Skip to main content

Documentation

Version

  1. uberAgent
  2. 7.0.2
  3. Installation
  4. Installing uberAgent
  5. Installing the Windows Endpoint Agent
Previous document Next document

Installing the Windows Endpoint Agent

In this article

The agent installer is available as an MSI package. The MSI can either be installed manually or unattended through existing software deployment tools or Splunk’s Deployment Server.

Securing the Configuration Directory

To preserve configurations across upgrades, uberAgent can be configured via a %ProgramData% directory (details). It is important to secure this directory, or standard users might be able to elevate their privileges to SYSTEM and/or abuse uberAgent.

Starting with version 7.0.2, uberAgent’s installer secures the agent’s %ProgramData% directories automatically. Two new MSI parameters provide control over the process: PROGRAMDATA_CONFIGDIR_RESETPERMISSIONS and PROGRAMDATA_CONFIGDIR_DELETEFILES (see below).

We recommend disabling those MSI parameters only if you’re managing the security of %ProgramData%\vast limits and its subdirectories via other means. We recommend the following permissions:

  • Administrators: full control
  • SYSTEM: full control

Optionally provide read access to standard users on scripts that are to be executed in user context:

  • Users: read

Manual Installation

  1. Run the batch file uberAgent_endpoint\bin\manual-install.cmd.
  2. On the screen Receiver Configuration, specify the name(s) of your Splunk indexer(s) and the port configured earlier (default: 19500).

Configuration

uberAgent can be configured very flexibly. By editing the configuration you can switch metrics on or off, change the data collection frequency and significantly reduce the data volume.

License File

If you have a license file for uberAgent, copy it to the installation directory (default: C:\Program Files\vast limits\uberAgent). Without a license file, uberAgent displays a splash screen during logon. Contact us for an evaluation license.

Installation Through a Software Deployment Tool

Install the appropriate MSI file from the directory uberAgent_endpoint\bin depending on the bitness of your machine: uberAgent-32.msi or uberAgent-64.msi.

MSI Parameters

Specify the following MSI parameters:

SERVERS

  • Required: yes
  • Description: list of target servers/URLs
  • Valid values:
    • TCP input: comma-separated list of server:port, e.g., localhost:19500, splunksrv:12345
    • HEC input: comma-separated list of URLs starting with http or https, e.g., http://server1:8088, https://server2:8088

INSTALLDIR

  • Required: no
  • Description: installation directory
  • Valid values: any local file system path

RECEIVER_PROTOCOL

  • Required: no
  • Description: how to send data to the backend
  • Valid values:
    • TCP uses a direct TCP connection. This is the default.
    • HTTP sends to Splunk HTTP Event Collector via HTTP or HTTPS

REST_TOKEN

  • Required: only when sending to Splunk HTTP Event Collector
  • Description: application token required by the Splunk HTTP Event Collector
  • Valid values: authentication token created in Splunk

Note: see our documentation on Configuring Splunk’s HTTP Event Collector.

PROGRAMDATA_CONFIGDIR_RESETPERMISSIONS

  • Required: no
  • Default: 1
  • Description: Set secure permissions on uberAgent’s ProgramData directory (%ProgramData%\vast limits\uberAgent).
  • Valid values:
    • 0: disabled
    • 1: enabled

PROGRAMDATA_CONFIGDIR_DELETEFILES

  • Required: no
  • Default: 1
  • Description: Delete existing config files in uberAgent’s ProgramData directory (%ProgramData%\vast limits\uberAgent). Disable this setting only if you’re removing potentially malicious existing config files as part of your own deployment package logic.
  • Valid values:
    • 0: disabled
    • 1: enabled

License File

If you have a license file for uberAgent, copy it to the installation directory (default: C:\Program Files\vast limits\uberAgent). Without a license file, uberAgent displays a splash screen during logon. Contact us for an evaluation license.

Installation Through Splunk Deployment Server

Note: Deployment Server can only be used with Splunk Enterprise and requires Splunk Universal Forwarder on the endpoint as deployment client.

uberAgent

Copy the directory uberAgent_endpoint from the unzipped uberAgent download package to $SPLUNK_HOME\etc\deployment-apps on your deployment server.

Edit $SPLUNK_HOME\etc\deployment-apps\uberAgent_endpoint\bin\silent-install.cmd, modifying the servers variable so that it contains a list of your Splunk servers. Example:

set servers=splunk1:19500,splunk2:19500

Note: $SPLUNK_HOME refers to the base directory of the Splunk installation, typically C:\Program Files\Splunk.

Configuration

To deploy a customized configuration file, copy it into the directory $SPLUNK_HOME\etc\deployment-apps\uberAgent_endpoint\bin. This overwrites the default configuration file from the installation package.

License File

If you have a license file for uberAgent, copy it into the directory $SPLUNK_HOME\etc\deployment-apps\uberAgent_endpoint\bin.

Serverclass

Create a file called serverclass.conf in $SPLUNK_HOME\etc\system\local on your deployment server. Serverclass.conf defines what to deploy where. For a quick start paste the following content into Serverclass.conf to deploy uberAgent to all Windows machines. You may want to fine-tune this to suit your needs.

# [global]
# We cannot match by machine type here. We'll do that on the app level below.
whitelist.0 = *

# Define a serverclass 
[serverClass:windows]
# Deploy only to Windows machines
machineTypesFilter = windows-*
 
# Define which apps to deploy to the serverclass
[serverClass:windows:app:uberAgent_endpoint]
stateOnClient = enabled
restartSplunkd = true

To make Splunk read the new file serverclass.conf, run the following command:

$SPLUNK_HOME\splunk.exe reload deploy-server

Citrix Site Monitoring

If some or all of your endpoints are running the Citrix Virtual Apps and Desktops (CVAD) VDA, you should install uberAgent on the Citrix delivery controller(s), too. Please see this page for details.

Endpoint to Backend Communication Via Splunk Universal Forwarder

Note: This is optional and not required for the recommended architecture.

If you decided to implement the alternative endpoint to backend communication path via Splunk Universal Forwarder, you need to install Universal Forwarder on each endpoint.

Imaging & Citrix PVS

If you intend to copy the agent installation via an imaging method or Citrix PVS, we recommend you remove instance-specific information. To do that, follow these steps right before capturing the image:

  • Stop the service uberAgent (but leave the start type at automatic).
  • Open an administrative command prompt.
  • Run the command: reg delete "HKLM\SOFTWARE\vast limits\uberAgent" /f /reg:64.
  • Prepare the machine for cloning as necessary, but do not reboot.

If you have Splunk Universal Forwarder installed, please follow the steps listed here, too.

Comments

Your email address will not be published. Required fields are marked *