uberAgent.conf
#
# This is the default configuration file for uberAgent
# On Windows, place it in the same directory as uberAgent.exe
#
# On macOS, this file must be located in /Library/Application Support/uberAgent. Make sure to save changes to this file as uberAgent.conf.
# uberAgent-default.conf serves as a fallback, and is overwritten with the most current default configuration during updates.
#
# Documentation: https://uberagent.com/docs/uberagent/latest/installation/configuration-through-config-file/
#
############################################
#
# Products
#
# a) UXM (User Experience Monitoring)
#
# This is the default product. It is always enabled.
#
# b) ESA (Endpoint Security Analytics)
#
# ESA is an optional add-on product that requires UXM to work. Please note that ESA must be licensed independently of UXM.
#
# Configurable settings in this section:
#
# Setting name: EnableESA
# Description: Enables the Endpoint Security Analytics product
# Valid values: true | false
# Default: false
# Required: no
#
############################################
[ProductComponents]
# ESA is an optional add-on that is licensed separately from UXM (see the header above).
# The "ESA metrics" entries in the [OnDemand] and [Timer] sections further down, as well as
# registry and remote thread monitoring, depend on this being true.
EnableESA = true
############################################
#
# General configuration
#
# Configurable settings in this section:
#
# Setting name: DebugMode
# Description: When in debug mode, uberAgent's log file is more verbose, providing more detail on what is going on.
# Valid values: true | false
# Default: false
# Required: no
#
# Setting name: LogFileCount
# Description: Number of log files to keep (current + historical). When exceeded, the oldest log file is deleted.
# Valid values: any positive integer
# Default: 5
# Required: no
#
# Setting name: EncryptUserNames
# Description: If enabled, user and domain names are encrypted in the agent before being sent off to Splunk. This can be useful for compliance with privacy regulations.
# Valid values: true | false
# Default: false
# Required: no
#
# Setting name: LicenseFilePath
# Description: Path to a directory where uberAgent searches for license files. For more details see https://uberagent.com/docs/uberagent/latest/uxm-features-configuration/central-license-file-management/
# Valid values: Any valid path (local or UNC)
# Default: empty
# Required: no
#
# Setting name: RegisterIEAddOn
# Description: Register or deregister uberAgent's Internet Explorer add-on through the service.
# Valid values: 0 = do nothing, 1 = register the add-on, 2 = deregister the add-on
# Default: 0
# Required: no
#
# Setting name: BrowserDataCollection
# Description: Enable or disable data collection of uberAgent's browser extensions. Currently this setting is used only in our Firefox extension.
# Valid values: 0 = do nothing, 1 = enable data collection, 2 = disable data collection
# Default: 1
# Required: no
#
# Setting name: RegistryMonitoring
# Description: When disabled (false), no registry monitoring is performed. Registry monitoring requires ESA to be enabled.
# Valid values: true | false
# Default: true
# Required: no
#
# Setting name: RemoteThreadMonitoring
# Description: When disabled (false), no remote thread monitoring is performed. Remote thread monitoring requires ESA to be enabled and Threat Detection to be configured.
# Valid values: true | false
# Default: true
# Required: no
#
# Setting name: ConfigFlags
# Description: Define additional implementation-defined flags.
# Valid values: A comma- or semicolon-separated list of any of the following strings
# - NoGatewayCheck - disable the check for a configured Default Gateway for non-PPP network interfaces
# - IEIgnoreFrames - disable determination of performance data for frames in Internet Explorer
# - RegMonSvcDebugOutput - enable Registry Monitoring debug output to ProcMon
# - TLSRevocationChecksDisabled - disable certificate revocation checks, e.g. during testing with self-signed certificates on the backend (Windows only)
# - TLSRevocationChecksBestEffort - ignore certificate revocation checks in case of missing or offline distribution points (Windows only). If both revocation check options are configured, the option above takes precedence. For more details on these two options see https://curl.se/libcurl/c/CURLOPT_SSL_OPTIONS.html
# - EnableESFileSystemMonitoring - collects data for the fields ProcIOWriteCount and ProcIOPSWrite of the sourcetype ProcessDetail on macOS. May increase uberAgent's CPU utilization.
# - SessionHelperQueryDelayMs:NUMBER - delay between queries to in-session helper processes. Replace NUMBER with any integer >= 0 to specify the delay in ms.
# - TraceLogFilterExpression:REGEX - include messages matching the regular expression REGEX in the log, regardless of their log level. This includes trace-level messages not included with DebugMode = true. REGEX must match the complete source string.
# - EnableSystemLog - send log entries to the system's native log system in addition to the log file. Only available on macOS.
# - CitrixSDKMaxRecordCount:NUMBER - defines the -MaxRecordCount parameter for each Citrix (Remote) PowerShell SDK call. Replace NUMBER with any integer >= 0 (default is 1000).
# - CitrixODataAPIMaximumAttempts:NUMBER - defines the maximum number of times an API query is repeated if it returns an unsuccessful status code (default is 10).
# - POQSendWaitDelayMs:NUMBER - defines the delay between two send attempts while the persistent output queue is being processed (default is 500ms). Valid values are between 100 and 10000.
# - NetworkCommunicationTimeoutMs:NUMBER - defines a timeout for network communication (default is 10000ms). Valid values are between 100 and 1000000.
# - LockEnterMaxWaitMs:NUMBER - threshold in milliseconds; if entering an internal lock takes longer than this, a trace log message is written. Valid values are >= 100 (default is 1000).
