Version 6.0

Release notes

• Removed dependency to the Splunk Event Generator app. uAEventGen is now a .NET Core application.
• Added sample data for new ESA hash calculation feature.
• Added sample data for new ESA activity monitoring engine.
• Added sample data for ESA scheduled task monitoring.
• Added sample data for Microsoft Edge (Chromium).

Improvements

• Configuration: configure number of RDSH servers (e.g. 2x Citrix + 1x VMWare + 3x RDP).
• Configuration: processes started during boot, login, or in-session are now configurable.

New Sourcetypes

• Sourcetype: new sourcetype uberAgentESA:Process:ProcessStop with fields: Timestamp, ProcName, ProcUser, ProcLifetimeMs, AppId, ProcID, ProcParentID, SessionID, ProcGUID, SessionGUID, ProcParentName, ProcPath, ProcCmdline, IsElevated, AppVersion, ProcParentGUID, ProcHash, HashType, IsProtected.
• Sourcetype: new sourcetype uberAgentESA:ActivityMonitoring:ProcessTagging with fields: Timestamp, EventType, ProcName, ProcParentName, ProcUser, ProcLifetimeMs, ProcID, ProcParentID, ProcGUID, ProcParentGUID, ProcPath, ProcCmdline, ProcTag1, ProcRiskScore1, ProcHash, IsElevated, SessionID, SessionGUID, AppId, AppVersion, HashType, ImageName, ImagePath, ImageHash, NetTargetIp, NetTargetName, NetTargetPort, NetProtocol, IsProtected, EventCount.
• Sourcetype: new sourcetype uberAgentESA:System:ScheduledTasks with fields: Timestamp, TaskEventType, TaskFolder, TaskName, TaskUserName, TaskPrincipal, LogonType, Elevated, TaskAuthor, TaskHidden, WakeToRun, HasActions.
• Sourcetype: new sourcetype uberAgentESA:System:ScheduledTaskActions with fields: Timestamp, TaskPath, IsDeprecated, ActionType, ActionListIndex, ExePath, ExeArguments, ExeWorkingDir, ComClsid, ComData, ComBinary, ComHandlerDescription, ComRemoteComputer, ComServiceName, AutoElevated, EmailBcc, EmailCc, EmailFrom, EmailServer, EmailSubject, EmailTo, MsgTitle, MsgContent.
• Sourcetype: new sourcetype uberAgentESA:System:ScheduledTaskTriggers with fields: Timestamp, TaskPath, TriggerId, TriggerType, EventTriggerSubscription, EventTriggerNumValues, TriggerUserId, LogonTriggerPossiblyGroup, TriggerEnabled, TriggerStartBoundary, TriggerEndBoundary, TriggerRepetitionDuration, TriggerRepetitionInterval, TriggerRepetitionStopAtDurationEnd, TriggerListIndex, DayDisplayName, WeekDisplayName, MonthDisplayName, DayOfMonthDisplayName, DailyTriggerDaysInterval, WeeklyTriggerWeeksInterval, MonthlyTriggerRunOnLastDayOfMonth, MonthlyDowTriggerRunOnLastWeekOfMonth, StateChangeId, WnfTriggerStateName.
• Sourcetype: uberAgent:Process:ProcessStartup has new field(s): IsProtected.
• Sourcetype: uberAgent:Process:ProcessStartup has new field(s): ProcHash, HashType and ProcParentGUID (these requires ESA to be enabled).
• Sourcetype: uberAgent:Process:NetworkTargetPerformance has new fields: NetTargetSendLatencyInitialMs and NetTargetSendLatencyInitialCount.
• Sourcetype: uberAgent:OnOffTransition:BootProcesses has new fields: SortOrder2 replaces SortOrder because the Kafka data type was incorrect (string instead of int).
• Sourcetype: uberAgent:Session:SessionDetail has new fields: SessionClientHwIdCtx2 replaces SessionClientHwIdCtx because the Kafka data type was incorrect (string instead of int).
• Sourcetype: uberAgent:Session:SessionDetail has new fields: SessionRpLatencyMs2 replaces SessionRpLatencyMs because the Kafka data type was incorrect (int instead of double).
• Sourcetype: uberAgent:CitrixADC:AppliancePerformance has new fields: NumCpus2, MemSizeMB2, and MemUseInMB2 replaces NumCpus, MemSizeMB, and MemUseInMB because the Kafka data type was incorrect (string instead of int).
• Sourcetype: uberAgent:CitrixADC:Gateway has new fields: TotalRequests2, TotalResponses2, and SessionTimeout2 replaces TotalRequests, TotalResponses, and SessionTimeout because the Kafka data type was incorrect (string instead of int).
