Skip to main content

This documentation does not apply to the most recent version of uberAgent. Click here for the latest version.

Changelog and Release Notes

Version 6.2

New features

  • Persistent output queue [B17]: buffering of the generated events on the endpoint’s disk before attempting to send them to the backend. Guarantees no events are lost.
  • Activity monitoring (Windows) [B338]: uberAgent ESA now detects remote thread creation and process tampering (hollowing, herpaderping, doppelganging).


  • Activity monitoring [B630]: the converted Sigma ruleset has been updated and now supports more categories: network_connection, firewall, create_remote_thread, registry_event.
  • Application errors (macOS) [B585]: application crashes are now detected and reported.
  • Authenticode signature verification (Windows) [B576]: Authenticode verification can now be configured per image type (processes, libraries/DLLs, or both).
  • Boot duration (Windows) [I468]: boot events are now ignored if the corresponding timestamp in the trace file is invalid.
  • Citrix Cloud monitoring (Windows) [I485]: improved stability and faster OData API queries for machines, catalogs, and hypervisors.
  • Citrix Cloud monitoring (Windows) [I485]: multiple retries for more resilience in case of API query failures. Default: 10 attempts. Configurable via the new config flag CitrixODataAPIMaximumAttempts.
  • Citrix site/Cloud monitoring (Windows) [I485]: the new Citrix PowerShell SDK record limits are now supported. Default: 1000 records per call. Configurable via the new config flag CitrixSDKMaxRecordCount.
  • Configuration (Windows) [I487]: the configuration option CollectCitrixCloudInformationMachines is now logged to the configuration log, too.
  • Custom scripts [B615]: all events generated from the output of a script instance now have the same timestamp.
  • Daemon (macOS) [I411]: increased process and thread priorities on macOS to avoid resource starvation, and thus hanging timers, in high load scenarios like GUI session logins.
  • Dashboards [I419]: all Splunk dashboards have been upgraded to Simple XML version 1.1 and jQuery 3.5.
  • Dashboards [I495]: center Lifetime cell vertically in the Single Logon/Logoff and Single Boot Duration dashboards.
  • DNS query monitoring (macOS) [B549]: now supported on macOS, too.
  • Installer [B621]: optimized the uberAgent installation script logic by removing an unnecessary service/daemon restart.
  • Network monitoring (macOS) [B549]: the field NetTargetRemoteName is now available on macOS.
  • Network monitoring (Windows) [I370]: further optimized network throughput and reduced the monitoring driver’s overhead.
  • Session details (macOS) [B578]: improved reliability of SSH session detection.
  • Splunk [B608]: added more CIM data models, datasets, and fields.


  • Browsers/IE add-on (Windows) [I494]: fixed occasional crash with short-lived pages.
  • Configuration (Windows) [I488]: the setting LogFileCount was not honored for configuration logs.
  • Configuration (Windows) [I489]: the configuration option CollectADCInformationMachines is now processed correctly.
  • Daemon (macOS) [I471]: timers configured with only the NetworkTargetPerformanceProcess metric would stop after their first run.
  • Dashboards [I431]: historic user tags were not available in the dashboards.
  • Dashboards [I436]: the selected timeframe is now shown correctly in the data table of the Process DNS dashboard. Table filters are now applied correctly, too.
  • Dashboards [I495]: limit Lifetime cell width in the Single Logon/Logoff and Single Boot Duration dashboards for long running processes.
  • Event data filtering [I498]: clearing fields now works correctly.
  • Logging (Windows) [I429]: localized log messages with special characters are now converted correctly.
  • Network monitoring (macOS) [I460]: the field ProcUser is now set correctly.
  • Monitor inventory (macOS) [I130]: MonitorHRes and MonitorVRes field values are only populated if the OS reports them correctly.
  • Process startup (Windows) [I446]: invalid values are now dropped.
  • Service (Windows) [I467]: the service hung if it was stopped while communicating with in-session helper processes.
  • Service (Windows) [I478]: fixed a rare issue where a crashed uberAgent.exe process would remain as a zombie process.
  • Service (Windows) [I479, I486]: fixed a rare issue where the process driver could cause a BSOD.

