uberAgent blog: Windows, Citrix & VMware monitoring on Splunk (https://uberagent.com). Feed generated Wed, 23 May 2018 14:03:05 +0000.

uberAgent 5.0.1: Splunk 7.1, Data Model Acceleration Auto-Skewing
https://uberagent.com/blog/uberagent-5-0-1-splunk-7-1-data-model-acceleration-auto-skewing/
Thu, 03 May 2018 20:45:56 +0000

We are happy to announce the newest version of our user experience and application performance monitoring product. uberAgent 5.0.1 adds support for Splunk 7.1 and brings many other improvements.

For a full list of changes, please consult the release notes. As always, upgrading is highly recommended (instructions).

Splunk 7.1

uberAgent now fully supports the significant user interface updates Splunk introduced in version 7.1.

Data Model Acceleration Auto-Skewing

This is something we are particularly proud of: “our” first feature suggestion got implemented in Splunk Enterprise.

uberAgent makes extensive use of accelerated data models for greatly enhanced dashboard search speed (for details see the blog posts accompanying Helge’s Splunk .conf 2015 session).

Put simply, when a data model is accelerated, Splunk builds an additional summary index that is populated by searches running every five minutes. Without auto-skewing, every data model acceleration search was scheduled to start at exactly the same instant. With several accelerated data models on one search head that exceeded the search concurrency limit, and the searches that did not fit were simply skipped. With version 7.1 Splunk learned to distribute the acceleration searches across the scheduling interval. This promised to get rid of skipped searches, and we are very happy to report that it does exactly that.

Auto-skewing is now enabled for uberAgent’s data model. Splunk versions prior to 7.1 do not know the setting and log a (harmless) warning about it when splunkd restarts. To silence the warning on an older Splunk, simply comment out the setting acceleration.allow_skew in uberAgent’s datamodels.conf.

About uberAgent

uberAgent is a Windows user experience analytics and application performance monitoring product. Its highlights include detailed information about boot and logon duration (showing why and when boots/logons are slow), application unresponsiveness detection, network reliability drilldowns, process startup duration, application usage metering, browser performance per website and remoting protocol insights.

About vast limits

vast limits GmbH is the company behind uberAgent, the innovative user experience and application performance monitoring product. Our customer list includes organizations from industries like finance, healthcare, professional services and education, ranging from medium-sized businesses to global enterprises. vast limits’ network of qualified solution partners ensures best-in-class service and support anywhere in the world.

Our founder, Helge Klein, is an experienced consultant and developer who architected the user profile management product whose successor is now available as Citrix Profile Management. In 2009 Helge received the Citrix Technology Professional (CTP) award, in 2011 he was nominated a Microsoft Most Valuable Professional (MVP), in 2014 he was a Splunk Revolution Award Winner, in 2015 he became a VMware vExpert. Helge frequently presents at conferences and user group events.

The post uberAgent 5.0.1: Splunk 7.1, Data Model Acceleration Auto-Skewing appeared first on uberAgent.

Monitoring Windows 10 Update Status
https://uberagent.com/blog/monitoring-windows-10-update-state/
Tue, 27 Mar 2018 12:55:56 +0000

Not too long ago it was next to impossible to determine a machine’s exact patch state. That changed with Microsoft’s move to the rollup model. Making patches exclusively available as cumulative monthly bundles enforces a linear update sequence, the current state of which can be represented by a single number, the UBR (update build revision).

What It Was Like Before the Monthly Rollups

For decades, Microsoft had been releasing patches individually. That offered choice, and – seemingly – stability. When a customer noticed a problem with a specific component, they could install patches for that component only, leaving the rest of the system unchanged – at least in theory.

In practice, there are many interdependencies between services, DLLs and the like. Making a change to one often requires making changes to others, too. Imagine one patch requiring a specific change to a common component like Explorer. Bundling the patch with the updated version of Explorer seems like the obvious solution. Now imagine a second patch requiring a different change to Explorer, so it is also bundled with an updated version, but the Explorer update in patch two is different from the Explorer update in patch one. What happens when customer A installs patch one before patch two, while customer B chooses the reverse order?

These kinds of dependencies are very difficult to resolve, and with an arbitrary mix of individually installed patches per machine, meaningful testing is next to impossible. In other words, the model had become unmanageable; things had to change.

When Did Microsoft Switch to the Rollup Model?

The switch from individual updates to cumulative rollups was introduced with the first release of Windows 10 in 2015. Windows 7, 8.1 and their server equivalents followed about 1.5 years later.

The Problem With Cumulative Rollups: Size

Cumulative rollups contain all the bits needed to bring any older patch level of the same OS version up to date. Consequently, cumulative updates grow in size over time: the September update is always bigger than the August update, and the October update is, in turn, bigger than the September update.

Minimizing the Download

Express Update Delivery

Windows 10 uses a mechanism called Express to minimize the download volume. In a nutshell it works as follows:

  1. Windows Update first downloads metadata about an update
  2. Windows Update passes the metadata to the update installer (the Component-Based Servicing stack; this is not the Windows Installer service that handles MSI packages)
  3. The servicing stack scans the system to determine which parts of the update’s files are already present
  4. The servicing stack asks Windows Update to download only the byte ranges of the update’s files that differ from what is on disk
  5. Windows Update downloads those ranges and hands them to the servicing stack, which patches the OS

Express update delivery for quality updates (i.e. patches) is available for Windows 10 clients connected to:

  • System Center Configuration Manager 1702
  • WSUS
  • Windows Update
  • Windows Update for Business

Starting with Windows 10 1709, Express is also being used for feature updates (i.e. new OS versions) for clients connected to:

  • Windows Update
  • Windows Update for Business

Delta Updates

Delta updates are an interim mechanism only available for Windows 10 versions 1607, 1703 and 1709.

Delta updates are not cumulative; they only contain one month’s patches and can only be applied to machines that have the previous month’s update installed.

Update Linearity and UBR

Individual KB downloads are a thing of the past. This is a big step towards reducing fragmentation caused by systems containing a mix of individual updates.

With a linear update sequence, a machine is always at a well-defined point of a number line. The machine’s current position on the line reflects its update status. The corresponding number is called Update Build Revision (UBR). If you know a machine’s OS build and UBR numbers, you can easily look up its patch state on Microsoft’s Windows 10 release information site.

Monitoring the Windows 10 Patch State

uberAgent performs a daily inventory that includes installed updates as well as the operating system’s build and UBR numbers. While the list of updates is useful for troubleshooting individual machines, the OS build gives a great overview of the update health of the whole estate. The Update Inventory dashboard charts the OS build distribution over time. It is easy to see how quality updates are being rolled out, replacing the previous revision and incrementing the build number.
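The linearity argument above is easiest to see in code. The following is an added example, not uberAgent’s own code: it takes a constructed inventory (hostnames and numbers are made up) of the same two values the daily inventory collects, the OS build and the UBR, groups machines by build and reports which hosts lag behind the newest UBR seen for their build. Comparing UBRs is only meaningful within one build; a 14393 machine and a 16299 machine are different OS versions, so they are never compared with each other.

```python
import re
from collections import defaultdict

# Constructed sample inventory (not real data): one line per host with the
# OS version written as "build.UBR", e.g. 16299.309.
SAMPLE_INVENTORY = """\
ws-001 16299.334
ws-002 16299.309
ws-003 16299.334
srv-01 14393.2125
srv-02 14393.2068
vdi-07 15063.994
"""

BUILD_RE = re.compile(r"^(?P<host>\S+)\s+(?P<build>\d+)\.(?P<ubr>\d+)\s*$")


def parse_inventory(text):
    """Parse 'host build.UBR' lines into (host, build, ubr) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = BUILD_RE.match(line)
        if not m:
            raise ValueError(f"unparseable inventory line: {line!r}")
        records.append((m["host"], int(m["build"]), int(m["ubr"])))
    return records


def patch_lag(records):
    """Per OS build, find hosts whose UBR is below the highest UBR seen for that build.

    Because monthly rollups are cumulative, a lower UBR on the same build is
    strictly older. Returns {build: {host: ubr_gap}} for lagging hosts only.
    The gap is a difference in revision numbers, not a count of missed months;
    mapping a UBR to a release date needs Microsoft's release information table.
    """
    newest = {}
    by_build = defaultdict(dict)
    for host, build, ubr in records:
        by_build[build][host] = ubr
        newest[build] = max(newest.get(build, 0), ubr)
    lagging = {}
    for build, hosts in by_build.items():
        behind = {h: newest[build] - u for h, u in hosts.items() if u < newest[build]}
        if behind:
            lagging[build] = behind
    return lagging


def build_distribution(records):
    """Count hosts per full 'build.UBR' string, like the Update Inventory chart does."""
    counts = defaultdict(int)
    for _, build, ubr in records:
        counts[f"{build}.{ubr}"] += 1
    return dict(counts)


if __name__ == "__main__":
    recs = parse_inventory(SAMPLE_INVENTORY)
    for build, behind in sorted(patch_lag(recs).items()):
        for host, gap in sorted(behind.items()):
            print(f"build {build}: {host} is {gap} UBR revisions behind the newest seen")
    print(build_distribution(recs))
```

On a live machine both numbers come from the registry: the values CurrentBuildNumber and UBR under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion. Feeding those two values per host into parse_inventory is all that is needed to run the comparison against your own estate.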

Measuring Actual CPU Speed & Frequency
https://uberagent.com/blog/measuring-actual-cpu-speed-frequency/
Tue, 20 Mar 2018 11:48:48 +0000

As a good administrator, of course, you know at what speed your machines run because you have an eye on your CPU usage at any time – but do you? Modern CPUs do not make things easy.

Let me go back in time a little bit. Several years ago, I was overclocking my computer’s CPU. I played a lot with different cooling fans and thermal greases to get the most out of my old Intel Pentium workhorse. I think two or more CPUs ended up as very expensive bricks because I did not manage the heat correctly.

However, those were simple times. A CPU with 400 MHz continually delivered 400 MHz.

Modern CPU Functionalities

Then, along came Intel Turbo Boost. It adjusts each core’s frequency dynamically according to load and thermal budget. If the CPU gets too warm, overclocking stops automatically. Thus, the risk of overheating the processor is mitigated. With Turbo Boost, overclocking was suddenly possible in the server area – where the consequences of hardware failure are even more grave.

To reduce power consumption, further functionality found its way into modern CPUs. One example is C-states: idle states that save energy by gating the clock signals inside the CPU and by lowering the core voltage.

Frequencies And Utilization

As a result of all these functionalities, one has to deal with different CPU frequencies:

  • Maximum frequency
  • Base frequency
  • Actual frequency

Your first stop to review them is Windows Task Manager (note that it uses the term “speed” instead of “frequency”). But Task Manager is misleading you. The screenshot below displays a maximum speed of 3.50 GHz. That is wrong: the label Maximum speed should read Base speed. The actual maximum (turbo) frequency of this CPU model is 3.80 GHz.

Here is another thing. One might assume that the 20 percent utilization refers to the base speed. It does not. The utilization always refers to the actual CPU speed, which was 2.07 GHz at the time the screenshot was taken.

Make Use of The Data With uberAgent

But don’t worry, even if you are a little confused by the different kinds of frequencies. With version 5.0, we have enhanced our Machine Performance dashboard. It now shows you the average actual CPU frequency as a percentage of the base frequency. This enables you to compare the energy efficiency of different platforms.

In addition, we have added the CPU’s base speed and the average actual speed to the Single Machine Detail dashboard, which allows you to analyze your machine’s efficiency even further.

Monitoring GPU Usage per Engine or Application
https://uberagent.com/blog/monitoring-gpu-usage-engine-application/
Tue, 13 Mar 2018 15:31:00 +0000

GPUs, just like any other hardware, need to be sized properly. If there is unused capacity, money is being wasted. If, on the other hand, utilization is at maximum, the user experience is poor. Sizing requires information. In this case, about GPU usage, ideally per GPU engine and application. uberAgent delivers.

GPU Architecture

GPUs consist of thousands of cores that run the same instructions in parallel on multiple data. This architecture was initially designed for 3D rendering but has turned out to be useful for any kind of application whose algorithms are highly parallelizable.

Combined, a GPU’s cores are often called the 3D engine. While 3D is typically the most important engine, GPUs also have specialized engines that add capabilities like video encoding or decoding. Without those, smartphones would never be able to record HD video or play it back in real-time.

Monitoring GPU Usage per Engine

GPU monitoring presents some unique challenges. Different GPU models have different capabilities, which results in different types and numbers of engines.

uberAgent is prepared for that. It dynamically detects a GPU’s engines and determines each engine’s utilization individually. When displayed in a chart over time, this allows a viewer to grasp any engine’s resource usage immediately.

Monitoring GPU Usage per Application

A GPU’s resources are available for all processes that are running on a machine. Being able to discern which application generates what kind of load is crucial. In some cases, similar applications are very different with regards to efficiency and GPU resource footprint. This applies to browsers, for example. In other cases, applications you would expect to make good use of the GPU don’t.

By providing GPU utilization metrics per process, uberAgent helps IT understand and optimize GPUs for their application set.

Monitoring GPU Usage per Machine

In addition to the resource consumption per GPU engine and per application uberAgent also collects the GPU usage per machine. If a machine has more than one GPU, the numbers are collected individually per GPU. This is useful for gaining an understanding of the overall GPU utilization, both in terms of GPU compute and GPU memory resources.

uberAgent 5.0: Browser UX Metrics, GPU Usage per Engine
https://uberagent.com/blog/browser-ux-gpu-usage-engine/
Tue, 06 Mar 2018 15:57:01 +0000

We are happy to announce the newest version of our user experience and application performance monitoring product. uberAgent 5.0 brings new features and improvements for any kind of device. So many, that we went from version 4.2 directly to 5.0.

For a full list of all improvements and bugfixes, please consult the changelog. As always, upgrading is highly recommended (instructions).

Browser UX Metrics

uberAgent is the perfect solution for monitoring user experience as well as performance for classic Windows applications. It shows you details for CPU and RAM usage, IOPS and process startup time – to name a few. But, more and more of these applications are replaced by modern SaaS and web apps; most of them delivered via the cloud. If the applications change, so must the capabilities of the tool.

Since the first versions, uberAgent has been able to show the load browsers generate on your machines per website or process type. With 5.0, we extended our product to collect detailed information for page loads and background data transfers. Exactly what you need to analyze the performance of SaaS and web apps.

At this point in time, we ship the new feature for Google Chrome – more to come. The functionality requires a browser extension to be installed.

GPU Usage per Engine

GPUs are everywhere. They are not only used in mobile phones or game consoles, but also in workstations and servers. They help to calculate computer graphics and image processing, thus relieving the CPU. In recent years, the development of GPU-enabled VDI environments, in particular, has made great progress.

A GPU consists of multiple processing engines. Each dedicated to a specific task, e.g. 3D processing, or video decoding. As of version 5.0, uberAgent is able to show the usage per engine over time. In combination with the already available metrics on GPU compute and memory usage, you will not only gain a deep insight into GPU performance but also learn what the GPU is used for. This feature is supported for Windows 10 1709 and onwards.

More Improvements

VMware Horizon

We always cared about virtual desktop infrastructures. It’s important for administrators to know which client versions are used in their environment. Therefore, uberAgent now collects the version numbers of VMware Horizon clients.

Windows 10

On Windows 10 the OS build includes the UBR (update build revision), which represents a machine’s exact patch state in a single number. uberAgent now collects this information and presents it in its Update Inventory dashboard.

CPU Usage

Ever heard of Turbo Boost and C-states? Both are power management features of modern CPUs: Turbo Boost raises a core’s frequency above the base frequency while the thermal budget allows it, C-states lower clock and voltage when a core is idle. uberAgent now calculates the actual CPU frequency relative to the base frequency so that the effects of these CPU features can be analyzed.

Network Configuration

uberAgent now collects information about all active network interfaces which enables you to analyze the usage of network adapters, interface types (e.g. VPN, WiFi) and (wireless) networks.

Elasticsearch

uberAgent now supports Elasticsearch 6.x.


Monitoring RDP Session Hijacking
https://uberagent.com/blog/monitoring-rdp-session-hijacking/
Thu, 18 Jan 2018 15:48:13 +0000

In addition to all the fuss around Spectre and Meltdown, there are several other security flaws which are worth mentioning. One of these is RDP session hijacking.

How RDP Session Hijacking Works

In his excellent article, Kevin Beaumont explains in great detail what RDP session hijacking is and how to do it. Here is a summary:

  • Windows lets you connect to other users’ RDP sessions via tscon.exe. Normally you need the other user’s password for this.
  • If you run tscon.exe with SYSTEM privileges, you can connect to any other session on the machine without a password.
  • There are several ways to get SYSTEM privileges if you have administrator permissions:
    • PsExec from the Sysinternals suite (psexec -s)
    • Create and start a service
    • Use a scheduled task running as SYSTEM
  • There are even RDP backdoor methods that provide SYSTEM privileges; Mimikatz is probably the best-known example.
  • It is hard to monitor because there is no dedicated Windows event log entry that identifies a hijack as such.

How to Monitor Session Hijacking

Eric from XenAppBlog.com asked if it is possible to monitor RDP session hijacking with uberAgent. It is. Here is one way to do it.

Requirements

uberAgent uses Splunk to visualize the data collected from your endpoints. As Splunk is licensed by daily indexed volume, we have a strong incentive to keep the amount of indexed data as small as possible. Therefore, we do not store the command line of each started process by default. You can enable this via the setting EnableExtendedInfo=true in uberAgent’s configuration; the command line is what the searches below need to identify the target session. Keep in mind that your daily indexed volume will increase.

The Simplest Solution

As stated above, you have to run tscon.exe with SYSTEM privileges to connect to another RDP session without the need to enter the user’s password. That is easy to accomplish with uberAgent and Splunk.

First, we have a look at all process startups and choose the fields host, SessionID, and ProcCmdline.

| pivot uberAgent Process_ProcessStartup
   values(ProcCmdline) as "Command line(s)" 
   splitrow 
      host as "Machine name"
   splitrow 
      SessionID as "Session ID"

In the second step, we filter the events for the process name tscon.exe and the process user SYSTEM. We do some sorting, too.

| pivot uberAgent Process_ProcessStartup
   values(ProcCmdline) as "Command line(s)" 
   splitrow 
      host as "Machine name"
   splitrow       
      SessionID as "Session ID"
   filter ProcName is "tscon.exe"
   filter ProcUser is "SYSTEM" 
| eval sortfield=lower('Machine name')
| sort limit=0 sortfield
| table
   "Machine name"
   "Session ID"
   "Command line(s)"

The result may look like this.

Goal achieved! But we only see session IDs, not usernames. It would be laborious to manually figure out the right username for the ID.

The More Sophisticated Solution

Not only does uberAgent give you details like name or id for the tscon.exe process but also for its parent. With this information, you can see how tscon.exe was started.

| pivot uberAgent Process_ProcessStartup
   values(ProcCmdline) as "Command line(s)"   
   splitrow 
      host as "Machine name"
   splitrow 
      SessionID as "Session ID"
   splitrow 
      ProcParentName as "Parent process name"
   filter ProcName is "tscon.exe"
   filter ProcUser is "SYSTEM" 
| eval sortfield=lower('Machine name')
| sort limit=0 sortfield
| table
   "Machine name"
   "Session ID"
   "Parent process name"   
   "Command line(s)"

Additionally, uberAgent can combine different datasets. By joining process startup data with session detail data, we can find out the usernames of both the attacking and the target session. The target session ID is tscon’s first argument, so the regular expression below anchors on the program name instead of taking the first run of digits in the command line; the latter would return 32 for a fully qualified C:\Windows\System32\tscon.exe path. Note that tscon also accepts a session name such as rdp-tcp#1 in place of the ID; such invocations are still listed, but without a resolved target username.

| pivot uberAgent Process_ProcessStartup
   latest(_time) as Time
   splitrow 
      host as "Machine name"
   splitrow 
      SessionID as "Attacking session ID"
   splitrow 
      ProcParentName as "Attacking session process name"
   splitrow
      ProcCmdline as "Command line"
   filter ProcName is "tscon.exe"
   filter ProcUser is "SYSTEM"
| eval Time = strftime (strptime (Time, "%Y-%m-%dT%H:%M:%S.%Q%z"), "%Y-%m-%d %H:%M:%S")
| rex field="Command line" "(?i)tscon(?:\.exe)?\S*\s+(?<temp>\d+)"
| rename temp as "Target session ID"
| join type=outer "Machine name" "Target session ID"
[
   | pivot uberAgent Session_SessionDetail_Users 
      latest(User) as "Target session username"
      splitrow 
         host as "Machine name"
      splitrow 
         SessionID as "Target session ID"
   | fields + "Target session username" "Machine name" "Target session ID"
]
| join type=outer "Machine name" "Attacking session ID"
[
   | pivot uberAgent Session_SessionDetail_Users 
      latest(User) as "Attacking session username"
      splitrow 
         host as "Machine name"
      splitrow 
         SessionID as "Attacking session ID"
   | fields + "Attacking session username" "Machine name" "Attacking session ID" 
]
| eval sortfield=lower('Machine name')
| sort limit=0 sortfield
| table
   Time
   "Machine name"
   "Attacking session ID"
   "Attacking session username"
   "Attacking session process name"   
   "Command line"   
   "Target session ID"
   "Target session username"

The result may look like this.
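To make the detection logic testable outside Splunk, here is the same rule written in Python. This is an added example, not part of the original post and not uberAgent’s code. It runs over constructed sample records (hosts, users, session numbers and command lines are made up) that use the field names from the searches above: host, SessionID, ProcName, ProcUser, ProcParentName and ProcCmdline for process starts, plus a (host, session ID) to user mapping standing in for Session_SessionDetail_Users. It also shows why the target session ID must be parsed relative to the program name rather than as the first number in the command line.

```python
import re

# Constructed sample data (not real uberAgent output). Process start events:
PROCESS_STARTS = [
    {"time": "2018-01-18 14:01:05", "host": "RDSH01", "SessionID": 3,
     "ProcName": "tscon.exe", "ProcUser": "SYSTEM", "ProcParentName": "cmd.exe",
     "ProcCmdline": "tscon 2 /dest:rdp-tcp#1"},
    # Legitimate use: a normal user supplies the target session's password.
    {"time": "2018-01-18 14:03:42", "host": "RDSH01", "SessionID": 1,
     "ProcName": "tscon.exe", "ProcUser": "jdoe", "ProcParentName": "cmd.exe",
     "ProcCmdline": "tscon 4 /dest:console /password:hunter2"},
    # Started by a service (session 0) with a fully qualified, quoted path.
    {"time": "2018-01-18 14:05:10", "host": "RDSH02", "SessionID": 0,
     "ProcName": "tscon.exe", "ProcUser": "SYSTEM", "ProcParentName": "services.exe",
     "ProcCmdline": r'"C:\Windows\System32\tscon.exe" 5 /dest:rdp-tcp#0'},
    # Target given by session name instead of ID: flagged, but no ID to resolve.
    {"time": "2018-01-18 14:05:11", "host": "RDSH02", "SessionID": 0,
     "ProcName": "tscon.exe", "ProcUser": "SYSTEM", "ProcParentName": "services.exe",
     "ProcCmdline": "tscon rdp-tcp#2 /dest:console"},
    {"time": "2018-01-18 14:06:00", "host": "RDSH01", "SessionID": 2,
     "ProcName": "notepad.exe", "ProcUser": "asmith", "ProcParentName": "explorer.exe",
     "ProcCmdline": "notepad.exe"},
]

# Constructed session details: (host, session ID) -> logged-on user.
SESSION_USERS = {
    ("RDSH01", 1): "jdoe",
    ("RDSH01", 2): "asmith",
    ("RDSH01", 3): "svc_backup",
    ("RDSH02", 5): "ceo",
}

# The session ID is tscon's first argument. Anchoring on the program name and
# skipping an optional ".exe" and closing quote avoids matching the "32" from
# C:\Windows\System32\tscon.exe when the full path is logged.
TSCON_TARGET_RE = re.compile(r'(?i)tscon(?:\.exe)?"?\s+(?P<sid>\d+)')


def target_session_id(cmdline):
    m = TSCON_TARGET_RE.search(cmdline)
    return int(m["sid"]) if m else None


def naive_target_session_id(cmdline):
    """The original approach: first run of digits anywhere in the command line."""
    m = re.search(r"\d+", cmdline)
    return int(m[0]) if m else None


def is_session_hijack(event):
    """tscon.exe running as SYSTEM attaches to any session without a password."""
    user = event["ProcUser"].split("\\")[-1].upper()  # tolerate DOMAIN\user form
    return event["ProcName"].lower() == "tscon.exe" and user == "SYSTEM"


def detect_hijacks(process_starts, session_users):
    """One finding per suspicious tscon start, joined with both sessions' owners."""
    findings = []
    for ev in process_starts:
        if not is_session_hijack(ev):
            continue
        target = target_session_id(ev["ProcCmdline"])
        findings.append({
            "time": ev["time"],
            "host": ev["host"],
            "attacking_session": ev["SessionID"],
            "attacking_user": session_users.get((ev["host"], ev["SessionID"])),
            "parent": ev["ProcParentName"],
            "cmdline": ev["ProcCmdline"],
            "target_session": target,
            "target_user": session_users.get((ev["host"], target)) if target is not None else None,
        })
    return findings


if __name__ == "__main__":
    for f in detect_hijacks(PROCESS_STARTS, SESSION_USERS):
        print(f)
```

In the sample data the service-started tscon on RDSH02 is the interesting case: a first-digits regex reports session 32 for it, which does not exist, while the anchored regex resolves session 5 and its owner. A session started from session 0 also has no interactive owner, so the attacking username stays empty; that is itself a useful signal, because a human operator normally does not run from session 0.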

Conclusion

RDP session hijacking really is a thing. It can do massive damage, it only requires local administrator rights, and there is no setting that makes it impossible (logging off disconnected sessions after a time limit shrinks the window, but does not close it). It is also hard to monitor. At least with the monitoring part, uberAgent can help.

Creating a Foreground Application Usage Report
https://uberagent.com/blog/creating-foreground-application-usage-report/
Wed, 13 Dec 2017 13:39:34 +0000

Would you like to find out which applications your users spend most of their time with? Which application versions are being run? How long ago applications were last used? You have come to the right place.

Application Inventory, Usage – and the Foreground App

Of the hundreds of applications that may be installed on a machine, only a few dozen are typically running concurrently. Of those applications that are running there is always one that has a special role: it receives the keyboard input. That is the active foreground application. That is the application the user is currently interacting with.

uberAgent determines application inventory and usage on several different levels. It regularly runs an inventory scan, identifying all applications that are installed. uberAgent also monitors all running applications, for which it collects detailed information, e.g., the version number. Last, but not least, uberAgent reports which application currently is the foreground app.

In this post, we are going to make use of the latter two information sets to create a report that lists all running applications along with their versions, when they were last seen and how often each application was the foreground app.

uberAgent’s Pre-Built Dashboards

Before we dive into custom searches let’s take a look at what uberAgent’s dashboards have to offer. The Application Usage dashboard, for example, shows which applications I used most recently:

It seems I am spending a lot of time – more than two thirds – in the browser. When I don’t, I am using an editor, keeping the screen locked, playing video or organizing files, to name the most relevant applications for yours truly.

The above is only a fraction of what is available out of the box, of course. uberAgent’s dashboards let you dive right in to figure out how applications are used over time, which application versions are used by how many people, and much more.

A Custom Application Usage Report

Requirements

This blog post was inspired by a customer who asked how to create an application usage report that also showed for each app whether it was being run in the foreground. We have tweaked those requirements slightly and are going to present a Splunk search that generates a report with the following fields:

  • Application name
  • Application version(s)
  • Application last run date
  • Application in foreground (%)

The Splunk Search

uberAgent collects detailed information on all running applications every 30 seconds in the ProcessDetail sourcetype. The currently active foreground application, however, is determined per user session in the sourcetype SessionDetail.

Translated to the accelerated data model which we typically use for searches due to the vastly superior performance, that corresponds to the datasets Process_ProcessDetail and Session_SessionDetail_Users.

The search we are going to build consists of three parts:

  1. For each running application, get us the name, version(s) and last run time
  2. For each of the resulting applications, determine how often they were in the foreground
  3. Format the output nicely

Without further ado, here is the search:

| pivot uberAgent Process_ProcessDetail
   latest(_time) as LastRun
   values(AppVersion) as AppVersions
   splitrow
      AppName
| eval LastRun=strftime (strptime (LastRun, "%Y-%m-%dT%H:%M:%S.%Q%z"), "%Y-%m-%d %H:%M:%S")
| join type=outer AppName
[
   | pivot uberAgent Session_SessionDetail_Users
      count(SessionFgAppName) as CountSessionFgAppName
      splitrow
         SessionFgAppName
   | eventstats sum(CountSessionFgAppName) as EventCount
   | eval "Application in foreground (%)"= round(CountSessionFgAppName / EventCount * 100, 1)
   | rename SessionFgAppName as AppName
   | fields AppName "Application in foreground (%)"
]
| eval sortfield = lower('AppName')
| sort limit=0 sortfield
| rename
   AppName as "Application name"
   AppVersions as "Application version(s)"
   LastRun as "Application last run date"
| table
  "Application name"
  "Application version(s)"
  "Application last run date"
  "Application in foreground (%)"

The Output

The resulting table can easily be exported in various formats or scheduled for regular automated report generation.
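The three parts of the search above, aggregation per running application, foreground share per application, and the outer join of the two, map directly onto a few lines of Python. The following is an added example, not uberAgent’s code and not part of the original post; its ProcessDetail- and SessionDetail-style records are constructed (application names, versions and timestamps are made up) and use the page’s field names AppName, AppVersion and SessionFgAppName. It makes one behaviour of the Splunk search explicit: an application that ran but was never the foreground app gets an empty percentage rather than 0, and a foreground app that no longer appears in ProcessDetail is dropped by the outer join.

```python
from collections import defaultdict

# Constructed ProcessDetail-style records: one per running app per 30-second sample.
PROCESS_DETAIL = [
    {"_time": "2017-12-13T09:00:00", "AppName": "Google Chrome", "AppVersion": "63.0.3239.84"},
    {"_time": "2017-12-13T09:00:30", "AppName": "Google Chrome", "AppVersion": "62.0.3202.94"},
    {"_time": "2017-12-13T09:00:30", "AppName": "Notepad++", "AppVersion": "7.5.1"},
    {"_time": "2017-12-13T09:01:00", "AppName": "Outlook", "AppVersion": "16.0.8730"},
    {"_time": "2017-12-13T09:01:00", "AppName": "Google Chrome", "AppVersion": "63.0.3239.84"},
]

# Constructed SessionDetail-style records: the foreground app per session sample.
SESSION_DETAIL = [
    {"_time": "2017-12-13T09:00:00", "SessionFgAppName": "Google Chrome"},
    {"_time": "2017-12-13T09:00:30", "SessionFgAppName": "Google Chrome"},
    {"_time": "2017-12-13T09:01:00", "SessionFgAppName": "Notepad++"},
    {"_time": "2017-12-13T09:01:00", "SessionFgAppName": "Google Chrome"},
]


def running_apps(process_detail):
    """Per app: latest sample time and the set of versions seen (first pivot)."""
    apps = {}
    for rec in process_detail:
        entry = apps.setdefault(rec["AppName"], {"LastRun": rec["_time"], "Versions": set()})
        entry["LastRun"] = max(entry["LastRun"], rec["_time"])  # ISO-8601 sorts lexically
        entry["Versions"].add(rec["AppVersion"])
    return apps


def foreground_share(session_detail):
    """Percentage of session samples in which each app was the foreground app (subsearch)."""
    counts = defaultdict(int)
    for rec in session_detail:
        counts[rec["SessionFgAppName"]] += 1
    total = sum(counts.values())
    return {app: round(n / total * 100, 1) for app, n in counts.items()} if total else {}


def usage_report(process_detail, session_detail):
    """Left outer join on app name: every running app is listed, foreground share may be None."""
    fg = foreground_share(session_detail)
    rows = []
    for app, info in sorted(running_apps(process_detail).items(), key=lambda kv: kv[0].lower()):
        rows.append({
            "Application name": app,
            "Application version(s)": sorted(info["Versions"]),
            "Application last run date": info["LastRun"],
            "Application in foreground (%)": fg.get(app),  # None: ran, but never in front
        })
    return rows


if __name__ == "__main__":
    for row in usage_report(PROCESS_DETAIL, SESSION_DETAIL):
        print(row)
```

When the report is run over a large estate in Splunk itself, keep in mind that join feeds the subsearch result into the outer search and is subject to the subsearch result limit (subsearch_maxout in limits.conf); with thousands of distinct foreground application names the percentages for the apps past that limit would silently be missing.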

Getting Started with uberAgent & Splunk
https://uberagent.com/blog/getting-started-uberagent-splunk/
Wed, 06 Dec 2017 15:26:56 +0000

A new hire’s journey into the world of user experience monitoring.

Hi, my name is Dominik Britz. I’m from Cologne, Germany and the latest team member of vast limits, the uberAgent company. I’d like to introduce myself, tell you why I’m here and what I’m going to do.


I started my career as a consultant in the end user computing space, building Citrix, Microsoft and VMware implementations from small to big. My focus was the automation of these deployments with PowerShell (you should always automate your environments, of course! Only automation guarantees quality and reproducibility). I also worked as a Citrix administrator for some time.

A few weeks ago I started as a customer success engineer at vast limits. I’ll do support, partner onboarding, webinars and pretty much anything that will make our customers’ and partners’ implementations successful.

This Is Why I Am at vast limits

Two things have to fit for me when I start a new career path: the people and the technology. As I know most of my new colleagues from my former consultant life, they aren’t “new” colleagues per se. They are all awesome and brilliant people, and I’m thrilled to work with them again.

On to the second point: technology. uberAgent is such a great product! It collects all the relevant metrics from your endpoints without drowning you in numbers. And that’s not just what marketing is saying; it is what our customers are telling me and what I hear from our partners as I get in touch with them in my first days at vast limits.

Learning Splunk as an EUC Guy

We use Splunk to visualize the data collected by uberAgent (we have experimental support for Elasticsearch and Microsoft OMS Log Analytics, too). As an end user computing guy, I had not worked with Splunk before. It is better known in the security space, e.g., to collect firewall logs. However, it can do so much more, and one learns it fast. My PowerShell obsession helped me a lot because the principle of piping was known to me.

Here is an example of how piping works. You want to know the top five hosts where Mozilla Firefox is crashing.

Top five hosts where firefox.exe is crashing

You start a search in the data collected by uberAgent (index=uberAgent), but you only want application error information (sourcetype=uberAgent:Application:Errors). In addition, you only want data for Mozilla Firefox (ProcName=firefox.exe).

In the next step, you pipe the resulting data from the previous commands to the Splunk top command, which displays the most common values of a field. You limit the output to five results (limit=5) and group it by the host field. The timeframe for the search is configurable with the time picker next to the search field.
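The search behind the screenshot, written out as an added example (it is not the original image and assumes the screenshot used exactly the index, sourcetype and field values named above):

```spl
index=uberAgent sourcetype=uberAgent:Application:Errors ProcName=firefox.exe
| top limit=5 host
```

`top` returns the five most frequent host values together with a count and a percent column; the time range still comes from the time picker.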

Easy, isn’t it?

That was my two cents about my first weeks at vast limits. I’m happy to get in touch with you to talk about user experience monitoring with uberAgent and to discuss how to make our product even better.

Listing Users who are Launching Applications Often https://uberagent.com/blog/listing-users-launching-applications-often/ Wed, 25 Oct 2017 12:54:15 +0000 https://uberagent.com/?p=3216 One of our customers wanted to identify users who launch a specific executable more often than n times in a given time range. That is easy to accomplish, given that uberAgent monitors process starts. This article describes multiple ways to query for that information. The following walkthroughs illustrate how to identify processes by executable or...

The post Listing Users who are Launching Applications Often appeared first on uberAgent.

One of our customers wanted to identify users who launch a specific executable more often than n times in a given time range. That is easy to accomplish, given that uberAgent monitors process starts. This article describes multiple ways to query for that information.

The following walkthroughs illustrate how to identify processes by executable or by application name, counting process/application launches per user for any time range. We will start with a “traditional” Splunk SPL search, followed by a second implementation that makes use of the uberAgent data model.

Splunk SPL Search

Let’s build the Splunk SPL search step by step.

Step 1

We start with all events from uberAgent’s index.

Note: to facilitate changing the index name used by uberAgent, all our dashboards make use of the uberAgent_index macro which contains the actual index name. The macro is defined in macros.conf of the uberAgent searchhead app.

index=`uberAgent_index`

Step 2

We filter for the process startup sourcetype which contains one event per started process.

Note: The documentation of uberAgent’s sourcetypes and fields can be found here.

index=`uberAgent_index` sourcetype=uberAgent:Process:ProcessStartup

Step 3

We ignore processes started by SYSTEM, LOCAL SERVICE and NETWORK SERVICE.

Note: The pseudo-users sys, lvc and nvc are defined in the lookup table systemusers.csv of the uberAgent searchhead app. They are auto-expanded to the proper user names SYSTEM, LOCAL SERVICE and NETWORK SERVICE in uberAgent’s data model.

index=`uberAgent_index` sourcetype=uberAgent:Process:ProcessStartup ProcUser!=sys ProcUser!=lvc ProcUser!=nvc

Step 4

We add a filter for the name of the process we are interested in, Winword.exe in this example.

index=`uberAgent_index` sourcetype=uberAgent:Process:ProcessStartup ProcUser!=sys ProcUser!=lvc ProcUser!=nvc ProcName=Winword.exe

Step 5

We count the number of (start) events per user.

Note: The only purpose of adding the field ProcName to the stats command is to make it part of the results table, too.

index=`uberAgent_index` sourcetype=uberAgent:Process:ProcessStartup ProcUser!=sys ProcUser!=lvc ProcUser!=nvc ProcName=Winword.exe | stats count as Starts by ProcName ProcUser

Step 6

We only keep users with more than five starts in the results list.

index=`uberAgent_index` sourcetype=uberAgent:Process:ProcessStartup ProcUser!=sys ProcUser!=lvc ProcUser!=nvc ProcName=Winword.exe | stats count as Starts by ProcName ProcUser | where Starts > 5

Step 7

We rename fields to make them look nicer.

index=`uberAgent_index` sourcetype=uberAgent:Process:ProcessStartup ProcUser!=sys ProcUser!=lvc ProcUser!=nvc ProcName=Winword.exe | stats count as Starts by ProcName ProcUser | where Starts > 5 | rename ProcUser as User ProcName as Process

Step 8

We sort the results so that the user with the highest number of starts is listed first. The 0 in the sort command ensures that the output is not truncated after the 10,000th result.

index=`uberAgent_index` sourcetype=uberAgent:Process:ProcessStartup ProcUser!=sys ProcUser!=lvc ProcUser!=nvc ProcName=Winword.exe | stats count as Starts by ProcName ProcUser | where Starts > 5 | rename ProcUser as User ProcName as Process | sort 0 -Starts

The Result

This is what the final Splunk SPL search for users with more than five starts of Winword.exe looks like. The screenshot below shows the search being run over the past 30 days. In practice, you would adjust the time range to any relevant time interval.

Accelerated Data Model Search

uberAgent comes with an accelerated data model. Searching an accelerated data model is a lot faster than searching the underlying index (by “a lot” we mean at least 50x), but requires a different search syntax based on the pivot or tstats commands. We are using pivot because of the easier syntax compared to tstats.

In this second example, we demonstrate how to search for starts of a “modern” UWP app, specifically the weather app that is part of Windows. Most UWP apps cannot be identified by process name – which is simply backgroundTaskHost.exe. Luckily uberAgent determines the real app name automatically.

Step 1

We start with a count of all process starts.

Note: The documentation for the Splunk pivot command can be found here.

| pivot uberAgent Process_ProcessStartup count(Process_ProcessStartup) as Starts

Step 2

We filter for the weather app.

Note: An easy way to identify the name of the weather app is to dig around with a search like the following: index=`uberAgent_index` sourcetype=uberAgent:Process:ProcessStartup AppName=*Weather*

| pivot uberAgent Process_ProcessStartup count(Process_ProcessStartup) as Starts filter AppName is "Microsoft.BingWeather"

Step 3

We split by user so that we get a count of process starts per user (renaming the ProcUser field to User in the process).

| pivot uberAgent Process_ProcessStartup count(Process_ProcessStartup) as Starts filter AppName is "Microsoft.BingWeather" splitrow ProcUser as User

Step 4

We only keep users with more than five starts in the results list. We also sort the results so that the user with the highest number of starts is listed first. The 0 in the sort command ensures that the output is not truncated after the 10,000th result.

| pivot uberAgent Process_ProcessStartup count(Process_ProcessStartup) as Starts filter AppName is "Microsoft.BingWeather" splitrow ProcUser as User | where Starts > 5 | sort 0 -Starts

Step 5

We add the application name as a column to the results table.

| pivot uberAgent Process_ProcessStartup count(Process_ProcessStartup) as Starts latest(AppName) as Application filter AppName is "Microsoft.BingWeather" splitrow ProcUser as User | where Starts > 5 | sort 0 -Starts | table Application User Starts

The Result

The resulting output is very similar to the first example above: a table with the application, the users and the number of starts that can easily be exported to CSV or otherwise be processed further.

uberAgent 4.2: Splunk 7.0, Simplified Operations, Elasticsearch Improvements https://uberagent.com/blog/uberagent-4-2-splunk-7-0-simplified-operations-elasticsearch-improvements/ Mon, 16 Oct 2017 20:19:31 +0000 https://uberagent.com/?p=3190 We are happy to announce the newest version of our user experience and application performance monitoring product. uberAgent 4.2 brings new features and improvements for any kind of device. For a full list of all improvements and bugfixes please consult the change log. As always, upgrading is highly recommended (instructions). Splunk 7.0 uberAgent 4.2 adds...

The post uberAgent 4.2: Splunk 7.0, Simplified Operations, Elasticsearch Improvements appeared first on uberAgent.

We are happy to announce the newest version of our user experience and application performance monitoring product. uberAgent 4.2 brings new features and improvements for any kind of device.

For a full list of all improvements and bugfixes please consult the change log. As always, upgrading is highly recommended (instructions).

Splunk 7.0

uberAgent 4.2 adds full support for the latest version 7.0 of Splunk Enterprise and Splunk Cloud.

Central License File Management

Before uberAgent 4.2, license files had to be distributed along with the agent installation package. That was easy in environments with a single master image file, like Citrix PVS. Customers with tens of thousands of laptops, however, found it a lot harder to roll out new licenses to their endpoints.

uberAgent 4.2 greatly simplifies license file management. All you have to do is set up a file share with read permissions for computer accounts, drop your uberAgent license there and configure the share path in uberAgent’s new configuration option LicenseFilePath. Endpoints will periodically check LicenseFilePath for new licenses. If any are found that are not yet cached locally, the new license files are copied to the local license cache directory.

There is no need for the configured license file path to be available all of the time. Endpoints always use the local license cache for license validation. Of course, there is no requirement to set up a central license file path, either. If deploying the license file along with the agent installation package works for you: great, you are all set.

Elasticsearch Improvements

uberAgent 4.2 comes with important improvements for our Elasticsearch customers.

Security

uberAgent now supports X-Pack authentication. This ensures that only validated endpoints can send data to the backend.

Ingest Pipelines

The ability to modify and enrich data before the indexing stage adds a great deal of flexibility to the Elasticsearch platform. Customers can now reference their ingest pipelines from uberAgent so that uberAgent data traverses the pipeline before being indexed.

More Improvements

Custom Scripts

uberAgent’s custom script execution engine, capable of running user-supplied scripts in machine or user context, now supports Elasticsearch as well as Splunk HTTP Event Collector (HEC) backends.

Monitor Inventory

uberAgent’s hardware inventory now collects information about the physical monitors attached to the machine along with their respective resolutions.

About uberAgent

uberAgent is a Windows user experience analytics and application performance monitoring product. Its highlights include detailed information about boot and logon duration (showing why and when boots/logons are slow), application unresponsiveness detection, network reliability drilldowns, process startup duration, application usage metering, browser performance per website and remoting protocol insights.

About vast limits

vast limits GmbH is the company behind uberAgent, the innovative user experience and application performance monitoring product. Our customer list includes organizations from industries like finance, healthcare, professional services and education, ranging from medium-sized businesses to global enterprises. vast limits’ network of qualified solution partners ensures best-in-class service and support anywhere in the world.

Our founder, Helge Klein, is an experienced consultant and developer who architected the user profile management product whose successor is now available as Citrix Profile Management. In 2009 Helge received the Citrix Technology Professional (CTP) award, in 2011 he was nominated a Microsoft Most Valuable Professional (MVP), in 2014 he was a Splunk Revolution Award Winner, in 2015 he became a VMware vExpert. Helge frequently presents at conferences and user group events like Citrix Synergy, Splunk .conf, BriForum or E2EVC.
