This documentation does not apply to the most recent version of uberAgent. Click here for the latest version.

Changelog and Release Notes

New features

  • Registry monitoring [B340]: the new registry monitoring feature extends ESA’s Activity Monitoring to registry events.
  • Hashing [B280]: uberAgent ESA now calculates hash values of PE files (executables). Supported hash types: SHA-1, SHA-256, MD5, ImpHash.
  • uAQL [B439]: uberAgent ESA now includes uAQL, a powerful query language for use with ESA’s Activity Monitoring rules.
  • Application identification [B444]: automatic application identification is now available on macOS, too.


  • Application errors [B429]: uberAgent now records the type of application hang events (requires Windows 10 1909).
  • Configuration [B428]: the application ID to name mapping data collection interval is now configurable via the new AppNameIdMapping timer metric.
  • Configuration [B434]: added the on-demand metric ProcessTagging. It controls whether the ESA process tagging feature is enabled or disabled.
  • Configuration [B420]: new configuration setting ConfigFlags for altering specific aspects of uberAgent’s functionality.
  • Network configuration [I140]: some VPN adapters (e.g., Cisco AnyConnect) were excluded because they present themselves not as VPN but as Ethernet interfaces to the OS. The new config flag NoGatewayCheck can be used to adjust uberAgent’s detection algorithm.
  • Browsers/IE add-on [B451]: if the config flag IEIgnoreFrames is set, the IE add-on only tracks the main page, ignoring frames.
  • Driver [B265]: timestamps now have a higher resolution (to within a microsecond).
  • Logging [B437]: the configuration is now written to a separate log file (uberAgentConfiguration.log).
  • Dashboards [B422]: the Application Errors dashboard now shows the affected hosts/users.
  • Dashboards [B272]: new dashboard Application GPU.
  • Dashboards [B272]: the Process GPU dashboard now shows usage data over time.
  • Dashboards [B426]: the Data Volume dashboard now shows ESA sourcetypes, too, and lists the data volume per product (UXM/ESA).
  • Dashboards [I468]: added calculated fields to make the use of ProcName consistent across all dashboards.
  • Licensing [B301]: uberAgent licenses are now checked on macOS, too.
  • System session [I207]: on macOS, information about the system session is now collected as session 0 in the sourcetype SessionDetail.


  • Service [I96]: a BSOD or power loss does not cause multiple bugcheck events anymore.
  • Service [I157]: the log only once functionality was broken in 6.0 beta 1.
  • Service [I135]: fixed a memory leak in public key cryptography code.
  • Service [I205]: in rare cases involving Citrix PVS the OS boot time reported by uberAgent would reflect the master image’s boot time.
  • Service [I222]: fixed inheriting handles to child processes.
  • Dashboards [I150]: the timechart values within the Citrix XA/XD Licensing dashboard now match the details table.
  • uAInSessionHelper [I142]: reduced the CPU usage while collecting per-process GPU metrics.
  • uAInSessionHelper [I22]: fixed rare crash during with faulting module KERNEL32.DLL_unloaded during the startup phase of the helper.
  • Backend [I156]: if Kafka/Confluent schema ID caching is disabled, the log is flooded with: Did not find the value_schema_id in the server’s response.
  • Backend [I3]: on-demand metrics ProcessStartup and ProcessStop were always sent to all receivers.
  • Backend [I201]: Splunk HTTP Event Collector (HEC) falls back to HTTP/1.0 if clients don’t specify a user agent string. This breaks persistent HTTP connections resulting in high connection counts.
  • User and host tags [I89]: multi-valued Active Directory attributes were not processed correctly.
  • Configuration [I175]: on macOS, the ProcCmdline field was always populated, independent of the ProcessDetail_SendCommandline configuration.
  • IE add-on [I93]: SessionFgBrowserActiveTabHost is not sent if BrowserPerformanceIE is disabled or the URL must be ignored due to configuration.

Release notes

  • Sourcetype uberAgent:Application:Errors has new field(s): HangType.
  • Sourcetype uberAgent:Process:ProcessStartup has new fields: ProcHash and HashType.
  • Sourcetype uberAgent:License:LicenseInfo is now available on macOS, too.
  • Configuration now uses the terms allowlist and denylist instead of whitelist and blacklist. Older terms remain supported.
  • Sourcetype uberAgent:System:MachineInventory field BatteryWearLevelPercent does not report negative numbers anymore if the full charged capacity is higher than designed capacity.
  • Sourcetype uberAgent:Application:AppNameIdMapping is now available on macOS, too.

Known issues

  • Network communication [I197]: latency metrics may be not accurate for delayed TCP acknowledgements

Leave a Reply

Your email address will not be published. Required fields are marked *