Release notes

  • Configuration: changed description of stanza ProcessDetail_SendCommandline because it is actually not deprecated.
  • Configuration (Windows) [B576]: the setting name HashObjects has been renamed to HashImageTypes. HashObjects is now deprecated.
  • Activity monitoring (Windows) [B599]: added new event type: Process.CreateRemoteThread with the specific properties: Thread.Id, Thread.Timestamp, Thread.Process.Id, Thread.Parent.Id, Thread.StartAddress, Thread.StartModule, Thread.StartFunctionName. The common event properties are available, too.
  • Activity monitoring (Windows) [B338]: added new event type: Process.TamperingEvent. The common event properties are available.
  • Activity monitoring (Windows) [B601]: added new registry event property: Reg.Key.Target.
  • Activity monitoring (Windows) [B601]: added new common event properties: Process.Hashes, Parent.Hashes, Image.Hashes, Process.Id, Parent.Id.
  • Activity monitoring (Windows) [B567]: added new common event properties: Process.IsSigned, Parent.IsSigned, Image.IsSigned, Process.Signature, Parent.Signature, Image.Signature, Process.SignatureStatus, Parent.SignatureStatus, Image.SignatureStatus.
  • Activity monitoring (Windows) [B409]: added new network event properties: Net.Source.Ip, Net.Source.Port, Net.Source.Name, Net.Source.PortName, Net.Source.IpIsV6, Net.Target.IpIsV6, Net.Target.NetTargetPortName.
  • Authenticode signature verification (Windows) [I509]: added new SignatureStatus values: UntrustedRoot, TrustedRootNotInCA, Error.
  • Libraries (Windows): updated curl to version 7.79.1
  • Sourcetype: uberAgent:Process:NetworkTargetPerformance has new field(s): NetTargetSourcePort. Added it to Splunk’s CIM data model, too.
  • Sourcetype: uberAgent:Application:NetworkConnectFailure has new field(s): NetTargetSourcePort. Added it to Splunk’s CIM data model along with already existing fields.

Known issues

  • Activity monitoring (Windows) [I531]: may cause a very high read disk IO. The issue causing this is cached IO access and, therefore, more a visual issue than an actual issue.
  • Application errors (macOS): crash report collection is not yet supported on macOS Monterey or newer. It is supported on macOS Catalina and macOS BigSur.
  • Boot duration (Windows): the metrics TotalBootTimeMs, MainPathBootTimeMs and PostBootTimeMs cannot be determined for every system boot.
  • Browsers/IE add-on (Windows): metrics are not collected on page reload.
  • Browsers/IE add-on (Windows): metrics are collected incompletely for the configured start page.
  • Browsers/IE add-on (Windows) monitoring does not work if IE is published from Citrix Virtual Apps. It does work from Citrix Virtual Desktops, however.
  • Citrix ADC: in very rare cases the content of the Virtual Server Performance field vServerName contains spaces in wrong places.
  • Citrix site monitoring (Windows): data collection issue if the Citrix Remote Powershell SDK (required for Citrix Cloud monitoring) is installed on a CVAD controller.
  • Citrix XA/XD Machines (Windows): when running the Citrix VDA on a Citrix Delivery Controller, some per-machine information is missing.
  • Experience score [I377]: scheduled searches generate three warnings in Splunk’s _internal index every 30 minutes. The messages look like the following: DateParserVerbose - Failed to parse timestamp in first MAX_TIMESTAMP_LOOKAHEAD (128) characters of event.. However, there is no impact on uberAgent’s functionality.
  • GPU (Windows) [I33]: values for the fields ComputeUsagePercentAllEngines, ComputeUsagePercentEngine0 and similar can be higher than 100 with Intel Iris GPUs on Windows Server 2016 1607.
  • Kafka [I291]: in rare cases sending data to Kafka results in a SEC_E_BUFFER_TOO_SMALL error message in the logfile. This should have no affect; the transmission is repeated and succeeds on the second try.
  • NetworkTargetPerformance (macOS) [I550]: in rare cases the values for NetTargetSendJitterMs, NetTargetSendLatencyMs and NetTargetSendLatencyInitialMs can be calculated incorrectly which leads to huge values.
  • Performance (macOS) [I372]: running uberAgent has a noticeable impact on I/O performance of small writes. If the config flag DisableESFileSystemMonitoring is enabled, performance is not impacted, but the fields ProcIOWriteCount and ProcIOPSWrite are not available in uberAgent:Process:ProcessDetail.
  • Update inventory (Windows): not all installed Windows updates may be reported due to API limitations.
  • Volume inventory (macOS): the encryption status of mounted read-only APFS snapshots may not be reported due to API limitations. This includes the root directory volume in a default installation of macOS.
  • High CPU usage (Windows) [I539]: the processing of the libraries during hashing and or authentication code currently causes a CPU high load.


Your email address will not be published. Required fields are marked *