User & Host Tags

uberAgent collects lots of data from your machines and users. The collected data is presented in uberAgent’s pre-built Splunk dashboards, which allow you to filter the data with pre-built filters like machine name, hardware manufacturer, IP address or user name.

Typically, organizations use their own mechanisms to maintain assets like machines and users in an internal database. One common mechanism for identifying a user’s department, for example, is to store the department information in a custom Active Directory attribute.

uberAgent’s tags feature allows you to integrate these custom identifiers natively by filtering dashboards for your own tags. Supported mechanisms for tags are:

  • Active Directory attributes
  • Environment variables
  • Registry items

These mechanisms are applicable to:

  • Users
  • Hosts (= machines)

Requirements

  • uberAgent version 5.3 or later
  • Host tags are determined directly after the Machine Inventory metric and are internally bound to it. If the Machine Inventory metric is not enabled in the configuration, host tags are not determined. Machine Inventory is enabled by default.
  • User tags are determined directly after the user’s logon has finished and then every 15 minutes.

Configuration

To configure the tags feature, you can use either the configuration file or Group Policy. In this article, we use the configuration file.

The stanza of interest in the configuration file is [UserHostTagging]. You can have multiple of these, one for each tag you want to set. The configurable settings are:

  • Tag name
    • A user-defined unique name of the tag. Spaces are permitted.
    • This is the tag you can search for later in the dashboards.
    • Example: Department
  • Tag type
    • Defines whether the tag is a host tag or a user tag.
    • Valid values: Host, User
    • Example: User
  • Tag source
    • Defines the source where the tag data is read from. Registry values of type REG_EXPAND_SZ are automatically expanded.
    • Valid values: Registry, Environment, Ad
    • Example: Registry
  • Tag value
    • The path to read the data from. Supported registry paths are HKLM (HKEY_LOCAL_MACHINE) and HKCU (HKEY_CURRENT_USER).
      Registry format: [HKCU|HKLM\<key>\<value>]. E.g. HKCU\Software\vast limits\Department
      Environment format: %<variablename>%. E.g. %DEPARTMENT%
      Ad format: <Ad attribute name>. E.g. Department
    • Example: HKCU\Software\vast limits\Department

With the examples from above, you would get the following stanza:

[UserHostTagging]
Tag name = Department
Tag type = User
Tag source = Registry
Tag value = HKCU\Software\vast limits\Department

Another example: group machines by roles like notebook, graphics workstation, desktop PC, virtual machine or executive machine with an environment variable.

[UserHostTagging]
Tag name = Machine role
Tag type = Host
Tag source = Environment
Tag value = %MACHINEROLE%

You can find more examples in our corresponding practice guide.
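
A way to check [UserHostTagging] stanzas against the settings rules listed above before a configuration file is rolled out. This is an added example, not part of uberAgent or its documentation; the function names, the exact-case comparison of values and the second (deliberately broken) sample stanza are assumptions made for illustration.

```python
import re
VALID_TYPES = {"Host", "User"}
REQUIRED = ("Tag name", "Tag type", "Tag source", "Tag value")
# Tag source -> expected tag value format, as described in the article
FORMATS = {"Registry": r"(HKCU|HKLM)\\.+\\.+", "Environment": r"%[^%]+%", "Ad": r"\S.*"}

# Constructed sample: the article's Department stanza plus one deliberately broken stanza.
SAMPLE = r"""
[UserHostTagging]
Tag name = Department
Tag type = User
Tag source = Registry
Tag value = HKCU\Software\vast limits\Department
[UserHostTagging]
Tag name = Department
Tag type = Machine
Tag source = Registry
Tag value = HKU\Software\Department
"""

def parse_stanzas(text):
    """One dict per [UserHostTagging] stanza; the name repeats, so configparser would reject it."""
    stanzas, current = [], None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("["):
            current = {} if line == "[UserHostTagging]" else None
            if current is not None:
                stanzas.append(current)
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return stanzas

def lint(text):
    """Return (stanza number, message) pairs for settings that break the documented rules."""
    findings, seen = [], set()
    for n, s in enumerate(parse_stanzas(text), 1):
        findings += [(n, f"missing {k}") for k in REQUIRED if not s.get(k)]
        name, ttype, source, value = (s.get(k, "") for k in REQUIRED)
        if name and name in seen:  # tag names must be unique
            findings.append((n, f"duplicate tag name: {name}"))
        seen.add(name)
        if ttype and ttype not in VALID_TYPES:
            findings.append((n, f"invalid tag type: {ttype}"))
        if source and source not in FORMATS:
            findings.append((n, f"invalid tag source: {source}"))
        elif source and value and not re.fullmatch(FORMATS[source], value):
            findings.append((n, f"tag value does not match {source} format: {value}"))
    return findings
```

Calling lint(SAMPLE) reports three findings, all for the second stanza: the reused tag name, the unknown tag type and the unsupported registry root.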

Usage in Splunk

The capability to filter for tags has been built into the dashboards since version 5.3. To filter for host tags, choose the host tags filter field; to filter for user tags, choose the user tags filter field.

When using our user tag Department from above, a search for all users from human resources would look like this:

You can also search for users from two or more departments by listing them comma-separated.

Interested in all users where Department is set to something?

Note the asterisks around the tag’s name. This is needed by design when searching for the tag’s name only.