Documentation

 
Contents

Installing the Endpoint Agent

The agent installer is available as an MSI package. The MSI can either be installed manually or unattended through existing software deployment tools or Splunk’s Deployment Server.

Expected result after the installation of the MSI: the service uberAgent is installed and running.

Manual Installation

  • Run the batch file uberAgent_endpointbinmanual-install.cmd
  • On the screen Receiver Configuration specify the name(s) of your Splunk indexer(s) and the port configured earlier (default: 19500)

Configuration

uberAgent can be configured very flexibly. By editing the configuration you can switch metrics on or off, change the data collection frequency and significantly reduce the data volume.

License File

If you have a license file for uberAgent copy it to the installation directory (default: C:Program Filesvast limitsuberAgent). Without a license file uberAgent displays a splash screen during logon. Contact us for an evaluation license.

Installation Through a Software Deployment Tool

  • Install the appropriate MSI file from the directory uberAgent_endpointbin depending on the bitness of your machine: uberAgent-32.msi or uberAgent-64.msi
  • Specify the following MSI parameters:
    • SERVERS
      • Required: yes
      • Description: List of target servers/URLs
      • Valid values:
        • TCP input: comma-separated list of server:port, e.g.: localhost:19500, splunksrv:12345
        • HEC input: comma-separated list of URLs starting with http or https, e.g.: http://server1:8088, https://server2:8088
    • INSTALLDIR
      • Required: no
      • Description: Installation directory
      • Valid values: any local file system path
    • RECEIVER_PROTOCOL
      • Required: no
      • Description: How to send data to the backend
      • Valid values:
        • TCP uses a direct TCP connection. This is the default.
        • HTTP sends to Splunk HTTP Event Collector via HTTP or HTTPS
    • REST_TOKEN
      • Required: only when sending to Splunk HTTP Event Collector
      • Description: Application token required by the Splunk HTTP Event Collector
      • Valid values: authentication token created in Splunk
      • Documentation

Installation Through Splunk Deployment Server

Note: Deployment Server can only be used with Splunk Enterprise and requires Splunk Universal Forwarder on the endpoint as deployment client.

uberAgent

Copy the directory uberAgent_endpoint from the unzipped uberAgent download package to $SPLUNK_HOMEetcdeployment-apps on your deployment server.

Note: $SPLUNK_HOME refers to the base directory of the Splunk installation, typically C:Program FilesSplunk.

Edit $SPLUNK_HOMEetcdeployment-appsuberAgent_endpointbinsilent-install.cmd, modifying the servers variable so that it contains a list of your Splunk servers. Example:

set servers=splunk1:19500,splunk2:19500

Configuration

To deploy a customized configuration file copy it into the directory $SPLUNK_HOMEetcdeployment-appsuberAgent_endpointbin. This overwrites the default configuration file from the installation package.

License

If you have a license file for uberAgent copy it into the directory $SPLUNK_HOMEetcdeployment-appsuberAgent_endpointbin.

Serverclass

Create a file called serverclass.conf in $SPLUNK_HOMEetcsystemlocal on your deployment server. Serverclass.conf defines what to deploy where. For a quick start paste the following content into Serverclass.conf to deploy uberAgent to all Windows machines. You may want to fine-tune this to suit your needs.

# [global]
# We cannot match by machine type here. We'll do that on the app level below.
whitelist.0 = *

# Define a serverclass 
[serverClass:windows]
# Deploy only to Windows machines
machineTypesFilter = windows-*
 
# Define which apps to deploy to the serverclass
[serverClass:windows:app:uberAgent_endpoint]
stateOnClient = enabled
restartSplunkd = true

To make Splunk read the new file serverclass.conf run the following command:

$SPLUNK_HOMEsplunk.exe reload deploy-server

Citrix Site Monitoring

If some or all of your endpoints are running the Citrix XenApp or XenDesktop VDA you should install uberAgent on the Citrix delivery controller(s), too. Please see this page for details.

Alternative Architectures

Note: This is optional and not required for the recommended architecture.

If you decided to implement one of the alternative architectures you need to install Universal Forwarder on each endpoint.

Imaging / Citrix PVS

If you intend to copy the agent installation via an imaging method or Citrix PVS we recommend you remove instance-specific information. To do that follow these steps right before capturing the image:

  • Stop the service uberAgent (but leave the start type at automatic)
  • Open an administrative command prompt
  • Run the command: reg delete “HKLMSOFTWAREvast limitsuberAgent” /f /reg:64
  • Prepare the machine for cloning as necessary, but do not reboot

If you have Splunk Universal Forwarder installed, please follow the steps listed here, too.