# - LockHeldMaxWaitMs:NUMBER - threshold in milliseconds; if an internal lock is held for longer than this, a trace log message is written. Valid values are >= 100 (default is 1000).
# - TraceLocking - enables time measurement of how long individual locks are held and how long they are waited for.
# - NoInterpretedVM - disables the uAQL bytecode interpreter and enables the abstract syntax tree interpreter instead.
# - TraceLogRotation - writes the state of the log-file rotation function to the registry for tracing purposes
# - InternalScriptTimeoutMs:NUMBER - defines a duration in milliseconds after which an internal/hard coded script is terminated. Valid values are 0 (no timeout) or >= 100 (default is 10000).
# - RegDataMaxLength:NUMBER - sets the maximum length (in bytes) of registry entry data to be retrieved (default: 4,294,967,295 bytes)
# - DisableSetFilePermissionsOnExec - do not change file object permissions before executing external scripts/programs in user context.
# - BootDetailTimeoutMinutes:NUMBER - set the timeout for the trace of the boot metrics determination (default is 480).
# - DisableUserInputDelay - disables the user input delay metric for the SessionDetail and ProcessStatistics sourcetypes.
# - TLSVerifyPeerDisabled - disables verification of the peer's TLS certificate, which means the identity of the backend is no longer checked.
# - TLSVerifyHostDisabled - disables verification that the peer's TLS certificate matches the hostname being connected to.
# - CredentialStoreServiceName:NAME - sets the name of the credential store service (macOS only, default is "uberAgent").
# Default: empty
# Required: no
#
# Setting name: WmiProvider
# Description: Specifies the provider to use to query WMI.
# Valid values: WMIC | PowerShell
# Default: WMIC
# Required: no
#
############################################
[Miscellaneous]
# Debug mode makes uberAgent's log file more verbose (see the DebugMode description above).
# It is enabled here; once troubleshooting is finished, consider setting it back to the
# documented default (false) so routine operation does not produce larger, more detailed log files.
DebugMode = true
############################################
#
# Configuration Settings
#
# Configurable settings in this section:
#
# Setting name: ConfigCachePollInterval
# Description: Defines the delay in milliseconds between two attempts to check for changes in cached configuration files. A random offset is added to balance the load on the file server.
# Valid values: 0 to disable tracking of remote configuration changes, otherwise any integer >= 60000
# Default: 3600000
# Required: no
#
# Setting name: LicenseCachePollInterval
# Description: Defines the delay in milliseconds between two attempts to check for changes in cached license files.
# Valid values: any positive integer >= 60000
# Default: 300000
# Required: no
#
# Setting name: ConfigChangeRestartTimeoutSec
# Description: The duration, in seconds, of the grace period after a local configuration change has been detected, before the agent might be restarted.
# Valid values: 0 to disable tracking of local configuration changes, otherwise any positive integer
# Default: 30
# Required: no
#
# Setting name: Version
# Description: Any free-form string. Main purpose is to force the agent to detect a configuration change.
# Valid values: any combination of characters
# Default: empty
# Required: no
#
############################################
[Configuration_Settings]
# No keys are set, so the defaults documented above apply:
# ConfigCachePollInterval 3600000, LicenseCachePollInterval 300000, ConfigChangeRestartTimeoutSec 30, Version empty.
############################################
#
# Data receivers
#
# uberAgent sends data to the receivers configured here.
# If multiple [Receiver] sections are specified, data will be sent to EACH receiver. This can be overridden per Timer by specifying a comma-separated list of receivers.
# To load-balance and fail over between servers specify multiple comma-separated values for "Servers" in a SINGLE receiver section
#
# The documentation for the Persistent Output Queue options can be found here: https://uberagent.com/docs/uberagent/latest/advanced-topics/persistent-output-queue/
# The documentation for the Azure Data Explorer options can be found here: https://uberagent.com/docs/uberagent/latest/installation/backend/configuring-microsoft-azure-data-explorer-adx-event-hubs/
#
# Configurable settings in this section:
#
# Setting name: Name
# Description: Arbitrary name for the data receiver. If no persistent output queue is configured the name is used only internally. Otherwise the name is used as a suffix of the persistent output queue file name.
# Valid values: any string
# Default: empty
# Required: Required only if persistent output queue is activated for this receiver. In this case the name must be unique for all receivers.
#
# Setting name: Type
# Description: Receiver type.
# Valid values: Splunk | Elasticsearch | OMSLogAnalytics | Kafka | AzureEventHubs
# Default: Splunk
# Required: yes
#
# Setting name: Protocol
# Description: How to send data to the backend.
# TCP uses a direct TCP connection
# HTTP sends to a REST endpoint via HTTP or HTTPS
# For type Splunk use TCP or HTTP, for all other types use HTTP.
# Valid values: TCP | HTTP
# Default: TCP
# Required: no
#
# Setting name: Servers
# Description: List of target servers/URLs.
# Valid values:
# TCP: comma-separated list of server:port, e.g.: localhost:19500, splunksrv:12345
# HTTP: comma-separated list of URLs starting with http or https.
# Splunk example: http://server1:8088, https://server2:8088
# OMS Log Analytics example: https://CUSTOMERID.ods.opinsights.azure.com
# Default: empty
# Required: yes
#
# Setting name: RESTToken
# Description: Authentication token required by the Splunk HTTP Event Collector and by OMS Log Analytics.
# For Type OMSLogAnalytics use the primary or the secondary key for the workspace.
# For Type Elasticsearch, credentials in the format <username>:<password> can be used to authenticate to the Elasticsearch server.
