Skip to main content

vast limits GmbH and uberAgent are now part of Citrix, a business unit of Cloud Software Group. Learn more at

This documentation does not apply to the most recent version of uberAgent. Click here for the latest version.

Changelog and Release Notes

Version 6.2

New features

  • Persistent output queue [B17]: buffering of the generated events on the endpoint’s disk before attempting to send them to the backend. Guarantees no events are lost.
  • Activity monitoring (Windows) [B338]: uberAgent ESA now detects remote thread creation and process tampering (hollowing, herpaderping, doppelganging).


  • Activity monitoring [B630]: the converted Sigma ruleset has been updated and now supports more categories: network_connection, firewall, create_remote_thread, registry_event.
  • Application errors (macOS) [B585]: application crashes are now detected and reported.
  • Authenticode signature verification (Windows) [B576]: Authenticode verification can now be configured per image type (processes, libraries/DLLs, or both).
  • Boot duration (Windows) [I468]: boot events are now ignored if the corresponding timestamp in the trace file is invalid.
  • Citrix Cloud monitoring (Windows) [I485]: improved stability and faster OData API queries for machines, catalogs, and hypervisors.
  • Citrix Cloud monitoring (Windows) [I485]: multiple retries for more resilience in case of API query failures. Default: 10 attempts. Configurable via the new config flag CitrixODataAPIMaximumAttempts.
  • Citrix site/Cloud monitoring (Windows) [I485]: the new Citrix PowerShell SDK record limits are now supported. Default: 1000 records per call. Configurable via the new config flag CitrixSDKMaxRecordCount.
  • Configuration (Windows) [I487]: the configuration option CollectCitrixCloudInformationMachines is now logged to the configuration log, too.
  • Custom scripts [B615]: all events generated from the output of a script instance now have the same timestamp.
  • Daemon (macOS) [I411]: increased process and thread priorities on macOS to avoid resource starvation, and thus hanging timers, in high load scenarios like GUI session logins.
  • Dashboards [I419]: all Splunk dashboards have been upgraded to Simple XML version 1.1 and jQuery 3.5.
  • Dashboards [I495]: center Lifetime cell vertically in the Single Logon/Logoff and Single Boot Duration dashboards.
  • DNS query monitoring (macOS) [B549]: now supported on macOS, too.
  • Installer [B621]: optimized the uberAgent installation script logic by removing an unnecessary service/daemon restart.
  • Network monitoring (macOS) [B549]: the field NetTargetRemoteName is now available on macOS.
  • Network monitoring (Windows) [I370]: further optimized network throughput and reduced the monitoring driver’s overhead.
  • Session details (macOS) [B578]: improved reliability of SSH session detection.
  • Splunk [B608]: added more CIM data models, datasets, and fields.


  • Browsers/IE add-on (Windows) [I494]: fixed occasional crash with short-lived pages.
  • Configuration (Windows) [I488]: the setting LogFileCount was not honored for configuration logs.
  • Configuration (Windows) [I489]: the configuration option CollectADCInformationMachines is now processed correctly.
  • Daemon (macOS) [I471]: timers configured with only the NetworkTargetPerformanceProcess metric would stop after their first run.
  • Dashboards [I431]: historic user tags were not available in the dashboards.
  • Dashboards [I436]: the selected timeframe is now shown correctly in the data table of the Process DNS dashboard. Table filters are now applied correctly, too.
  • Dashboards [I495]: limit Lifetime cell width in the Single Logon/Logoff and Single Boot Duration dashboards for long running processes.
  • Event data filtering [I498]: clearing fields now works correctly.
  • Logging (Windows) [I429]: localized log messages with special characters are now converted correctly.
  • Network monitoring (macOS) [I460]: the field ProcUser is now set correctly.
  • Monitor inventory (macOS) [I130]: MonitorHRes and MonitorVRes field values are only populated if the OS reports them correctly.
  • Process startup (Windows) [I446]: invalid values are now dropped.
  • Service (Windows) [I467]: the service hung if it was stopped while communicating with in-session helper processes.
  • Service (Windows) [I478]: fixed a rare issue where a crashed uberAgent.exe process would remain as a zombie process.
  • Service (Windows) [I479, I486]: fixed a rare issue where the process driver could cause a BSOD.

