uberAgent
https://uberagent.com
Windows, Citrix & VMware monitoring on Splunk
Feed generated: Sat, 28 Jul 2018 00:34:02 +0000

Using uberAgent With Splunk Free Successfully
https://uberagent.com/blog/using-uberagent-with-splunk-free-successfully/
Published: Tue, 17 Jul 2018 11:50:03 +0000

The post Using uberAgent With Splunk Free Successfully appeared first on uberAgent.

Splunk Enterprise and uberAgent are a winning combination for gaining visibility into the end-user experience. However, for your lab or demo environment, Splunk Enterprise might be a bit oversized. Fortunately, Splunk Free is an alternative that gives you 500 MB of indexing volume per day at no charge. Sadly, there is one feature Splunk Free lacks: saved searches. Find out how to work around the limitation in this article.

The problem

uberAgent relies on Splunk lookup tables to enrich parts of its data. In Splunk Enterprise, these lookup tables are generated by saved searches defined in uberAgent’s savedsearches.conf. Unfortunately, Splunk Free does not support saved searches. We already have a KB article online that explains how to run the searches manually to prevent empty or faulty dashboards.

uberAgent’s “Application Startup” dashboard without saved searches on Splunk Free

The solution

Doing things manually is always a bad idea: it is time-consuming and error-prone. Hence I automated it with a scheduled task, PowerShell, and Splunk’s REST API. The script is executed by a scheduled task at a specified interval and runs the required searches via Splunk’s REST API against your Splunk Free server.

The PowerShell script accepts two parameters:

  1. Server configures the Splunk server. The default is localhost.
  2. Earliest configures the time range. The default is the last seven days.

<#
.SYNOPSIS 
Run searches against Splunk Free REST API to create lookup tables required by uberAgent 
.PARAMETER Server
Splunk server. Default is localhost. 
.PARAMETER Earliest
Time range. Default is last seven days.
.EXAMPLE .\Invoke-uberAgentSearches.ps1
Invokes uberAgent searches against the server localhost for the time range of seven days.
.EXAMPLE .\Invoke-uberAgentSearches.ps1 -Server 'MySplunkServer' -Earliest '-1d'
Invokes uberAgent searches against the server MySplunkServer for the time range of one day.
.NOTES
Script: Invoke-uberAgentSearches.ps1
Author: Dominik Britz, vast limits GmbH 
uberagent.com
#>

#region parameters

Param
(
    # Splunk server. Default is localhost.
    [Parameter(Mandatory=$false)]
    [ValidateNotNullOrEmpty()]
    [string]$Server = 'localhost',

    # Time range. Default is last seven days.
    [Parameter(Mandatory=$false)]
    [ValidateNotNullOrEmpty()]
    [string]$Earliest = '-7d'
)

#endregion

#region variables

[string]$Uri = "http://${Server}:8089/services/search/jobs/export"

#endregion

#region main

[array]$Searches = @(
    'search index=`uberAgent_index` sourcetype=uberAgent:Application:AppNameIdMapping AppId=* AppName=* | stats latest(_time) as _time mode(AppName) as AppName by AppId | inputlookup append=t lookup_appnameidmapping | stats latest(_time) as _time latest(AppName) as AppName by AppId | eval TimeDelta=now()-_time | search TimeDelta<31536000 | fields AppName AppId _time | outputlookup lookup_appnameidmapping'
    'search index=`uberAgent_index` (sourcetype=uberAgent:System:MachineInventory OR sourcetype=uberAgent:System:NetworkConfigInformation) OsVersion=* | stats latest(_time) as _time latest(OsVersion) as OsVersion latest(OsBuild) as OsBuild latest(OsType) as OsType latest(AdDomainDns) as AdDomainDns latest(AdSite) as AdSite latest(AdOu) as AdOu latest(CtxFarmName) as CtxFarmName latest(CtxMachineCatalogName) as CtxMachineCatalogName latest(CtxDeliveryGroupName) as CtxDeliveryGroupName latest(HwManufacturer) as HwManufacturer latest(HwModel) as HwModel values(NetworkConfigIPv4) as NetworkConfigIPv4 by host | inputlookup append=t lookup_hostinfo | fields - Ipv4Address | stats latest(_time) as _time latest(OsVersion) as OsVersion latest(OsBuild) as OsBuild latest(OsType) as OsType latest(AdDomainDns) as AdDomainDns latest(AdSite) as AdSite latest(AdOu) as AdOu latest(CtxFarmName) as CtxFarmName latest(CtxMachineCatalogName) as CtxMachineCatalogName latest(CtxDeliveryGroupName) as CtxDeliveryGroupName latest(HwManufacturer) as HwManufacturer latest(HwModel) as HwModel values(NetworkConfigIPv4) as Ipv4Address by host | eval TimeDelta=now()-_time | search TimeDelta<31536000 | fields host OsVersion OsBuild OsType AdDomainDns AdSite AdOu CtxFarmName CtxMachineCatalogName CtxDeliveryGroupName HwManufacturer HwModel Ipv4Address _time | outputlookup lookup_hostinfo'
    'search index=`uberAgent_index` sourcetype=uberAgent:System:MachineInventory RAMSizeGB=* | stats latest(_time) as _time latest(RAMSizeGB) as RAMSizeGB latest(IsBatteryPresent) as IsBatteryPresent latest(CPUName) as CPUName latest(CPUSockets) as CPUSockets latest(CPUCoresPhysical) as CPUCoresPhysical latest(CPUCoresLogical) as CPUCoresLogical latest(CPUMaxMhz) as CPUMaxMhz latest(HwIsVirtualMachine) as HwIsVirtualMachine latest(OsUpdateBuildRevision) as OsUpdateBuildRevision by host | inputlookup append=t lookup_hostinfo2 | stats latest(_time) as _time latest(RAMSizeGB) as RAMSizeGB latest(IsBatteryPresent) as IsBatteryPresent latest(CPUName) as CPUName latest(CPUSockets) as CPUSockets latest(CPUCoresPhysical) as CPUCoresPhysical latest(CPUCoresLogical) as CPUCoresLogical latest(CPUMaxMhz) as CPUMaxMhz latest(HwIsVirtualMachine) as HwIsVirtualMachine latest(OsUpdateBuildRevision) as OsUpdateBuildRevision by host | eval TimeDelta=now()-_time | search TimeDelta<31536000 | fields host RAMSizeGB IsBatteryPresent CPUName CPUSockets CPUCoresPhysical CPUCoresLogical CPUMaxMhz HwIsVirtualMachine OsUpdateBuildRevision _time | outputlookup lookup_hostinfo2'
    '| pivot uberAgent Process_ProcessStartup latest(_time) as LastSeen splitrow ProcName | eval ProcName = lower (ProcName) | inputlookup append=t lookup_processstartup_processlist | stats first(LastSeen) as LastSeen by ProcName | eval LastSeen = round (strptime (LastSeen, "%Y-%m-%dT%H:%M:%S.%Q%z"), 0) | eval TimeDelta=now()-LastSeen | search TimeDelta<31536000 | fields ProcName LastSeen | outputlookup lookup_processstartup_processlist'
    '| pivot uberAgent Process_NetworkTargetPerformance latest(_time) as LastSeen splitrow NetTargetRemoteNameAddress | eval ProcName = lower (NetTargetRemoteNameAddress) | inputlookup append=t lookup_networktargetperformance_targetlist | stats first(LastSeen) as LastSeen by NetTargetRemoteNameAddress | eval LastSeen = round (strptime (LastSeen, "%Y-%m-%dT%H:%M:%S.%Q%z"), 0) | eval TimeDelta=now()-LastSeen | search TimeDelta<31536000 | fields NetTargetRemoteNameAddress LastSeen | outputlookup lookup_networktargetperformance_targetlist'
)

Foreach ($Search in $Searches)
{
    $Body = @{
        search = $Search
        output_mode = 'json'
        earliest = $Earliest
    } 
    Try
    {
        Invoke-RestMethod -Method Post -Uri $Uri -Body $Body
    }
    Catch 
    {
        Write-Error -Message $_
    }
}

#endregion

Please note that the included searches are for uberAgent 5.0.1. They might change in the future, so always check our KB article first!
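To confirm that a scheduled run actually produced the lookup tables, here is an added example that is not part of the original post or of uberAgent’s own code. It asks the same export endpoint for the row count of each lookup the script writes and warns when one is empty, which is exactly the condition that produces the empty dashboards described above. It assumes the same server, management port 8089 and http scheme as Invoke-uberAgentSearches.ps1, that Splunk Free accepts the request without credentials just like the main script does, and takes the lookup names from the outputlookup commands above.

```powershell
<#
.SYNOPSIS
Added example: check that the uberAgent lookup tables on Splunk Free are populated.
.NOTES
Not part of the original post. Assumes the same server, management port 8089 and
http scheme as Invoke-uberAgentSearches.ps1, and that Splunk Free accepts the
request without credentials (as the main script does).
#>
Param
(
    [Parameter(Mandatory=$false)]
    [ValidateNotNullOrEmpty()]
    [string]$Server = 'localhost'
)

[string]$Uri = "http://${Server}:8089/services/search/jobs/export"

# Names of the lookups written by the outputlookup commands in the main script.
[string[]]$Lookups = @(
    'lookup_appnameidmapping'
    'lookup_hostinfo'
    'lookup_hostinfo2'
    'lookup_processstartup_processlist'
    'lookup_networktargetperformance_targetlist'
)

Function Get-LookupRowCount
{
    Param ([string]$Lookup)

    $Body = @{
        search      = "| inputlookup $Lookup | stats count"
        output_mode = 'json'
    }

    # The export endpoint streams one JSON object per line. Read the raw body and
    # keep the final (non-preview) row instead of letting Invoke-RestMethod guess.
    $Response = Invoke-WebRequest -Method Post -Uri $Uri -Body $Body -UseBasicParsing
    $Rows = $Response.Content -split "`r?`n" |
        Where-Object { $_.Trim() } |
        ForEach-Object { $_ | ConvertFrom-Json } |
        Where-Object { -not $_.preview }

    If (-not $Rows) { Return 0 }
    Return [int]($Rows | Select-Object -Last 1).result.count
}

Foreach ($Lookup in $Lookups)
{
    Try
    {
        $Count = Get-LookupRowCount -Lookup $Lookup
        If ($Count -eq 0)
        {
            # An empty lookup is what leaves the dashboards empty or faulty.
            Write-Warning -Message "$Lookup is empty - run Invoke-uberAgentSearches.ps1 or widen its -Earliest range"
        }
        Else
        {
            Write-Output "$Lookup : $Count rows"
        }
    }
    Catch
    {
        Write-Error -Message $_
    }
}
```

Run it from the same scheduled task after Invoke-uberAgentSearches.ps1, or by hand after changing the time range, and look for warnings in the output.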

Save this script somewhere. Then create and configure the scheduled task. Of course, you can use PowerShell for this, too. Just customize the variables in the following script to your needs and run it. I decided to run the task weekly on Sunday at 10:00 PM on my Splunk Free server. This aligns perfectly with the default time range of the Invoke-uberAgentSearches.ps1 script, the last seven days.

#Requires -RunAsAdministrator
$ScriptPath = 'C:\Scripts\Invoke-uberAgentSearches.ps1'
$WeekDay = 'Sunday'
$Time = '10:00PM'
$TaskName = 'Invoke uberAgent searches'

Try
{
   $Action = New-ScheduledTaskAction -Execute 'PowerShell.exe' -Argument "-NoProfile -WindowStyle Hidden -File `"$ScriptPath`""
   $Trigger = New-ScheduledTaskTrigger -Weekly -DaysOfWeek $WeekDay -At $Time

   Register-ScheduledTask -Action $Action -Trigger $Trigger -TaskName $TaskName -User 'SYSTEM'
}
Catch
{
   Write-Error -Message $_
}

Hint: the script talks to Splunk’s management port over plain http. If your Splunk Free server does not have a valid SSL certificate installed, make sure that communication via http is allowed.

Your benefit

The result is a Splunk Free environment for your lab that is always ready for the job. By the way, this aligns perfectly with our free one-year community edition!

uberAgent’s “Application Startup” dashboard with saved searches on Splunk Free

Announcing Free Community Licenses
https://uberagent.com/blog/announcing-free-community-licenses/
Published: Fri, 08 Jun 2018 15:39:43 +0000

We are committed to supporting the IT community. We sponsor user groups and encourage our employees to engage, which they do enthusiastically by blogging, speaking at conferences and even organizing local meetups. Now we are adding something else entirely: free licenses.

Free Community Licenses

Starting immediately, we are offering free community licenses for up to 100 users.

Where’s the catch? There is none! This offer is not limited in any way, and it is open to everybody, individuals and organizations alike.

How Does It Work?

The process is quite simple:

  • Community licenses are one-year term licenses for up to 100 users
  • There is no limit on consecutive terms. After year one you can get a second year’s license, and so on.
  • To request your free community license fill out the license request form

That’s it. Enjoy!

uberAgent Masterclass at E2EVC Amsterdam
https://uberagent.com/blog/uberagent-masterclass-at-e2evc-amsterdam/
Published: Thu, 31 May 2018 22:50:57 +0000

We will be hosting an uberAgent masterclass at the E2EVC community conference in Amsterdam next week. E2EVC is the perfect place to learn from and network with your fellow end-user computing geeks. The amount of brainpower that comes together for E2EVC several times a year in Europe, the USA, Asia and/or Africa is staggering. What better place for a deep-dive technical uberAgent training?

Masterclass Agenda

We have content for anybody with a solid background in end-user computing. If you are new to uberAgent, you will get a thorough technical architecture overview. If you are already experienced with the product, you should enjoy the deep-dives. Along the way, we want to hear about your monitoring requirements. And, as always, we are very open to feature requests.

The specific topics to be covered are subject to change depending on the attendees’ interests. Following are some of the areas we hope to cover:

  • Architecture overview
  • Architecture deep-dive
    • How we collect user data
    • How we collect browser performance data
    • How we collect Citrix site data
    • Multi-tenancy
    • Username encryption
  • Installation
  • Configuration
  • Adding custom metrics
    • Performance counters
    • Custom scripts
  • Logging
  • Dashboards
    • uberAgent’s Splunk data model
    • Custom dashboards
    • Custom lookups

Registration

No registration necessary. Just make sure you are registered for E2EVC and show up for the masterclass at 10:00 am on Saturday.

See you soon!

Monitoring User Profile Sizes With uberAgent
https://uberagent.com/blog/monitor-user-profile-sizes-with-uberagent/
Published: Tue, 29 May 2018 13:20:38 +0000

The size of user profiles is critical for logon performance, especially in SBC and VDI environments. Bloated profiles lead to slow logons and therefore unhappy users. Here is how to stay on track with your users’ profile sizes with uberAgent’s powerful script execution engine and Splunk.

If you are new to uberAgent’s script execution engine I recommend reading my colleague’s blog article first. It contains all the information you need to get started.

Monitoring Options and Realisation Methods

You have two options for calculating user profile sizes:

  1. On the local computer and for the current user(s) only
  2. On the file server which hosts a user profile file share for all users

Which option you choose is up to you. We will cover both below.

1. Local Computer

This option is best for fat clients and notebooks, where users typically work with local profiles. The script will be executed by uberAgent on the user’s machine.

I decided to use PowerShell for the job. Below is the script. It gets the profile size and returns the username as well as the size in bytes as a key-value pair.

[Hashtable]$Output = @{}
$ProfileSize = Get-ChildItem -Path $(Join-Path 'C:\Users' $env:USERNAME) -Recurse -Force -ErrorAction SilentlyContinue | Measure-Object -Sum Length
$Output = @{
   'UserName' = $env:USERNAME
   'ProfileSize' = $($ProfileSize.Sum)
}
Write-Output $($Output.Keys.ForEach({"$_=$($Output.$_)"}) -join ' ')

Here is the output for my notebook:

UserName=domin ProfileSize=112288349557

I configured a new timer in the uberAgent configuration, which executes the script every 60 minutes (3600000 milliseconds) in the user’s context. 60 minutes should be sufficient to gather every user at least once per day but also keep the amount of data sent to Splunk small. I also added a start delay of 5 minutes which should be enough to ensure logon profile processing is finished.

############################################
# Timer 10
############################################
[Timer]
Name           = User profile size
Interval       = 3600000
Start delay    = 300000
Script         = powershell.exe -executionpolicy bypass -file "C:\Program Files\vast limits\uberAgent\Scripts\Get-UserProfileSize.ps1"
ScriptContext  = UserSessionAsUser

In addition to local computers, the script can also be used on terminal servers. uberAgent executes it for each user session and thus determines the profile size for each logged on user.

2. User Profile Share

This option is best for SBC and VDI environments, where users often work with roaming profiles stored on a file server. The script needs to be executed on the file server, hence you have to install uberAgent on it. The script will then enumerate all profile directories and return their names and sizes as key-value pairs. You can also use it to monitor the size of redirected user data if you are using folder redirection.

Again, I used PowerShell. The script is a little more complex for this option.

PARAM
(
    [Parameter(Mandatory=$true)]
    [ValidateNotNullOrEmpty()]
    [string]$Share
)

[Hashtable]$Output = @{}
Get-ChildItem -Path $Share | ForEach-Object -Process {
    $DirectorySize = Get-ChildItem -Path $PSItem.FullName -Recurse -Force -ErrorAction SilentlyContinue | Measure-Object -Sum Length
    $Output = @{
       'DirectoryName' = $($PSItem.Name)
       'DirectorySize' = $($DirectorySize.Sum)
    }
    Write-Output $($Output.Keys.ForEach({"$_=$($Output.$_)"}) -join ' ')
}

You can find sample output below. The script could easily be extended with further useful information, like each directory’s last modified timestamp.

DirectoryName=user01 DirectorySize=112288349557
DirectoryName=user02 DirectorySize=1065937039508
DirectoryName=user03 DirectorySize=956380045
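Taking up the suggestion to extend the share script, here is an added example that is not part of the original post. It keeps the parameter and the key=value output of the original, adds the newest write time below each profile directory, and counts the entries that Get-ChildItem could not read, so a suspiciously small size can be recognised as an access problem (the account running the timer lacking rights on parts of the profile) rather than a lean profile. The key names LastModified and AccessErrors are constructed for this example.

```powershell
<#
Added example, not part of the original post: an extended variant of the
file-share script. Besides DirectorySize it reports each directory's newest
write time (as epoch seconds, so Splunk can sort and compare it) and how many
entries could not be read due to access errors. The key names LastModified
and AccessErrors are constructed for this example.
#>
PARAM
(
    [Parameter(Mandatory=$true)]
    [ValidateNotNullOrEmpty()]
    [string]$Share
)

Function Get-ProfileDirectoryInfo
{
    Param ([System.IO.DirectoryInfo]$Directory)

    # Keep the access errors instead of discarding them silently.
    $ReadErrors = @()
    $Items = Get-ChildItem -Path $Directory.FullName -Recurse -Force -ErrorAction SilentlyContinue -ErrorVariable ReadErrors
    $Size  = ($Items | Measure-Object -Sum Length).Sum

    # Newest write time across the directory itself and everything below it.
    $Newest = @($Directory.LastWriteTimeUtc) + @($Items | ForEach-Object { $_.LastWriteTimeUtc }) |
        Sort-Object | Select-Object -Last 1

    [ordered]@{
        'DirectoryName' = $Directory.Name
        'DirectorySize' = [int64]$Size                            # $null (empty directory) becomes 0
        'LastModified'  = ([DateTimeOffset]$Newest).ToUnixTimeSeconds()
        'AccessErrors'  = $ReadErrors.Count
    }
}

# -Directory skips stray files in the share root; only profile folders are measured.
Get-ChildItem -Path $Share -Directory | ForEach-Object -Process {
    $Output = Get-ProfileDirectoryInfo -Directory $PSItem
    # Same key=value line format as the original script, so the Splunk field
    # extraction for the sourcetype keeps working.
    Write-Output (($Output.Keys | ForEach-Object { "$_=$($Output[$_])" }) -join ' ')
}
```

A non-zero AccessErrors value means DirectorySize is a lower bound; in Splunk you can filter or alert on that field before trusting the size.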

The configuration entry looks slightly different this time. I chose an interval of once per day, a start delay is not needed, and the script context has to be SYSTEM. Note that the script expects a parameter for the file share.

############################################
# Timer 10
############################################
[Timer]
Name           = User profile sizes
Interval       = 86400000
Script         = powershell.exe -executionpolicy bypass -file "C:\Program Files\vast limits\uberAgent\Scripts\Get-SubdirectorySizes.ps1" -Share "\\fileserver\profileshare"
ScriptContext  = Session0AsSystem

Purify The Data

The Splunk search result for the first option looks as follows:

However, the profile size in bytes is not very user-friendly. With Splunk’s powerful Search Processing Language, we can convert bytes to gigabytes.

index=uberAgent sourcetype="uberagent:script:user profile size" | eval ProfileSizeGB = round(ProfileSize / (1024*1024*1024),2) | table UserName ProfileSizeGB

Conclusion

Determining user profile sizes is another great example of what uberAgent’s script execution engine can do. You are not limited to the dashboards we ship by default but can extend your monitoring solution as you see fit.

uberAgent 5.0.1: Splunk 7.1, Data Model Acceleration Auto-Skewing
https://uberagent.com/blog/uberagent-5-0-1-splunk-7-1-data-model-acceleration-auto-skewing/
Published: Thu, 03 May 2018 20:45:56 +0000

We are happy to announce the newest version of our user experience and application performance monitoring product. uberAgent 5.0.1 adds support for Splunk 7.1 and brings many other improvements.

For a full list of changes, please consult the release notes. As always, upgrading is highly recommended (instructions).

Splunk 7.1

uberAgent now fully supports the significant user interface updates Splunk introduced in version 7.1.

Data Model Acceleration Auto-Skewing

This is something we are particularly proud of: “our” first feature suggestion got implemented in Splunk Enterprise.

uberAgent makes extensive use of accelerated data models for greatly enhanced dashboard search speed (for details see the blog posts on Helge’s Splunk .conf 2015 session).

Put simply, when a data model is accelerated, an additional index is built that is populated by searches that run every five minutes. Without the new auto-skewing feature, all data model acceleration searches were scheduled to run at exactly the same time, which would fail due to concurrency limitations. With version 7.1 Splunk learned to distribute the acceleration searches across the available time range. This promises to effectively get rid of skipped searches – and we are very happy to report that it does exactly that!

Auto-skewing is now enabled for uberAgent’s data model. On Splunk versions prior to 7.1, this causes a (harmless) warning message during a restart of splunkd. To remove it, simply comment out the setting acceleration.allow_skew in datamodels.conf.

About uberAgent

uberAgent is a Windows user experience analytics and application performance monitoring product. Its highlights include detailed information about boot and logon duration (showing why and when boots/logons are slow), application unresponsiveness detection, network reliability drilldowns, process startup duration, application usage metering, browser performance per website and remoting protocol insights.

About vast limits

vast limits GmbH is the company behind uberAgent, the innovative user experience and application performance monitoring product. Our customer list includes organizations from industries like finance, healthcare, professional services and education, ranging from medium-sized businesses to global enterprises. vast limits’ network of qualified solution partners ensures best-in-class service and support anywhere in the world.

Our founder, Helge Klein, is an experienced consultant and developer who architected the user profile management product whose successor is now available as Citrix Profile Management. In 2009 Helge received the Citrix Technology Professional (CTP) award, in 2011 he was nominated a Microsoft Most Valuable Professional (MVP), in 2014 he was a Splunk Revolution Award Winner, in 2015 he became a VMware vExpert. Helge frequently presents at conferences and user group events.

Monitoring Windows 10 Update Status
https://uberagent.com/blog/monitoring-windows-10-update-state/
Published: Tue, 27 Mar 2018 12:55:56 +0000

Not too long ago it was next to impossible to determine a machine’s exact patch state. That changed with Microsoft’s move to the rollup model. Making patches exclusively available as cumulative monthly bundles enforces a linear update sequence, the current state of which can be represented by a single number, the UBR (update build revision).

What It Was Like Before the Monthly Rollups

For decades, Microsoft had been releasing patches individually. That offered choice, and – seemingly – stability. When a customer noticed a problem with a specific component, they could install patches for that component only, leaving the rest of the system unchanged – at least in theory.

In practice, there are many interdependencies between services, DLLs and the like. Making a change to one often requires making changes to others, too. Imagine one patch requiring a specific change to a common component like Explorer. Bundling the patch with the updated version of Explorer seems like the obvious solution. Now imagine a second patch requiring a different change to Explorer, so it is also bundled with an updated version, but the Explorer update in patch two is different from the Explorer update in patch one. What happens when customer A installs patch one before patch two, while customer B chooses the reverse order?

These kinds of dependencies are very difficult to resolve. Meaningful testing is next to impossible. In other words: it became unmanageable, things had to change.

When Did Microsoft Switch to the Rollup Model?

The switch from individual updates to cumulative rollups was introduced with the first release of Windows 10 in 2015. Windows 7, 8.1 and their server equivalents followed about 1.5 years later.

The Problem With Cumulative Rollups: Size

Cumulative rollups contain all the necessary bits to update any older version of the same OS. Consequently, cumulative updates grow in size over time. The September update will always be bigger than the August update, whereas the October update will, in turn, be bigger than the September update.

Minimizing the Download

Express Update Delivery

Windows 10 uses a sophisticated mechanism called Express to minimize the download volume. In a nutshell it works as follows:

  1. Windows Update first downloads metadata about an update
  2. Windows Update passes the metadata to Windows Installer
  3. Windows Installer scans the system to determine which parts of the update’s files are already present
  4. Windows Installer requests Windows Update to download the changed byte ranges from the update’s files
  5. Windows Update downloads the ranges and passes them to Windows Installer so it can patch the OS

Express update delivery for quality updates (i.e. patches) is available for Windows 10 clients connected to:

  • System Center Configuration Manager 1702
  • WSUS
  • Windows Update
  • Windows Update for Business

Starting with Windows 10 1709, Express is also being used for feature updates (i.e. new OS versions) for clients connected to:

  • Windows Update
  • Windows Update for Business

Delta Updates

Delta updates are an interim mechanism only available for Windows 10 versions 1607, 1703 and 1709.

Delta updates are not cumulative; they only contain one month’s patches and can only be applied to machines that have the previous month’s update installed.

Update Linearity and UBR

Individual KB downloads are a thing of the past. This is a big step towards reducing fragmentation caused by systems containing a mix of individual updates.

With a linear update sequence, a machine is always at a well-defined point of a number line. The machine’s current position on the line reflects its update status. The corresponding number is called Update Build Revision (UBR). If you know a machine’s OS build and UBR numbers, you can easily look up its patch state on Microsoft’s Windows 10 release information site.
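As an added example that is not part of the original post, the following script reads the two numbers that place a machine on that number line, the OS build and the UBR, from the well-known registry values under HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion, and combines them into the 10.0.<build>.<UBR> form used on the release information page. uberAgent collects the same values in its daily inventory; this is simply the manual way to obtain them, emitted as key=value pairs so it could also serve as a script timer. The key names are constructed for this example.

```powershell
<#
Added example, not part of the original post: read the OS build and the UBR
(Update Build Revision) of a Windows 10 machine from the registry and combine
them into the 10.0.<build>.<UBR> form. The key names in the output are
constructed for this example.
#>
Function Get-WindowsBuildRevision
{
    $Cv = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

    # CurrentBuildNumber is the OS build (16299 for Windows 10 1709); UBR is the
    # Update Build Revision that every cumulative update increments.
    $Build = [int]$Cv.CurrentBuildNumber
    $Ubr   = [int]$Cv.UBR

    [ordered]@{
        'ReleaseId'   = $Cv.ReleaseId          # e.g. 1709
        'OsBuild'     = $Build
        'UBR'         = $Ubr
        # Matches the version strings on Microsoft's Windows 10 release information page.
        'FullVersion' = "$($Cv.CurrentMajorVersionNumber).$($Cv.CurrentMinorVersionNumber).$Build.$Ubr"
    }
}

$Output = Get-WindowsBuildRevision
# key=value output, the same shape the uberAgent script timers in this blog use.
Write-Output (($Output.Keys | ForEach-Object { "$_=$($Output[$_])" }) -join ' ')
```

Comparing FullVersion against the current entry on the release information page tells you immediately how many monthly rollups a machine is behind.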

Monitoring the Windows 10 Patch State

uberAgent performs a daily inventory that includes installed updates as well as the operating system’s build and UBR numbers. While the list of updates can be useful for troubleshooting individual machines, the OS build allows for a great overview of the update health of the estate. The screenshot above, taken from the Update Inventory dashboard, shows the OS build distribution over time. It is easy to see how quality updates are rolled out, replacing the previous version and incrementing the build number.

Measuring Actual CPU Speed & Frequency
https://uberagent.com/blog/measuring-actual-cpu-speed-frequency/
Published: Tue, 20 Mar 2018 11:48:48 +0000

As a good administrator you, of course, know at what speed your machines run because you keep an eye on your CPU usage at all times – but do you? Modern CPUs do not make things easy.

Let me go back in time a little bit. Several years ago, I was overclocking my computer’s CPU. I played a lot with different cooling fans and thermal greases to get the most out of my old Intel Pentium workhorse. I think two or more CPUs ended up as very expensive bricks because I did not manage the heat correctly.

However, those were simple times. A CPU with 400 MHz continually delivered 400 MHz.

Modern CPU Functionalities

Then, along came Intel Turbo Boost. It adjusts each core’s frequency dynamically according to load and thermal budget. If the CPU gets too warm, overclocking stops automatically. Thus, the risk of overheating the processor is mitigated. With Turbo Boost, overclocking was suddenly possible in the server area – where the consequences of hardware failure are even more grave.

To reduce power consumption, further functionalities found their way into modern CPUs. One of them is C-states, which save energy by cutting the clock signals used inside the CPU and by reducing the CPU voltage.

Frequencies And Utilization

As a result of all these functionalities, one has to deal with different CPU frequencies:

  • Maximum frequency
  • Base frequency
  • Actual frequency

Your first stop to review them is Windows Task Manager (note that it uses the term “speed” instead of “frequency”). But Task Manager is lying to you. The screenshot below displays a maximum speed of 3.50 GHz. That is wrong. The label Maximum speed should read Base speed. In fact, the maximum speed of this CPU model is 3.80 GHz.

Here is another thing. One might assume that the 20 percent utilization refers to the base speed. It does not. The utilization always refers to the actual CPU speed, which was 2.07 GHz at the time the screenshot was taken.
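To see the three frequencies side by side without a dashboard, here is an added example that is not part of the original post and not how uberAgent collects its data. It derives base and actual frequency from Windows performance counters and assumes that "\Processor Information(_Total)\Processor Frequency" (nominal frequency in MHz) and "\Processor Information(_Total)\% Processor Performance" (actual frequency as a percentage of nominal, above 100 while Turbo Boost is active and below 100 when power management throttles) are available, which they are on Windows 7 / Server 2008 R2 and later.

```powershell
<#
Added example, not part of the original post: derive base and actual CPU
frequency from Windows performance counters and show them next to the
utilization. Assumes the "Processor Information" counter set is present
(Windows 7 / Server 2008 R2 and later).
#>
Function Get-ActualCpuFrequency
{
    Param ([int]$SampleCount = 5)

    $Paths = @(
        '\Processor Information(_Total)\Processor Frequency'
        '\Processor Information(_Total)\% Processor Performance'
        '\Processor Information(_Total)\% Processor Time'
    )

    # One-second samples, averaged so a momentary Turbo spike does not dominate.
    $All = Get-Counter -Counter $Paths -SampleInterval 1 -MaxSamples $SampleCount |
        ForEach-Object { $_.CounterSamples }

    # Average one counter by the end of its path (paths come back prefixed with the machine name).
    $Average = {
        Param ([string]$Suffix)
        ($All | Where-Object { $_.Path -like "*$Suffix" } |
            Measure-Object -Property CookedValue -Average).Average
    }

    $BaseMhz = & $Average 'Processor Frequency'
    $PerfPct = & $Average '% Processor Performance'
    $Busy    = & $Average '% Processor Time'

    # Win32_Processor.MaxClockSpeed also reports the nominal clock despite its
    # name, mirroring the Task Manager labelling the post describes.
    $WmiMhz = (Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1).MaxClockSpeed

    [pscustomobject]@{
        BaseMHz         = [math]::Round($BaseMhz)
        BaseMHzFromWmi  = $WmiMhz
        ActualMHz       = [math]::Round($BaseMhz * $PerfPct / 100)
        ActualPctOfBase = [math]::Round($PerfPct, 1)   # actual frequency relative to base, the ratio discussed in the post
        BusyPct         = [math]::Round($Busy, 1)      # utilization, which relates to the actual frequency, not the base
    }
}

Get-ActualCpuFrequency
```

Run it idle and then under load: ActualPctOfBase climbs above 100 when Turbo Boost kicks in and drops well below it when C-states and frequency scaling take over, which is why BusyPct alone says little about how much work the CPU is actually doing.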

Make Use of The Data With uberAgent

But don’t worry if you are a little confused by the different kinds of frequencies. With version 5.0, we have enhanced our Machine Performance dashboard. It now shows the average actual CPU frequency as a percentage of the base frequency, which enables you to compare the energy efficiency of different platforms.

In addition, we have added the CPU’s base speed and the average actual speed to the Single Machine Detail dashboard, which allows you to analyze your machine’s efficiency even further.

Monitoring GPU Usage per Engine or Application
https://uberagent.com/blog/monitoring-gpu-usage-engine-application/
Published: Tue, 13 Mar 2018 15:31:00 +0000

GPUs, just like any other hardware, need to be sized properly. If there is unused capacity, money is being wasted. If, on the other hand, utilization is at maximum, the user experience is poor. Sizing requires information. In this case, about GPU usage, ideally per GPU engine and application. uberAgent delivers.

GPU Architecture

GPUs consist of thousands of cores that run the same instructions in parallel on multiple data. This architecture was initially designed for 3D rendering but has proven useful for any kind of application whose algorithms are highly parallelizable.

Combined, a GPU’s cores are often called the 3D engine. While 3D is typically the most important engine, GPUs also have specialized engines that add capabilities like video encoding or decoding. Without those, smartphones would never be able to record HD video or play it back in real-time.

Monitoring GPU Usage per Engine

GPU monitoring presents some unique challenges. Different GPU models have different capabilities, which results in different types and numbers of engines.

uberAgent is prepared for that. It dynamically detects a GPU’s engines and determines each engine’s utilization individually. When displayed in a chart over time, this lets a viewer grasp any engine’s resource usage immediately.

Monitoring GPU Usage per Application

A GPU’s resources are available for all processes that are running on a machine. Being able to discern which application generates what kind of load is crucial. In some cases, similar applications are very different with regards to efficiency and GPU resource footprint. This applies to browsers, for example. In other cases, applications you would expect to make good use of the GPU don’t.

By providing GPU utilization metrics per process, uberAgent helps IT understand and optimize GPUs for their application set.

Monitoring GPU Usage per Machine

In addition to the resource consumption per GPU engine and per application, uberAgent also collects the GPU usage per machine. If a machine has more than one GPU, the numbers are collected individually per GPU. This is useful for gaining an understanding of the overall GPU utilization, both in terms of GPU compute and GPU memory resources.

uberAgent 5.0: Browser UX Metrics, GPU Usage per Engine
https://uberagent.com/blog/browser-ux-gpu-usage-engine/ (Tue, 06 Mar 2018 15:57:01 +0000)

We are happy to announce the newest version of our user experience and application performance monitoring product. uberAgent 5.0 brings new features and improvements for any kind of device. So many, that we went from version 4.2 directly to 5.0.

For a full list of all improvements and bugfixes, please consult the changelog. As always, upgrading is highly recommended (instructions).

Browser UX Metrics

uberAgent is the perfect solution for monitoring user experience as well as performance for classic Windows applications. It shows you details for CPU and RAM usage, IOPS and process startup time – to name a few. But more and more of these applications are being replaced by modern SaaS and web apps, most of them delivered via the cloud. If the applications change, so must the capabilities of the tool.

Since the first versions, uberAgent has been able to show the load browsers generate on your machines per website or process type. With 5.0, we extended our product to collect detailed information for page loads and background data transfers. Exactly what you need to analyze the performance of SaaS and web apps.

At this point in time, we ship the new feature for Google Chrome – more to come. The functionality requires a browser extension to be installed.

GPU Usage per Engine

GPUs are everywhere. They are used not only in mobile phones and game consoles, but also in workstations and servers. They take over computer graphics and image processing work, thus relieving the CPU. In recent years, the development of GPU-enabled VDI environments, in particular, has made great progress.

A GPU consists of multiple processing engines, each dedicated to a specific task, e.g. 3D processing or video decoding. As of version 5.0, uberAgent is able to show the usage per engine over time. In combination with the already available metrics on GPU compute and memory usage, you will not only gain a deep insight into GPU performance but also learn what the GPU is used for. This feature is supported for Windows 10 1709 and onwards.

More Improvements

VMware Horizon

We have always cared about virtual desktop infrastructures. It’s important for administrators to know which client versions are used in their environment. Therefore, uberAgent now collects the version numbers of VMware Horizon clients.

Windows 10

On Windows 10 the OS build includes the UBR (update build revision), which represents a machine’s exact patch state in a single number. uberAgent now collects this information and presents it in its Update Inventory dashboard.

CPU Usage

Ever heard of Turbo Boost and C states? Both are power-saving features of modern CPUs. uberAgent now calculates the relative CPU frequency so that the effects of these CPU features can be analyzed.

Network configuration

uberAgent now collects information about all active network interfaces which enables you to analyze the usage of network adapters, interface types (e.g. VPN, WiFi) and (wireless) networks.

Elasticsearch

uberAgent now supports Elasticsearch 6.x.

About uberAgent

uberAgent is a Windows user experience analytics and application performance monitoring product. Its highlights include detailed information about boot and logon duration (showing why and when boots/logons are slow), application unresponsiveness detection, network reliability drilldowns, process startup duration, application usage metering, browser performance per website and remoting protocol insights.

About vast limits

vast limits GmbH is the company behind uberAgent, the innovative user experience and application performance monitoring product. Our customer list includes organizations from industries like finance, healthcare, professional services and education, ranging from medium-sized businesses to global enterprises. vast limits’ network of qualified solution partners ensures best-in-class service and support anywhere in the world.

Our founder, Helge Klein, is an experienced consultant and developer who architected the user profile management product whose successor is now available as Citrix Profile Management. In 2009 Helge received the Citrix Technology Professional (CTP) award, in 2011 he was nominated a Microsoft Most Valuable Professional (MVP), in 2014 he was a Splunk Revolution Award Winner, in 2015 he became a VMware vExpert. Helge frequently presents at conferences and user group events like Citrix Synergy, Splunk .conf, BriForum or E2EVC.

Monitoring RDP Session Hijacking
https://uberagent.com/blog/monitoring-rdp-session-hijacking/ (Thu, 18 Jan 2018 15:48:13 +0000)

In addition to all the fuss around Spectre and Meltdown, there are several other security flaws which are worth mentioning. One of these is RDP session hijacking.

How RDP Session Hijacking Works

In his excellent article, Kevin Beaumont explains in great detail what RDP session hijacking is and how to do it. Here is a summary:

  • Windows lets you connect to other users’ RDP sessions via tscon.exe. You typically need the other user’s password for this.
  • If you run tscon.exe with SYSTEM privileges, you can connect to any other RDP session without a password.
  • There are several ways to get SYSTEM privileges if you have administrator permissions:
    • PSEXEC from the Sysinternals suite
    • Create and start a service
    • Use a scheduled task
  • There are even RDP backdoor methods to get SYSTEM privileges. Mimikatz is probably the best-known example.
  • It is hard to monitor because there isn’t a specific Windows event log entry.

How to Monitor Session Hijacking

Eric from XenAppBlog.com asked if it is possible to monitor RDP session hijacking with uberAgent. It is. Here is one way to do it.

Requirements

uberAgent uses Splunk to visualize collected data from your endpoints. As Splunk is licensed by daily indexed traffic, we have a strong incentive for keeping the amount of indexed data as small as possible. Therefore, we do not store command line information about each started process by default. One can enable this via the setting EnableExtendedInfo=true in our configuration. Keep in mind that your daily indexed traffic will increase.

The Simplest Solution

As stated above, you have to run tscon.exe with SYSTEM privileges to connect to another RDP session without the need to enter the user’s password. That is easy to accomplish with uberAgent and Splunk.

First, we have a look at all process startups and choose the fields host, SessionID, and ProcCmdline.

| pivot uberAgent Process_ProcessStartup
   values(ProcCmdline) as "Command line(s)" 
   splitrow 
      host as "Machine name"
   splitrow 
      SessionID as "Session ID"

In the second step, we filter the events for the process name tscon.exe and the process user SYSTEM. We do some sorting, too.

| pivot uberAgent Process_ProcessStartup
   values(ProcCmdline) as "Command line(s)" 
   splitrow 
      host as "Machine name"
   splitrow       
      SessionID as "Session ID"
   filter ProcName is "tscon.exe"
   filter ProcUser is "SYSTEM" 
| eval sortfield=lower('Machine name')
| sort limit=0 sortfield
| table
   "Machine name"
   "Session ID"
   "Command line(s)"

The result may look like this.

Goal achieved! But we only see session IDs, not usernames. It would be laborious to manually figure out the right username for each ID.

The More Sophisticated Solution

Not only does uberAgent give you details like name or ID for the tscon.exe process but also for its parent. With this information, you can see how tscon.exe was started.

| pivot uberAgent Process_ProcessStartup
   values(ProcCmdline) as "Command line(s)"   
   splitrow 
      host as "Machine name"
   splitrow 
      SessionID as "Session ID"
   splitrow 
      ProcParentName as "Parent process name"
   filter ProcName is "tscon.exe"
   filter ProcUser is "SYSTEM" 
| eval sortfield=lower('Machine name')
| sort limit=0 sortfield
| table
   "Machine name"
   "Session ID"
   "Parent process name"   
   "Command line(s)"

Additionally, uberAgent can combine different datasets. By combining process startup data with session detail data, we can find out the usernames of the attacking and target sessions.

| pivot uberAgent Process_ProcessStartup
   latest(_time) as Time
   splitrow 
      host as "Machine name"
   splitrow 
      SessionID as "Attacking session ID"
   splitrow 
      ProcParentName as "Attacking session process name"
   splitrow
      ProcCmdline as "Command line"
   filter ProcName is "tscon.exe"
   filter ProcUser is "SYSTEM"
| eval Time = strftime (strptime (Time, "%Y-%m-%dT%H:%M:%S.%Q%z"), "%Y-%m-%d %H:%M:%S")
| rex field="Command line" "(?<temp>\d+)"
| rename temp as "Target session ID"
| join type=outer "Machine name" "Target session ID"
[
   | pivot uberAgent Session_SessionDetail_Users 
      latest(User) as "Target session username"
      splitrow 
         host as "Machine name"
      splitrow 
         SessionID as "Target session ID"
   | fields + "Target session username" "Machine name" "Target session ID"
]
| join type=outer "Machine name" "Attacking session ID"
[
   | pivot uberAgent Session_SessionDetail_Users 
      latest(User) as "Attacking session username"
      splitrow 
         host as "Machine name"
      splitrow 
         SessionID as "Attacking session ID"
   | fields + "Attacking session username" "Machine name" "Attacking session ID" 
]
| eval sortfield=lower('Machine name')
| sort limit=0 sortfield
| table
   Time
   "Machine name"
   "Attacking session ID"
   "Attacking session username"
   "Attacking session process name"   
   "Command line"   
   "Target session ID"
   "Target session username"

The result may look like this.
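The same detection logic as the final search above, written in Python as an added example (not the post's own code) so it can be tried offline: the records, host names, session IDs and usernames are constructed sample data using the field names of the pivot searches, and the regex that picks the target session ID out of the command line is an assumption that differs from the post's rex, for the reason given in the comment.

```python
import re
from datetime import datetime

# Constructed sample records named after the fields of the page's pivot
# searches; they are not real uberAgent data.
PROCESS_STARTUPS = [  # one dict per Process_ProcessStartup event
    dict(_time="2018-01-18T14:02:11.000+0000", host="RDS01", SessionID="2", ProcName="tscon.exe",
         ProcUser="SYSTEM", ProcParentName="cmd.exe",
         ProcCmdline=r"C:\Windows\System32\tscon.exe 3 /dest:console"),
    dict(_time="2018-01-18T14:05:40.000+0000", host="RDS01", SessionID="5", ProcName="tscon.exe",
         ProcUser="jdoe", ProcParentName="explorer.exe", ProcCmdline="tscon.exe 4 /password:*"),
]
SESSION_USERS = [  # one dict per Session_SessionDetail_Users row
    dict(host="RDS01", SessionID="2", User=r"CORP\admin1"),
    dict(host="RDS01", SessionID="3", User=r"CORP\ceo"),
    dict(host="RDS01", SessionID="5", User=r"CORP\jdoe"),
]

# The page's rex "(?<temp>\d+)" takes the first digit run anywhere in the command
# line, which is the "32" of System32 when the full path is logged; this regex
# (an assumption, not the page's) anchors on the executable name instead.
TSCON_ARG = re.compile(r"tscon(?:\.exe)?\s+(\d+)", re.IGNORECASE)

def target_session_id(cmdline):
    m = TSCON_ARG.search(cmdline)
    return m.group(1) if m else None

def session_user(host, session_id):
    """Stand-in for the outer join against Session_SessionDetail_Users."""
    for rec in SESSION_USERS:
        if rec["host"] == host and rec["SessionID"] == session_id:
            return rec["User"]
    return None  # unmatched rows keep an empty username, like join type=outer

def find_hijacks(startups=PROCESS_STARTUPS):
    """Rows of the page's final search: tscon.exe started as SYSTEM, enriched."""
    rows = []
    for rec in startups:
        if rec["ProcName"].lower() != "tscon.exe" or rec["ProcUser"] != "SYSTEM":
            continue  # filter ProcName is "tscon.exe" / filter ProcUser is "SYSTEM"
        target = target_session_id(rec["ProcCmdline"])
        when = datetime.strptime(rec["_time"], "%Y-%m-%dT%H:%M:%S.%f%z")
        rows.append({"Time": when.strftime("%Y-%m-%d %H:%M:%S"), "Machine name": rec["host"],
                     "Attacking session ID": rec["SessionID"],
                     "Attacking session username": session_user(rec["host"], rec["SessionID"]),
                     "Attacking session process name": rec["ProcParentName"],
                     "Command line": rec["ProcCmdline"], "Target session ID": target,
                     "Target session username": session_user(rec["host"], target)})
    rows.sort(key=lambda r: r["Machine name"].lower())  # sort limit=0 sortfield
    return rows
```

The second sample record (tscon.exe run by a regular user, who would have needed the password) is deliberately not flagged, exactly as the ProcUser filter in the search leaves it out.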

Conclusion

RDP session hijacking really is a thing. It could do massive damage, cannot be prevented and is hard to monitor. At least with the monitoring part, uberAgent may help.
