uberAgent for Splunk – Installation and Configuration

With this second blog post regarding Splunk and Helge's uberAgent, I want to share my experiences during installation and configuration.
I will start with an overview of the uberAgent installation, then switch to some configuration settings and give you a quick overview of how it is licensed and which operating systems are supported. At the end I will describe how you can clean up your Splunk server to start with a fresh data collection.

Automated Installation of uberAgent
The installation is simple and quickly done. As I am a fan of automation and PowerShell, you can download a PowerShell App Deployment Toolkit package for uberAgent here.

Manual installation
If you still want to do it manually, here's how it goes.

Start “uberAgent-32.msi” or “uberAgent-64.msi” from the Files\bin folder or use one of the prepared batch files.

Let's use “uberAgent-64.msi” for this example.

The first screen comes up. NEXT.

We accept the License Agreement. NEXT.

Now we can change the installation directory. I will leave it as it is. NEXT.

At this point we need to enter the Splunk indexers or forwarders together with the desired port. I entered my Splunk server with the default port. NEXT.

That is all. INSTALL.

The installation is done and we complete the process with FINISH.

We now have a new service running on the machine.

The details show which executable is run.

When we open the path of the executable shown above, we see a total of three files in the installation directory. If you don't enter a valid license key after the installation, a fourth file (HKSplash.exe) can be found in that directory. This is the splash screen that comes up every time you log on to a machine running uberAgent.

If we now switch to the registry, we can see a handful of keys, such as the specified install location and the Splunk indexers or forwarders with the desired port.

One key further down we see information about uberAgent's last timestamps.

Data Collection
uberAgent immediately starts gathering the following data:

  • Logon duration
  • Computer startup duration
  • Machine performance
  • Session performance
  • Process Performance
  • Application performance
  • Application usage
  • Application versions
  • Process startup duration
  • GPU usage
  • Browser performance per website
  • And many more

A full list of the collected metrics can be found here: https://helgeklein.com/uberagent-for-splunk/list-metrics/

Supported Systems
uberAgent works on Windows Vista, Windows Server 2008 and above.

Licensing
The agent comes with two licensing modes:

  • Client licenses
  • Server licenses

Both types are available as perpetual, term and service provider licenses. The server license explicitly covers Remote Desktop Services servers and similar systems, too (e.g. Citrix XenApp, Microsoft RDS).
You also need a Splunk license if you choose to collect more than 500 MB of data per day. Everything below that is covered by a free license. For small POCs and performance tests on RDS systems this should be sufficient.

DebugMode
DebugMode is enabled by default on the endpoints. Two logfiles are created in C:\Windows\temp:

  • uberAgent.log
  • uAInSessionHelper.log

If you want to disable it, you need to change the entry in the config file “uberAgent.conf” in the installation directory. A restart of the uberAgent service applies the change.

[Miscellaneous]
DebugMode = true

Changing the Splunk Server Address after installation
If you want to change the Splunk server address after the initial installation, be sure to change the Computername value in the registry AND in the config file. When you are done, restart the uberAgent service for the changes to take effect.
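Both of the edits above touch a "Key = Value" line inside a stanza of uberAgent.conf. As an added example (not from the original post and not part of uberAgent itself), here is a PowerShell function that does that edit stanza-aware, so switching DebugMode off can be scripted; the demo works on a constructed copy of the file, and the install path and service name "uberAgent" in the trailing comment are assumptions to verify against your own installation.

```powershell
# Added example, not from the original post or from the uberAgent product.
# Sets "Key = Value" inside a named [Stanza] of an INI-style file such as
# uberAgent.conf, leaving every other stanza and line untouched.
function Set-ConfStanzaValue {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Stanza,   # e.g. 'Miscellaneous'
        [Parameter(Mandatory)] [string] $Key,      # e.g. 'DebugMode'
        [Parameter(Mandatory)] [string] $Value     # e.g. 'false'
    )
    $lines   = @(Get-Content -LiteralPath $Path)
    $out     = New-Object System.Collections.Generic.List[string]
    $current = ''
    $done    = $false
    foreach ($line in $lines) {
        if ($line -match '^\s*\[(?<name>[^\]]+)\]\s*$') {
            # Leaving the target stanza without having seen the key: append it there.
            if ($current -eq $Stanza -and -not $done) { $out.Add("$Key = $Value"); $done = $true }
            $current = $Matches['name']
        }
        elseif ($current -eq $Stanza -and -not $done -and
                $line -match "^\s*$([regex]::Escape($Key))\s*=") {
            $line = "$Key = $Value"; $done = $true      # replace the existing value
        }
        $out.Add($line)
    }
    if (-not $done) {
        # Target stanza was the last one in the file, or is missing entirely.
        if ($current -ne $Stanza) { $out.Add("[$Stanza]") }
        $out.Add("$Key = $Value")
    }
    Set-Content -LiteralPath $Path -Value $out
}

# Demonstration on a constructed sample file so the live agent is not touched.
$demo = Join-Path $env:TEMP 'uberAgent.conf.demo'
@('[Miscellaneous]', 'DebugMode = true', '', '[SampleStanza]', 'Comment = constructed sample') |
    Set-Content -LiteralPath $demo
Set-ConfStanzaValue -Path $demo -Stanza Miscellaneous -Key DebugMode -Value false
Get-Content -LiteralPath $demo   # [Miscellaneous] now carries "DebugMode = false"

# On a real endpoint (path and service name are assumptions, check your install):
# Set-ConfStanzaValue -Path 'C:\Program Files\uberAgent\uberAgent.conf' -Stanza Miscellaneous -Key DebugMode -Value false
# Restart-Service -Name uberAgent
```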

Cleaning Splunk Eventdata
Sometimes it might be useful to clean up the Splunk server data in order to start with a fresh index. You can do that by using the CLI on the Splunk server. Here's how to do it:

First we need to stop Splunk…

Splunk stop

Then we clean up the index data…

Splunk clean eventdata

And when the command is done we start Splunk…

Splunk start

In PowerShell this looks something like this:

PS C:\Program Files\Splunk\bin> .\splunk.exe stop
Splunkd: Stopped
PS C:\Program Files\Splunk\bin> .\splunk.exe clean eventdata
This action will permanently erase all events from ALL indexes; it cannot be undone.
Are you sure you want to continue [y/n]? y
Cleaning database _audit.
Cleaning database _blocksignature.
Cleaning database _internal.
Cleaning database _introspection.
Cleaning database _thefishbucket.
Cleaning database history.
Cleaning database main.
Cleaning database msad.
Cleaning database perfmon.
Cleaning database summary.
Cleaning database uberagent.
Cleaning database windows.
Cleaning database wineventlog.
Cleaning database winevents.
Cleaning database xd.
Cleaning database xd_alerts.
Cleaning database xd_perfmon.
Cleaning database xd_winevents.
Disabled database 'splunklogger': will not clean.
PS C:\Program Files\Splunk\bin> .\splunk.exe start

Splunk> The IT Search Engine.

Checking prerequisites...
        Checking http port [8000]: open
        Checking mgmt port [8089]: open
        Checking appserver port [127.0.0.1:8065]: open
        Checking kvstore port [8191]: open
        Checking configuration...  Done.
        Checking critical directories...        Done
        Checking indexes...
                Validated: _audit _blocksignature _internal _introspection _thefishbucket history main msad perfmon summary uberagent windows wineventlog winevents xd xd_alerts xd_perfmon xd_winevents
        Done
        Checking filesystem compatibility...  Done
        Checking conf files for problems...
                Value in stanza [eventtype=uberAgent:Logon:SessionLogonTime] in C:\Program Files\Splunk\etc\apps\uberAgent\default\tags.conf, line 1 not URI encoded: eventtype = uberAgent:Logon:SessionLogonTime
                Value in stanza [eventtype=uberAgent:Logon:ProfileLoadTimeMs] in C:\Program Files\Splunk\etc\apps\uberAgent\default\tags.conf, line 5 not URI encoded: eventtype = uberAgent:Logon:ProfileLoadTimeMs
                Value in stanza [eventtype=uberAgent:Logon:GroupPolicyProcessingTimes] in C:\Program Files\Splunk\etc\apps\uberAgent\default\tags.conf, line 9 not URI encoded: eventtype = uberAgent:Logon:GroupPolicyProcessingTimes
                Value in stanza [eventtype=uberAgent:Logon:GroupPolicyCSEDetail] in C:\Program Files\Splunk\etc\apps\uberAgent\default\tags.conf, line 13 not URI encoded: eventtype = uberAgent:Logon:GroupPolicyCSEDetail
                Value in stanza [eventtype=uberAgent:Logon:GroupPolicyLogonScriptTimeMs] in C:\Program Files\Splunk\etc\apps\uberAgent\default\tags.conf, line 17 not URI encoded: eventtype = uberAgent:Logon:GroupPolicyLogonScriptTimeMs
                Value in stanza [eventtype=uberAgent:Logon:ADLogonScriptTimeMs] in C:\Program Files\Splunk\etc\apps\uberAgent\default\tags.conf, line 21 not URI encoded: eventtype = uberAgent:Logon:ADLogonScriptTimeMs
                Value in stanza [eventtype=uberAgent:Logon:ShellStartupTimeMs] in C:\Program Files\Splunk\etc\apps\uberAgent\default\tags.conf, line 25 not URI encoded: eventtype = uberAgent:Logon:ShellStartupTimeMs
                Value in stanza [eventtype=uberAgent:Logon:TotalLogonTimeMs] in C:\Program Files\Splunk\etc\apps\uberAgent\default\tags.conf, line 29 not URI encoded: eventtype = uberAgent:Logon:TotalLogonTimeMs
                Value in stanza [eventtype=uberAgent:Logon:SessionEnd] in C:\Program Files\Splunk\etc\apps\uberAgent\default\tags.conf, line 33 not URI encoded: eventtype = uberAgent:Logon:SessionEnd
                Value in stanza [eventtype=uberAgent:Application:BrowserPerformanceIE] in C:\Program Files\Splunk\etc\apps\uberAgent\default\tags.conf, line 37 not URI encoded: eventtype = uberAgent:Application:BrowserPerformanceIE
                Value in stanza [eventtype=uberAgent:Application:BrowserPerformanceChrome] in C:\Program Files\Splunk\etc\apps\uberAgent\default\tags.conf, line 43 not URI encoded: eventtype = uberAgent:Application:BrowserPerformanceChrome
                Value in stanza [eventtype=uberAgent:Application:OutlookPluginLoad] in C:\Program Files\Splunk\etc\apps\uberAgent\default\tags.conf, line 49 not URI encoded: eventtype = uberAgent:Application:OutlookPluginLoad
                Value in stanza [eventtype=uberAgent:System:SystemPerformanceSummary] in C:\Program Files\Splunk\etc\apps\uberAgent\default\tags.conf, line 55 not URI encoded: eventtype = uberAgent:System:SystemPerformanceSummary
                Value in stanza [eventtype=uberAgent:System:GpuUsage] in C:\Program Files\Splunk\etc\apps\uberAgent\default\tags.conf, line 67 not URI encoded: eventtype = uberAgent:System:GpuUsage
                Value in stanza [eventtype=uberAgent:System:MachineInventory] in C:\Program Files\Splunk\etc\apps\uberAgent\default\tags.conf, line 71 not URI encoded: eventtype = uberAgent:System:MachineInventory
                Value in stanza [eventtype=uberAgent:Process:NetworkTargetPerformance] in C:\Program Files\Splunk\etc\apps\uberAgent\default\tags.conf, line 77 not URI encoded: eventtype = uberAgent:Process:NetworkTargetPerformance
                Value in stanza [eventtype=uberAgent:Session:SessionDetail] in C:\Program Files\Splunk\etc\apps\uberAgent\default\tags.conf, line 83 not URI encoded: eventtype = uberAgent:Session:SessionDetail
                Value in stanza [eventtype=uberAgent:Application:ApplicationDetail] in C:\Program Files\Splunk\etc\apps\uberAgent\default\tags.conf, line 93 not URI encoded: eventtype = uberAgent:Application:ApplicationDetail
                Value in stanza [eventtype=uberAgent:Application:ApplicationInventory] in C:\Program Files\Splunk\etc\apps\uberAgent\default\tags.conf, line 105 not URI encoded: eventtype = uberAgent:Application:ApplicationInventory
                Value in stanza [eventtype=uberAgent:Process:ProcessDetail] in C:\Program Files\Splunk\etc\apps\uberAgent\default\tags.conf, line 109 not URI encoded: eventtype = uberAgent:Process:ProcessDetail
                Value in stanza [eventtype=uberAgent:Process:ProcessStartup] in C:\Program Files\Splunk\etc\apps\uberAgent\default\tags.conf, line 123 not URI encoded: eventtype = uberAgent:Process:ProcessStartup
                Value in stanza [eventtype=uberAgent:Application:SoftwareUpdateInventory] in C:\Program Files\Splunk\etc\apps\uberAgent\default\tags.conf, line 131 not URI encoded: eventtype = uberAgent:Application:SoftwareUpdateInventory
                Value in stanza [eventtype=uberAgent:OnOffTransition:BootDetail] in C:\Program Files\Splunk\etc\apps\uberAgent\default\tags.conf, line 135 not URI encoded: eventtype = uberAgent:OnOffTransition:BootDetail
                Value in stanza [eventtype=uberAgent:OnOffTransition:BootIODetail] in C:\Program Files\Splunk\etc\apps\uberAgent\default\tags.conf, line 139 not URI encoded: eventtype = uberAgent:OnOffTransition:BootIODetail
                Value in stanza [eventtype=uberAgent:OnOffTransition:BootProcessDetail] in C:\Program Files\Splunk\etc\apps\uberAgent\default\tags.conf, line 143 not URI encoded: eventtype = uberAgent:OnOffTransition:BootProcessDetail
                Value in stanza [eventtype=uberAgent:OnOffTransition:ShutdownDetail] in C:\Program Files\Splunk\etc\apps\uberAgent\default\tags.conf, line 147 not URI encoded: eventtype = uberAgent:OnOffTransition:ShutdownDetail
                Value in stanza [eventtype=uberAgent:OnOffTransition:StandbyDetail] in C:\Program Files\Splunk\etc\apps\uberAgent\default\tags.conf, line 151 not URI encoded: eventtype = uberAgent:OnOffTransition:StandbyDetail
                Value in stanza [eventtype=uberAgent:OnOffTransition:SlowAppStartup] in C:\Program Files\Splunk\etc\apps\uberAgent\default\tags.conf, line 155 not URI encoded: eventtype = uberAgent:OnOffTransition:SlowAppStartup
                Value in stanza [eventtype=uberAgent:OnOffTransition:SlowAppShutdown] in C:\Program Files\Splunk\etc\apps\uberAgent\default\tags.conf, line 159 not URI encoded: eventtype = uberAgent:OnOffTransition:SlowAppShutdown
                Value in stanza [eventtype=uberAgent:OnOffTransition:SlowAppStandby] in C:\Program Files\Splunk\etc\apps\uberAgent\default\tags.conf, line 163 not URI encoded: eventtype = uberAgent:OnOffTransition:SlowAppStandby
                Value in stanza [eventtype=uberAgent:OnOffTransition:SlowServiceStartup] in C:\Program Files\Splunk\etc\apps\uberAgent\default\tags.conf, line 167 not URI encoded: eventtype = uberAgent:OnOffTransition:SlowServiceStartup
                Value in stanza [eventtype=uberAgent:OnOffTransition:SlowServiceShutdown] in C:\Program Files\Splunk\etc\apps\uberAgent\default\tags.conf, line 171 not URI encoded: eventtype = uberAgent:OnOffTransition:SlowServiceShutdown
                Value in stanza [eventtype=uberAgent:OnOffTransition:SlowServiceHybridStandby] in C:\Program Files\Splunk\etc\apps\uberAgent\default\tags.conf, line 175 not URI encoded: eventtype = uberAgent:OnOffTransition:SlowServiceHybridStandby
                Value in stanza [eventtype=uberAgent:OnOffTransition:SlowDriverStartup] in C:\Program Files\Splunk\etc\apps\uberAgent\default\tags.conf, line 179 not URI encoded: eventtype = uberAgent:OnOffTransition:SlowDriverStartup
                Value in stanza [eventtype=uberAgent:OnOffTransition:SlowDriverShutdown] in C:\Program Files\Splunk\etc\apps\uberAgent\default\tags.conf, line 183 not URI encoded: eventtype = uberAgent:OnOffTransition:SlowDriverShutdown
                Value in stanza [eventtype=uberAgent:OnOffTransition:SlowDriverStandby] in C:\Program Files\Splunk\etc\apps\uberAgent\default\tags.conf, line 187 not URI encoded: eventtype = uberAgent:OnOffTransition:SlowDriverStandby
                Value in stanza [eventtype=uberAgent:OnOffTransition:SlowDriverResume] in C:\Program Files\Splunk\etc\apps\uberAgent\default\tags.conf, line 191 not URI encoded: eventtype = uberAgent:OnOffTransition:SlowDriverResume
                Value in stanza [eventtype=uberAgent:OnOffTransition:SlowUserPolicy] in C:\Program Files\Splunk\etc\apps\uberAgent\default\tags.conf, line 195 not URI encoded: eventtype = uberAgent:OnOffTransition:SlowUserPolicy
                Value in stanza [eventtype=uberAgent:OnOffTransition:SlowSMSSInit] in C:\Program Files\Splunk\etc\apps\uberAgent\default\tags.conf, line 199 not URI encoded: eventtype = uberAgent:OnOffTransition:SlowSMSSInit
                Value in stanza [eventtype=uberAgent:System:PerformanceCounter] in C:\Program Files\Splunk\etc\apps\uberAgent\default\tags.conf, line 203 not URI encoded: eventtype = uberAgent:System:PerformanceCounter
                Your indexes and inputs configurations are not internally consistent. For more information, run 'splunk btool check --debug'
        Done
All preliminary checks passed.

Starting splunk server daemon (splunkd)...

Splunkd: Starting (pid 3680)
Done


Waiting for web server at https://127.0.0.1:8000 to be available..... Done


If you get stuck, we're here to help.
Look for answers here: http://docs.splunk.com

The Splunk web interface is at https://SERVERNAME:8000

I hope this is a good start for you to understand where uberAgent is installed and how you can change basic settings.

The next blog post will deal with the customization of data collection and, in more detail, how to minimize the amount of data sent to the Splunk server.

All information as always without warranty for any failures in your environment.

Cheers,
Sinisa