Release notes

  • Configuration: changed description of stanza ProcessDetail_SendCommandline because it is actually not deprecated.
  • Configuration (Windows) [B576]: the setting name HashObjects has been renamed to HashImageTypes. HashObjects is now deprecated.
  • Activity monitoring (Windows) [B599]: added new event type: Process.CreateRemoteThread with the specific properties: Thread.Id, Thread.Timestamp, Thread.Process.Id, Thread.Parent.Id, Thread.StartAddress, Thread.StartModule, Thread.StartFunctionName. The common event properties are available, too.
  • Activity monitoring (Windows) [B338]: added new event type: Process.TamperingEvent. The common event properties are available.
  • Activity monitoring (Windows) [B601]: added new registry event property: Reg.Key.Target.
  • Activity monitoring (Windows) [B601]: added new common event properties: Process.Hashes, Parent.Hashes, Image.Hashes, Process.Id, Parent.Id.
  • Activity monitoring (Windows) [B567]: added new common event properties: Process.IsSigned, Parent.IsSigned, Image.IsSigned, Process.Signature, Parent.Signature, Image.Signature, Process.SignatureStatus, Parent.SignatureStatus, Image.SignatureStatus.
  • Activity monitoring (Windows) [B409]: added new network event properties: Net.Source.Ip, Net.Source.Port, Net.Source.Name, Net.Source.PortName, Net.Source.IpIsV6, Net.Target.IpIsV6, Net.Target.NetTargetPortName.
  • Authenticode signature verification (Windows) [I509]: added new SignatureStatus values: UntrustedRoot, TrustedRootNotInCA, Error.
  • Libraries (Windows): updated curl to version 7.79.1
  • Sourcetype: uberAgent:Process:NetworkTargetPerformance has new field(s): NetTargetSourcePort. Added it to Splunk’s CIM data model, too.
  • Sourcetype: uberAgent:Application:NetworkConnectFailure has new field(s): NetTargetSourcePort. Added it to Splunk’s CIM data model along with already existing fields.

Known issues

  • Activity monitoring (Windows) [I531]: may cause a very high read disk IO. The issue causing this is cached IO access and, therefore, more a visual issue than an actual issue.
  • Application errors (macOS): crash report collection is not yet supported on macOS Monterey or newer. It is supported on macOS Catalina and macOS BigSur.
  • Boot duration (Windows): the metrics TotalBootTimeMs, MainPathBootTimeMs and PostBootTimeMs cannot be determined for every system boot.
  • Browsers/IE add-on (Windows): metrics are not collected on page reload.
  • Browsers/IE add-on (Windows): metrics are collected incompletely for the configured start page.
  • Browsers/IE add-on (Windows) monitoring does not work if IE is published from Citrix Virtual Apps. It does work from Citrix Virtual Desktops, however.
  • Citrix ADC: in very rare cases the content of the Virtual Server Performance field vServerName contains spaces in wrong places.
  • Citrix site monitoring (Windows): data collection issue if the Citrix Remote Powershell SDK (required for Citrix Cloud monitoring) is installed on a CVAD controller.
  • Citrix XA/XD Machines (Windows): when running the Citrix VDA on a Citrix Delivery Controller, some per-machine information is missing.
  • Experience score [I377]: scheduled searches generate three warnings in Splunk’s _internal index every 30 minutes. The messages look like the following: DateParserVerbose - Failed to parse timestamp in first MAX_TIMESTAMP_LOOKAHEAD (128) characters of event.. However, there is no impact on uberAgent’s functionality.
  • GPU (Windows) [I33]: values for the fields ComputeUsagePercentAllEngines, ComputeUsagePercentEngine0 and similar can be higher than 100 with Intel Iris GPUs on Windows Server 2016 1607.
  • Kafka [I291]: in rare cases sending data to Kafka results in a SEC_E_BUFFER_TOO_SMALL error message in the logfile. This should have no affect; the transmission is repeated and succeeds on the second try.
  • NetworkTargetPerformance (macOS) [I550]: in rare cases the values for NetTargetSendJitterMs, NetTargetSendLatencyMs and NetTargetSendLatencyInitialMs can be calculated incorrectly which leads to huge values.
  • Performance (macOS) [I372]: running uberAgent has a noticeable impact on I/O performance of small writes. If the config flag DisableESFileSystemMonitoring is enabled, performance is not impacted, but the fields ProcIOWriteCount and ProcIOPSWrite are not available in uberAgent:Process:ProcessDetail.
  • Update inventory (Windows): not all installed Windows updates may be reported due to API limitations.
  • Volume inventory (macOS): the encryption status of mounted read-only APFS snapshots may not be reported due to API limitations. This includes the root directory volume in a default installation of macOS.
  • High CPU usage (Windows) [I539]: the processing of the libraries during hashing and or authentication code currently causes a CPU high load.


Your email address will not be published. Required fields are marked *