost.exe=Microsoft Windows Search
## Protected processes
MsMpEng.exe=Microsoft Malware Protection
NisSrv.exe=Microsoft Malware Protection
Services.exe=Microsoft Windows OS
fontdrvhost.exe=Microsoft Windows OS

############################################
# Processes to ignore in application lookup
#
# Format: process.exe = uberAgent_ignore
#
############################################
[ApplicationMappingIgnoredProcesses]

############################################
# Process startup duration load image wait interval
#
# When uberAgent determines process startup duration, it looks for the beginning of a 30 second time interval without image (DLL) load events
# The default wait duration of 30 seconds can be adjusted either globally or for individual processes here (individual has precedence over global).
#
# Additionally, if there are IO operations during the DLL loading phase, uberAgent calculates the average IOPS during that phase and waits until
# IOPS drop to less than 20% for at least 10 seconds after the end of the DLL loading phase. The value of 10 seconds can be adjusted here, too.
#
# Configurable settings:
#
#   Setting name: DllLoadWaitDurationGlobal
#   Description: Globally set the DLL loading phase wait duration for all processes in ms.
#   Valid values: any number
#   Default: 30000
#   Required: no
#
#   Setting name: IopsDropoffDurationGlobal
#   Description: Globally set the IOPS dropoff phase duration for all processes in ms.
#   Valid values: any number
#   Default: 10000
#   Required: no
#
#   Setting name:
#   Description: Set the DLL loading phase wait duration for a specific process in ms. May be specified more than once.
#   Valid values: any number
#   Default: 30000
#   Required: no
#
############################################
[ProcessStartupDurationWaitIntervalOverride]
AcroRd32.exe = 15000

############################################
# Optional settings for Process startup metrics
#
#   Setting name: EnableExtendedInfo
#   Description: Send detailed information about each started process to the backend, e.g. path, command line, process ID, parent ID. This also enables population of the ProcGUID field in other sourcetypes, which can be used for detailed process instance tracking.
#   Valid values: true | false
#   Default: false
#   Required: no
#
############################################
[ProcessStartupSettings]

############################################
# Optional filter for the metric ProcessDetailFull
#
# Processes can be whitelisted or blacklisted. Whitelisting overrides blacklisting.
#
# Format: process.exe = uberAgent_blacklist | uberAgent_whitelist
#
############################################
[ProcessDetailFull_Filter]
cmd.exe = uberAgent_blacklist
conhost.exe = uberAgent_blacklist
csrss.exe = uberAgent_blacklist
lsm.exe = uberAgent_blacklist
smss.exe = uberAgent_blacklist
wininit.exe = uberAgent_blacklist
winlogon.exe = uberAgent_blacklist

############################################
# Optionally add the command line to the ProcessDetail* metrics
# This can significantly increase the data volume, so use with caution
#
# Processes can be whitelisted or blacklisted. Whitelisting overrides blacklisting.
# Default: disabled for all processes
#
# Format: process.exe = uberAgent_blacklist | uberAgent_whitelist
#
############################################
[ProcessDetail_SendCommandline]

############################################
# Optional filter for the metric NetworkTargetPerformanceProcess
#
# Processes can be whitelisted or blacklisted. Whitelisting overrides blacklisting.
#
# Format: process.exe = uberAgent_blacklist | uberAgent_whitelist
#
############################################
[NetworkTargetPerformanceProcess_Filter]

############################################
# Optional configuration for the metric NetworkTargetPerformanceProcess
#
# Configurable settings:
#
#   Setting name: Key
#   Description: What to group by: process name or ID
#   Valid values: name | id
#   Default: name
#   Required: no
#
#   Setting name: IgnoreLowActivity
#   Description: Whether to ignore processes with very low activity during a collection interval
#   Valid values: true | false
#   Default: true
#   Required: no
#
############################################
[NetworkTargetPerformanceProcess_Config]
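Added example (not part of the original page and not vast limits' code): a small audit of a deployed config file for the settings above that affect what leaves the endpoint and how scripts run. It keeps repeated [Timer] and [Receiver] sections and repeated keys, which a standard INI parser would collapse. The sample config is constructed, the choice of checks is an assumption about what a reviewer cares about, and values are compared case-insensitively as an assumption.

```python
from collections import defaultdict

# Constructed sample (not from the page); setting names are the ones documented above.
SAMPLE = r"""
[Miscellaneous]
DebugMode = true
[Receiver]
Name = HEC
Type = Splunk
Protocol = HTTP
Servers = http://server1:8088, https://server2:8088
RESTToken = PLACEHOLDER-TOKEN
[Timer]
Name = Inventory script
Interval = 0
Script = powershell.exe -File C:\Scripts\inventory.ps1
[Timer]
Name = User script
Interval = 60000
Script = cmd.exe /c set
ScriptContext = UserSessionAsUser
"""

def parse(text):
    """Return [(section, {key: [values]})], keeping repeated sections and keys."""
    sections = []
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], defaultdict(list)))
        elif "=" in line and sections:
            key, value = line.split("=", 1)
            sections[-1][1][key.strip()].append(value.strip())
    return sections

def last(kv, key, default=""):
    """Last value given for key, or the documented default when it is absent."""
    return kv[key][-1] if kv.get(key) else default

def audit(text):
    findings = []
    sections = parse(text)
    misc = next((kv for name, kv in sections if name == "Miscellaneous"), {})
    if last(misc, "DebugMode", "false").lower() == "true":
        findings.append("DebugMode is on: verbose agent log")
    if last(misc, "EncryptUserNames", "false").lower() != "true":
        findings.append("EncryptUserNames is off: names are not encrypted by the agent")
    for name, kv in sections:
        if name == "Receiver" and last(kv, "RESTToken"):
            for url in last(kv, "Servers").split(","):
                if url.strip().lower().startswith("http://"):
                    findings.append(f"Receiver {last(kv, 'Name')}: RESTToken sent over {url.strip()}")
        if name == "Timer" and kv.get("Script"):
            context = last(kv, "ScriptContext", "Session0AsSystem")
            if context.lower().endswith("assystem"):
                findings.append(f"Timer {last(kv, 'Name')}: Script runs as {context}")
    return findings
```

Calling audit() on the text of a deployed configuration file returns one line per finding; an empty list means none of these four checks matched.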