• Sourcetype: uberAgent:CitrixADC:vServer has new fields: ActSvcs2, TotHits2, TotalRequests2, TotalResponses2, VSLBHealth2, and SessionTimeout2 replaces ActSvcs, TotHits, TotalRequests, TotalResponses, VSLBHealth, and SessionTimeout because the Kafka data type was incorrect (string instead of int).
• Sourcetype: uberAgent:CitrixADC:ApplianceInventory has new fields: SSLCards2 and SSLCardsUp2 replaces SSLCards and SSLCardsUp because the Kafka data type was incorrect (string instead of int).
• Sourcetype: uberAgent:Application:Errors has new field(s): HangType.
• Sourcetype: uberAgent:System:MachineInventory field BatteryWearLevelPercent does not report negative numbers anymore if the full charged capacity is higher than designed capacity.
• Sourcetypes: merged the following KV sourcetypes into the new CSV sourcetype uberAgent:Logon:LogonDetail: uberAgent:Logon:SessionLogonTime, uberAgent:Logon:ProfileLoadTimeMs, uberAgent:Logon:GroupPolicyProcessingTimes, uberAgent:Logon:GroupPolicyLogonScriptTimeMs, uberAgent:Logon:SessionEnd, uberAgent:Logon:ADLogonScriptTimeMs, uberAgent:Logon:ResWmProcessingTimeMs, uberAgent:Logon:ShellStartupTimeMs, uberAgent:Logon:TotalLogonTimeMs, uberAgent:Logon:LogonPerformance.
• Sourcetypes: merged the following KV sourcetypes into the new CSV sourcetype uberAgent:Logoff:LogoffDetail: uberAgent:Logoff:SessionLogoffTime, uberAgent:Logoff:ProfileUnloadTimeMs, uberAgent:Logoff:GroupPolicyLogoffScriptTimeMs, uberAgent:Logoff:TotalLogoffTimeMs, uberAgent:Logoff:LogoffPerformance.
• Sourcetype: replaced KV sourcetype uberAgent:Logon:GroupPolicyCSEDetail with CSV sourcetype uberAgent:Logon:GroupPolicyCSEDetail2. No changes to the fields.
• Sourcetype: uberAgent:Process:NetworkTargetPerformance has new fields: NetTargetSendJitterMs and NetTargetSendJitterCount.
• Sourcetype: uberAgent:Process:ProcessDetail has new fields: ProcIOLatencyReadMs2 and ProcIOLatencyWriteMs2 replaces ProcIOLatencyReadMs and ProcIOLatencyWriteMs because the Kafka data type was incorrect (int instead of double).
• Sourcetype: uberAgent:Process:LogonProcesses has new fields: ProcIOLatencyReadMs2 and ProcIOLatencyWriteMs2 replaces ProcIOLatencyReadMs and ProcIOLatencyWriteMs because the Kafka data type was incorrect (int instead of double).
• Sourcetype: uberAgent:Process:LogonProcesses has new fields: SortOrder2 replaces SortOrder because the Kafka data type was incorrect (string instead of int).
• Sourcetype: uberAgent:Process:LogoffProcesses has new fields: SortOrder2 replaces SortOrder because the Kafka data type was incorrect (string instead of int).
• Sourcetype: uberAgent:Process:LogoffProcesses has new fields: ProcIOLatencyReadMs2 and ProcIOLatencyWriteMs2 replaces ProcIOLatencyReadMs and ProcIOLatencyWriteMs because the Kafka data type was incorrect (int instead of double).
• Sourcetype: uberAgent:Logoff:ProfileUnloadTimeMs (now merged into uberAgent:Logoff:LogoffDetail) has new field: ProfileUnloadTimeMs2 replaces ProfileUnloadTimeMs because the Kafka data type was incorrect (string instead of number).
• Sourcetype: uberAgent:Citrix::Licenses has new fields: LicenseEdition2 replaces LicenseEdition because the Kafka data type was incorrect (int instead of string).
• Sourcetype: uberAgent:System:GpuUsage has removed fields: ComputeUsagePercentEngine0 through ComputeUsagePercentEngine11 because a much more useful alternative exists with the sourcetype uberAgent:System:GpuUsageEngine.
• Sourcetype: uberAgent:Session:SessionCount has been removed.
• Performance counters: changed the sourcetype names from uberAgent:System:PerformanceCounter to uberAgent:PerformanceCounter:TimerName (where TimerName is the timer name from uberAgent’s configuration).