This documentation does not apply to the most recent version of uberAgent.
Changelog and Release Notes
Version 6.1
New features
- Authenticode signature verification [B343]: uberAgent now detects whether an application is signed, the signature status, who signed it, and whether the signer is an OS vendor.
- Citrix Cloud monitoring [B227]: Citrix Cloud monitoring for CVAD (catalogs, delivery groups, machines, applications). Requires CVAD Remote PowerShell SDK.
- DNS query monitoring [B458]: uberAgent ESA now monitors DNS queries.
- Event data filtering [B545]: filtering of entire events or individual fields with uAQL queries. This happens on the endpoint, before events are sent to the backend.
- Network configuration [B220]: WiFi signal strength, WiFi connection type, and WiFi authentication method.
- Process & module hashing [B534]: multiple hash types can now be enabled at the same time (SHA-1, SHA-256, MD5, and ImpHash).
- Process & module hashing [B528]: support for executables on network shares.
- SSH sessions on macOS [B504]: information about SSH connections to macOS clients.
Improvements
- Activity monitoring [B474]: AM rules can now have up to 10 generic properties that are sent to the backend when the rule matches.
- Application identification [I345]: app name and version are now determined for processes started from network shares, too.
- Citrix ADC [B258]: added ICA and VPN usage, better SSL vServer and session monitoring as well as hardware counters like CPU temperature for MPX models.
- Citrix monitoring: the set of machines on which the CVAD metrics are determined can now be configured.
- Configuration [B562]: `@ConfigInclude` directives can now be platform-specific.
- Configuration [B539]: new configuration option for disabling or ignoring TLS certificate revocation (CRL) checks for HTTPS transmissions on Windows.
- Dashboards [B526]: added last user logons to Machine Uptime dashboard.
- Experience score [B523][I332]: added filter capabilities and support for multi-tenancy to the Experience Score dashboard.
- macOS [B524]: added native support for uberAgent on Apple Silicon (M1).
- Network communication [B447]: network monitoring is now available on macOS, too.
- Network monitoring [I342]: fixed VPN bandwidth throttling due to growing number of connections.
- Performance [B525]: macOS agent performance improvements.
- Process startup [B482]: process startup monitoring is now available on macOS, too.
- Process & module hashing [I340][I395]: significantly reduced CPU usage.
- Process details [B298]: disk IO writes are now available on macOS, too.
- Splunk [B542]: improved `AppNameIdMapping` lookup performance by switching from CSV to KV Store.
- Splunk [B541]: migrated `lookup_hostinfo2` into `lookup_hostinfo`.
- Service [I163]: do not try to determine GPU engine names on Windows Server 2016 (where this is not supported).
- Service [B532]: Hyper-V hosts are not detected as VMs any more (although they technically are VMs).
- Service [I380]: replaced the deprecated `wmic.exe` with PowerShell.
- Service [I382]: added a delay between queries to in-session helper processes to prevent CPU spikes on multi-user systems. Default: 50 ms. Configurable via the new config flag `SessionHelperQueryDelayMs`.
- Service [B577][I212]: uberAgent now detects modern standby (where services are throttled and processes from user sessions suspended). While in modern standby, data collection from user sessions (via uAInSessionHelper) is skipped. Metrics that do not depend on uAInSessionHelper are not affected.
- uAQL [B529]: the operators `IN` and `NOT IN` are now case-insensitive.
Bugfixes
- Boot monitoring [I373]: in some cases, `BootDetail2` events would show up in Splunk with a timestamp many years in the future.
- Browsers/IE add-on [I349]: fixed crash when running the add-on in Microsoft Edge IE compatibility mode.
- Browsers/IE add-on [I265]: the add-on’s configuration was read from the 32-bit registry view, not the 64-bit registry view the service writes it to.
- Citrix ADC [I312]: fixed error when querying internal redirect vServer.
- Citrix ADC [B350]: when multiple ADC pairs are to be monitored, don’t stop if one pair cannot be contacted.
- Citrix dashboards [I337]: fixed error when displaying Citrix licensing usage over time.
- Citrix CVAD [I369]: fixed wrong value in `IncludedUsers` field.
- Configuration [I321]: the sourcetype `uberAgent:Application:NetworkConnectFailure` was sent to the backend even if the metric `NetworkTargetPerformanceProcess` was not enabled.
- Configuration [I376]: configuration option `ConfigFlags` was ignored when defined via Group Policy.
- Configuration [I330]: fixed error in Group Policy ADML file.
- Dashboards [I366]: fixed issue when search string contained double backslashes (i.e., Windows UNC paths).
- Driver [I323]: fixed a stop error (BSOD) that primarily affected VMs on Citrix Hypervisor.
- IE add-on [I348]: check allow-/denylist for NavigateError events.
- Installer [I410]: fixed issue where the macOS installer could have wrongly displayed a failed installation attempt.
- Machine inventory [I306]: battery wear level is now available on macOS, too.
- Process startup [I346]: very long command lines were reported as empty.
- Process details [I271]: on macOS, zombie processes are now consistently determined but excluded from `uberAgent:Process:ProcessDetail`. Instead, the count of zombie processes on the system is logged during the maintenance routine.
- Service [I391]: in rare cases event data might have been deleted before it could be sent to the backend. This affected only short-lived processes and long timer intervals. Affected sourcetypes: `uberAgent:Process:ProcessStartup` and `uberAgent:Process:ProcessStop`.
- Service [I392]: fixed a rare case where `uberAgent.exe` would crash when it tried to open a handle to a protected process.
- Service [I394]: don't send the ProcessStop metric if ESA is disabled.
- Service [I399]: improved logoff detection. Communication with the in-session helper process is now only stopped once the logoff has been confirmed.
- Service [I336]: fixed: the `EnableCalculateHash` setting was ignored.
- Service [I367]: incorrect application identification in rare cases involving executables not installed via Windows Installer.
- Session details [I344]: fixed `SessionCPUUsagePercent` accounting for dead processes on macOS.
- Splunk [I338]: experience score lookups would cause Splunk knowledge bundles to grow in size.
- Splunk CIM data model [I319]: fixed invalid field alias specifications.
- User and host tags [I322]: existing tags are now updated when the endpoint sends new tag data. Previously, an additional tag was created with different tag data.
- Volume inventory [I308]: used space information is now computed correctly for volumes that share free space of a physical disk.
- Service [I414]: uberAgent.exe would try to terminate unrelated processes when their parent process ID (PID) matched its own.
- Service [I406]: uberAgent.exe would occasionally drop valid process startup data when the startup timeout expired.
Release notes
- Configuration [B539]: new `ConfigFlags`: `TLSRevocationChecksDisabled`, `TLSRevocationChecksBestEffort`, `SessionHelperQueryDelayMs`, `DisableESFileSystemMonitoring`.
- Activity monitoring [B548]: the converted Sigma ruleset has been updated and now supports DNS events; existing Process and Image events support the new field(s) `Process.Company`, `Process.Hash.*`, `Image.Hash.*`.
- Experience score [B523]: switched from KV Store to index storage for scores. Check the upgrade instructions to delete the obsolete KV Store collections.
- Sourcetype: new sourcetype `uberAgentESA:Process:DnsQuery` with fields: `ProcName`, `ProcGUID`, `DnsRequest`, `DnsResponse`, `DnsResponseType`, `DnsEventCount`.
- Sourcetype: `uberAgent:CitrixADC:AppliancePerformance` has new field(s): `CpuFan0Speed`, `CpuFan1Speed`, `SystemFanSpeed`, `Cpu0Temp`, `Cpu1Temp`, `InternalTemp`, `PowerSupply1Status`, `PowerSupply2Status`, `PowerSupply3Status`, `PowerSupply4Status`, `VoltageV33Main`, `ICAOnlySessions`, `ICAOnlyConnections`, `SmartAccessSessions`, `SmartAccessICAConnections`, `SSLSessions`.
- Sourcetype: `uberAgent:CitrixADC:Gateway` has new field(s): `HSTS`, `HSTSMaxAge`, `HSTSInclSubdom`, `TLS13`.
- Sourcetype: `uberAgent:CitrixADC:vServer` has new field(s): `HSTS`, `HSTSMaxAge`, `HSTSInclSubdom`, `TLS13`.
- Sourcetype: `uberAgent:System:NetworkConfigInformation` has new field(s): `NetworkConfigWiFiSignalQuality`, `NetworkConfigWiFiType`, `NetworkConfigWiFiAuthentication`.
- Sourcetype: `uberAgent:Process:ProcessStartup` has new field(s): `HashMD5`, `HashSHA1`, `HashSHA256`, `HashIMP`, `SignatureStatus`, `IsSignedByOSVendor`, `SignerName`.
- Sourcetype: `uberAgent:Process:ProcessStartup`: fields `ProcHash` and `HashType` have been removed.
- Sourcetype: `uberAgent:Process:ProcessStop` has new field(s): `HashMD5`, `HashSHA1`, `HashSHA256`, `HashIMP`.
- Sourcetype: `uberAgent:Process:ProcessStop`: fields `ProcHash` and `HashType` have been removed.
- Sourcetype: `uberAgent:Process:ProcessDetail`: fields `ProcIOWriteCount` and `ProcIOPSWrite` are now collected on macOS, too.
- Sourcetype: `uberAgent:System:MachineInventory`: field `BatteryWearLevelPercent` is now collected on macOS, too.
- Splunk: lookup `lookup_hostinfo2` has been removed.
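As an added illustration of the process hashing behind the `HashMD5`, `HashSHA1`, `HashSHA256` and `HashIMP` fields (this is example code written for this page, not uberAgent's own implementation, which the page does not show), the following Python reads an executable's bytes once and feeds all three hashers from the same buffer, which is what makes enabling several hash types at once cheap, and builds an ImpHash from a constructed import list. The import-table normalization follows the widely used pefile definition of ImpHash; whether uberAgent's `HashIMP` is bit-for-bit compatible with it is an assumption, as is the simplified handling of imports by ordinal.

```python
import hashlib
from typing import Dict, List, Tuple, Union

# Algorithms behind the HashMD5 / HashSHA1 / HashSHA256 fields.
FILE_HASH_ALGORITHMS = ("md5", "sha1", "sha256")

# (module name, function name) or (module name, ordinal) for imports by ordinal.
ImportEntry = Tuple[str, Union[str, int]]


def hash_bytes_all(data: bytes, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Compute MD5, SHA-1 and SHA-256 of the same content in a single pass.

    Every hasher is updated from the same chunk, so the content is read only
    once. For executables on network shares, the read is the expensive part,
    so this is what keeps multiple enabled hash types from multiplying I/O.
    """
    hashers = {name: hashlib.new(name) for name in FILE_HASH_ALGORITHMS}
    for offset in range(0, len(data), chunk_size):
        chunk = data[offset:offset + chunk_size]
        for hasher in hashers.values():
            hasher.update(chunk)
    return {name: hasher.hexdigest() for name, hasher in hashers.items()}


def hash_file_all(path: str, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Same as hash_bytes_all, but streams a file from disk chunk by chunk."""
    hashers = {name: hashlib.new(name) for name in FILE_HASH_ALGORITHMS}
    with open(path, "rb") as handle:
        while True:
            chunk = handle.read(chunk_size)
            if not chunk:
                break
            for hasher in hashers.values():
                hasher.update(chunk)
    return {name: hasher.hexdigest() for name, hasher in hashers.items()}


def imphash_input(imports: List[ImportEntry]) -> str:
    """Build the normalized import string that ImpHash is computed over.

    Normalization as in pefile's get_imphash(): lower-case module and
    function names, strip a .dll/.ocx/.sys extension from the module name,
    keep the order of the import table, join "module.function" with commas.
    Assumption/simplification: imports by ordinal are written as "ordN";
    pefile additionally resolves well-known ordinals (e.g. ws2_32) to names.
    """
    parts = []
    for module, func in imports:
        module = module.lower()
        root, dot, ext = module.rpartition(".")
        if dot and ext in ("dll", "ocx", "sys"):
            module = root
        name = f"ord{func}" if isinstance(func, int) else func.lower()
        parts.append(f"{module}.{name}")
    return ",".join(parts)


def imphash(imports: List[ImportEntry]) -> str:
    """ImpHash: MD5 over the normalized import string."""
    return hashlib.md5(imphash_input(imports).encode("ascii")).hexdigest()


if __name__ == "__main__":
    # Constructed sample import table, not taken from any real binary.
    sample_imports: List[ImportEntry] = [
        ("KERNEL32.dll", "CreateFileW"),
        ("kernel32.DLL", "ReadFile"),
        ("ADVAPI32.dll", "RegOpenKeyExW"),
        ("CUSTOM.dll", 7),
    ]
    print(hash_bytes_all(b"abc"))
    print(imphash_input(sample_imports), imphash(sample_imports))
```

Because ImpHash depends only on the names and order of imported functions, two builds of the same linker output share it even when their content hashes differ, which is why it is useful alongside, not instead of, the content hashes.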
Known issues
- Boot duration: the metrics `TotalBootTimeMs`, `MainPathBootTimeMs` and `PostBootTimeMs` cannot be determined for every system boot.
- Browsers/IE add-on: metrics are not collected on page reload.
- Browsers/IE add-on: metrics are collected incompletely for the configured start page.
- Browser web app performance: websites may modify the JavaScript `performance` variable. When that happens, uberAgent cannot determine the page load duration.
- Citrix ADC: in very rare cases the content of the Virtual Server Performance field `vServerName` contains spaces in wrong places.
- Citrix site monitoring: data collection issue if the Citrix Remote PowerShell SDK (required for Citrix Cloud monitoring) is installed on a CVAD controller.
- Citrix XA/XD Machines: when running the Citrix VDA on a Citrix Delivery Controller, some per-machine information is missing.
- Experience score [I377]: scheduled searches generate three warnings in Splunk's `_internal` index every 30 minutes. The messages look like the following: `DateParserVerbose - Failed to parse timestamp in first MAX_TIMESTAMP_LOOKAHEAD (128) characters of event.` There is no impact on uberAgent's functionality, however.
- GPU [I33]: values for the fields `ComputeUsagePercentAllEngines`, `ComputeUsagePercentEngine0` and similar can be higher than 100 with Intel Iris GPUs on Windows Server 2016 1607.
- IE browser performance monitoring: does not work if IE is published from Citrix Virtual Apps. It does work from Citrix Virtual Desktops, however.
- Kafka [I291]: in rare cases sending data to Kafka results in a SEC_E_BUFFER_TOO_SMALL error message in the logfile. This should have no effect; the transmission is repeated and succeeds on the second try.
- Performance [I372]: on macOS, running uberAgent has a noticeable impact on I/O performance of small writes. As a workaround, the new config flag `DisableESFileSystemMonitoring` has been added. If set, performance will not be impacted, but `ProcIOWriteCount` and `ProcIOPSWrite` will not be available in `uberAgent:Process:ProcessDetail`.
- Update inventory: not all installed Windows updates may be reported due to API limitations.
- Volume inventory: on macOS, the encryption status of mounted read-only APFS snapshots may not be reported due to API limitations. This includes the root directory volume in a default installation of macOS.