# Valid values: any string
# Default: empty
# Required: only for type Splunk and protocol HTTP
#
# Setting name: TLSClientCertificate
# Description: Client certificate to be used in HTTPS communications with REST endpoints
# Valid values: <store location>\<store name>\<certificate thumbprint>
# <store location> can be: CurrentUser, LocalMachine, CurrentService, Services, CurrentUserGroupPolicy, LocalMachineGroupPolicy, LocalMachineEnterprise
# <store name> can be: MY, Root, Trust, CA (if in doubt, use MY)
# <certificate thumbprint> is the thumbprint of the certificate to be used to authenticate the client to the server
# Default: empty
# Required: only for type Kafka if the REST proxy requires authentication
#
# Setting name: ElasticIngestPipeline
# Description: Name of the Elasticsearch ingest pipeline used to perform common data transformation and enrichments.
# Valid values: any string
# Default: empty
# Required: no
#
# Setting name: Index
# Description: Name of the backend index. For more details see https://uberagent.com/docs/uberagent/latest/kb/splunk/how-to-change-uberagents-splunk-index-name/
# Valid values: any lowercase string
# Default: uberagent
# Required: no
#
# Setting name: Host
# Description: Name of the Splunk source host sending the event. Normally does not need to be changed.
# Valid values: any string
# Default: %computername%
# Required: no
#
# Setting name: Source
# Description: Event source name. Normally does not need to be changed.
# Valid values: any string
# Default: uberAgent for UXM metrics, uberAgentESA for ESA metrics
# Required: no
#
# Setting name: MaxQueueSizeRamMb
# Description: Maximum queue size in RAM in MB. If exceeded, events are discarded.
# Valid values: any number
# Default: 10
# Required: no
#
# Setting name: KafkaTopicName
# Description: Change the Topic Name of any Kafka event using a prefixed uAQL query.
# Valid values: e.g: uaql(set(KafkaTopicName, concat(KafkaTopicName, "_vastlimits")))
# Default: empty
# Required: no
#
# Setting name: MaxEventsPerSendOperation
# Description: Limits the number of events per send operation.
# Valid values: any positive number (0 = no limitation)
# Default: 1000
# Required: no
#
# Setting name: AzureEventHubsConfigurationId
# Description: A GUID that links to an Azure Event Hubs configuration stanza. For more information see: https://uberagent.com/docs/uberagent/7-2/installation/backend/configuring-microsoft-azure-data-explorer-adx-event-hubs/
# Valid values: any GUID
# Default: empty
# Required: no
#
############################################
[Receiver]
# Name is only required when a persistent output queue is enabled for this receiver (see above).
Name =
Type = Splunk
# An empty Protocol falls back to the documented default, TCP. The Protocol description above
# names HTTPS URLs (Protocol = HTTP) as the TLS option; confirm how the TCP path is protected
# before routing data over a network you do not control.
Protocol =
# Servers is documented above as required but is empty here; fill it in before deployment.
Servers =
# RESTToken is an authentication secret and is stored in plaintext in this file. Restrict read
# access to the file and keep a filled-in token out of version control. For the default
# protocol (TCP) with type Splunk it is not needed.
RESTToken =
############################################
#
# Metrics explanation
#
# Available metrics:
#
# I. UXM metrics (requiring the base product User Experience Monitoring)
#
# a) Timer metrics (output at regular intervals):
#
# ProcessDetailTop5 Performance & application data for each process, top 5 items are displayed per category. Should not be used in conjunction with ProcessDetailFull (redundancy).
# ProcessDetailFull Performance & application data for each process, all processes are displayed. Generates a huge data volume! Should not be used in conjunction with ProcessDetailTop5 (redundancy).
# ApplicationInventory Retrieves a list of all installed applications
# SoftwareUpdateInventory Retrieves a list of all installed updates and patches
# MachineInventory Retrieves information about machines (OS, hardware model)
# SessionDetail Performance data for each session
# SystemPerformanceSummary Performance data for the entire system
# BrowserPerformanceCEB Citrix Enterprise Browser: browser performance (requires the uberAgent browser extension for most metrics)
# BrowserPerformanceChrome Chrome: browser performance (requires the uberAgent browser extension for most metrics)
# BrowserPerformanceEdge Edge: browser performance (requires the uberAgent browser extension)
# BrowserPerformanceFirefox Firefox: browser performance (requires the uberAgent browser extension)
# BrowserPerformanceIE Internet Explorer performance (requires the uberAgent browser extension for most metrics)
# GpuUsage GPU usage per machine and per process
# NetworkTargetPerformanceProcess Performance data per target IP address and port per process (see also [NetworkTargetPerformanceProcess_Filter])
# SMBClientSharePerformance Performance data per SMB share accessed by the machine's SMB client (requires Windows 8/Server 2012 or newer)
# NetworkConfigInformation Retrieves information about network configuration
# AppNameIdMapping Lists mappings between app IDs (short names) and app names (regular application names) for use in lookups in the backend
# ProcessStartup Process start events (including startup duration)
# UserTags Determine configured user tags (see also [UserHostTagging])
# HostTags Determine configured host tags (see also [UserHostTagging])
# ProcessStatistics Additional process data such as handle and thread count. Separate metric from ProcessDetail so that data can be collected at a longer interval, reducing the data volume.
