With this second blog post regarding Splunk and Helge's uberAgent I want to share my experiences during installation and configuration.
I will start with an overview of the uberAgent installation, then switch to some configuration settings and give you a quick overview of how it can be licensed and which operating systems are supported. At the end I will describe how you can clean up your Splunk server to start with a fresh data collection.
Automated Installation of uberAgent
The installation is simple and quickly done. As I am a friend of automation and PowerShell, you can download a PowerShell App Deployment Toolkit package of uberAgent here.
If you still want to do it manually, here's how it goes…
Start “uberAgent-32.msi” or “uberAgent-64.msi” from the Files\bin folder, or use one of the prepared batch files.
Let's use “uberAgent-64.msi” for this example.
The first screen comes up. NEXT.
We accept the License Agreement. NEXT.
Now we can change the installation directory. I will leave it as it is. NEXT.
At this point we need to insert the Splunk Indexers or forwarders with the desired port. I inserted my Splunk server with the default port. NEXT.
That is all. INSTALL.
The installation is done and we complete the process with FINISH.
We now have a new service running on the machine.
The details show which executable is run.
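The wizard walk-through above can be scripted for unattended rollouts. The following PowerShell script is an added example, not code from the original post or from uberAgent itself: it picks the 32- or 64-bit MSI from Files\bin to match the operating system, runs msiexec silently with a verbose log, checks the exit code and then confirms the new service is running. The service name 'uberAgent' is an assumption, and the MSI property names that carry the Splunk indexer/forwarder and port are not given in the post, so the caller passes them in $MsiProperties after looking them up in the vendor documentation.

```powershell
# Added example (not code from the original post or from uberAgent itself):
# unattended installation of uberAgent via msiexec.
# Assumptions: the MSI files sit in .\Files\bin as the post describes; the
# service name 'uberAgent' is assumed; the MSI property names for the Splunk
# receiver and port are not given in the post, so they come from $MsiProperties.

param(
    [string]$BinDir = (Join-Path $PSScriptRoot 'Files\bin'),
    [hashtable]$MsiProperties = @{},      # e.g. @{ PROPERTY_FROM_DOCS = 'splunk01:9997' }
    [string]$ServiceName = 'uberAgent'    # assumption, verify with Get-Service
)

function Get-UberAgentMsiPath {
    # Pick the 32- or 64-bit package to match the operating system
    param([string]$Dir)
    $msiName = if ([Environment]::Is64BitOperatingSystem) { 'uberAgent-64.msi' } else { 'uberAgent-32.msi' }
    $msiPath = Join-Path $Dir $msiName
    if (-not (Test-Path -Path $msiPath)) { throw "MSI not found: $msiPath" }
    return $msiPath
}

function Install-UberAgent {
    # Silent install with a verbose msiexec log so a failed run can be diagnosed
    param([string]$MsiPath, [hashtable]$Properties)
    $logPath = Join-Path $env:TEMP ('uberAgent-install-{0:yyyyMMdd-HHmmss}.log' -f (Get-Date))
    $msiArgs = @('/i', "`"$MsiPath`"", '/qn', '/norestart', '/l*v', "`"$logPath`"")
    foreach ($entry in $Properties.GetEnumerator()) {
        $msiArgs += ('{0}="{1}"' -f $entry.Key, $entry.Value)   # PROPERTY="value"
    }
    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru -NoNewWindow
    # 0 = success, 3010 = success but a reboot is pending
    if ($proc.ExitCode -ne 0 -and $proc.ExitCode -ne 3010) {
        throw "msiexec failed with exit code $($proc.ExitCode); see $logPath"
    }
    return $logPath
}

function Test-UberAgentService {
    # The post notes that a new service exists after setup; make sure it is running
    param([string]$Name)
    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $svc) { return $false }
    if ($svc.Status -ne 'Running') { Start-Service -Name $Name }
    return ((Get-Service -Name $Name).Status -eq 'Running')
}

$msi = Get-UberAgentMsiPath -Dir $BinDir
$log = Install-UberAgent -MsiPath $msi -Properties $MsiProperties
Write-Host "Installed $msi; msiexec log: $log"
if (Test-UberAgentService -Name $ServiceName) {
    Write-Host "Service '$ServiceName' is running."
} else {
    Write-Warning "Service '$ServiceName' not found or not running; check $log"
}
```

Run it from an elevated PowerShell prompt in the folder that contains Files\bin. The msiexec log path is returned so that a non-zero exit code can be traced, and the 3010 exit code is accepted because it only signals a pending reboot, not a failed install.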
When we look at the path to the executable stated above, we see a total of three files in the installation directory. If you don't enter a valid license key after the installation, a fourth file (HKSplash.exe) can be found in that directory. This is the splash screen that comes up every time you log on to a machine with uberAgent.
If we now switch to the registry we can see a handful of keys, such as the specified install location and the Splunk indexers or forwarders with the desired port.
One key further down we see information about uberAgent's last timestamps.
uberAgent immediately starts to gather the following data:
- Logon duration
- Computer startup duration
- Machine performance
- Session performance
- Process performance
- Application performance
- Application usage
- Application versions
- Process startup duration
- GPU usage
- Browser performance per website
- And many more
A full list of the collected metrics can be found here: https://helgeklein.com/uberagent-for-splunk/list-metrics/
uberAgent works on Windows Vista, Windows Server 2008 and above.
The agent comes with two licensing modes:
- Client licenses
- Server licenses
Both types are available as perpetual, term and service provider licenses. The server license explicitly covers Remote Desktop Services servers and similar systems, too (e.g. Citrix XenApp, Microsoft RDS).
You also need a Splunk license if you choose to collect more than 500 MB of data per day. Everything below that is covered by the free license. For small POCs and performance tests on RDS systems this should be sufficient.
DebugMode is enabled by default on the endpoints. Two log files are created in C:\Windows\temp:
To disable it, change the entry in the config file “uberAgent.conf” in the installation directory. A restart of the uberAgent service applies the change.
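A post-install check that ties the pieces above together (service details, installation directory, the HKSplash.exe licence indicator, the config file and the service restart), as an added example that is not code from the original post or from uberAgent itself. The install directory is derived from the service's executable path, as the post reads it from the service details; the service name 'uberAgent' is an assumption, and the setting name 'DebugMode', its 'false' value and a "key = value" line layout inside uberAgent.conf are placeholders, the real entry name is in the vendor documentation.

```powershell
# Added example (not code from the original post or from uberAgent itself):
# post-install check and switching debug mode off.
# Assumptions: service name 'uberAgent'; the setting name 'DebugMode', the
# value 'false' and the "key = value" layout in uberAgent.conf are placeholders.

param(
    [string]$ServiceName = 'uberAgent',   # assumption
    [string]$DebugKey    = 'DebugMode',   # placeholder setting name
    [string]$DebugOff    = 'false'        # placeholder value
)

function Get-UberAgentInstallDir {
    # Read the executable path from the service definition and take its folder
    param([string]$Name)
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$Name'"
    if ($null -eq $svc) { throw "Service '$Name' not found" }
    # PathName may be quoted and may carry arguments; keep only the executable
    $exe = if ($svc.PathName -match '^"([^"]+)"') { $Matches[1] } else { ($svc.PathName -split ' ')[0] }
    return (Split-Path -Parent $exe)
}

function Test-UberAgentLicensed {
    # The post: HKSplash.exe is only present when no valid license key was entered
    param([string]$Dir)
    return (-not (Test-Path -Path (Join-Path $Dir 'HKSplash.exe')))
}

function Set-ConfValue {
    # Replace the first "Key = ..." line (or append one); returns whether it was found
    param([string]$Path, [string]$Key, [string]$Value)
    $pattern = '^\s*' + [regex]::Escape($Key) + '\s*='
    $out = New-Object System.Collections.Generic.List[string]
    $found = $false
    foreach ($line in (Get-Content -Path $Path)) {
        if (-not $found -and $line -match $pattern) {
            $out.Add("$Key = $Value"); $found = $true
        } else {
            $out.Add($line)
        }
    }
    if (-not $found) { $out.Add("$Key = $Value") }
    Set-Content -Path $Path -Value $out.ToArray()
    return $found
}

$dir = Get-UberAgentInstallDir -Name $ServiceName
Write-Host "Install directory: $dir"
Get-ChildItem -Path $dir -File | Select-Object Name, Length, LastWriteTime | Format-Table -AutoSize
if (-not (Test-UberAgentLicensed -Dir $dir)) {
    Write-Warning 'HKSplash.exe is present: no valid license key has been entered'
}

$conf = Join-Path $dir 'uberAgent.conf'
Copy-Item -Path $conf -Destination "$conf.bak" -Force      # keep a copy before editing
$replaced = Set-ConfValue -Path $conf -Key $DebugKey -Value $DebugOff
Write-Host ("{0} entry {1}" -f $DebugKey, $(if ($replaced) { 'updated' } else { 'appended' }))
Restart-Service -Name $ServiceName                         # the post: a restart applies the change

# Debug log files land in C:\Windows\temp; the '*uberAgent*' name filter is an assumption
Get-ChildItem -Path (Join-Path $env:SystemRoot 'temp') -Filter '*uberAgent*' -ErrorAction SilentlyContinue |
    Select-Object Name, Length, LastWriteTime
```

The config file is copied to a .bak beside it before the edit so the original can be restored, and the service restart at the end is what makes the changed entry take effect, matching the post's description.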