config/uberAgent.conf

#
# This is the default configuration file for uberAgent
# On Windows, place it in the same directory as uberAgent.exe
#
# On macOS, this file must be located in /Library/Application Support/uberAgent. Make sure to save changes to this file as uberAgent.conf.
# uberAgent-default.conf serves as a fallback, and is overwritten with the most current default configuration during updates.

#
# Documentation: https://uberagent.com/docs/uberagent/latest/installation/configuration-through-config-file/
#

############################################
#
# Products
#
# a)  UXM (User Experience Monitoring)
#
#     This is the default product. It is always enabled.
#
# b)  ESA (Endpoint Security Analytics)
#
#     ESA is an optional add-on product that requires UXM to work. Please note that ESA must be licensed independently of UXM.
#
# Configurable settings in this section:
#
#   Setting name: EnableESA
#   Description: Enables the Endpoint Security Analytics product
#   Valid values: true | false
#   Default: false
#   Required: no
#
############################################

[ProductComponents]
EnableESA = true

############################################
#
# General configuration
#
# Configurable settings in this section:
#
#   Setting name: DebugMode
#   Description: When in debug mode, uberAgent's log file is more verbose, providing more detail on what is going on.
#   Valid values: true | false
#   Default: false
#   Required: no
#
#   Setting name: LogFileCount
#   Description: Number of log files to keep (current + historical). When exceeded, the oldest log file is deleted.
#   Valid values: any positive integer
#   Default: 5
#   Required: no
#
#   Setting name: EncryptUserNames
#   Description: If enabled, user and domain names are encrypted in the agent before being sent off to Splunk. This can be useful for compliance with privacy regulations.
#   Valid values: true | false
#   Default: false
#   Required: no
#
#   Setting name: LicenseFilePath
#   Description: Path to a directory where uberAgent searches for license files. For more details see https://uberagent.com/docs/uberagent/latest/uxm-features-configuration/central-license-file-management/
#   Valid values: Any valid path (local or UNC)
#   Default: empty
#   Required: no
#
#   Setting name: RegisterIEAddOn
#   Description: Register or deregister uberAgent's Internet Explorer add-on through the service.
#   Valid values: 0 = do nothing, 1 = register the add-on, 2 = deregister the add-on
#   Default: 0
#   Required: no
#
#   Setting name: BrowserDataCollection
#   Description: Enable or disable data collection of uberAgent's browser extensions. Currently this setting is used only in our Firefox extension.
#   Valid values: 0 = do nothing, 1 = enable data collection, 2 = disable data collection
#   Default: 1
#   Required: no
#
#   Setting name: RegistryMonitoring
#   Description: When disabled (false), no registry monitoring is performed. Registry monitoring requires ESA being enabled.
#   Valid values: true | false
#   Default: true
#   Required: no
#
#   Setting name: RemoteThreadMonitoring
#   Description: When disabled (false), no remote thread monitoring is performed. Remote Thread monitoring requires ESA being enabled and Threat Detection being configured.
#   Valid values: true | false
#   Default: true
#   Required: no
#
#   Setting name: ConfigFlags
#   Description: Define additional implementation defined flags.
#   Valid values: A comma- or semicolon-separated list of any of the following strings
#     - NoGatewayCheck                       - disable the check for a configured Default Gateway for non-PPP network interfaces
#     - IEIgnoreFrames                       - disable determination of performance data for frames in Internet Explorer
#     - RegMonSvcDebugOutput                 - enable Registry Monitoring debug output to ProcMon
#     - TLSRevocationChecksDisabled          - disable certificate revocation checks, e.g. during testing with self-signed certificates on the backend (Windows only)
#     - TLSRevocationChecksBestEffort        - ignore certificate revocation checks in case of missing or offline distribution points (Windows only). If both revocation check options are configured, the option above takes precedence. For more details on these two options see https://curl.se/libcurl/c/CURLOPT_SSL_OPTIONS.html
#     - EnableESFileSystemMonitoring         - collects data for the fields ProcIOWriteCount and ProcIOPSWrite of the sourcetype ProcessDetail on macOS. May increase uberAgent's CPU utilization.
#     - SessionHelperQueryDelayMs:NUMBER     - delay between queries to in-session helper processes. Replace NUMBER with any integer >= 0 to specify the delay in ms.
