Changelog and Release Notes
Version 6.2
New features
- Persistent output queue [B17]: buffering of the generated events on the endpoint’s disk before attempting to send them to the backend. Guarantees no events are lost.
- Activity monitoring (Windows) [B338]: uberAgent ESA now detects remote thread creation and process tampering (hollowing, herpaderping, doppelganging).
Improvements
- Activity monitoring [B630]: the converted Sigma ruleset has been updated and now supports more categories: network_connection, firewall, create_remote_thread, registry_event.
- Application errors (macOS) [B585]: application crashes are now detected and reported.
- Authenticode signature verification (Windows) [B576]: Authenticode verification can now be configured per image type (processes, libraries/DLLs, or both).
- Boot duration (Windows) [I468]: boot events are now ignored if the corresponding timestamp in the trace file is invalid.
- Citrix Cloud monitoring (Windows) [I485]: improved stability and faster OData API queries for machines, catalogs, and hypervisors.
- Citrix Cloud monitoring (Windows) [I485]: multiple retries for more resilience in case of API query failures. Default: 10 attempts. Configurable via the new config flag CitrixODataAPIMaximumAttempts.
- Citrix site/Cloud monitoring (Windows) [I485]: the new Citrix PowerShell SDK record limits are now supported. Default: 1000 records per call. Configurable via the new config flag CitrixSDKMaxRecordCount.
- Configuration (Windows) [I487]: the configuration option CollectCitrixCloudInformationMachines is now logged to the configuration log, too.
- Custom scripts [B615]: all events generated from the output of a script instance now have the same timestamp.
- Daemon (macOS) [I411]: increased process and thread priorities on macOS to avoid resource starvation, and thus hanging timers, in high load scenarios like GUI session logins.
- Dashboards [I419]: all Splunk dashboards have been upgraded to Simple XML version 1.1 and jQuery 3.5.
- Dashboards [I495]: the Lifetime cell is now centered vertically in the Single Logon/Logoff and Single Boot Duration dashboards.
- DNS query monitoring (macOS) [B549]: now supported on macOS, too.
- Installer [B621]: optimized the uberAgent installation script logic by removing an unnecessary service/daemon restart.
- Network monitoring (macOS) [B549]: the field NetTargetRemoteName is now available on macOS.
- Network monitoring (Windows) [I370]: further optimized network throughput and reduced the monitoring driver’s overhead.
- Session details (macOS) [B578]: improved reliability of SSH session detection.
- Splunk [B608]: added more CIM data models, datasets, and fields.
Bugfixes
- Browsers/IE add-on (Windows) [I494]: fixed occasional crash with short-lived pages.
- Configuration (Windows) [I488]: the setting LogFileCount was not honored for configuration logs.
- Configuration (Windows) [I489]: the configuration option CollectADCInformationMachines is now processed correctly.
- Daemon (macOS) [I471]: timers configured with only the NetworkTargetPerformanceProcess metric would stop after their first run.
- Dashboards [I431]: historic user tags were not available in the dashboards.
- Dashboards [I436]: the selected timeframe is now shown correctly in the data table of the Process DNS dashboard. Table filters are now applied correctly, too.
- Dashboards [I495]: the width of the Lifetime cell is now limited in the Single Logon/Logoff and Single Boot Duration dashboards for long-running processes.
- Event data filtering [I498]: clearing fields now works correctly.
- Logging (Windows) [I429]: localized log messages with special characters are now converted correctly.
- Network monitoring (macOS) [I460]: the field ProcUser is now set correctly.
- Monitor inventory (macOS) [I130]: the MonitorHRes and MonitorVRes field values are only populated if the OS reports them correctly.
- Process startup (Windows) [I446]: invalid values are now dropped.
- Service (Windows) [I467]: the service hung if it was stopped while communicating with in-session helper processes.
- Service (Windows) [I478]: fixed a rare issue where a crashed uberAgent.exe process would remain as a zombie process.
- Service (Windows) [I479, I486]: fixed a rare issue where the process driver could cause a BSOD.
Release notes
- Configuration: changed the description of the stanza ProcessDetail_SendCommandline because it is actually not deprecated.
- Configuration (Windows) [B576]: the setting HashObjects has been renamed to HashImageTypes. HashObjects is now deprecated.