#
# The following metrics are collected only if uberAgent is running on a Citrix Virtual Apps and Desktops delivery controller:
#
# CitrixDCDesktopGroup Information on Citrix Virtual Apps and Desktops delivery groups
# CitrixDCCatalog Information on Citrix Virtual Apps and Desktops machine catalogs
# CitrixDCMachine Information on Citrix Virtual Apps and Desktops machines (VDAs and DDCs)
# CitrixDCHypervisor Information on Citrix Virtual Apps and Desktops hypervisor connections
# CitrixDCGeneralInformation Information on Citrix Virtual Apps and Desktops site properties like databases
# CitrixDCLicenseInformation Information on Citrix Virtual Apps and Desktops license usage
# CitrixDCApplication Information on Citrix Virtual Apps and Desktops published applications
# CitrixDCPublishedDesktops Information on Citrix Virtual Apps and Desktops published desktops
#
# The following metrics are collected by default if uberAgent is running on a Citrix Virtual Apps and Desktops delivery controller, but this behavior is customizable:
#
# CitrixADCInventory CitrixADC (formerly NetScaler) inventory information for IPs, certificates and the appliance itself. Primary as well as secondary CitrixADC.
# CitrixADCPerformance CitrixADC (formerly NetScaler) performance information for the appliance itself. Primary only.
# CitrixADCvServer CitrixADC (formerly NetScaler) performance information for virtual servers. Primary only.
# CitrixADCGateways CitrixADC (formerly NetScaler) performance information for gateways. Primary only.
#
# The following metrics are collected by default if uberAgent is running on a Citrix Virtual Apps and Desktops session host, but this behavior is customizable:
#
# CitrixSessionVirtualChannelDetail
# CitrixSessionConfig
#
# b) On-demand metrics (output when it happens):
#
# LogonDetail Several logon metrics like logon script processing time, group policy processing time, etc.
# LogonProcesses Information about all processes run during user logon
# BootDetail Boot performance data including applications/services/drivers that cause delays
# ShutdownDetail Shutdown performance data including applications/services/drivers that cause delays
# StandbyDetail Standby performance data including applications/services/drivers that cause delays
# OutlookPerformanceEvents Performance information for Microsoft Outlook
# ApplicationErrors Information about application crashes and related errors
# ApplicationUIDelay Application UI unresponsiveness
#
# c) System performance counters (output at regular intervals)
#
# Any Windows performance counter can be used. Example:
#
# Perf counter = \System\System Up Time
#
############################################
#
# II. ESA metrics (requiring the optional product Endpoint Security Analytics)
#
# a) Timer metrics (output at regular intervals):
# ActivityMonitoring Enables the Threat Detection engine
# ProcessStop Process stop events
# DnsMonitoring Enables the DNS monitoring engine
#
# b) On-demand metrics (output when it happens):
#
# ScheduledTaskMonitoring Events related to the Windows Task Scheduler (Scheduled Tasks)
#
############################################
############################################
#
# Timers
#
# uberAgent works with one or more timers.
# Each timer wakes up periodically. When it does, it computes the values of a configurable set of metrics and sends the results off for storage.
# Additionally there are on-demand metrics that log data when an event occurs, e.g. a user logon.
#
# Configurable settings per timer:
#
# Setting name: Name
# Description: Arbitrary name for the timer. Used only internally.
# Valid values: any string
# Default: empty
# Required: yes
#
# Setting name: Comment
# Description: Arbitrary comment for the timer. Not used by uberAgent.
# Valid values: any string
# Default: empty
# Required: no
#
# Setting name: Interval
# Description: How long to wait before collecting data again. Unit: milliseconds.
# Valid values: any number
# Default: [none]
# Required: yes
#
# Setting name: UA metric
# Description: Name of any uberAgent timer metric to be collected through this timer. May be specified more than once per timer.
# Valid values: any uberAgent timer metric
# Default: empty
# Required: no
#
# Setting name: Perf counter
# Description: Name of any Windows performance counter to be collected through this timer. May be specified more than once per timer.
# Valid values: any performance counter name
# Default: empty
# Required: no
#
# Setting name: Start delay
# Description: If a start delay is configured, uberAgent waits for the given time in ms before running the timer's metrics for the first time. If no start delay is configured, uberAgent waits for the time configured with the Interval parameter.
# Valid values: any number
# Default: 0
# Required: no
#
# Setting name: Persist interval
# Description: If this is enabled, uberAgent stores the timer's last runtime so that it does not run it more often than specified with the Interval parameter even when restarted.
# Valid values: true | false
# Default: false
# Required: no
#
# DEPRECATED: This setting is deprecated and will be removed in a future release.
# Setting name: Thread priority
# Description: Relative priority for the timer's thread.
# Valid values: background | normal
# Default: normal
# Required: no
#
# Setting name: Receivers
# Description: List of receivers to send this timer's data to. Overrides the default (send to all receivers).
# Valid values: Comma-separated list of receiver names configured in [Receiver] sections, e.g.: SplunkPool1, SplunkPool2
# Default: all receivers
# Required: no
#
# Setting name: Script
# Description: Run a script once or periodically, depending on the configured Interval (0 = run only once). The script's output to stdout is sent to the backend, each line as a new event. Can be specified more than once per timer.