#     - TraceLogFilterExpression:REGEX       - include messages matching the regular expression REGEX in the log, regardless of their log level. This includes trace-level messages not included with DebugMode = true. REGEX must match the complete source string.
#     - EnableSystemLog                      - send log entries to the system's native log system in addition to the log file. Only available on macOS.
#     - CitrixSDKMaxRecordCount:NUMBER       - defines the -MaxRecordCount parameter for each Citrix (Remote) PowerShell SDK call. Replace NUMBER with any integer >= 0 (default is 1000).
#     - CitrixODataAPIMaximumAttempts:NUMBER - defines the maximum amount of repeating API queries if a query is responding with a not successful status code (default is 10).
#     - POQSendWaitDelayMs:NUMBER            - defines the delay between two send attempts if the persistent output queue is processed (default is 500ms). Valid values are between 100 and 10000.
#     - NetworkCommunicationTimeoutMs:NUMBER - defines a timeout for network communication (default is 10000ms). Valid values are between 100 and 1000000.
#     - LockEnterMaxWaitMs:NUMBER            - defines a duration in milliseconds if an internal locking mechanism took to long to enter/succeed. A trace log message will be written. Valid values are >= 100 (default is 1000).
#     - LockHeldMaxWaitMs:NUMBER             - defines a duration in milliseconds if an internal locking mechanism was held for more than the defined number. A trace log message will be written. Valid values are >= 100 (default is 1000).
#     - TraceLocking                         - enable the time measurement of the individual locks held and how long waited for a release.
#     - NoInterpretedVM                      - disables uAQL bytecode interpreter and enables the abstract syntax tree interpreter.
#     - TraceLogRotation                     - enables tracing to registry the state of the function performing log-file rotation
#     - InternalScriptTimeoutMs:NUMBER       - defines a duration in milliseconds after which an internal/hard coded script is terminated. Valid values are 0 (no timeout) or >= 100 (default is 10000).
#     - RegDataMaxLength:NUMBER              - set the maximum length (in bytes) of the registry entry's data that is to be retrieved, default: 4,294,967,295 bytes
#     - DisableSetFilePermissionsOnExec      - do not change file object permissions before executing external scripts/programs in user context.
#     - BootDetailTimeoutMinutes:NUMBER      - set the timeout for the trace of the boot metrics determination (default is 480).
#     - DisableUserInputDelay                - disables the user input delay metric for the SessionDetail and ProcessStatistics sourcetypes.
#     - TLSVerifyPeerDisabled                - disables the verification of the peer's TLS certificate.
#     - TLSVerifyHostDisabled                - disables the verification of the peer's TLS hostname.
#     - CredentialStoreServiceName:NAME      - sets the name of the credential store service name (macOS only, default is "uberAgent").
#   Default: empty
#   Required: no
#
#   Setting name: WmiProvider
#   Description: Specifies the provider to use to query WMI.
#   Valid values: WMIC | PowerShell
#   Default: WMIC
#   Required: no
#
############################################

[Miscellaneous]
DebugMode = true

############################################
#
# Configuration Settings
#
# Configurable settings in this section:
#
#   Setting name: ConfigCachePollInterval
#   Description: Defines the delay in milliseconds between two attempts to check for changes in cached configuration files. A random value will be added for load balancing the communication with the file server.
#   Valid values: 0 to disable tracking of remote configuration changes, otherwise any integer >= 60000
#   Default: 3600000
#   Required: no
#
#   Setting name: LicenseCachePollInterval
#   Description: Defines the delay in milliseconds between two attempts to check for changes in cached license files.
#   Valid values: any positive integer >= 60000
#   Default: 300000
#   Required: no
#
#   Setting name: ConfigChangeRestartTimeoutSec
#   Description: The duration, in seconds, of the grace period after a local configuration change has been detected, before the agent might be restarted.
#   Valid values: 0 to disable tracking of local configuration changes, otherwise any positive integer
#   Default: 30
#   Required: no
#
#   Setting name: Version
#   Description: Any free-form string. Main purpose is to force the agent to detect a configuration change.
#   Valid values: any combination of characters
#   Default: empty
#   Required: no
#
############################################

