
Changelog and Release Notes

Version 6.1

New features

  • Authenticode signature verification [B343]: uberAgent now detects whether an application is signed, the signature's status, who signed it, and whether the signer is an OS vendor.
  • Citrix Cloud monitoring [B227]: Citrix Cloud monitoring for CVAD (catalogs, delivery groups, machines, applications). Requires CVAD Remote PowerShell SDK.
  • DNS query monitoring [B458]: uberAgent ESA now monitors DNS queries.
  • Event data filtering [B545]: filtering of entire events or individual fields with uAQL queries. This happens on the endpoint, before events are sent to the backend.
  • Network configuration [B220]: WiFi signal strength, WiFi connection type, and WiFi authentication method.
  • Process & module hashing [B534]: multiple hash types can now be enabled at the same time (SHA-1, SHA-256, MD5, and ImpHash).
  • Process & module hashing [B528]: support for executables on network shares.
  • SSH sessions on macOS [B504]: information about SSH connections to macOS clients.

Improvements

  • Activity monitoring [B474]: AM rules can now have up to 10 generic properties that are sent to the backend when the rule matches.
  • Application identification [I345]: app name and version are now determined for processes started from network shares, too.
  • Citrix ADC [B258]: added ICA and VPN usage, better SSL vServer and session monitoring as well as hardware counters like CPU temperature for MPX models.
  • Citrix monitoring: a set of machines can be configured on which the CVAD metrics are determined.
  • Configuration [B562]: @ConfigInclude directives can now be platform-specific.
  • Configuration [B539]: new configuration option for disabling or ignoring TLS certificate revocation (CRL) checks for HTTPS transmissions on Windows.
  • Dashboards [B526]: added last user logons to Machine Uptime dashboard.
  • Experience score [B523] [I332]: added filter capabilities and support for multi-tenancy to the Experience Score dashboard.
  • macOS [B524]: added native support for uberAgent on Apple Silicon (M1).
  • Network communication [B447]: network monitoring is now available on macOS, too.
  • Network monitoring [I342]: fixed VPN bandwidth throttling due to growing number of connections.
  • Performance [B525]: macOS agent performance improvements.
  • Process startup [B482]: process startup monitoring is now available on macOS, too.
  • Process & module hashing [I340] [I395]: significantly reduced CPU usage.
  • Process details [B298]: disk IO writes are now available on macOS, too.
  • Splunk [B542]: improved AppNameIdMapping lookup performance by switching from CSV to KV Store.
  • Splunk [B541]: migrated lookup_hostinfo2 into lookup_hostinfo.
  • Service [I163]: do not try to determine GPU engine names on Windows Server 2016 (where this is not supported).
  • Service [B532]: Hyper-V hosts are not detected as VMs any more (although they technically are VMs).
  • Service [I380]: replaced the deprecated wmic.exe with PowerShell.
  • Service [I382]: added a delay between queries to in-session helper processes to prevent CPU spikes on multi-user systems. Default: 50 ms. Configurable via the new config flag SessionHelperQueryDelayMs.
  • Service [B577] [I212]: uberAgent now detects modern standby (where services are throttled and processes from user sessions suspended). While in modern standby, data collection from user sessions (via uAInSessionHelper) is skipped. Metrics that do not depend on uAInSessionHelper are not affected.
  • uAQL [B529]: the operators IN and NOT IN are now case-insensitive.

Bugfixes

  • Boot monitoring [I373]: in some cases, BootDetail2 events would show up in Splunk with a timestamp many years in the future.
  • Browsers/IE add-on [I349]: fixed crash when running the add-on in Microsoft Edge IE compatibility mode.
  • Browsers/IE add-on [I265]: the add-on’s configuration was read from the 32-bit registry view, not the 64-bit registry view the service writes it to.
  • Citrix ADC [I312]: fixed error when querying internal redirect vServer.
  • Citrix ADC [B350]: when multiple ADC pairs are to be monitored, don’t stop if one pair cannot be contacted.
  • Citrix dashboards [I337]: fixed error when displaying Citrix licensing usage over time.
  • Citrix CVAD [I369]: fixed wrong value in IncludedUsers field.
  • Configuration [I321]: the sourcetype uberAgent:Application:NetworkConnectFailure was sent to the backend even if the metric NetworkTargetPerformanceProcess was not enabled.
  • Configuration [I376]: configuration option ConfigFlags was ignored when defined via Group Policy.
  • Configuration [I330]: fixed error in Group Policy ADML file.
  • Dashboards [I366]: fixed issue when search string contained double backslashes (i.e., Windows UNC paths).
  • Driver [I323]: fixed a stop error (BSOD) that primarily affected VMs on Citrix Hypervisor.
  • IE add-on [I348]: check allow-/denylist for NavigateError events.
  • Installer [I410]: fixed issue where the macOS installer could have wrongly displayed a failed installation attempt.
  • Machine inventory [I306]: battery wear level is now available on macOS, too.
  • Process startup [I346]: very long command lines were reported as empty.
  • Process details [I271]: on macOS, zombie processes are now consistently detected but excluded from uberAgent:Process:ProcessDetail. Instead, the number of zombie processes on the system is logged during the maintenance routine.
  • Service [I391]: in rare cases event data might have been deleted before it could be sent to the backend. This affected only short-lived processes and long timer intervals. Affected sourcetypes: uberAgent:Process:ProcessStartup and uberAgent:Process:ProcessStop.
  • Service [I392]: fixed a rare case where uberAgent.exe would crash when it tried to open a handle to a protected process.
  • Service [I394]: don’t send ProcessStop metric if ESA is disabled.
  • Service [I399]: improved logoff detection. Communication with the in-session helper process is now only stopped once the logoff has been confirmed.
  • Service [I336]: the EnableCalculateHash setting was ignored.
  • Service [I367]: incorrect application identification in rare cases involving executables not installed via Windows Installer.
  • Session details [I344]: fixed SessionCPUUsagePercent accounting for dead processes on macOS.
  • Splunk [I338]: experience score lookups would cause Splunk knowledge bundles to grow in size.
  • Splunk CIM data model [I319]: fixed invalid field alias specifications.
  • User and host tags [I322]: existing tags are now updated when the endpoint sends new tag data. Previously, an additional tag was created with different tag data.
  • Volume inventory [I308]: used space information is now computed correctly for volumes that share free space of a physical disk.
  • Service [I414]: uberAgent.exe would try to terminate unrelated processes when their parent process ID (PID) matched its own.
  • Service [I406]: uberAgent.exe would occasionally drop valid process startup data when the startup timeout expired.

