
Default Configuration

This page lists uberAgent’s default configuration that is in effect if the endpoint agent is installed without making any changes.

uberAgent can be configured via config file or Active Directory Group Policy (see configuration options).

uberAgent’s Default Config File

#
# This is the default configuration file for uberAgent
# Place it in the same directory as uberAgent.exe
#

############################################
# General configuration
#
# Configurable settings in this section:
#
#   Setting name: DebugMode
#   Description: When in debug mode, uberAgent's log file is more verbose, providing more detail on what is going on.
#   Valid values: true | false
#   Default: false
#   Required: no
#
#   Setting name: LogFileCount
#   Description: Number of log files to keep (current + historical). When exceeded, the oldest log file is deleted.
#   Valid values: any positive integer
#   Default: 5
#   Required: no
#
#   Setting name: EncryptUserNames
#   Description: If enabled, user and domain names are encrypted in the agent before being sent off to Splunk. This can be useful for compliance with privacy regulations.
#   Valid values: true | false
#   Default: false
#   Required: no
#
#   Setting name: LicenseFilePath
#   Description: Path where uberAgent looks for the license file(s). If this path is not specified, uberAgent looks for licenses in the installation directory.
#   Valid values: Any valid path (local or UNC). License files found there are cached locally in "%ProgramData%\vast limits\uberAgent\License cache".
#   Default: empty
#   Required: no
#
#   Setting name: RegisterIEAddOn
#   Description: De-/Register uberAgent's Internet Explorer add-on by the service.
#   Valid values: 0 = Do nothing, 1 = Register add-on, 2 = Deregister add-on
#   Default: 0
#   Required: no
#
############################################
[Miscellaneous]
# NOTE(review): the setting documentation above gives "Default: false" for DebugMode,
# but this shipped default file sets it to true, so a fresh install writes the more
# verbose log until this line is changed. Confirm which value is intended; verbose
# logs carry more operational detail than a production endpoint usually needs to keep.
DebugMode = true

############################################
# Data receivers
#
# uberAgent sends data to the receivers configured here.
# If multiple [Receiver] sections are specified, data will be sent to EACH receiver. This can be overridden per Timer by specifying a comma-separated list of receivers.
# To load-balance and fail over between servers, specify multiple comma-separated values for "Servers" in a SINGLE receiver section.
#
# Configurable settings in this section:
#
#   Setting name: Name
#   Description: Arbitrary name for the data receiver. Used only internally.
#   Valid values: any string
#   Default: empty
#   Required: no
#
#   Setting name: Type
#   Description: Receiver type.
#   Valid values: Splunk | Elasticsearch | OMSLogAnalytics
#   Default: Splunk
#   Required: yes
#
#   Setting name: Protocol
#   Description: How to send data to the backend.
#      TCP uses a direct TCP connection
#      HTTP sends to a REST endpoint via HTTP or HTTPS
#      "Console" prints the data on the screen
#      For type Splunk use TCP or HTTP, for type Elasticsearch use HTTP, for type OMSLogAnalytics use HTTP.
#   Valid values: TCP | HTTP | Console
#   Default: TCP
#   Required: no
#
#   Setting name: RESTToken
#   Description: Authentication token required by the Splunk HTTP Event Collector and by OMS Log Analytics.
#     For Type OMSLogAnalytics use the primary or the secondary key for the workspace.
#     For Type Elasticsearch, credentials in the format username:password can be used to authenticate to the Elasticsearch server.
#   Valid values: any string
#   Default: empty
#   Required: for Type Splunk with Protocol HTTP, and for Type OMSLogAnalytics (see Description); otherwise no
#
#   Setting name: ElasticIngestPipeline
#   Description: Name of the Elasticsearch ingest pipeline used to perform common data transformation and enrichments.
#   Valid values: any string
#   Default: empty
#   Required: no
#
#   Setting name: Servers
#   Description: List of target servers/URLs. Not required if Protocol is Console.
#   Valid values:
#      TCP: comma-separated list of server:port, e.g.: localhost:19500, splunksrv:12345
#      HTTP: comma-separated list of URLs starting with http or https.
#         Splunk example: http://server1:8088, https://server2:8088
#         OMS Log Analytics example: https://CUSTOMERID.ods.opinsights.azure.com
#   Default: empty
#   Required: yes, unless Protocol is Console
#
#   Setting name: Index
#   Description: Name of the backend index. Custom Splunk index names must be configured in macros.conf, too.
#   Valid values: any lowercase string
#   Default: uberagent
#   Required: no
#
#   Setting name: Host
#   Description: Name of the Splunk source host sending the event. Normally does not need to be changed.
#   Valid values: any string
#   Default: %computername%
#   Required: no
#
#   Setting name: Source
#   Description: Event source name. Normally does not need to be changed.
#   Valid values: any string
#   Default: uberAgent
#   Required: no
#
#   Setting name: MaxQueueSizeRamMb
#   Description: Maximum queue size in RAM in MB. If exceeded, events are discarded.
#   Valid values: any number
#   Default: 10
#   Required: no
#
############################################
[Receiver]
# Internal name only; a timer's "Receivers" list refers to it to route data to this receiver.
Name = Default
Type = Splunk
# TCP = direct connection to the server:port entries in Servers; RESTToken is not needed for it.
Protocol = TCP
Servers = localhost:19500
# Required only for Protocol HTTP (Splunk HTTP Event Collector) and for Type OMSLogAnalytics.
# A token placed here is stored in clear text, so the config file's read permissions are what
# protect it.
RESTToken =

