The agent installer is available as an MSI package. The MSI can either be installed manually or unattended through existing software deployment tools or Splunk’s Deployment Server.

Manual Installation

1. Run the batch file uberAgent_endpoint\bin\manual-install.cmd.
2. On the screen Receiver Configuration, specify the name(s) of your Splunk indexer(s) and the port configured earlier (default: 19500).

Configuration

uberAgent can be configured very flexibly. By editing the configuration you can switch metrics on or off, change the data collection frequency and significantly reduce the data volume.

License File

If you have a license file for uberAgent, copy it to the installation directory (default: C:\Program Files\vast limits\uberAgent). Without a license file, uberAgent displays a splash screen during logon. Contact us for an evaluation license.

Installation Through a Software Deployment Tool

Install the appropriate MSI file from the directory uberAgent_endpoint\bin depending on the bitness of your machine: uberAgent-32.msi or uberAgent-64.msi.

MSI Parameters

Specify the following MSI parameters:

SERVERS

• Required: yes
• Description: list of target servers/URLs
• Valid values:
  • TCP input: comma-separated list of server:port, e.g., localhost:19500, splunksrv:12345
  • HEC input: comma-separated list of URLs starting with http or https, e.g., http://server1:8088, https://server2:8088

INSTALLDIR

• Required: no
• Description: installation directory
• Valid values: any local file system path

RECEIVER_PROTOCOL

• Required: no
• Description: how to send data to the backend
• Valid values:
  • TCP uses a direct TCP connection. This is the default.
  • HTTP sends to Splunk HTTP Event Collector via HTTP or HTTPS

REST_TOKEN

• Required: only when sending to Splunk HTTP Event Collector
• Description: application token required by the Splunk HTTP Event Collector
• Valid values: authentication token created in Splunk

Note: see our documentation on Configuring Splunk’s HTTP Event Collector.

PROGRAMDATA_CONFIGDIR_RESETPERMISSIONS

• Required: no
• Default: 1
• Description: Set secure permissions on uberAgent’s ProgramData directory (%ProgramData%\vast limits\uberAgent).
• Valid values:
  • 0: disabled
  • 1: enabled

PROGRAMDATA_CONFIGDIR_DELETEFILES

• Required: no
• Default: 1
• Description: Delete existing config files in uberAgent’s ProgramData directory (%ProgramData%\vast limits\uberAgent). Disable this setting only if you’re removing potentially malicious existing config files as part of your own deployment package logic.
• Valid values:
  • 0: disabled
  • 1: enabled

License File

If you have a license file for uberAgent, copy it to the installation directory (default: C:\Program Files\vast limits\uberAgent). Without a license file, uberAgent displays a splash screen during logon. Contact us for an evaluation license.

Installation Through Splunk Deployment Server

Note: Deployment Server can only be used with Splunk Enterprise and requires Splunk Universal Forwarder on the endpoint as deployment client.

uberAgent

Copy the directory uberAgent_endpoint from the unzipped uberAgent download package to $SPLUNK_HOME\etc\deployment-apps on your deployment server.

Edit $SPLUNK_HOME\etc\deployment-apps\uberAgent_endpoint\bin\silent-install.cmd, modifying the servers variable so that it contains a list of your Splunk servers. Example:

set servers=splunk1:19500,splunk2:19500

Note: $SPLUNK_HOME refers to the base directory of the Splunk installation, typically C:\Program Files\Splunk.

Configuration

To deploy a customized configuration file, copy it into the directory $SPLUNK_HOME\etc\deployment-apps\uberAgent_endpoint\bin. This overwrites the default configuration file from the installation package.

License File

If you have a license file for uberAgent, copy it into the directory $SPLUNK_HOME\etc\deployment-apps\uberAgent_endpoint\bin.

Serverclass

Create a file called serverclass.conf in $SPLUNK_HOME\etc\system\local on your deployment server. Serverclass.conf defines what to deploy where. For a quick start paste the following content into Serverclass.conf to deploy uberAgent to all Windows machines. You may want to fine-tune this to suit your needs.

# [global]
# We cannot match by machine type here. We'll do that on the app level below.
whitelist.0 = *

# Define a serverclass 
[serverClass:windows]
# Deploy only to Windows machines
machineTypesFilter = windows-*
 
# Define which apps to deploy to the serverclass
[serverClass:windows:app:uberAgent_endpoint]
stateOnClient = enabled
restartSplunkd = true

To make Splunk read the new file serverclass.conf, run the following command:

$SPLUNK_HOME\splunk.exe reload deploy-server

Imaging & Citrix PVS

If you intend to copy the agent installation via an imaging method or Citrix PVS, we recommend you remove instance-specific information. To do that, follow these steps right before capturing the image:

• Stop the service uberAgent (but leave the start type at automatic).
• Open an administrative command prompt.
• Run the command: reg delete "HKLM\SOFTWARE\vast limits\uberAgent" /f /reg:64.
• Optionally: delete existing log files.
• Optionally: delete existing Persistent Output Queue files/folders.
• Prepare the machine for cloning as necessary, but do not reboot.

If you have Splunk Universal Forwarder installed, please follow the steps listed here, too.