
This documentation does not apply to the most recent version of uberAgent.

User & Host Tags

uberAgent collects an extensive list of metrics. Pre-built Splunk dashboards allow you to filter the data by computer name, hardware manufacturer, IP address, or user, to name just a few of the available filtering options.

Businesses often store data about a machine’s build in the device’s registry. User information, on the other hand, is typically managed in Active Directory (e.g., the user’s department).

uberAgent’s user & host tags feature allows you to integrate custom identifiers in such a way that dashboards can be filtered by their values.

Here is an example: your organization stores the version of a machine’s OS image in a registry value on each machine. If you configure uberAgent to pick up that image build version through a host tag, you can filter the uberAgent dashboards by the version of your OS images. This allows you to determine if a new issue you are analyzing was introduced with a recent OS image, for example.

Tag Sources

Supported sources for tags are:

  • Active Directory attributes
  • Environment variables
  • Registry values

These sources can be queried either per user or per computer.

Requirements

  • uberAgent version 5.3 or later
  • Host tags are determined with the HostTags metric.
  • User tags are determined with the UserTags metric.

Configuration

To configure the tags feature, you can use either the configuration file or Group Policy. This article uses the configuration file.

The stanza of interest in the configuration file is [UserHostTagging]. You can define multiple stanzas of this kind, one for each tag you want to set. The configurable settings are:

Tag name
  • A user-defined unique name of the tag. Spaces are permitted.
  • This is the tag you can search for later in the dashboards.
  • Example: Department
Tag type
  • Defines whether the tag is a host tag or a user tag.
  • Valid values: Host, User
  • Example: User
Tag source
  • Defines the source where the tag data is read from. Registry values of type REG_EXPAND_SZ are automatically expanded.
  • Valid values: Registry, Environment, Ad
  • Example: Registry
Tag value
  • The source element/path to read the tag’s data from.
  • Registry format: any registry path, e.g., HKCU\Software\vast limits\Department (supported hives: HKLM and HKCU)
  • Environment variable format: the variable name enclosed in percent signs, e.g., %DEPARTMENT%
  • AD format: just the attribute name, e.g., Department

Additionally, the metrics UserTags and/or HostTags must be configured in at least one timer.

Using the example values from above results in the following configuration:

[Timer]
Name       = User tags
Comment    = Collect configured user tags
Interval   = 60000
UA metric  = UserTags

[UserHostTagging]
Tag name   = Department
Tag type   = User
Tag source = Registry
Tag value  = HKCU\Software\vast limits\Department

Additionally, an event trigger can be defined to collect the user tag for a single user after logon.

[Timer]
Name         = User tags
Comment      = Collect configured user tags
Interval     = 60000
UA metric    = UserTags
EventTrigger = TriggerUserTags

[EventTrigger platform=Windows]
Name = TriggerUserTags
Type = UserLogon

[UserHostTagging]
Tag name   = Department
Tag type   = User
Tag source = Registry
Tag value  = HKCU\Software\vast limits\Department

Another example: group machines by roles like notebook, graphics workstation, desktop PC, virtual machine, or executive machine with an environment variable.

[Timer]
Name       = Host tags
Comment    = Collect configured host tags
Interval   = 600000
UA metric  = HostTags

[UserHostTagging]
Tag name   = Machine role
Tag type   = Host
Tag source = Environment
Tag value  = %MACHINEROLE%

You can find more examples in our practice guide on the subject.
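
A pre-deployment check for the settings described above, added here as an example and not part of uberAgent or its documentation: it parses the stanzas (whose names may repeat), checks each [UserHostTagging] entry against the valid values listed on this page, and confirms that a timer runs the matching UserTags or HostTags metric. The function names, the sample, and the AD attribute pattern are assumptions; only the short hive names HKLM and HKCU are accepted.

```python
import re

# Constructed sample: HKU is not a supported hive and no timer runs HostTags.
SAMPLE = r"""
[Timer]
Interval   = 60000
UA metric  = UserTags
[UserHostTagging]
Tag name   = Image build
Tag type   = Host
Tag source = Registry
Tag value  = HKU\Software\vast limits\Build
"""

# Value format per tag source; the AD attribute pattern is an assumption.
VALUE_RULES = {"Registry": r"(?i)^(HKLM|HKCU)\\.+",
               "Environment": r"^%[^%]+%$",
               "Ad": r"^[A-Za-z][A-Za-z0-9-]*$"}

def parse_stanzas(text):
    """Return [(stanza, [(key, value)])]; stanza names and keys may repeat."""
    stanzas = []
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            stanzas.append((line[1:-1].split()[0], []))  # drop "platform=..."
        elif "=" in line and stanzas:
            key, value = line.split("=", 1)
            stanzas[-1][1].append((key.strip().lower(), value.strip()))
    return stanzas

def check_tags(text):
    stanzas = parse_stanzas(text)
    metrics = {v for n, kv in stanzas if n == "Timer" for k, v in kv if k == "ua metric"}
    problems, seen = [], set()
    for tag in (dict(kv) for n, kv in stanzas if n == "UserHostTagging"):
        name, ttype = tag.get("tag name", "<unnamed>"), tag.get("tag type", "")
        if name.lower() in seen:
            problems.append(f"{name}: duplicate tag name")
        seen.add(name.lower())
        if ttype not in ("Host", "User"):
            problems.append(f"{name}: tag type must be Host or User")
        elif ttype + "Tags" not in metrics:
            problems.append(f"{name}: no timer collects {ttype}Tags")
        rule = VALUE_RULES.get(tag.get("tag source", ""))
        if rule is None:
            problems.append(f"{name}: tag source must be Registry, Environment or Ad")
        elif not re.match(rule, tag.get("tag value", "")):
            problems.append(f"{name}: tag value does not fit source {tag['tag source']}")
    return problems
```

Calling `check_tags(SAMPLE)` returns two findings for the constructed tag: the missing HostTags timer and the unsupported hive.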

Usage in Splunk

The capability to filter for tags has been built into the dashboards since version 5.3. To filter for host tags, choose the Host tags filter field; to filter for user tags, choose the User tags filter field.

When using our user tag Department from above, a search for all users from human resources would look like this:

You can also search for users from two or more departments by listing them comma-separated.

Interested in all users where Department has a value (is not null)?

Note the asterisks around the tag’s name. This is needed by design when searching for the tag’s name only.
