Installing the Endpoint Agent
The agent installer is available as an MSI package. The MSI can either be installed manually or unattended through existing software deployment tools or Splunk’s Deployment Server.
Expected result after the installation of the MSI: the service uberAgent is installed and running.
- Run the batch file uberAgent_endpoint\bin\manual-install.cmd
- On the screen Receiver Configuration specify the name(s) of your Splunk indexer(s) and the port configured earlier (default: 19500)
If you have a license file for uberAgent copy it to the installation directory (default: C:\Program Files\vast limits\uberAgent). Without a license file uberAgent displays a splash screen during logon. Contact us for an evaluation license.
- Install the appropriate MSI file from the directory uberAgent_endpoint\bin depending on the bitness of your machine: uberAgent-32.msi or uberAgent-64.msi
- Specify the following MSI parameters:
- Required: yes
- Description: List of target servers/URLs
- Valid values:
- TCP input: comma-separated list of server:port, e.g.: localhost:19500, splunksrv:12345
- HEC input: comma-separated list of URLs starting with http or https, e.g.: http://server1:8088, https://server2:8088
- Required: no
- Description: Installation directory
- Valid values: any local file system path
- Required: no
- Description: How to send data to the backend
- Valid values:
- TCP uses a direct TCP connection. This is the default.
- HTTP sends to Splunk HTTP Event Collector via HTTP or HTTPS
- Required: only when sending to Splunk HTTP Event Collector
- Description: Application token required by the Splunk HTTP Event Collector
- Valid values: authentication token created in Splunk
Note: Deployment Server can only be used with Splunk Enterprise and requires Splunk Universal Forwarder on the endpoint as deployment client.
Copy the directory uberAgent_endpoint from the unzipped uberAgent download package to $SPLUNK_HOME\etc\deployment-apps on your deployment server.
Note: $SPLUNK_HOME refers to the base directory of the Splunk installation, typically C:\Program Files\Splunk.
Edit $SPLUNK_HOME\etc\deployment-apps\uberAgent_endpoint\bin\silent-install.cmd, modifying the servers variable so that it contains a list of your Splunk servers. Example:
To deploy a customized configuration file copy it into the directory $SPLUNK_HOME\etc\deployment-apps\uberAgent_endpoint\bin. This overwrites the default configuration file from the installation package.
If you have a license file for uberAgent copy it into the directory $SPLUNK_HOME\etc\deployment-apps\uberAgent_endpoint\bin.
Create a file called serverclass.conf in $SPLUNK_HOME\etc\system\local on your deployment server. Serverclass.conf defines what to deploy where. For a quick start paste the following content into Serverclass.conf to deploy uberAgent to all Windows machines. You may want to fine-tune this to suit your needs.
# [global] # We cannot match by machine type here. We'll do that on the app level below. whitelist.0 = * # Define a serverclass [serverClass:windows] # Deploy only to Windows machines machineTypesFilter = windows-* # Define which apps to deploy to the serverclass [serverClass:windows:app:uberAgent_endpoint] stateOnClient = enabled restartSplunkd = true
To make Splunk read the new file serverclass.conf run the following command:
$SPLUNK_HOME\splunk.exe reload deploy-server
If some or all of your endpoints are running the Citrix XenApp or XenDesktop VDA you should install uberAgent on the Citrix delivery controller(s), too. Please see this page for details.
Note: This is optional and not required for the recommended architecture.
If you decided to implement one of the alternative architectures you need to install Universal Forwarder on each endpoint.
If you intend to copy the agent installation via an imaging method or Citrix PVS we recommend you remove instance-specific information. To do that follow these steps right before capturing the image:
- Stop the service uberAgent (but leave the start type at automatic)
- Open an administrative command prompt
- Run the command: reg delete “HKLM\SOFTWARE\vast limits\uberAgent” /f /reg:64
- Prepare the machine for cloning as necessary, but do not reboot
If you have Splunk Universal Forwarder installed, please follow the steps listed here, too.