# Valid values: Any valid command line, optionally including command line parameters.
# Default: empty
# Required: no
#
# Setting name: ScriptContext
# Description: The user context to run a script in. Note that the defaults below run scripts with system/root privileges, so write access to this configuration file should be restricted accordingly.
# Valid values:
# Windows: Session0AsSystem | UserSessionAsSystem | UserSessionAsUser
# macOS: Root | User
# Default: Windows: Session0AsSystem, macOS: Root
# Required: no
#
# Setting name: ScriptTimeout
# Description: Time in ms until a running script is stopped. (0 = no timeout)
# Valid values: 0 or >= 100
# Default: 90000ms
# Required: no
#
############################################
############################################
# On-demand metrics
############################################
[OnDemand]
# Each "UA metric" line adds one on-demand metric (output when the event happens);
# the key may be repeated, as documented for timers above.
UA metric = LogonDetail
UA metric = LogonProcesses
UA metric = BootDetail
UA metric = ShutdownDetail
UA metric = StandbyDetail
UA metric = OutlookPerformanceEvents
UA metric = ApplicationErrors
UA metric = ApplicationUIDelay
# ESA metrics
# ScheduledTaskMonitoring is an ESA metric and requires EnableESA = true in [ProductComponents].
UA metric = ScheduledTaskMonitoring
############################################
# Timer 1
############################################
[Timer]
Name = Default
Comment = Metrics are placed here unless there is a reason to have them run at different frequencies or to isolate them
# Interval is in milliseconds: 30 seconds between collections.
Interval = 30000
# ProcessDetailFull reports every process and, per the metrics explanation above, generates a
# huge data volume. ProcessDetailTop5 is the lower-volume alternative; the two must not be combined.
UA metric = ProcessDetailFull
UA metric = SessionDetail
# Collected by default only on a Citrix Virtual Apps and Desktops session host (see above).
UA metric = CitrixSessionVirtualChannelDetail
UA metric = SystemPerformanceSummary
UA metric = SMBClientSharePerformance
UA metric = NetworkTargetPerformanceProcess
UA metric = ProcessStartup
# ESA metrics
# The following three require EnableESA = true; ActivityMonitoring enables the Threat Detection engine.
UA metric = ProcessStop
UA metric = ActivityMonitoring
UA metric = DnsMonitoring
############################################
# Timer 2
############################################
[Timer]
Name = Network config & AppNameIdMapping
Comment = Collects network configuration information and lists mappings between app IDs and app names for use in lookups in the backend
# 300000 ms = 5 minutes.
Interval = 300000
UA metric = NetworkConfigInformation
UA metric = AppNameIdMapping
############################################
# Timer 3
############################################
[Timer]
Name = GPU usage
Comment = Isolate GPU metrics from the other metrics
# 30000 ms = 30 seconds, the same cadence as the Default timer.
Interval = 30000
UA metric = GpuUsage
############################################
# Timer 4
############################################
[Timer]
Name = Browser performance
Comment = Isolate browser metrics from the other metrics
# 30000 ms = 30 seconds.
Interval = 30000
# Per the metrics explanation above, these require the uberAgent browser extension for most
# or all of their data; without it the timer yields little.
UA metric = BrowserPerformanceCEB
UA metric = BrowserPerformanceChrome
UA metric = BrowserPerformanceEdge
UA metric = BrowserPerformanceFirefox
UA metric = BrowserPerformanceIE
############################################
# Timer 5
############################################
[Timer]
Name = Inventory
Comment = Perform an inventory at a very low frequency
# 86400000 ms = 24 hours.
Interval = 86400000
# First run 600000 ms (10 minutes) after agent start instead of waiting a full interval.
Start delay = 600000
# Store the last runtime so a restart does not trigger an extra inventory before the interval has elapsed.
Persist interval = true
UA metric = ApplicationInventory
UA metric = SoftwareUpdateInventory
UA metric = MachineInventory
# Collected by default only on a Citrix delivery controller (see above); otherwise this line is inert.
UA metric = CitrixADCInventory
############################################
# Timer 6
############################################
[Timer]
Name = Citrix site - default
Comment = Collect Citrix Virtual Apps and Desktops site information
# 300000 ms = 5 minutes; first run after 240000 ms (4 minutes).
# NOTE(review): the Citrix site timers below use different start delays, presumably to
# stagger queries against the delivery controller - confirm.
Interval = 300000
Start delay = 240000
# These metrics are collected only when uberAgent runs on a Citrix delivery controller (see above).
UA metric = CitrixDCDesktopGroup
UA metric = CitrixDCCatalog
UA metric = CitrixDCHypervisor
UA metric = CitrixDCGeneralInformation
UA metric = CitrixDCApplication
UA metric = CitrixDCPublishedDesktops
############################################
# Timer 7
############################################
[Timer]
Name = Citrix site - machines
Comment = Collect Citrix Virtual Apps and Desktops site information
# 300000 ms = 5 minutes; first run after 260000 ms, 20 seconds later than the "Citrix site - default" timer.
Interval = 300000
Start delay = 260000
# Machine information (VDAs and DDCs); delivery-controller only, see the metrics explanation above.
UA metric = CitrixDCMachine
############################################
# Timer 8
############################################
[Timer]
Name = Citrix site - licenses
Comment = Collect Citrix Virtual Apps and Desktops site information
# 60000 ms = 1 minute; first run after 180000 ms (3 minutes).
Interval = 60000
Start delay = 180000
# License usage; delivery-controller only, see the metrics explanation above.
UA metric = CitrixDCLicenseInformation
############################################
# Timer 9
############################################
[Timer]
Name = CitrixADC - performance
Comment = Collect CitrixADC performance information for virtual servers, gateways and the appliance itself. Primary CitrixADC only.
