Configuration

uberAgent is a flexible product that can be customized easily. Whether you want to change the metrics that are collected or modify the frequency at which data is logged, you can do so by editing the configuration.

Configuration Options

uberAgent can be configured by means of a configuration file or via Group Policy. If you simply install the agent, you get a default configuration file. Optionally, that configuration file can be overridden via Group Policy. An alternative configuration optimized for data volume is available, too.

Group Policy

If you prefer to configure uberAgent via Group Policy, please follow these steps:

  • Copy the Group Policy ADML/ADMX templates included in the uberAgent download package to your PolicyDefinitions directory
  • Create a new GPO that applies to the computers uberAgent is installed on
  • Import the default configuration from the directory uberAgent components\Group Policy\GPO backup of the download package, choosing either the default configuration or the version optimized for data volume.
  • Adjust the imported default configuration as required
  • The local configuration file on the endpoints is ignored and policy settings are used exclusively

The necessary steps are described in detail in this knowledge base article.

Configuration File uberAgent.conf

Location

The configuration file uberAgent.conf is located in the installation directory, typically C:\Program Files\vast limits\uberAgent.

To switch to the configuration optimized for data volume, back up uberAgent.conf and rename uberAgent-data-volume-optimized.conf to uberAgent.conf. Apply the changes by restarting the uberAgent service.

Content

The easiest way to understand the configuration file is to look at the default that comes with uberAgent:

#
# This is the default configuration file for uberAgent
# Place it in the same directory as uberAgent.exe
#

############################################
# General configuration
#
# Configurable settings in this section:
#
#   Setting name: DebugMode
#   Description: When in debug mode, uberAgent's log file is more verbose, providing more detail on what is going on.
#   Valid values: true | false
#   Default: false
#   Required: no
#
#   Setting name: LogFileCount
#   Description: Number of log files to keep (current + historical). When exceeded, the oldest log file is deleted.
#   Valid values: any positive integer
#   Default: 5
#   Required: no
#
#   Setting name: EncryptUserNames
#   Description: If enabled, user and domain names are encrypted in the agent before being sent off to Splunk. This can be useful for compliance with privacy regulations.
#   Valid values: true | false
#   Default: false
#   Required: no
#
############################################
[Miscellaneous]
DebugMode = true

############################################
# Data receivers
#
# uberAgent sends data to the receivers configured here.
# If multiple [Receiver] sections are specified, data will be sent to EACH receiver. This can be overridden per Timer by specifying a comma-separated list of receivers.
# To load-balance and fail over between servers specify multiple comma-separated values for "Servers" in a SINGLE receiver section
#
# Configurable settings in this section:
#
#   Setting name: Name
#   Description: Arbitrary name for the data receiver. Used only internally.
#   Valid values: any string
#   Default: empty
#   Required: no
#
#   Setting name: Type
#   Description: Receiver type.
#   Valid values: Splunk | Elasticsearch | OMSLogAnalytics
#   Default: Splunk
#   Required: yes
#
#   Setting name: Protocol
#   Description: How to send data to the backend.
#      TCP uses a direct TCP connection
#      HTTP sends to a REST endpoint via HTTP or HTTPS
#      "Console" prints the data on the screen
#      For type Splunk use TCP or HTTP, for type Elasticsearch use HTTP, for type OMSLogAnalytics use HTTP.
#   Valid values: TCP | HTTP | Console
#   Default: TCP
#   Required: no
#
#   Setting name: RESTToken
#   Description: Authentication token required by the Splunk HTTP Event Collector and by OMS Log Analytics.
#     For Type OMSLogAnalytics use the primary or the secondary key for the workspace.
#   Valid values: any string
#   Default: empty
#   Required: only for Type Splunk and Protocol HTTP
#
#   Setting name: Servers
#   Description: List of target servers/URLs. Not required if Protocol is Console.
#   Valid values:
#      TCP: comma-separated list of server:port, e.g.: localhost:19500, splunksrv:12345
#      HTTP: comma-separated list of URLs starting with http or https.
#         Splunk example: http://server1:8088, https://server2:8088
#         OMS Log Analytics example: https://CUSTOMERID.ods.opinsights.azure.com
#   Default: empty
#   Required: yes, unless Protocol is Console
#
#   Setting name: Index
#   Description: Name of the backend index. Custom Splunk index names must be configured in macros.conf, too.
#   Valid values: any lowercase string
#   Default: uberagent
#   Required: no
#
#   Setting name: Host
#   Description: Name of the Splunk source host sending the event. Normally does not need to be changed.
#   Valid values: any string
#   Default: %computername%
#   Required: no
#
#   Setting name: Source
#   Description: Event source name. Normally does not need to be changed.
#   Valid values: any string
#   Default: uberAgent
#   Required: no
#
#   Setting name: MaxQueueSizeRamMb
#   Description: Maximum queue size in RAM in MB. If exceeded, events are discarded.
#   Valid values: any number
#   Default: 10
#   Required: no
#
############################################
[Receiver]
Name = Default
Type = Splunk
Protocol = TCP
Servers = localhost:19500
RESTToken =

############################################
# Metrics explanation
#
# Available metrics:
#
# a)  uberAgent timer metrics (output at regular intervals):
#
#     ProcessDetailTop5                   Performance & application data for each process, top 5 items are displayed per category. Should not be used in conjunction with ProcessDetailFull (redundancy).
#     ProcessDetailFull                   Performance & application data for each process, all processes are displayed. Generates a huge data volume! Should not be used in conjunction with ProcessDetailTop5 (redundancy).
#     ApplicationUsage                    Data for application usage calculations (how many users were running an app at any given time)
#     ApplicationInventory                Retrieves a list of all installed applications
#     ApplicationUILatency                Determines the responsiveness of applications' user interfaces
#     SoftwareUpdateInventory             Retrieves a list of all installed updates and patches
#     MachineInventory                    Retrieves information about machines (OS, hardware model)
#     SessionCount                        Number of user sessions
#     SessionDetail                       Performance data for each session
#     SystemPerformanceSummary            Performance data for the entire system
#     BrowserPerformanceIE                Internet Explorer: browser performance per site
#     BrowserPerformanceChrome            Chrome: browser performance
#     GpuUsage                            GPU usage per machine and per process
#     NetworkTargetPerformanceProcess     Performance data per target IP address and port per process (see also [NetworkTargetPerformanceProcess_Filter])
#     SMBClientSharePerformance           Performance data per SMB share accessed by the machine's SMB client
#
#     The following metrics are collected only if uberAgent is running on a Citrix XenApp/XenDesktop delivery controller:
#
#     CitrixDCDesktopGroup                Information on Citrix XenApp/XenDesktop delivery groups
#     CitrixDCCatalog                     Information on Citrix XenApp/XenDesktop machine catalogs
#     CitrixDCMachine                     Information on Citrix XenApp/XenDesktop machines (VDAs and DDCs)
#     CitrixDCHypervisor                  Information on Citrix XenApp/XenDesktop hypervisor connections
#     CitrixDCGeneralInformation          Information on Citrix XenApp/XenDesktop site properties like databases
#     CitrixDCLicenseInformation          Information on Citrix XenApp/XenDesktop license usage
#     CitrixDCApplication                 Information on Citrix XenApp/XenDesktop published applications
#     CitrixDCPublishedDesktops           Information on Citrix XenApp/XenDesktop published desktops
#
#
# b)  uberAgent on-demand metrics (output when it happens):
#
#     LogonDetail                   Several logon metrics like logon script processing time, group policy processing time, etc.
#     LogonProcesses                Information about all processes run during user logon
#     BootDetail                    Boot performance data including applications/services/drivers that cause delays
#     ShutdownDetail                Shutdown performance data including applications/services/drivers that cause delays
#     StandbyDetail                 Standby performance data including applications/services/drivers that cause delays
#     ProcessStartup                Startup duration of processes
#     OutlookPerformanceEvents      Performance information for Microsoft Outlook
#     ApplicationErrors             Information about application crashes and related errors
#
# c)  System performance counters (output at regular intervals)
#
#     Any Windows performance counter can be used. Example:
#        
#        Perf counter = \System\System Up Time
#
############################################

############################################
# Timers
#
# uberAgent works with one or more timers.
# Each timer wakes up periodically. When it does, it computes the values of a configurable set of metrics and sends the results off for storage.
# Additionally there are on-demand metrics that log data when an event occurs, e.g. a user logon.
#
# Configurable settings per timer:
#
#   Setting name: Name
#   Description: Arbitrary name for the timer. Used only internally.
#   Valid values: any string
#   Default: empty
#   Required: yes
#
#   Setting name: Comment
#   Description: Arbitrary comment for the timer. Not used by uberAgent.
#   Valid values: any string
#   Default: empty
#   Required: no
#
#   Setting name: Interval
#   Description: How long to wait before collecting data again. Unit: milliseconds.
#   Valid values: any number
#   Default: [none]
#   Required: yes
#
#   Setting name: UA metric
#   Description: Name of any uberAgent timer metric to be collected through this timer. May be specified more than once per timer.
#   Valid values: any uberAgent timer metric
#   Default: empty
#   Required: no
#
#   Setting name: Perf counter
#   Description: Name of any Windows performance counter to be collected through this timer. May be specified more than once per timer.
#   Valid values: any performance counter name
#   Default: empty
#   Required: no
#
#   Setting name: Start delay
#   Description: If a start delay is configured, uberAgent waits for the given time in ms before running the timer's metrics for the first time. If no start delay is configured, uberAgent waits for the time configured with the Interval parameter.
#   Valid values: any number
#   Default: 0
#   Required: no
#
#   Setting name: Persist interval
#   Description: If this is enabled, uberAgent stores the timer's last runtime so that it does not run it more often than specified with the Interval parameter even when restarted.
#   Valid values: true | false
#   Default: false
#   Required: no
#
#   Setting name: Thread priority
#   Description: Relative priority for the timer's thread.
#   Valid values: background | normal
#   Default: normal
#   Required: no
#
#   Setting name: Receivers
#   Description: List of receivers to send this timer's data to. Overrides the default (send to all receivers).
#   Valid values: Comma-separated list of receiver names configured in [Receiver] sections, e.g.: SplunkPool1, SplunkPool2
#   Default: all receivers
#   Required: no
#
#   Setting name: Script
#   Description: Run a script once or periodically, depending on the configured Interval (0 = run only once). The script's output to stdout is sent to Splunk, each line as a new event. Can be specified more than once per timer.
#   Valid values: Any valid command line, optionally including command line parameters.
#   Default: empty
#   Required: no
#
#   Setting name: ScriptContext
#   Description: The user context to run a script in.
#   Valid values: Session0AsSystem | UserSessionAsSystem | UserSessionAsUser
#   Default: Session0AsSystem
#   Required: no
#
############################################

############################################
# On-demand metrics
############################################
[OnDemand]
UA metric      = LogonDetail
UA metric      = LogonProcesses
UA metric      = BootDetail
UA metric      = ShutdownDetail
UA metric      = StandbyDetail
UA metric      = ProcessStartup
UA metric      = OutlookPerformanceEvents
UA metric      = ApplicationErrors

############################################
# Timer 1
############################################
[Timer]
Name           = Default timer
Comment        = Metrics are placed here unless there is a reason to have them run at different frequencies or to isolate them
Interval       = 30000
UA metric      = ProcessDetailFull
UA metric      = ApplicationUsage
UA metric      = SessionCount
UA metric      = SessionDetail
UA metric      = SystemPerformanceSummary
UA metric      = SMBClientSharePerformance

############################################
# Timer 2
############################################
[Timer]
Name           = Application UI latency
Comment        = Isolate application UI latency metrics from the other metrics
Interval       = 15000
UA metric      = ApplicationUILatency

############################################
# Timer 3
############################################
[Timer]
Name           = GPU usage
Comment        = Isolate GPU metrics from the other metrics
Interval       = 30000
UA metric      = GpuUsage

############################################
# Timer 4
############################################
[Timer]
Name           = Browser performance
Comment        = Isolate browser metrics from the other metrics
Interval       = 30000
UA metric      = BrowserPerformanceIE
UA metric      = BrowserPerformanceChrome

############################################
# Timer 5
############################################
[Timer]
Name           = Network performance
Comment        = Isolate in its own thread because DNS lookups are performed
Interval       = 30000
UA metric      = NetworkTargetPerformanceProcess

############################################
# Timer 6
############################################
[Timer]
Name              = Inventory
Comment           = Perform an inventory at a very low frequency
Interval          = 86400000
Start delay       = 600000
Persist interval  = true
Thread priority   = background
UA metric         = ApplicationInventory
UA metric         = SoftwareUpdateInventory
UA metric         = MachineInventory

############################################
# Timer 7
############################################
[Timer]
Name              = Citrix site - default
Comment           = Collect Citrix XenApp/XenDesktop site information (active on delivery controllers only, inactive anywhere else)
Interval          = 300000
Start delay       = 240000
UA metric         = CitrixDCDesktopGroup
UA metric         = CitrixDCCatalog
UA metric         = CitrixDCHypervisor
UA metric         = CitrixDCGeneralInformation
UA metric         = CitrixDCApplication
UA metric         = CitrixDCPublishedDesktops

############################################
# Timer 8
############################################
[Timer]
Name              = Citrix site - machines
Comment           = Collect Citrix XenApp/XenDesktop site information (active on delivery controllers only, inactive anywhere else)
Interval          = 300000
Start delay       = 260000
UA metric         = CitrixDCMachine

############################################
# Timer 9
############################################
[Timer]
Name              = Citrix site - licenses
Comment           = Collect Citrix XenApp/XenDesktop site information (active on delivery controllers only, inactive anywhere else)
Interval          = 60000
Start delay       = 180000
UA metric         = CitrixDCLicenseInformation

############################################
# List of core Windows processes that also (sometimes) run in user sessions
#
# The sole effect of listing core Windows processes here is to enable uberAgent to calculate the resource usage of the OS
#
############################################
[WindowsProcesses]

audiodg.exe=Microsoft Windows OS
conhost.exe=Microsoft Windows OS
csrss.exe=Microsoft Windows OS
dllhost.exe=Microsoft Windows OS
dwm.exe=Microsoft Windows OS
lsass.exe=Microsoft Windows OS
lsm.exe=Microsoft Windows OS
ntoskrnl.exe=Microsoft Windows OS
services.exe=Microsoft Windows OS
smss.exe=Microsoft Windows OS
spoolsv.exe=Microsoft Windows OS
svchost.exe=Microsoft Windows OS
taskhost.exe=Microsoft Windows OS
WmiPrvSE.exe=Microsoft Windows OS
wininit.exe=Microsoft Windows OS
winlogon.exe=Microsoft Windows OS


############################################
# Executable to application name mappings (for overriding uberAgent's automatic application identification)
#
# Format: C:\Full path to\process.exe = Application name
#
# Specifying only the file name without the full path only works in specific cases and is not recommended.
#
############################################
[ProcessToApplicationMapping]

## Windows Search
SearchFilterHost.exe=Microsoft Windows Search
SearchIndexer.exe=Microsoft Windows Search
SearchProtocolHost.exe=Microsoft Windows Search

## Protected processes
MsMpEng.exe=Microsoft Malware Protection
NisSrv.exe=Microsoft Malware Protection
Services.exe=Microsoft Windows OS
fontdrvhost.exe=Microsoft Windows OS


############################################
# Processes to ignore in application lookup
#
# Format: process.exe = uberAgent_ignore
#
############################################
[ApplicationMappingIgnoredProcesses]

############################################
# Process startup duration load image wait interval
#
# When uberAgent determines process startup duration, it looks for the beginning of a 30 second time interval without image (DLL) load events
# The default wait duration of 30 seconds can be adjusted either globally or for individual processes here (individual has precedence over global).
# 
# Additionally, if there are IO operations during the DLL loading phase, uberAgent calculates the average IOPS during that phase and waits until
# IOPS drop to less than 20% for at least 10 seconds after the end of the DLL loading phase. The value of 10 seconds can be adjusted here, too.
#
# Configurable settings:
#
#   Setting name: DllLoadWaitDurationGlobal
#   Description: Globally set the DLL loading phase wait duration for all processes in ms.
#   Valid values: any number
#   Default: 30000
#   Required: no
#
#   Setting name: IopsDropoffDurationGlobal
#   Description: Globally set the IOPS dropoff phase duration for all processes in ms.
#   Valid values: any number
#   Default: 10000
#   Required: no
#
#   Setting name: the process's executable name (e.g. AcroRd32.exe, as in the entry below)
#   Description: Set the DLL loading phase wait duration for a specific process in ms. May be specified more than once.
#   Valid values: any number
#   Default: 30000
#   Required: no
#
############################################
[ProcessStartupDurationWaitIntervalOverride]

AcroRd32.exe = 15000

############################################
# Optional settings for Process startup metrics
#
#   Setting name: EnableExtendedInfo
#   Description: Send detailed information about each started process to the backend, e.g. path, command line, process ID, parent ID. This also enables population of the ProcGUID field in other sourcetypes, which can be used for detailed process instance tracking.
#   Valid values: true | false
#   Default: false
#   Required: no
#
############################################
[ProcessStartupSettings]

############################################
# Optional filter for the metric ProcessDetailFull
#
# Processes can be whitelisted or blacklisted. Whitelisting overrides blacklisting.
#
# Format: process.exe = uberAgent_blacklist | uberAgent_whitelist
#
############################################
[ProcessDetailFull_Filter]

cmd.exe = uberAgent_blacklist
conhost.exe = uberAgent_blacklist
csrss.exe = uberAgent_blacklist
lsm.exe = uberAgent_blacklist
smss.exe = uberAgent_blacklist
wininit.exe = uberAgent_blacklist
winlogon.exe = uberAgent_blacklist

############################################
# Optionally add the command line to the ProcessDetail* metrics
# This can significantly increase the data volume, so use with caution
#
# Processes can be whitelisted or blacklisted. Whitelisting overrides blacklisting.
# Default: disabled for all processes
#
# Format: process.exe = uberAgent_blacklist | uberAgent_whitelist
#
############################################
[ProcessDetail_SendCommandline]

############################################
# Optional filter for the metric NetworkTargetPerformanceProcess
#
# Processes can be whitelisted or blacklisted. Whitelisting overrides blacklisting.
#
# Format: process.exe = uberAgent_blacklist | uberAgent_whitelist
#
############################################
[NetworkTargetPerformanceProcess_Filter]

############################################
# Optional configuration for the metric NetworkTargetPerformanceProcess
#
# Configurable settings:
#
#   Setting name: Key
#   Description: What to group by: process name or ID
#   Valid values: name | id
#   Default: name
#   Required: no
#
#   Setting name: IgnoreLowActivity
#   Description: Whether to ignore processes with very low activity during a collection interval
#   Valid values: true | false
#   Default: true
#   Required: no
#
############################################
[NetworkTargetPerformanceProcess_Config]
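
An added example (not part of the uberAgent documentation or product): a small Python reviewer for a file in this format. It keeps repeated [Timer] and [Receiver] sections and repeated keys, then lists the settings worth a security review: EncryptUserNames left off, a RESTToken stored in the file, http:// receiver URLs, scripts run in a SYSTEM context, and command-line forwarding. The sample configuration, token, script path, and case-insensitive key matching are assumptions made for the example.

```python
# Constructed sample in the uberAgent.conf format (token and script path are made up).
SAMPLE_CONF = r"""
[Miscellaneous]
DebugMode = true

[Receiver]
Name = SplunkHEC
Protocol = HTTP
Servers = http://server1:8088, https://server2:8088
RESTToken = 00000000-0000-0000-0000-000000000000

[Timer]
Name = Custom script
Script = C:\Scripts\collect.cmd

[Timer]
Name = Default timer
UA metric = SessionCount

[ProcessDetail_SendCommandline]
powershell.exe = uberAgent_whitelist
"""

def parse_conf(text):
    """Return [(section, [(key, value), ...])]; repeated sections and keys are kept."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], []))
        elif "=" in line and sections:
            key, _, value = line.partition("=")
            sections[-1][1].append((key.strip(), value.strip()))
    return sections

def get(kvs, key, default=""):  # assumption: keys are matched case-insensitively
    return next((v for k, v in kvs if k.lower() == key), default)

def audit(sections):
    """Return (where, finding) tuples for settings that deserve a review."""
    out = []
    for name, kvs in sections:
        where = f"{name} '{get(kvs, 'name')}'" if get(kvs, "name") else name
        if name == "Miscellaneous" and get(kvs, "encryptusernames").lower() != "true":
            out.append((where, "EncryptUserNames off: names sent as-is"))
        elif name == "Receiver":
            if get(kvs, "resttoken"):
                out.append((where, "RESTToken stored in file: check file ACLs"))
            urls = [s.strip() for s in get(kvs, "servers").split(",")]
            plain = [u for u in urls if u.lower().startswith("http://")]
            if get(kvs, "protocol", "TCP").upper() == "HTTP" and plain:
                out.append((where, "no TLS: " + ", ".join(plain)))
        elif name == "Timer":
            scripts = [v for k, v in kvs if k.lower() == "script"]
            context = get(kvs, "scriptcontext", "Session0AsSystem")  # "...AsSystem" read as SYSTEM
            if scripts and context.lower().endswith("assystem"):
                out.append((where, f"{len(scripts)} script(s) as SYSTEM ({context})"))
        elif name == "ProcessDetail_SendCommandline":
            sent = [k for k, v in kvs if v == "uberAgent_whitelist"]
            if sent:
                out.append((where, "command lines sent: " + ", ".join(sent)))
    return out

if __name__ == "__main__":
    print(*audit(parse_conf(SAMPLE_CONF)), sep="\n")
```

To review an endpoint, pass the contents of its uberAgent.conf to parse_conf. Where the configuration comes from Group Policy the local file is ignored, so review the GPO settings instead.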