############################################
# Metrics explanation
#
# Available metrics:
#
# a)  uberAgent timer metrics (output at regular intervals):
#
#     ProcessDetailTop5                   Performance & application data for each process, top 5 items are displayed per category. Should not be used in conjunction with ProcessDetailFull (redundancy).
#     ProcessDetailFull                   Performance & application data for each process, all processes are displayed. Generates a huge data volume! Should not be used in conjunction with ProcessDetailTop5 (redundancy).
#     ApplicationUsage                    Data for application usage calculations (how many users were running an app at any given time)
#     ApplicationInventory                Retrieves a list of all installed applications
#     SoftwareUpdateInventory             Retrieves a list of all installed updates and patches
#     MachineInventory                    Retrieves information about machines (OS, hardware model)
#     SessionCount                        Number of user sessions
#     SessionDetail                       Performance data for each session
#     SystemPerformanceSummary            Performance data for the entire system
#     BrowserPerformanceIE                Internet Explorer: browser performance per site
#     BrowserPerformanceChrome            Chrome: browser performance (tracking page loads and web requests requires the uberAgent browser extension)
#     GpuUsage                            GPU usage per machine and per process
#     NetworkTargetPerformanceProcess     Performance data per target IP address and port per process (see also [NetworkTargetPerformanceProcess_Filter])
#     SMBClientSharePerformance           Performance data per SMB share accessed by the machine's SMB client (requires Windows 8 / Server 2012 or newer)
#     NetworkConfigInformation            Retrieves information about network configuration
#
#     The following metrics are collected only if uberAgent is running on a Citrix XenApp/XenDesktop delivery controller:
#
#     CitrixDCDesktopGroup                Information on Citrix XenApp/XenDesktop delivery groups
#     CitrixDCCatalog                     Information on Citrix XenApp/XenDesktop machine catalogs
#     CitrixDCMachine                     Information on Citrix XenApp/XenDesktop machines (VDAs and DDCs)
#     CitrixDCHypervisor                  Information on Citrix XenApp/XenDesktop hypervisor connections
#     CitrixDCGeneralInformation          Information on Citrix XenApp/XenDesktop site properties like databases
#     CitrixDCLicenseInformation          Information on Citrix XenApp/XenDesktop license usage
#     CitrixDCApplication                 Information on Citrix XenApp/XenDesktop published applications
#     CitrixDCPublishedDesktops           Information on Citrix XenApp/XenDesktop published desktops
#
#
# b)  uberAgent on-demand metrics (output when it happens):
#
#     LogonDetail                         Several logon metrics like logon script processing time, group policy processing time, etc.
#     LogonProcesses                      Information about all processes run during user logon
#     BootDetail                          Boot performance data including applications/services/drivers that cause delays
#     ShutdownDetail                      Shutdown performance data including applications/services/drivers that cause delays
#     StandbyDetail                       Standby performance data including applications/services/drivers that cause delays
#     ProcessStartup                      Startup duration of processes
#     OutlookPerformanceEvents            Performance information for Microsoft Outlook
#     ApplicationErrors                   Information about application crashes and related errors
#     ApplicationUIDelay                  Application UI unresponsiveness
#
# c)  System performance counters (output at regular intervals)
#
#     Any Windows performance counter can be used. Example:
#        
#        Perf counter = \System\System Up Time
#
############################################