# 60000 ms = 1 minute; first run after 300000 ms (5 minutes).
Interval = 60000
Start delay = 300000
# Collected by default only on a Citrix delivery controller, but customizable (see above).
UA metric = CitrixADCPerformance
UA metric = CitrixADCvServer
UA metric = CitrixADCGateways
############################################
# Timer 10
############################################
# The "platform=Windows" qualifier in the section header restricts this timer to Windows;
# the qualifier syntax is not documented in the Timers header above.
[Timer platform=Windows]
Name = Citrix session configuration details
Comment = Collect Citrix HDX metrics
# 900000 ms = 15 minutes.
Interval = 900000
# Collected by default only on a Citrix session host (see the metrics explanation above).
UA metric = CitrixSessionConfig
# EventTrigger is not among the timer settings documented above; the value names the
# [EventTrigger] section below whose Name is TriggerCitrixSessionConfig.
EventTrigger = TriggerCitrixSessionConfig
############################################
# Timer 11
############################################
[Timer]
Name = Process statistics
Comment = Collect process statistics metrics at a longer interval than ProcessDetail to keep the data volume low.
# 300000 ms = 5 minutes, versus 30 seconds for ProcessDetailFull in the Default timer.
Interval = 300000
UA metric = ProcessStatistics
############################################
# EventTrigger configuration
############################################
# Referenced by the "Citrix session configuration details" timer above via its EventTrigger key.
[EventTrigger platform=Windows]
Name = TriggerCitrixSessionConfig
# Type is repeated once per event type that fires the trigger.
Type = UserLogon
Type = SessionConnectionStateChange
Type = SessionRoaming
# NOTE(review): Query looks like it limits the trigger to Citrix-brokered sessions; the query
# syntax is not documented in this part of the file - confirm against the product documentation.
Query = BrokerType == "Citrix"
############################################
#
# Executable to application name mappings (for overriding uberAgent's automatic application identification)
#
# Format: PATH_REGEX = Application name
#
# See the definition of PATH_REGEX above.
#
# Examples:
#
# App name for C:\Dir\my.exe is "MyApp"
# ^C:\\DIR\\my\.exe$ = MyApp
#
# App name for all executables in "C:\Program Files\Windows Defender" is "Windows Defender"
# ^%ProgramFiles%\\Windows Defender\\.+\.exe$ = Windows Defender
#
# Example macOS:
#
# App name for all executables in "/Applications/MyApp Bundle.app" is "My App"
# ^\/Applications\/MyApp Bundle\.app.*$ = My App
#
############################################
[ProcessToApplicationMapping]
# Windows Defender
# NOTE(review): these mappings match on the executable's path only (PATH_REGEX = name); they do not
# verify the image's publisher or signature, so the application name is a display label, not an
# integrity check. Both patterns are anchored (^...$) and use the %ProgramData% / %ProgramFiles%
# placeholders shown in the examples above.
^%ProgramData%\\Microsoft\\Windows Defender\\Platform\\.+\\.+\.exe$ = Windows Defender
^%ProgramFiles%\\Windows Defender\\.+\.exe$ = Windows Defender
############################################
#
# Processes to ignore in application lookup
#
# Format: PATH_REGEX = uberAgent_ignore
#
# See the definition of PATH_REGEX above.
#
############################################
[ApplicationMappingIgnoredProcesses]
# Empty: no processes are excluded from application lookup.
############################################
#
# Process startup duration load image wait interval
#
# When uberAgent determines process startup duration, it looks for the beginning of a 30-second interval without library load events.
# The default wait duration of 30 seconds can be adjusted either globally or for individual processes here (individual settings take precedence over global ones).
#
# Additionally, if there are IO operations during the library loading phase, uberAgent calculates the average IOPS during that phase and waits until
# IOPS drop to less than 20% for at least 10 seconds after the end of the library loading phase. The value of 10 seconds can be adjusted here, too.
#
# Configurable settings:
#
# Setting name: DllLoadWaitDurationGlobal
# Description: Globally set the library loading phase wait duration for all processes in ms.
# Valid values: any number
# Default: 30000
# Required: no
#
# Setting name: IopsDropoffDurationGlobal
# Description: Globally set the IOPS dropoff phase duration for all processes in ms.
# Valid values: any number
# Default: 10000
# Required: no
#
# Setting name: <process.exe>
# Description: Set the library loading phase wait duration for a specific process in ms. May be specified more than once.
# Valid values: any number
# Default: 30000
# Required: no
#
############################################
[ProcessStartupDurationWaitIntervalOverride]
# Adobe Reader: wait 15 s instead of the 30 s default (values are in ms, see above).
AcroRd32.exe = 15000
############################################
#
# Optional settings for Process startup metrics
#
# Setting name: EnableExtendedInfo
# Description: Send detailed information about each started process to the backend, e.g. path, command line, process ID, parent ID. This also enables population of the ProcGUID field in other sourcetypes, which can be used for detailed process instance tracking.