[Configuration_Settings]

############################################
#
# Data receivers
#
# uberAgent sends data to the receivers configured here.
# If multiple [Receiver] sections are specified, data will be sent to EACH receiver. This can be overridden per Timer by specifying a comma-separated list of receivers.
# To load-balance and fail over between servers specify multiple comma-separated values for "Servers" in a SINGLE receiver section
#
# The documentation for the Persistent Output Queue options can be found here: https://uberagent.com/docs/uberagent/latest/advanced-topics/persistent-output-queue/
# The documentation for the Azure Data Explorer options can be found here: https://uberagent.com/docs/uberagent/latest/installation/backend/configuring-microsoft-azure-data-explorer-adx-event-hubs/
#
# Configurable settings in this section:
#
#   Setting name: Name
#   Description: Arbitrary name for the data receiver. If no persistent output queue is configured the name is used only internally. Otherwise the name is used as an appendix for the persistent output queue file name.
#   Valid values: any string
#   Default: empty
#   Required: Required only if persistent output queue is activated for this receiver. In this case the name must be unique for all receivers.
#
#   Setting name: Type
#   Description: Receiver type.
#   Valid values: Splunk | Elasticsearch | OMSLogAnalytics | Kafka | AzureEventHubs
#   Default: Splunk
#   Required: yes
#
#   Setting name: Protocol
#   Description: How to send data to the backend.
#      TCP uses a direct TCP connection
#      HTTP sends to a REST endpoint via HTTP or HTTPS
#      For type Splunk use TCP or HTTP, for all other types use HTTP.
#   Valid values: TCP | HTTP
#   Default: TCP
#   Required: no
#
#   Setting name: Servers
#   Description: List of target servers/URLs.
#   Valid values:
#      TCP: comma-separated list of server:port, e.g.: localhost:19500, splunksrv:12345
#      HTTP: comma-separated list of URLs starting with http or https.
#         Splunk example: http://server1:8088, https://server2:8088
#         OMS Log Analytics example: https://CUSTOMERID.ods.opinsights.azure.com
#   Default: empty
#   Required: yes
#
#   Setting name: RESTToken
#   Description: Authentication token required by the Splunk HTTP Event Collector and by OMS Log Analytics.
#     For Type OMSLogAnalytics use the primary or the secondary key for the workspace.
#     For Type Elasticsearch credentials in format <username>:<password> can be used to authenticate to the Elasticsearch server.
#   Valid values: any string
#   Default: empty
#   Required: only for type Splunk and protocol HTTP
#
#   Setting name: TLSClientCertificate
#   Description: Client certificate to be used in HTTPS communications with REST endpoints
#   Valid values: <store location>\<store name>\<certificate thumbprint>
#     <store location> can be: CurrentUser, LocalMachine, CurrentService, Services, CurrentUserGroupPolicy, LocalMachineGroupPolicy, LocalMachineEnterprise
#     <store name> can be: MY, Root, Trust, CA (if in doubt, use MY)
#     <certificate thumbprint> is the thumbprint of the certificate to be used to authenticate the client to the server
#   Default: empty
#   Required: only for type Kafka if the REST proxy requires authentication
#
#   Setting name: ElasticIngestPipeline
#   Description: Name of the Elasticsearch ingest pipeline used to perform common data transformation and enrichments.
#   Valid values: any string
#   Default: empty
#   Required: no
#
#   Setting name: Index
#   Description: Name of the backend index. For more details see https://uberagent.com/docs/uberagent/latest/kb/splunk/how-to-change-uberagents-splunk-index-name/
#   Valid values: any lowercase string
#   Default: uberagent
#   Required: no
#
#   Setting name: Host
#   Description: Name of the Splunk source host sending the event. Normally does not need to be changed.
#   Valid values: any string
#   Default: %computername%
#   Required: no
#
#   Setting name: Source
#   Description: Event source name. Normally does not need to be changed.
#   Valid values: any string
#   Default: uberAgent for UXM metrics, uberAgentESA for ESA metrics
#   Required: no
#
#   Setting name: MaxQueueSizeRamMb
#   Description: Maximum queue size in RAM in MB. If exceeded, events are discarded.
#   Valid values: any number
#   Default: 10
#   Required: no
#
#   Setting name: KafkaTopicName
#   Description: Change the Topic Name of any Kafka event using a prefixed uAQL query.
#   Valid values: e.g: uaql(set(KafkaTopicName, concat(KafkaTopicName, "_vastlimits")))
#   Default: empty
#   Required: no
#
#   Setting name: MaxEventsPerSendOperation
#   Description: Limits the number of events per send operation.
#   Valid values: any positive number (0 = no limitation)
#   Default: 1000
#   Required: no
#
#   Setting name: AzureEventHubsConfigurationId
#   Description: A GUID which links to a Azure Event Hubs configuration stanza. For more information see: https://uberagent.com/docs/uberagent/7-2/installation/backend/configuring-microsoft-azure-data-explorer-adx-event-hubs/
#   Valid values: any GUID
#   Default: empty
#   Required: no
#
############################################