############################################
# Timers
#
# uberAgent works with one or more timers.
# Each timer wakes up periodically. When it does, it computes the values of a configurable set of metrics and sends the results off for storage.
# Additionally there are on-demand metrics that log data when an event occurs, e.g. a user logon.
#
# Configurable settings per timer:
#
#   Setting name: Name
#   Description: Arbitrary name for the timer. Used only internally.
#   Valid values: any string
#   Default: empty
#   Required: yes
#
#   Setting name: Comment
#   Description: Arbitrary comment for the timer. Not used by uberAgent.
#   Valid values: any string
#   Default: empty
#   Required: no
#
#   Setting name: Interval
#   Description: How long to wait before collecting data again. Unit: milliseconds.
#   Valid values: any number
#   Default: [none]
#   Required: yes
#
#   Setting name: UA metric
#   Description: Name of any uberAgent timer metric to be collected through this timer. May be specified more than once per timer.
#   Valid values: any uberAgent timer metric
#   Default: empty
#   Required: no
#
#   Setting name: Perf counter
#   Description: Name of any Windows performance counter to be collected through this timer. May be specified more than once per timer.
#   Valid values: any performance counter name
#   Default: empty
#   Required: no
#
#   Setting name: Start delay
#   Description: If a start delay is configured, uberAgent waits for the given time in ms before running the timer's metrics for the first time. If no start delay is configured, uberAgent waits for the time configured with the Interval parameter.
#   Valid values: any number
#   Default: 0
#   Required: no
#
#   Setting name: Persist interval
#   Description: If this is enabled, uberAgent stores the timer's last runtime so that it does not run it more often than specified with the Interval parameter even when restarted.
#   Valid values: true | false
#   Default: false
#   Required: no
#
#   Setting name: Thread priority
#   Description: Relative priority for the timer's thread.
#   Valid values: background | normal
#   Default: normal
#   Required: no
#
#   Setting name: Receivers
#   Description: List of receivers to send this timer's data to. Overrides the default (send to all receivers).
#   Valid values: Comma-separated list of receiver names configured in [Receiver] sections, e.g.: SplunkPool1, SplunkPool2
#   Default: all receivers
#   Required: no
#
#   Setting name: Script
#   Description: Run a script once or periodically, depending on the configured Interval (0 = run only once). The script's output to stdout is sent to Splunk, each line as a new event. Can be specified more than once per timer.
#   Valid values: Any valid command line, optionally including command line parameters.
#   Default: empty
#   Required: no
#
#   Setting name: ScriptContext
#   Description: The user context to run a script in. Scripts inherit the privileges of this context (the default runs as SYSTEM in session 0), so write access to this file and to the script files should be restricted accordingly.
#   Valid values: Session0AsSystem | UserSessionAsSystem | UserSessionAsUser
#   Default: Session0AsSystem
#   Required: no
#
############################################

############################################
# On-demand metrics
############################################
[OnDemand]
# On-demand metrics are emitted when the corresponding event occurs (logon, boot,
# shutdown, crash, ...) rather than on a timer; see "b) uberAgent on-demand metrics"
# above for what each one reports.
UA metric      = LogonDetail
UA metric      = LogonProcesses
UA metric      = BootDetail
UA metric      = ShutdownDetail
UA metric      = StandbyDetail
UA metric      = ProcessStartup
UA metric      = OutlookPerformanceEvents
UA metric      = ApplicationErrors
UA metric      = ApplicationUIDelay

