Documentation

This documentation applies to a beta version of uberAgent (docs for the latest official release)

Changelog and Release Notes

New features

  • Security: beta version of uberAgent ESA (endpoint security analytics). It shares the binaries with the existing UXM (user experience monitoring) product but must be licensed separately.
  • macOS: preview of the macOS agent
  • Network communication: the new network monitoring driver adds many features, including jitter, packet loss, source address, and latency accuracy (see below).
  • Browsers [B329]: support for Microsoft Edge (Chromium)
  • Configuration [B279]: the configuration file now supports includes from other files.
  • Configuration [B290]: the configuration file now supports reusable blocks.
  • Dashboards [B167]: the dashboards Application Network Communication and Application Network Issues are enriched with the NetTargetSourceAddress field.

Improvements

  • Network communication: uberAgent now measures TCP send latency accurately. Previously, the measurements had a high margin of error.
  • Dashboards [B285]: the dashboards Single Machine Detail and User Sessions Overview are enriched with the HwManufacturer and HwModel fields.
  • Backend: process start and stop events are now sent in bulk API calls to HTTP(S) receivers. This significantly reduces the number of API calls and the load on the endpoint.
  • Service [B376]: new architecture guarantees type safety for all sourcetype fields.
  • Performance [I98]: reduced CPU & memory usage
  • Sourcetype uberAgent:System:SystemPerformanceSummary2 field NetUtilizationPercent: calculation now only includes active physical network adapters. Before, virtual adapters were counted, too, which could skew the result.
  • Splunk [B276]: improved lookup performance in large environments by switching from CSV to KV Store
  • Splunk [B404]: improved scheduled searches performance by switching from raw to data model searches

Bugfixes

  • Splunk [I88]: moved configuration settings in props.conf from the search head to the indexer app.
  • Browsers [I48]: in rare cases, multiple concurrent communications with the Chrome/Firefox browser extensions would get mixed up. uberAgent would stop processing extension data and log “BrowserExtTransact,Response protocol type does not match requested data”
  • Browsers/IE add-on [I97]: the field SessionFgBrowserType could be empty even though IE was in the foreground. This happened with a blank page as the active tab, for example.
  • Logon monitoring [I99]: in rare cases, uberAgent could start logon monitoring for a session while the service was still starting up. When this happened for session 0, the service’s memory usage would slowly grow with every new process started in the session because logon monitoring for session 0 had no timeout.
  • Citrix ADC [I105]: when using a Citrix ADC Gateway Edition, the hostname was missing, which resulted in empty dashboards
  • Splunk [I143]: changed the scheduled search populate_hostinfo so that it returns data even if the sub-search terminates

Release notes

  • Sourcetypes: merged the following KV sourcetypes into the new CSV sourcetype uberAgent:Logon:LogonDetail: uberAgent:Logon:SessionLogonTime, uberAgent:Logon:ProfileLoadTimeMs, uberAgent:Logon:GroupPolicyProcessingTimes, uberAgent:Logon:GroupPolicyLogonScriptTimeMs, uberAgent:Logon:ADLogonScriptTimeMs, uberAgent:Logon:ResWmProcessingTimeMs, uberAgent:Logon:ShellStartupTimeMs, uberAgent:Logon:TotalLogonTimeMs, uberAgent:Logon:LogonPerformance
  • Sourcetypes: merged the following KV sourcetypes into the new CSV sourcetype uberAgent:Logoff:LogoffDetail: uberAgent:Logoff:SessionLogoffTime, uberAgent:Logoff:ProfileUnloadTimeMs, uberAgent:Logoff:GroupPolicyLogoffScriptTimeMs, uberAgent:Logoff:TotalLogoffTimeMs, uberAgent:Logon:SessionEnd, uberAgent:Logoff:LogoffPerformance
  • Sourcetypes: replaced KV sourcetype uberAgent:Logon:GroupPolicyCSEDetail with CSV sourcetype uberAgent:Logon:GroupPolicyCSEDetail2. No changes to the fields.
  • Sourcetype uberAgent:Process:NetworkTargetPerformance has new fields: NetTargetSendJitterMs and NetTargetSendJitterCount
  • Sourcetype uberAgent:Process:ProcessStartup has a new field: ProcParentGUID (this requires ESA to be enabled)
  • Sourcetype uberAgent:Process:ProcessDetail has new fields: ProcIOLatencyReadMs2 and ProcIOLatencyWriteMs2 replace ProcIOLatencyReadMs and ProcIOLatencyWriteMs because the Kafka data type was incorrect (int instead of double)
  • Sourcetype uberAgent:Process:LogonProcesses has new fields: ProcIOLatencyReadMs2 and ProcIOLatencyWriteMs2 replace ProcIOLatencyReadMs and ProcIOLatencyWriteMs because the Kafka data type was incorrect (int instead of double)
  • Sourcetype uberAgent:Process:LogoffProcesses has new fields: ProcIOLatencyReadMs2 and ProcIOLatencyWriteMs2 replace ProcIOLatencyReadMs and ProcIOLatencyWriteMs because the Kafka data type was incorrect (int instead of double)
  • Sourcetype uberAgent:Logoff:ProfileUnloadTimeMs (now merged into uberAgent:Logoff:LogoffDetail) has new field: ProfileUnloadTimeMs2 replaces ProfileUnloadTimeMs because the Kafka data type was incorrect (string instead of number)
  • Sourcetype uberAgent:Session:SessionDetail has a new field: SessionRpLatencyMs2 replaces SessionRpLatencyMs because the Kafka data type was incorrect (int instead of double)
  • Sourcetype uberAgent:Citrix::Licenses has a new field: LicenseEdition2 replaces LicenseEdition because the Kafka data type was incorrect (int instead of string)
  • Sourcetype uberAgent:System:GpuUsage has removed fields: ComputeUsagePercentEngine0 through ComputeUsagePercentEngine11 because a much more useful alternative exists with the sourcetype uberAgent:System:GpuUsageEngine
  • Sourcetype uberAgent:Session:SessionCount has been removed.
  • Azure Monitor (formerly OMS Log Analytics): events are now assigned to log type tables by sourcetype instead of by index.
  • Performance counters: changed the sourcetype names from uberAgent:System:PerformanceCounter to uberAgent:PerformanceCounter:TimerName (where TimerName is the timer name from uberAgent’s configuration)
  • Splunk [B276]: changed the type of the following lookups from CSV to KV Store: lookup_hostinfo, lookup_hostinfo2, lookup_processstartup_processlist, lookup_networktargetperformance_targetlist
  • Splunk [B404]: changed the following scheduled searches from raw to data model searches: populate_appnameidmapping, populate_hostinfo, populate_hostinfo2