- Activity monitoring (Windows) [B599]: added the new event type Process.CreateRemoteThread with the specific properties Thread.Id, Thread.Timestamp, Thread.Process.Id, Thread.Parent.Id, Thread.StartAddress, Thread.StartModule, Thread.StartFunctionName. The common event properties are available, too.
- Activity monitoring (Windows) [B338]: added the new event type Process.TamperingEvent. The common event properties are available.
- Activity monitoring (Windows) [B601]: added the new registry event property Reg.Key.Target.
- Activity monitoring (Windows) [B601]: added the new common event properties Process.Hashes, Parent.Hashes, Image.Hashes, Process.Id, Parent.Id.
- Activity monitoring (Windows) [B567]: added the new common event properties Process.IsSigned, Parent.IsSigned, Image.IsSigned, Process.Signature, Parent.Signature, Image.Signature, Process.SignatureStatus, Parent.SignatureStatus, Image.SignatureStatus.
- Activity monitoring (Windows) [B409]: added the new network event properties Net.Source.Ip, Net.Source.Port, Net.Source.Name, Net.Source.PortName, Net.Source.IpIsV6, Net.Target.IpIsV6, Net.Target.NetTargetPortName.
- Authenticode signature verification (Windows) [I509]: added the new SignatureStatus values UntrustedRoot, TrustedRootNotInCA, Error.
- Libraries (Windows): updated curl to version 7.79.1.
- Sourcetype uberAgent:Process:NetworkTargetPerformance has the new field NetTargetSourcePort. It was added to Splunk’s CIM data model, too.
- Sourcetype uberAgent:Application:NetworkConnectFailure has the new field NetTargetSourcePort. It was added to Splunk’s CIM data model along with the already existing fields.
Known issues
- Activity monitoring (Windows) [I531]: may show very high disk read IO. The reads are served from the cache, so this is a reporting issue rather than actual disk load.
- Application errors (macOS): crash report collection is not yet supported on macOS Monterey or newer. It is supported on macOS Catalina and macOS BigSur.
- Boot duration (Windows): the metrics TotalBootTimeMs, MainPathBootTimeMs and PostBootTimeMs cannot be determined for every system boot.
- Browsers/IE add-on (Windows): metrics are not collected on page reload.
- Browsers/IE add-on (Windows): metrics are collected incompletely for the configured start page.
- Browsers/IE add-on (Windows) monitoring does not work if IE is published from Citrix Virtual Apps. It does work from Citrix Virtual Desktops, however.
- Citrix ADC: in very rare cases the content of the Virtual Server Performance field vServerName contains spaces in wrong places.
- Citrix site monitoring (Windows): data collection issue if the Citrix Remote PowerShell SDK (required for Citrix Cloud monitoring) is installed on a CVAD controller.
- Citrix XA/XD Machines (Windows): when running the Citrix VDA on a Citrix Delivery Controller, some per-machine information is missing.
- Experience score [I377]: scheduled searches generate three warnings in Splunk’s _internal index every 30 minutes. The messages look like the following: DateParserVerbose - Failed to parse timestamp in first MAX_TIMESTAMP_LOOKAHEAD (128) characters of event. However, there is no impact on uberAgent’s functionality.
- GPU (Windows) [I33]: values for the fields ComputeUsagePercentAllEngines, ComputeUsagePercentEngine0 and similar can be higher than 100 with Intel Iris GPUs on Windows Server 2016 1607.
- Kafka [I291]: in rare cases sending data to Kafka results in a SEC_E_BUFFER_TOO_SMALL error message in the log file. This should have no effect; the transmission is repeated and succeeds on the second try.
- NetworkTargetPerformance (macOS) [I550]: in rare cases the values for NetTargetSendJitterMs, NetTargetSendLatencyMs and NetTargetSendLatencyInitialMs can be calculated incorrectly, which leads to huge values.
- Performance (macOS) [I372]: running uberAgent has a noticeable impact on the I/O performance of small writes. If the config flag DisableESFileSystemMonitoring is enabled, performance is not impacted, but the fields ProcIOWriteCount and ProcIOPSWrite are not available in uberAgent:Process:ProcessDetail.
- Update inventory (Windows): not all installed Windows updates may be reported due to API limitations.
- Volume inventory (macOS): the encryption status of mounted read-only APFS snapshots may not be reported due to API limitations. This includes the root directory volume in a default installation of macOS.
- High CPU usage (Windows) [I539]: processing libraries during hashing and/or Authenticode verification currently causes high CPU load.