[Receiver]
Name =
Type = Splunk
Protocol =
Servers =
RESTToken =

############################################
#
# Metrics explanation
#
# Available metrics:
#
# I.  UXM metrics (requiring the base product User Experience Monitoring)
#
# a)  Timer metrics (output at regular intervals):
#
#     ProcessDetailTop5                   Performance & application data for each process, top 5 items are displayed per category. Should not be used in conjunction with ProcessDetailFull (redundancy).
#     ProcessDetailFull                   Performance & application data for each process, all processes are displayed. Generates a huge data volume! Should not be used in conjunction with ProcessDetailTop5 (redundancy).
#     ApplicationInventory                Retrieves a list of all installed applications
#     SoftwareUpdateInventory             Retrieves a list of all installed updates and patches
#     MachineInventory                    Retrieves information about machines (OS, hardware model)
#     SessionDetail                       Performance data for each session
#     SystemPerformanceSummary            Performance data for the entire system
#     BrowserPerformanceCEB               Citrix Enterprise Browser: browser performance (requires the uberAgent browser extension for most metrics)
#     BrowserPerformanceChrome            Chrome: browser performance (requires the uberAgent browser extension for most metrics)
#     BrowserPerformanceEdge              Edge: browser performance (requires the uberAgent browser extension)
#     BrowserPerformanceFirefox           Firefox: browser performance (requires the uberAgent browser extension)
#     BrowserPerformanceIE                Internet Explorer performance (requires the uberAgent browser extension for most metrics)
#     GpuUsage                            GPU usage per machine and per process
#     NetworkTargetPerformanceProcess     Performance data per target IP address and port per process (see also [NetworkTargetPerformanceProcess_Filter])
#     SMBClientSharePerformance           Performance data per SMB share accessed by the machine's SMB client (requires Windows 8/Server 2012 or newer)
#     NetworkConfigInformation            Retrieves information about network configuration
#     AppNameIdMapping                    Lists mappings between app IDs (short names) and app names (regular application names) for use in lookups in the backend
#     ProcessStartup                      Process start events (including startup duration)
#     UserTags                            Determine configured user tags (see also [UserHostTagging])
#     HostTags                            Determine configured host tags (see also [UserHostTagging])
#     ProcessStatistics                   Additional process data such as handle and thread count. Separate metric from ProcessDetail so that data can be collected at a longer interval, reducing the data volume.
