The agent installer is available as an MSI package. The MSI can either be installed manually or unattended through existing software deployment tools or Splunk’s Deployment Server.
Expected result after the installation of the MSI: the service uberAgent is installed and running.
Manual Installation
Run the batch file uberAgent_endpoint\bin\manual-install.cmd
On the screen Receiver Configuration specify the name(s) of your Splunk indexer(s) and the port configured earlier (default: 19500)
Configuration
uberAgent can be configured very flexibly. By editing the configuration you can switch metrics on or off, change the data collection frequency and significantly reduce the data volume.
License File
If you have a license file for uberAgent copy it to the installation directory (default: C:\Program Files\vast limits\uberAgent). Without a license file uberAgent displays a splash screen during logon. Contact us for an evaluation license.
Installation Through a Software Deployment Tool
Install the appropriate MSI file from the directory uberAgent_endpoint\bin depending on the bitness of your machine: uberAgent-32.msi or uberAgent-64.msi.
MSI Parameters
Specify the following MSI parameters:
SERVERS
Required: yes
Description: list of target servers/URLs
Valid values:
TCP input: comma-separated list of server:port, e.g.: localhost:19500, splunksrv:12345
HEC input: comma-separated list of URLs starting with http or https, e.g.: http://server1:8088, https://server2:8088
INSTALLDIR
Required: no
Description: installation directory
Valid values: any local file system path
RECEIVER_PROTOCOL
Required: no
Description: how to send data to the backend
Valid values:
TCP uses a direct TCP connection. This is the default.
HTTP sends to Splunk HTTP Event Collector via HTTP or HTTPS
REST_TOKEN
Required: only when sending to Splunk HTTP Event Collector
Description: application token required by the Splunk HTTP Event Collector
Valid values: authentication token created in Splunk
If you have a license file for uberAgent copy it to the installation directory (default: C:\Program Files\vast limits\uberAgent). Without a license file uberAgent displays a splash screen during logon. Contact us for an evaluation license.
Installation Through Splunk Deployment Server
Note: Deployment Server can only be used with Splunk Enterprise and requires Splunk Universal Forwarder on the endpoint as deployment client.
uberAgent
Copy the directory uberAgent_endpoint from the unzipped uberAgent download package to $SPLUNK_HOME\etc\deployment-apps on your deployment server.
Note: $SPLUNK_HOME refers to the base directory of the Splunk installation, typically C:\Program Files\Splunk.
Edit $SPLUNK_HOME\etc\deployment-apps\uberAgent_endpoint\bin\silent-install.cmd, modifying the servers variable so that it contains a list of your Splunk servers. Example:
set servers=splunk1:19500,splunk2:19500
Configuration
To deploy a customized configuration file copy it into the directory $SPLUNK_HOME\etc\deployment-apps\uberAgent_endpoint\bin. This overwrites the default configuration file from the installation package.
License File
If you have a license file for uberAgent copy it into the directory $SPLUNK_HOME\etc\deployment-apps\uberAgent_endpoint\bin.
Serverclass
Create a file called serverclass.conf in $SPLUNK_HOME\etc\system\local on your deployment server. Serverclass.conf defines what to deploy where. For a quick start paste the following content into Serverclass.conf to deploy uberAgent to all Windows machines. You may want to fine-tune this to suit your needs.
# [global]
# We cannot match by machine type here. We'll do that on the app level below.
whitelist.0 = *
# Define a serverclass
[serverClass:windows]
# Deploy only to Windows machines
machineTypesFilter = windows-*
# Define which apps to deploy to the serverclass
[serverClass:windows:app:uberAgent_endpoint]
stateOnClient = enabled
restartSplunkd = true
To make Splunk read the new file serverclass.conf run the following command:
$SPLUNK_HOME\splunk.exe reload deploy-server
Citrix Site Monitoring
If some or all of your endpoints are running the Citrix XenApp or XenDesktop VDA you should install uberAgent on the Citrix delivery controller(s), too. Please see this page for details.
