This documentation does not apply to the most recent version of uberAgent. Click here for the latest version.
Changelog and Release Notes
- Persistent output queue [B17]: buffering of the generated events on the endpoint’s disk before attempting to send them to the backend. Guarantees no events are lost.
- Activity monitoring (Windows) [B338]: uberAgent ESA now detects remote thread creation and process tampering (hollowing, herpaderping, doppelganging).
- Activity monitoring [B630]: the converted Sigma ruleset has been updated and now supports more categories:
- Application errors (macOS) [B585]: application crashes are now detected and reported.
- Authenticode signature verification (Windows) [B576]: Authenticode verification can now be configured per image type (processes, libraries/DLLs, or both).
- Boot duration (Windows) [I468]: boot events are now ignored if the corresponding timestamp in the trace file is invalid.
- Citrix Cloud monitoring (Windows) [I485]: improved stability and faster OData API queries for machines, catalogs, and hypervisors.
- Citrix Cloud monitoring (Windows) [I485]: multiple retries for more resilience in case of API query failures. Default: 10 attempts. Configurable via the new config flag
- Citrix site/Cloud monitoring (Windows) [I485]: the new Citrix PowerShell SDK record limits are now supported. Default: 1000 records per call. Configurable via the new config flag
- Configuration (Windows) [I487]: the configuration option
CollectCitrixCloudInformationMachinesis now logged to the configuration log, too.
- Custom scripts [B615]: all events generated from the output of a script instance now have the same timestamp.
- Daemon (macOS) [I411]: increased process and thread priorities on macOS to avoid resource starvation, and thus hanging timers, in high load scenarios like GUI session logins.
- Dashboards [I419]: all Splunk dashboards have been upgraded to Simple XML version 1.1 and jQuery 3.5.
- Dashboards [I495]: center
Lifetimecell vertically in the Single Logon/Logoff and Single Boot Duration dashboards.
- DNS query monitoring (macOS) [B549]: now supported on macOS, too.
- Installer [B621]: optimized the uberAgent installation script logic by removing an unnecessary service/daemon restart.
- Network monitoring (macOS) [B549]: the field
NetTargetRemoteNameis now available on macOS.
- Network monitoring (Windows) [I370]: further optimized network throughput and reduced the monitoring driver’s overhead.
- Session details (macOS) [B578]: improved reliability of SSH session detection.
- Splunk [B608]: added more CIM data models, datasets, and fields.
- Browsers/IE add-on (Windows) [I494]: fixed occasional crash with short-lived pages.
- Configuration (Windows) [I488]: the setting
LogFileCountwas not honored for configuration logs.
- Configuration (Windows) [I489]: the configuration option
CollectADCInformationMachinesis now processed correctly.
- Daemon (macOS) [I471]: timers configured with only the
NetworkTargetPerformanceProcessmetric would stop after their first run.
- Dashboards [I431]: historic user tags were not available in the dashboards.
- Dashboards [I436]: the selected timeframe is now shown correctly in the data table of the Process DNS dashboard. Table filters are now applied correctly, too.
- Dashboards [I495]: limit
Lifetimecell width in the Single Logon/Logoff and Single Boot Duration dashboards for long running processes.
- Event data filtering [I498]: clearing fields now works correctly.
- Logging (Windows) [I429]: localized log messages with special characters are now converted correctly.
- Network monitoring (macOS) [I460]: the field
ProcUseris now set correctly.
- Monitor inventory (macOS) [I130]:
MonitorVResfield values are only populated if the OS reports them correctly.
- Process startup (Windows) [I446]: invalid values are now dropped.
- Service (Windows) [I467]: the service hung if it was stopped while communicating with in-session helper processes.
- Service (Windows) [I478]: fixed a rare issue where a crashed
uberAgent.exeprocess would remain as a zombie process.
- Service (Windows) [I479, I486]: fixed a rare issue where the process driver could cause a BSOD.
- Configuration: changed description of stanza
ProcessDetail_SendCommandlinebecause it is actually not deprecated.
- Configuration (Windows) [B576]: the setting name
HashObjectshas been renamed to
HashObjectsis now deprecated.
- Activity monitoring (Windows) [B599]: added new event type:
Process.CreateRemoteThreadwith the specific properties:
Thread.StartFunctionName. The common event properties are available, too.
- Activity monitoring (Windows) [B338]: added new event type:
Process.TamperingEvent. The common event properties are available.
- Activity monitoring (Windows) [B601]: added new registry event property:
- Activity monitoring (Windows) [B601]: added new common event properties:
- Activity monitoring (Windows) [B567]: added new common event properties:
- Activity monitoring (Windows) [B409]: added new network event properties:
- Authenticode signature verification (Windows) [I509]: added new
- Libraries (Windows): updated curl to version 7.79.1
uberAgent:Process:NetworkTargetPerformancehas new field(s):
NetTargetSourcePort. Added it to Splunk’s CIM data model, too.
uberAgent:Application:NetworkConnectFailurehas new field(s):
NetTargetSourcePort. Added it to Splunk’s CIM data model along with already existing fields.
- Activity monitoring (Windows) [I531]: may cause a very high read disk IO. The issue causing this is cached IO access and, therefore, more a visual issue than an actual issue.
- Application errors (macOS): crash report collection is not yet supported on macOS Monterey or newer. It is supported on macOS Catalina and macOS BigSur.
- Boot duration (Windows): the metrics
PostBootTimeMscannot be determined for every system boot.
- Browsers/IE add-on (Windows): metrics are not collected on page reload.
- Browsers/IE add-on (Windows): metrics are collected incompletely for the configured start page.
- Browsers/IE add-on (Windows) monitoring does not work if IE is published from Citrix Virtual Apps. It does work from Citrix Virtual Desktops, however.
- Citrix ADC: in very rare cases the content of the Virtual Server Performance field
vServerNamecontains spaces in wrong places.
- Citrix site monitoring (Windows): data collection issue if the Citrix Remote Powershell SDK (required for Citrix Cloud monitoring) is installed on a CVAD controller.
- Citrix XA/XD Machines (Windows): when running the Citrix VDA on a Citrix Delivery Controller, some per-machine information is missing.
- Experience score [I377]: scheduled searches generate three warnings in Splunk’s
_internalindex every 30 minutes. The messages look like the following:
DateParserVerbose - Failed to parse timestamp in first MAX_TIMESTAMP_LOOKAHEAD (128) characters of event.. However, there is no impact on uberAgent’s functionality.
- GPU (Windows) [I33]: values for the fields
ComputeUsagePercentEngine0and similar can be higher than 100 with Intel Iris GPUs on Windows Server 2016 1607.
- Kafka [I291]: in rare cases sending data to Kafka results in a
SEC_E_BUFFER_TOO_SMALLerror message in the logfile. This should have no affect; the transmission is repeated and succeeds on the second try.
- NetworkTargetPerformance (macOS) [I550]: in rare cases the values for
NetTargetSendLatencyInitialMscan be calculated incorrectly which leads to huge values.
- Performance (macOS) [I372]: running uberAgent has a noticeable impact on I/O performance of small writes. If the config flag
DisableESFileSystemMonitoringis enabled, performance is not impacted, but the fields
ProcIOPSWriteare not available in
- Update inventory (Windows): not all installed Windows updates may be reported due to API limitations.
- Volume inventory (macOS): the encryption status of mounted read-only APFS snapshots may not be reported due to API limitations. This includes the root directory volume in a default installation of macOS.
- High CPU usage (Windows) [I539]: the processing of the libraries during hashing and or authentication code currently causes a CPU high load.