############################################
# Timer 1
############################################
[Timer]
Name           = Default timer
Comment        = Metrics are placed here unless there is a reason to have them run at different frequencies or to isolate them
# 30000 ms = 30 s
Interval       = 30000
# ProcessDetailFull reports every process and generates a large data volume; it should not
# be combined with ProcessDetailTop5 (see metrics explanation). Which processes are included
# is controlled by [ProcessDetailFull_Filter] further down.
UA metric      = ProcessDetailFull
UA metric      = ApplicationUsage
UA metric      = SessionCount
UA metric      = SessionDetail
UA metric      = SystemPerformanceSummary
# Requires Windows 8 / Server 2012 or newer (see metrics explanation).
UA metric      = SMBClientSharePerformance

############################################
# Timer 2
############################################
[Timer]
Name           = Network configuration information
Comment        = Collects network configuration information
# 300000 ms = 5 min
Interval       = 300000
UA metric      = NetworkConfigInformation

############################################
# Timer 3
############################################
[Timer]
Name           = GPU usage
Comment        = Isolate GPU metrics from the other metrics
# 30000 ms = 30 s
Interval       = 30000
# GPU usage per machine and per process (see metrics explanation).
UA metric      = GpuUsage

############################################
# Timer 4
############################################
[Timer]
Name           = Browser performance
Comment        = Isolate browser metrics from the other metrics
# 30000 ms = 30 s
Interval       = 30000
UA metric      = BrowserPerformanceIE
# Page load / web request tracking for Chrome requires the uberAgent browser extension
# (see metrics explanation); URLs can be filtered via [BrowserWebAppURL_Filter] below.
UA metric      = BrowserPerformanceChrome

############################################
# Timer 5
############################################
[Timer]
Name           = Network performance
Comment        = Isolate in its own thread because DNS lookups are performed
# 30000 ms = 30 s
Interval       = 30000
# Per-target-IP/port data per process; process selection and grouping are configured in
# [NetworkTargetPerformanceProcess_Filter] and [NetworkTargetPerformanceProcess_Config] below.
UA metric      = NetworkTargetPerformanceProcess

############################################
# Timer 6
############################################
[Timer]
Name              = Inventory
Comment           = Perform an inventory at a very low frequency
# 86400000 ms = 24 h
Interval          = 86400000
# 600000 ms = 10 min after service start, instead of waiting a full Interval for the first run.
Start delay       = 600000
# Last runtime is stored so a service restart does not trigger another inventory within the
# 24 h interval (see "Persist interval" above).
Persist interval  = true
Thread priority   = background
UA metric         = ApplicationInventory
UA metric         = SoftwareUpdateInventory
UA metric         = MachineInventory

############################################
# Timer 7
############################################
[Timer]
Name              = Citrix site - default
Comment           = Collect Citrix XenApp/XenDesktop site information (active on delivery controllers only, inactive anywhere else)
# 300000 ms = 5 min
Interval          = 300000
# 240000 ms = 4 min
Start delay       = 240000
# CitrixDCMachine and CitrixDCLicenseInformation are deliberately collected by separate
# timers (Timer 8 and Timer 9) with their own intervals.
UA metric         = CitrixDCDesktopGroup
UA metric         = CitrixDCCatalog
UA metric         = CitrixDCHypervisor
UA metric         = CitrixDCGeneralInformation
UA metric         = CitrixDCApplication
UA metric         = CitrixDCPublishedDesktops

############################################
# Timer 8
############################################
[Timer]
Name              = Citrix site - machines
Comment           = Collect Citrix XenApp/XenDesktop site information (active on delivery controllers only, inactive anywhere else)
# 300000 ms = 5 min
Interval          = 300000
# 260000 ms = 4 min 20 s; offset from Timer 7 so the two Citrix site queries do not start together.
Start delay       = 260000
UA metric         = CitrixDCMachine