#
#     The following metrics are collected only if uberAgent is running on a Citrix Virtual Apps and Desktops delivery controller:
#
#     CitrixDCDesktopGroup                Information on Citrix Virtual Apps and Desktops delivery groups
#     CitrixDCCatalog                     Information on Citrix Virtual Apps and Desktops machine catalogs
#     CitrixDCMachine                     Information on Citrix Virtual Apps and Desktops machines (VDAs and DDCs)
#     CitrixDCHypervisor                  Information on Citrix Virtual Apps and Desktops hypervisor connections
#     CitrixDCGeneralInformation          Information on Citrix Virtual Apps and Desktops site properties like databases
#     CitrixDCLicenseInformation          Information on Citrix Virtual Apps and Desktops license usage
#     CitrixDCApplication                 Information on Citrix Virtual Apps and Desktops published applications
#     CitrixDCPublishedDesktops           Information on Citrix Virtual Apps and Desktops published desktops
#
#     The following metrics are collected by default if uberAgent is running on a Citrix Virtual Apps and Desktops delivery controller, but this behavior is customizable:
#
#     CitrixADCInventory                  CitrixADC (formerly NetScaler) inventory information for IPs, certificates and the appliance itself. Primary as well as secondary CitrixADC.
#     CitrixADCPerformance                CitrixADC (formerly NetScaler) performance information for the appliance itself. Primary only.
#     CitrixADCvServer                    CitrixADC (formerly NetScaler) performance information for virtual servers. Primary only.
#     CitrixADCGateways                   CitrixADC (formerly NetScaler) performance information for gateways. Primary only.
#
#     The following metrics are collected by default if uberAgent is running on a Citrix Virtual Apps and Desktops session host, but this behavior is customizable:
#
#     CitrixSessionVirtualChannelDetail
#     CitrixSessionConfig
#
# b)  On-demand metrics (output when it happens):
#
#     LogonDetail                         Several logon metrics like logon script processing time, group policy processing time, etc.
#     LogonProcesses                      Information about all processes run during user logon
#     BootDetail                          Boot performance data including applications/services/drivers that cause delays
#     ShutdownDetail                      Shutdown performance data including applications/services/drivers that cause delays
#     StandbyDetail                       Standby performance data including applications/services/drivers that cause delays
#     OutlookPerformanceEvents            Performance information for Microsoft Outlook
#     ApplicationErrors                   Information about application crashes and related errors
#     ApplicationUIDelay                  Application UI unresponsiveness
#
# c)  System performance counters (output at regular intervals)
#
#     Any Windows performance counter can be used. Example:
#
#        Perf counter = \System\System Up Time
#
############################################
#
# II. ESA metrics (requiring the optional product Endpoint Security Analytics)
#
# a)  Timer metrics (output at regular intervals):
#     ActivityMonitoring                  Enables the Threat Detection engine
#     ProcessStop                         Process stop events
#     DnsMonitoring                       Enables the DNS monitoring engine
#
# b)  On-demand metrics (output when it happens):
#
#     ScheduledTaskMonitoring             Events related to the Windows Task Scheduler (Scheduled Tasks)
#
############################################