Release notes

  • Configuration [B539]: new ConfigFlags: TLSRevocationChecksDisabled, TLSRevocationChecksBestEffort, SessionHelperQueryDelayMs, DisableESFileSystemMonitoring.
  • Activity monitoring [B548]: the converted Sigma ruleset has been updated and now supports DNS events; the existing process and image events support the new fields Process.Company, Process.Hash.*, and Image.Hash.*.
  • Experience score [B523]: switched from KV Store to index storage for scores. Check the upgrade instructions to delete the obsolete KV Store collections.
  • Sourcetype: new sourcetype uberAgentESA:Process:DnsQuery with fields: ProcName, ProcGUID, DnsRequest, DnsResponse, DnsResponseType, DnsEventCount.
  • Sourcetype: uberAgent:CitrixADC:AppliancePerformance has new field(s): CpuFan0Speed, CpuFan1Speed, SystemFanSpeed, Cpu0Temp, Cpu1Temp, InternalTemp, PowerSupply1Status, PowerSupply2Status, PowerSupply3Status, PowerSupply4Status, VoltageV33Main, ICAOnlySessions, ICAOnlyConnections, SmartAccessSessions, SmartAccessICAConnections, SSLSessions.
  • Sourcetype: uberAgent:CitrixADC:Gateway has new field(s): HSTS, HSTSMaxAge, HSTSInclSubdom, TLS13.
  • Sourcetype: uberAgent:CitrixADC:vServer has new field(s): HSTS, HSTSMaxAge, HSTSInclSubdom, TLS13.
  • Sourcetype: uberAgent:System:NetworkConfigInformation has new field(s): NetworkConfigWiFiSignalQuality, NetworkConfigWiFiType, NetworkConfigWiFiAuthentication.
  • Sourcetype: uberAgent:Process:ProcessStartup has new field(s): HashMD5, HashSHA1, HashSHA256, HashIMP, SignatureStatus, IsSignedByOSVendor, SignerName.
  • Sourcetype: uberAgent:Process:ProcessStartup: fields ProcHash and HashType have been removed.
  • Sourcetype: uberAgent:Process:ProcessStop has new field(s): HashMD5, HashSHA1, HashSHA256, HashIMP.
  • Sourcetype: uberAgent:Process:ProcessStop: fields ProcHash and HashType have been removed.
  • Sourcetype: uberAgent:Process:ProcessDetail: fields ProcIOWriteCount and ProcIOPSWrite are now collected on macOS, too.
  • Sourcetype: uberAgent:System:MachineInventory: field BatteryWearLevelPercent is now collected on macOS, too.
  • Splunk: lookup lookup_hostinfo2 has been removed.

Known issues

  • Boot duration: the metrics TotalBootTimeMs, MainPathBootTimeMs and PostBootTimeMs cannot be determined for every system boot.
  • Browsers/IE add-on: metrics are not collected on page reload.
  • Browsers/IE add-on: metrics are collected incompletely for the configured start page.
  • Browser web app performance: websites may modify the JavaScript performance variable. When that happens, uberAgent cannot determine the page load duration.
  • Citrix ADC: in very rare cases the content of the Virtual Server Performance field vServerName contains spaces in wrong places.
  • Citrix site monitoring: data collection issue if the Citrix Remote PowerShell SDK (required for Citrix Cloud monitoring) is installed on a CVAD controller.
  • Citrix XA/XD Machines: when running the Citrix VDA on a Citrix Delivery Controller, some per-machine information is missing.
  • Experience score [I377]: scheduled searches generate three warnings in Splunk’s _internal index every 30 minutes. The messages look like the following: "DateParserVerbose - Failed to parse timestamp in first MAX_TIMESTAMP_LOOKAHEAD (128) characters of event." There is no impact on uberAgent’s functionality.
  • GPU [I33]: values for the fields ComputeUsagePercentAllEngines, ComputeUsagePercentEngine0 and similar can be higher than 100 with Intel Iris GPUs on Windows Server 2016 1607.
  • IE browser performance monitoring does not work if IE is published from Citrix Virtual Apps. It does work from Citrix Virtual Desktops, however.
  • Kafka [I291]: in rare cases, sending data to Kafka results in a SEC_E_BUFFER_TOO_SMALL error message in the logfile. This should have no effect; the transmission is repeated and succeeds on the second try.
  • Performance [I372]: on macOS, running uberAgent has a noticeable impact on I/O performance of small writes. As a workaround, the new config flag DisableESFileSystemMonitoring has been added. If set, performance will not be impacted, but ProcIOWriteCount and ProcIOPSWrite will not be available in uberAgent:Process:ProcessDetail.
  • Update inventory: not all installed Windows updates may be reported due to API limitations.
  • Volume inventory: on macOS, the encryption status of mounted read-only APFS snapshots may not be reported due to API limitations. This includes the root directory volume in a default installation of macOS.