############################################
# Timer 9
############################################
[Timer]
Name              = Citrix site - licenses
Comment           = Collect Citrix XenApp/XenDesktop site information (active on delivery controllers only, inactive anywhere else)
# 60000 ms = 1 min
Interval          = 60000
# 180000 ms = 3 min
Start delay       = 180000
UA metric         = CitrixDCLicenseInformation

############################################
# Executable to application name mappings (for overriding uberAgent's automatic application identification)
# Environment variables can be used (enclosed in percent signs: %ProgramFiles%). They are expanded first, regex matching happens second.
# Paths are specified as regular expressions. Backslashes must be escaped by prepending a second backslash. Matching is case-insensitive.
# Specifying only the file name without the full path works but is not recommended.
#
# Format: PATH_REGEX = Application name
#
# Examples:
#
#    ^C:\\DIR\\my\.exe$ = MyApp                                           # App name for C:\Dir\my.exe is "MyApp"
#    ^%ProgramFiles%\\Windows Defender\\.+\.exe$ = Windows Defender       # App name for all executables in "C:\Program Files\Windows Defender" is "Windows Defender"
#
############################################
[ProcessToApplicationMapping]

# Windows Defender
# First pattern: executables below %ProgramData%\Microsoft\Windows Defender\Platform\ with at
# least one further directory level (the ".+\\" segment; presumably a versioned subfolder).
# Second pattern: executables directly below %ProgramFiles%\Windows Defender\.
^%ProgramData%\\Microsoft\\Windows Defender\\Platform\\.+\\.+\.exe$ = Windows Defender
^%ProgramFiles%\\Windows Defender\\.+\.exe$ = Windows Defender

############################################
# Processes to ignore in application lookup
# Environment variables can be used (enclosed in percent signs: %ProgramFiles%). They are expanded first, regex matching happens second.
# Paths are specified as regular expressions. Backslashes must be escaped by prepending a second backslash. Matching is case-insensitive.
# Specifying only the file name without the full path works but is not recommended.
#
# Format: PATH_REGEX = uberAgent_ignore
#
############################################
[ApplicationMappingIgnoredProcesses]

############################################
# Process startup duration load image wait interval
#
# When uberAgent determines process startup duration, it looks for the beginning of a 30 second time interval without image (DLL) load events.
# The default wait duration of 30 seconds can be adjusted either globally or for individual processes here (individual has precedence over global).
# 
# Additionally, if there are IO operations during the DLL loading phase, uberAgent calculates the average IOPS during that phase and waits until
# IOPS drop to less than 20% for at least 10 seconds after the end of the DLL loading phase. The value of 10 seconds can be adjusted here, too.
#
# Configurable settings:
#
#   Setting name: DllLoadWaitDurationGlobal
#   Description: Globally set the DLL loading phase wait duration for all processes in ms.
#   Valid values: any number
#   Default: 30000
#   Required: no
#
#   Setting name: IopsDropoffDurationGlobal
#   Description: Globally set the IOPS dropoff phase duration for all processes in ms.
#   Valid values: any number
#   Default: 10000
#   Required: no
#
#   Setting name: the process executable name, e.g. AcroRd32.exe
#   Description: Set the DLL loading phase wait duration for a specific process in ms. May be specified more than once.
#   Valid values: any number
#   Default: 30000
#   Required: no
#
############################################
[ProcessStartupDurationWaitIntervalOverride]

# Adobe Reader: wait 15000 ms (15 s) for the DLL loading phase instead of the global
# default of 30000 ms; per-process values take precedence over DllLoadWaitDurationGlobal.
AcroRd32.exe = 15000

############################################
# Optional settings for Process startup metrics
#
#   Setting name: EnableExtendedInfo
#   Description: Send detailed information about each started process to the backend, e.g. path, command line, process ID, parent ID. This also enables population of the ProcGUID field in other sourcetypes, which can be used for detailed process instance tracking. Note that command lines can contain credentials or other sensitive parameters; take this into account when enabling.
#   Valid values: true | false
#   Default: false
#   Required: no
#
############################################
[ProcessStartupSettings]