If you decided to implement one of the alternative architectures you need to install Universal Forwarder on each endpoint.
Imaging / Citrix PVS
If you intend to copy the agent installation via an imaging method or Citrix PVS we recommend you remove instance-specific information. To do that follow these steps right before capturing the image:
Stop the service uberAgent (but leave the start type at automatic)
Open an administrative command prompt
Run the command: reg delete "HKLM\SOFTWARE\vast limits\uberAgent" /f /reg:64
Prepare the machine for cloning as necessary, but do not reboot
If you have Splunk Universal Forwarder installed, please follow the steps listed here, too.
Installing the Windows Endpoint Agent
In this article
The agent installer is available as an MSI package. The MSI can either be installed manually or unattended through existing software deployment tools or Splunk’s Deployment Server.
Expected result after the installation of the MSI: the service
uberAgentis installed and running.Manual Installation
uberAgent_endpoint\bin\manual-install.cmdConfiguration
uberAgent can be configured very flexibly. By editing the configuration you can switch metrics on or off, change the data collection frequency and significantly reduce the data volume.
License File
If you have a license file for uberAgent copy it to the installation directory (default:
C:\Program Files\vast limits\uberAgent). Without a license file uberAgent displays a splash screen during logon. Contact us for an evaluation license.Installation Through a Software Deployment Tool
Install the appropriate MSI file from the directory
uberAgent_endpoint\bindepending on the bitness of your machine:uberAgent-32.msioruberAgent-64.msi.MSI Parameters
Specify the following MSI parameters:
localhost:19500, splunksrv:12345http://server1:8088, https://server2:8088TCPuses a direct TCP connection. This is the default.HTTPsends to Splunk HTTP Event Collector via HTTP or HTTPSLicense File
If you have a license file for uberAgent copy it to the installation directory (default:
C:\Program Files\vast limits\uberAgent). Without a license file uberAgent displays a splash screen during logon. Contact us for an evaluation license.Installation Through Splunk Deployment Server
Note: Deployment Server can only be used with Splunk Enterprise and requires Splunk Universal Forwarder on the endpoint as deployment client.
uberAgent
Copy the directory
uberAgent_endpointfrom the unzipped uberAgent download package to$SPLUNK_HOME\etc\deployment-appson your deployment server.Note:
$SPLUNK_HOMErefers to the base directory of the Splunk installation, typicallyC:\Program Files\Splunk.Edit
$SPLUNK_HOME\etc\deployment-apps\uberAgent_endpoint\bin\silent-install.cmd, modifying theserversvariable so that it contains a list of your Splunk servers. Example:Configuration
To deploy a customized configuration file copy it into the directory
$SPLUNK_HOME\etc\deployment-apps\uberAgent_endpoint\bin. This overwrites the default configuration file from the installation package.License File
If you have a license file for uberAgent copy it into the directory
$SPLUNK_HOME\etc\deployment-apps\uberAgent_endpoint\bin.Serverclass
Create a file called
serverclass.confin$SPLUNK_HOME\etc\system\localon your deployment server.Serverclass.confdefines what to deploy where. For a quick start paste the following content intoServerclass.confto deploy uberAgent to all Windows machines. You may want to fine-tune this to suit your needs.To make Splunk read the new file
serverclass.confrun the following command:Citrix Site Monitoring
If some or all of your endpoints are running the Citrix XenApp or XenDesktop VDA you should install uberAgent on the Citrix delivery controller(s), too. Please see this page for details.
Alternative Architectures
Note: This is optional and not required for the recommended architecture.
If you decided to implement one of the alternative architectures you need to install Universal Forwarder on each endpoint.
Imaging / Citrix PVS
If you intend to copy the agent installation via an imaging method or Citrix PVS we recommend you remove instance-specific information. To do that follow these steps right before capturing the image:
uberAgent(but leave the start type atautomatic)reg delete "HKLM\SOFTWARE\vast limits\uberAgent" /f /reg:64If you have Splunk Universal Forwarder installed, please follow the steps listed here, too.