Changelog and Release Notes
- Registry monitoring [B340]: the new registry monitoring feature extends ESA’s Activity Monitoring to registry events.
- Hashing [B280]: uberAgent ESA now calculates hash values of PE files (executables). Supported hash types: SHA-1, SHA-256, MD5, ImpHash.
- uAQL [B439]: uberAgent ESA now includes uAQL, a powerful query language for use with ESA’s Activity Monitoring rules.
- Application identification [B444]: automatic application identification is now available on macOS, too.
- Application errors [B429]: uberAgent now records the type of application hang events (requires Windows 10 1909).
- Configuration [B428]: the application ID to name mapping data collection interval is now configurable via the new
- Configuration [B434]: added the on-demand metric
ProcessTagging. It controls whether the ESA process tagging feature is enabled or disabled.
- Configuration [B420]: new configuration setting
ConfigFlagsfor altering specific aspects of uberAgent’s functionality.
- Network configuration [I140]: some VPN adapters (e.g., Cisco AnyConnect) were excluded because they present themselves not as VPN but as Ethernet interfaces to the OS. The new config flag
NoGatewayCheckcan be used to adjust uberAgent’s detection algorithm.
- Browsers/IE add-on [B451]: if the config flag
IEIgnoreFramesis set, the IE add-on only tracks the main page, ignoring frames.
- Driver [B265]: timestamps now have a higher resolution (to within a microsecond).
- Logging [B437]: the configuration is now written to a separate log file (
- Dashboards [B422]: the Application Errors dashboard now shows the affected hosts/users.
- Dashboards [B272]: new dashboard Application GPU.
- Dashboards [B272]: the Process GPU dashboard now shows usage data over time.
- Dashboards [B426]: the Data Volume dashboard now shows ESA sourcetypes, too, and lists the data volume per product (UXM/ESA).
- Dashboards [I468]: added calculated fields to make the use of
ProcNameconsistent across all dashboards.
- Licensing [B301]: uberAgent licenses are now checked on macOS, too.
- System session [I207]: on macOS, information about the system session is now collected as session 0 in the sourcetype
- Service [I96]: a BSOD or power loss does not cause multiple bugcheck events anymore.
- Service [I157]: the log only once functionality was broken in 6.0 beta 1.
- Service [I135]: fixed a memory leak in public key cryptography code.
- Service [I205]: in rare cases involving Citrix PVS the OS boot time reported by uberAgent would reflect the master image’s boot time.
- Service [I222]: fixed inheriting handles to child processes.
- Dashboards [I150]: the timechart values within the Citrix XA/XD Licensing dashboard now match the details table.
- uAInSessionHelper [I142]: reduced the CPU usage while collecting per-process GPU metrics.
- uAInSessionHelper [I22]: fixed rare crash during with faulting module
KERNEL32.DLL_unloadedduring the startup phase of the helper.
- Backend [I156]: if Kafka/Confluent schema ID caching is disabled, the log is flooded with: Did not find the value_schema_id in the server’s response.
- Backend [I3]: on-demand metrics
ProcessStopwere always sent to all receivers.
- Backend [I201]: Splunk HTTP Event Collector (HEC) falls back to HTTP/1.0 if clients don’t specify a user agent string. This breaks persistent HTTP connections resulting in high connection counts.
- User and host tags [I89]: multi-valued Active Directory attributes were not processed correctly.
- Configuration [I175]: on macOS, the
ProcCmdlinefield was always populated, independent of the
- IE add-on [I93]:
SessionFgBrowserActiveTabHostis not sent if
BrowserPerformanceIEis disabled or the URL must be ignored due to configuration.
uberAgent:Application:Errorshas new field(s):
uberAgent:Process:ProcessStartuphas new fields:
uberAgent:License:LicenseInfois now available on macOS, too.
- Configuration now uses the terms allowlist and denylist instead of whitelist and blacklist. Older terms remain supported.
BatteryWearLevelPercentdoes not report negative numbers anymore if the full charged capacity is higher than designed capacity.
uberAgent:Application:AppNameIdMappingis now available on macOS, too.
- Network communication [I197]: latency metrics may be not accurate for delayed TCP acknowledgements