# Valid values: true | false
# Default: false
# Required: no
#
# Setting name: EnableCalculateHash
# Description: Enables hash calculation for processes and libraries.
# Requires: ESA
# Valid values: true | false
# Default: true
# Required: no
#
# Setting name: EnableCdHash
# Description: Enables the collection of an application's code directory hash. macOS only.
# Requires: ESA
# Valid values: true | false
# Default: true
# Required: no
#
# Setting name: HashImageTypes
# Description: Defines on which objects to calculate hash values.
# Requires: ESA
# Valid values: Processes | Libraries | ProcessesAndLibraries
# Default: Processes
# Required: no
#
# Setting name: HashAlgorithm
# Description: Defines which hash algorithm is used to calculate the hash.
# Requires: ESA
# Valid values: SHA-1 | SHA-256 | MD5 | ImpHash
# Default: MD5
# Note: MD5 and SHA-1 are not collision-resistant; if hashes are compared with external threat intelligence or allow/deny lists, SHA-256 is the safer choice.
# Required: no
#
# Setting name: HashesCacheMaxSize
# Description: The maximum number of image (.EXE and .DLL) entries to keep in the hash cache.
# Requires: ESA
# Valid values: any number between 1 and 2000000
# Default: 3000
# Required: no
#
# Setting name: EnableAuthenticode
# Description: Reads the image's Authenticode information: whether a signature is present, whether it is from the OS vendor (e.g. Microsoft), whether the signature is valid, and the name of the signer.
# Requires: ESA
# Valid values: true | false
# Default: true
# Required: no
#
# Setting name: AuthenticodeImageTypes
# Description: Defines on which objects to check Authenticode values.
# Requires: ESA
# Valid values: Processes | Libraries | ProcessesAndLibraries
# Default: Processes
# Required: no
#
# Setting name: AuthenticodeCacheMaxSize
# Description: The maximum number of elements to store in the Authenticode information cache.
# Requires: ESA
# Valid values: any number between 1 and 2000000
# Default: 1500
# Required: no
#
# Setting name: EnableProcessTampering
# Description: Verifies process starts and checks whether the process was tampered with. Evaluates an ESA Threat Detection event if tampering is detected.
# Requires: ESA
# Valid values: true | false
# Default: true
# Required: no
#
############################################
[ProcessStartupSettings]
# Empty: all settings documented above are at their defaults. Note that the default HashAlgorithm is MD5,
# which is not collision-resistant; set HashAlgorithm = SHA-256 here if hashes are matched against external lists.
############################################
#
# DEPRECATED
# This configuration is deprecated and will be removed in a future release.
# Please use event data filtering instead: https://uberagent.com/docs/uberagent/latest/uxm-features-configuration/event-data-filtering/
#
# Optional filter for the metrics ProcessStartup and ProcessStop
#
# Format: PATH_REGEX = uberAgent_denylist | uberAgent_allowlist
#
# (see the definition of PATH_REGEX in the documentation)
#
# Processes can be allowed or denied.
# If an allowlist is defined, any processes not on that list are ignored.
# When a process has passed the allowlist (or if no allowlist is defined), it is checked against the denylist.
# If a denylist is defined, any processes on that list are ignored.
#
# Examples:
#
# Exclude "conhost.exe" (typically started from the path: \??\C:\WINDOWS\system32\conhost.exe)
# ^(\\\?\?\\)?%SystemRoot%\\System32\\conhost\.exe$ = uberAgent_denylist
#
############################################
[ProcessStartStop_Filter]
# Empty: no allow/deny filtering of ProcessStartup / ProcessStop events (deprecated section, see above).
############################################
#
# Optional filter for browser web app metrics (sourcetype uberAgent:Application:BrowserWebRequests2) and the SessionFgBrowserActiveTabHost field of sourcetype uberAgent:Session:SessionDetail.
#
# Format: URL_REGEX = uberAgent_denylist | uberAgent_allowlist
#
# (see the definition of URL_REGEX in the documentation)
#
# URLs can be allowed or denied.
# If an allowlist is defined, any URLs not on that list are ignored.
# When a URL has passed the allowlist (or if no allowlist is defined), it is checked against the denylist.
# If a denylist is defined, any URLs on that list are ignored.
#
# Only tab URLs are filtered. This filter is not applied to request URLs.
#
# Examples:
#
# Allow only .com domains:
# .*\.com/.*$ = uberAgent_allowlist
#
# Deny vastlimits.com and subdomains over http or https:
# ^https?://.*\.?vastlimits\.com/.*$ = uberAgent_denylist
#
############################################
[BrowserWebAppURL_Filter]
# Empty: no tab URL filtering; all browser web app URLs are reported.
############################################
#
# Documentation for BrowserWebAppURL_ComponentDetail: https://uberagent.com/docs/uberagent/latest/uxm-features-configuration/web-app-monitoring/
#
############################################
[BrowserWebAppURL_ComponentDetail]
# Empty: no web app component detail configured (see the documentation link above).
############################################
#
# DEPRECATED
# This configuration is deprecated and will be removed in a future release.
# Please use event data filtering instead: https://uberagent.com/docs/uberagent/latest/uxm-features-configuration/event-data-filtering/
