Installing the Windows Endpoint Agent
The agent installer is available as an MSI package. The MSI can either be installed manually or unattended through existing software deployment tools or Splunk’s Deployment Server.
Securing the Configuration Directory
To preserve configurations across upgrades, uberAgent can be configured via a %ProgramData%
directory (details). It is important to secure this directory, or standard users might be able to elevate their privileges to SYSTEM and/or abuse uberAgent.
Starting with version 7.0.2, uberAgent’s installer secures the agent’s %ProgramData%
directories automatically. Two new MSI parameters provide control over the process: PROGRAMDATA_CONFIGDIR_RESETPERMISSIONS
and PROGRAMDATA_CONFIGDIR_DELETEFILES
(see below).
We recommend disabling those MSI parameters only if you’re managing the security of %ProgramData%\vast limits
and its subdirectories via other means. We recommend the following permissions:
- Administrators: full control
- SYSTEM: full control
Optionally provide read access to standard users on scripts that are to be executed in user context:
- Users: read
Manual Installation
- Run the batch file
uberAgent_endpoint\bin\manual-install.cmd
. - On the screen Receiver Configuration, specify the name(s) of your Splunk indexer(s) and the port configured earlier (default: 19500).
Configuration
uberAgent can be configured very flexibly. By editing the configuration you can switch metrics on or off, change the data collection frequency and significantly reduce the data volume.
License File
If you have a license file for uberAgent, copy it to the installation directory (default: C:\Program Files\vast limits\uberAgent
). Without a license file, uberAgent displays a splash screen during logon. Contact us for an evaluation license.
Installation Through a Software Deployment Tool
Install the appropriate MSI file from the directory uberAgent_endpoint\bin
depending on the bitness of your machine: uberAgent-32.msi
or uberAgent-64.msi
.
MSI Parameters
Specify the following MSI parameters:
SERVERS
- Required: yes
- Description: list of target servers/URLs
- Valid values:
- TCP input: comma-separated list of
server:port
, e.g.,localhost:19500, splunksrv:12345
- HEC input: comma-separated list of URLs starting with
http
orhttps
, e.g.,http://server1:8088, https://server2:8088
- TCP input: comma-separated list of
INSTALLDIR
- Required: no
- Description: installation directory
- Valid values: any local file system path
RECEIVER_PROTOCOL
- Required: no
- Description: how to send data to the backend
- Valid values:
TCP
uses a direct TCP connection. This is the default.HTTP
sends to Splunk HTTP Event Collector via HTTP or HTTPS
REST_TOKEN
- Required: only when sending to Splunk HTTP Event Collector
- Description: application token required by the Splunk HTTP Event Collector
- Valid values: authentication token created in Splunk
Note: see our documentation on Configuring Splunk’s HTTP Event Collector.
PROGRAMDATA_CONFIGDIR_RESETPERMISSIONS
- Required: no
- Default:
1
- Description: Set secure permissions on uberAgent’s ProgramData directory (
%ProgramData%\vast limits\uberAgent
). - Valid values:
0
: disabled1
: enabled
PROGRAMDATA_CONFIGDIR_DELETEFILES
- Required: no
- Default:
1
- Description: Delete existing config files in uberAgent’s ProgramData directory (
%ProgramData%\vast limits\uberAgent
). Disable this setting only if you’re removing potentially malicious existing config files as part of your own deployment package logic. - Valid values:
0
: disabled1
: enabled
License File
If you have a license file for uberAgent, copy it to the installation directory (default: C:\Program Files\vast limits\uberAgent
). Without a license file, uberAgent displays a splash screen during logon. Contact us for an evaluation license.
Installation Through Splunk Deployment Server
Note: Deployment Server can only be used with Splunk Enterprise and requires Splunk Universal Forwarder on the endpoint as deployment client.
uberAgent
Copy the directory uberAgent_endpoint
from the unzipped uberAgent download package to $SPLUNK_HOME\etc\deployment-apps
on your deployment server.
Edit $SPLUNK_HOME\etc\deployment-apps\uberAgent_endpoint\bin\silent-install.cmd
, modifying the servers
variable so that it contains a list of your Splunk servers. Example:
set servers=splunk1:19500,splunk2:19500
Note: $SPLUNK_HOME
refers to the base directory of the Splunk installation, typically C:\Program Files\Splunk
.
Configuration
To deploy a customized configuration file, copy it into the directory $SPLUNK_HOME\etc\deployment-apps\uberAgent_endpoint\bin
. This overwrites the default configuration file from the installation package.
License File
If you have a license file for uberAgent, copy it into the directory $SPLUNK_HOME\etc\deployment-apps\uberAgent_endpoint\bin
.
Serverclass
Create a file called serverclass.conf
in $SPLUNK_HOME\etc\system\local
on your deployment server. Serverclass.conf
defines what to deploy where. For a quick start paste the following content into Serverclass.conf
to deploy uberAgent to all Windows machines. You may want to fine-tune this to suit your needs.
# [global]
# We cannot match by machine type here. We'll do that on the app level below.
whitelist.0 = *
# Define a serverclass
[serverClass:windows]
# Deploy only to Windows machines
machineTypesFilter = windows-*
# Define which apps to deploy to the serverclass
[serverClass:windows:app:uberAgent_endpoint]
stateOnClient = enabled
restartSplunkd = true
To make Splunk read the new file serverclass.conf
, run the following command:
$SPLUNK_HOME\splunk.exe reload deploy-server
Citrix Site Monitoring
If some or all of your endpoints are running the Citrix Virtual Apps and Desktops (CVAD) VDA, you should install uberAgent on the Citrix delivery controller(s), too. Please see this page for details.
Endpoint to Backend Communication Via Splunk Universal Forwarder
Note: This is optional and not required for the recommended architecture.
If you decided to implement the alternative endpoint to backend communication path via Splunk Universal Forwarder, you need to install Universal Forwarder on each endpoint.
Imaging & Citrix PVS
If you intend to copy the agent installation via an imaging method or Citrix PVS, we recommend you remove instance-specific information. To do that, follow these steps right before capturing the image:
- Stop the service
uberAgent
(but leave the start type atautomatic
). - Open an administrative command prompt.
- Run the command:
reg delete "HKLM\SOFTWARE\vast limits\uberAgent" /f /reg:64
. - Prepare the machine for cloning as necessary, but do not reboot.
If you have Splunk Universal Forwarder installed, please follow the steps listed here, too.