############################################
# Optional filter for browser web app metrics (sourcetype uberAgent:Application:BrowserWebRequests2) and the SessionFgBrowserActiveTabHost field of sourcetype uberAgent:Session:SessionDetail
#
# URLs can be whitelisted or blacklisted. Whitelisting overrides blacklisting.
# URLs are specified as regular expressions. Format: origin and path (without query segment), e.g.: "https://uberagent.com/download/".
# Port numbers are stripped from the URL if they match the default port number.
# Matching is case-sensitive.
#
# Format: URL_REGEX = uberAgent_blacklist | uberAgent_whitelist
#
# Examples:
#
#    .*\.com/.*$ = uberAgent_whitelist                            # Whitelist all .com domains
#    ^https?://.*\.?vastlimits\.com/.*$ = uberAgent_blacklist     # Blacklist vastlimits.com and subdomains over http or https
#
############################################
[BrowserWebAppURL_Filter]

############################################
# Optional filter for the metric ProcessDetailFull
#
# Processes can be whitelisted or blacklisted. Whitelisting overrides blacklisting.
# Process names are specified as regular expressions. Matching is case-insensitive.
#
# Format: PROCESS_NAME_REGEX = uberAgent_blacklist | uberAgent_whitelist
#
# Examples:
#
#    ^process\.exe$ = uberAgent_blacklist          # Process name is exactly "process.exe"
#    ^c.*\.exe$ = uberAgent_whitelist              # Any .EXE whose name starts with "c"
#
############################################
[ProcessDetailFull_Filter]

# This filter applies to the ProcessDetailFull metric only (see section header); it does not
# affect ProcessStartup or the other on-demand metrics.
# cmd.exe is excluded here alongside core session/logon processes; remove that line if
# ProcessDetailFull data for shell activity is wanted on the endpoint.
^cmd\.exe$ = uberAgent_blacklist
^conhost\.exe$ = uberAgent_blacklist
^csrss\.exe$ = uberAgent_blacklist
^lsm\.exe$ = uberAgent_blacklist
^smss\.exe$ = uberAgent_blacklist
^wininit\.exe$ = uberAgent_blacklist
^winlogon\.exe$ = uberAgent_blacklist

############################################
# Optionally add the command line to the ProcessDetail* metrics
# This can significantly increase the data volume, and command lines may contain sensitive parameters (e.g. credentials), so use with caution.
#
# Processes can be whitelisted or blacklisted. Whitelisting overrides blacklisting.
# Process names are specified as regular expressions. Matching is case-insensitive.
# Default: disabled for all processes
#
# Format: PROCESS_NAME_REGEX = uberAgent_blacklist | uberAgent_whitelist
#
# Examples:
#
#    ^process\.exe$ = uberAgent_blacklist          # Process name is exactly "process.exe"
#    ^c.*\.exe$ = uberAgent_whitelist              # Any .EXE whose name starts with "c"
#
############################################
[ProcessDetail_SendCommandline]

############################################
# Optional filter for the metric NetworkTargetPerformanceProcess
#
# Processes can be whitelisted or blacklisted. Whitelisting overrides blacklisting.
# Process names are specified as regular expressions. Matching is case-insensitive.
#
# Format: PROCESS_NAME_REGEX = uberAgent_blacklist | uberAgent_whitelist
#
# Examples:
#
#    ^process\.exe$ = uberAgent_blacklist          # Process name is exactly "process.exe"
#    ^c.*\.exe$ = uberAgent_whitelist              # Any .EXE whose name starts with "c"
#
############################################
[NetworkTargetPerformanceProcess_Filter]

############################################
# Optional configuration for the metric NetworkTargetPerformanceProcess
#
# Configurable settings:
#
#   Setting name: Key
#   Description: What to group by: process name or ID
#   Valid values: name | id
#   Default: name
#   Required: no
#
#   Setting name: IgnoreLowActivity
#   Description: Whether to ignore processes with very low activity during a collection interval
#   Valid values: true | false
#   Default: true
#   Required: no
#
############################################
[NetworkTargetPerformanceProcess_Config]