#
# Optional filter for the metric ProcessDetailFull
#
# Format: PROCESS_NAME_REGEX = uberAgent_denylist | uberAgent_allowlist
#
# (see the definition of PROCESS_NAME_REGEX in the documentation)
#
# Processes can be allowed or denied.
# If an allowlist is defined, any processes not on that list are ignored.
# When a process has passed the allowlist (or if no allowlist is defined), it is checked against the denylist.
# If a denylist is defined, any processes on that list are ignored.
#
# Examples:
#
# Exclude processes whose name is exactly "process.exe"
# ^process\.exe$ = uberAgent_denylist
#
# Include only .EXE files whose name starts with "c"
# ^c.*\.exe$ = uberAgent_allowlist
#
############################################
[ProcessDetailFull_Filter]
# Empty: no allow/deny filtering of ProcessDetailFull (deprecated section, see above).
############################################
#
# Optionally add the command line to the ProcessDetail* metrics
# This can significantly increase the data volume, so use with caution
#
# Format: PROCESS_NAME_REGEX = uberAgent_denylist | uberAgent_allowlist
#
# (see the definition of PROCESS_NAME_REGEX in the documentation)
#
# Processes can be allowed or denied.
# If an allowlist is defined, any processes not on that list are ignored.
# When a process has passed the allowlist (or if no allowlist is defined), it is checked against the denylist.
# If a denylist is defined, any processes on that list are ignored.
#
# Examples:
#
# Exclude processes whose name is exactly "process.exe"
# ^process\.exe$ = uberAgent_denylist
#
# Include only .EXE files whose name starts with "c"
# ^c.*\.exe$ = uberAgent_allowlist
#
############################################
[ProcessDetail_SendCommandline]
# Empty: command lines are not added to ProcessDetail* metrics. If enabled, note that command lines
# can carry secrets (tokens, passwords passed as arguments) into the backend.
############################################
#
# DEPRECATED
# This configuration is deprecated and will be removed in a future release.
# Please use event data filtering instead: https://uberagent.com/docs/uberagent/latest/uxm-features-configuration/event-data-filtering/
#
# Optional filter for the metric NetworkTargetPerformanceProcess
#
# Format: PROCESS_NAME_REGEX = uberAgent_denylist | uberAgent_allowlist
#
# (see the definition of PROCESS_NAME_REGEX in the documentation)
#
# Processes can be allowed or denied.
# If an allowlist is defined, any processes not on that list are ignored.
# When a process has passed the allowlist (or if no allowlist is defined), it is checked against the denylist.
# If a denylist is defined, any processes on that list are ignored.
#
# Examples:
#
# Exclude processes whose name is exactly "process.exe"
# ^process\.exe$ = uberAgent_denylist
#
# Include only .EXE files whose name starts with "c"
# ^c.*\.exe$ = uberAgent_allowlist
#
############################################
[NetworkTargetPerformanceProcess_Filter]
# Empty: no allow/deny filtering of NetworkTargetPerformanceProcess (deprecated section, see above).
############################################
#
# Documentation for NetworkTargetPerformanceProcess_Config: https://uberagent.com/docs/uberagent/latest/uxm-features-configuration/per-application-network-monitoring/
#
############################################
[NetworkTargetPerformanceProcess_Config]
# Empty: no per-application network monitoring configuration (see the documentation link above).
############################################
#
# Configuration for CitrixADC
# If multiple [CitrixADC_Config] sections are specified, the configured metrics will be determined for each of them.
# Use one [CitrixADC_Config] section for each of your CitrixADC pairs.
#
# Configurable settings:
#
# Setting name: Server
# Description: List of Citrix ADC servers/appliances. The secondary appliance is optional.
# Valid values: primary appliance, secondary appliance
# Default: empty
# Required: yes
#
# Examples:
#
# Server = 10.1.1.21
# Server = Server1.domain.local,Server2.domain.local
#
# Setting name: Username
# Description: The username to connect to the Citrix ADC server
# Valid values: any string
# Default: empty
# Required: yes
#
# Setting name: Password
# Description: The password to connect to the Citrix ADC server
# Valid values: any string
# Default: empty
# Required: yes
# Note: the value is stored in clear text in this file; restrict read access to the configuration file to the accounts that need it, and use a dedicated ADC account with only the rights needed for data collection.
#
# Setting name: Https
# Description: Defines the connection type (HTTP or HTTPS). If HTTPS is used, the entries in the setting "Server" must match those in the CitrixADC management certificate.
# Valid values: true | false
# Default: false
# Note: with the default (false) the Username and Password above are sent over unencrypted HTTP; set Https = true unless the management network is otherwise protected.
# Required: no
#
# Setting name: CollectADCInformation
# Description: CitrixADC information is collected only on Citrix Virtual Apps and Desktops delivery controllers (DDCs) by default. This setting overrides that behavior.
# True collects the Citrix ADC information on every machine. False disables data collection.
# MachineList collects the Citrix ADC information from a defined set of machines. See: CollectADCInformationMachines
# Valid values: DDCOnly | True | False | MachineList
# Default: DDCOnly
# Required: no
#
# Setting name: CollectADCInformationMachines
# Description: A set of machine names where the Citrix ADC information will be collected. A comma-separated list of machine names.
# Valid values: any string
# Default: empty
# Required: no
#
############################################
[CitrixADC_Config platform=Windows]
# Empty: no CitrixADC pair configured, so the "CitrixADC - performance" timer above presumably has nothing to collect.
# Add one section per ADC pair with Server, Username and Password (required) and set Https = true where possible.
############################################
#
# Configuration for Citrix cloud
# If multiple [CitrixCloud_Config] sections are specified, the configured metrics will be determined for each of them.
#
# Configurable settings:
#