############################################
#
# Timers
#
# uberAgent works with one or more timers.
# Each timer wakes up periodically. When it does, it computes the values of a configurable set of metrics and sends the results off for storage.
# Additionally there are on-demand metrics that log data when an event occurs, e.g. a user logon.
#
# Configurable settings per timer:
#
#   Setting name: Name
#   Description: Arbitrary name for the timer. Used only internally.
#   Valid values: any string
#   Default: empty
#   Required: yes
#
#   Setting name: Comment
#   Description: Arbitrary comment for the timer. Not used by uberAgent.
#   Valid values: any string
#   Default: empty
#   Required: no
#
#   Setting name: Interval
#   Description: How long to wait before collecting data again. Unit: milliseconds.
#   Valid values: any number
#   Default: [none]
#   Required: yes
#
#   Setting name: UA metric
#   Description: Name of any uberAgent timer metric to be collected through this timer. May be specified more than once per timer.
#   Valid values: any uberAgent timer metric
#   Default: empty
#   Required: no
#
#   Setting name: Perf counter
#   Description: Name of any Windows performance counter to be collected through this timer. May be specified more than once per timer.
#   Valid values: any performance counter name
#   Default: empty
#   Required: no
#
#   Setting name: Start delay
#   Description: If a start delay is configured, uberAgent waits for the given time in ms before running the timer's metrics for the first time. If no start delay is configured, uberAgent waits for the time configured with the Interval parameter.
#   Valid values: any number
#   Default: 0
#   Required: no
#
#   Setting name: Persist interval
#   Description: If this is enabled, uberAgent stores the timer's last runtime so that it does not run it more often than specified with the Interval parameter even when restarted.
#   Valid values: true | false
#   Default: false
#   Required: no
#
#   DEPRECATED: This setting is deprecated and will be removed in a future release.
#   Setting name: Thread priority
#   Description: Relative priority for the timer's thread.
#   Valid values: background | normal
#   Default: normal
#   Required: no
#
#   Setting name: Receivers
#   Description: List of receivers to send this timer's data to. Overrides the default (send to all receivers).
#   Valid values: Comma-separated list of receiver names configured in [Receiver] sections, e.g.: SplunkPool1, SplunkPool2
#   Default: all receivers
#   Required: no
#
#   Setting name: Script
#   Description: Run a script once or periodically, depending on the configured Interval (0 = run only once). The script's output to stdout is sent to the backend, each line as a new event. Can be specified more than once per timer.
#   Valid values: Any valid command line, optionally including command line parameters.
#   Default: empty
#   Required: no
#
#   Setting name: ScriptContext
#   Description: The user context to run a script in.
#   Valid values:
#      Windows:   Session0AsSystem | UserSessionAsSystem | UserSessionAsUser
#      macOS:     Root | User
#   Default: Windows: Session0AsSystem, macOS: Root
#   Required: no
#
#   Setting name: ScriptTimeout
#   Description: Time in ms until a running script is stopped. (0 = no timeout)
#   Valid values: 0 or >= 100
#   Default: 90000ms
#   Required: no
#
############################################

############################################
# On-demand metrics
############################################

[OnDemand]
UA metric      = LogonDetail
UA metric      = LogonProcesses
UA metric      = BootDetail
UA metric      = ShutdownDetail
UA metric      = StandbyDetail
UA metric      = OutlookPerformanceEvents
UA metric      = ApplicationErrors
UA metric      = ApplicationUIDelay

# ESA metrics
UA metric      = ScheduledTaskMonitoring

############################################
# Timer 1
############################################

[Timer]
Name           = Default
Comment        = Metrics are placed here unless there is a reason to have them run at different frequencies or to isolate them
Interval       = 30000
UA metric      = ProcessDetailFull
UA metric      = SessionDetail
UA metric      = CitrixSessionVirtualChannelDetail
UA metric      = SystemPerformanceSummary
UA metric      = SMBClientSharePerformance
UA metric      = NetworkTargetPerformanceProcess
UA metric      = ProcessStartup

# ESA metrics
UA metric      = ProcessStop
UA metric      = ActivityMonitoring
UA metric      = DnsMonitoring

############################################
# Timer 2
############################################

[Timer]
Name           = Network config & AppNameIdMapping
Comment        = Collects network configuration information and lists mappings between app IDs and app names for use in lookups in the backend
Interval       = 300000
UA metric      = NetworkConfigInformation
UA metric      = AppNameIdMapping

############################################
# Timer 3
############################################

[Timer]
Name           = GPU usage
Comment        = Isolate GPU metrics from the other metrics
Interval       = 30000
UA metric      = GpuUsage

############################################
# Timer 4
############################################

[Timer]
Name           = Browser performance
Comment        = Isolate browser metrics from the other metrics
Interval       = 30000
UA metric      = BrowserPerformanceCEB
UA metric      = BrowserPerformanceChrome
UA metric      = BrowserPerformanceEdge
UA metric      = BrowserPerformanceFirefox
UA metric      = BrowserPerformanceIE

############################################
# Timer 5
############################################

[Timer]
Name              = Inventory
Comment           = Perform an inventory at a very low frequency
Interval          = 86400000
Start delay       = 600000
Persist interval  = true
UA metric         = ApplicationInventory
UA metric         = SoftwareUpdateInventory
UA metric         = MachineInventory
UA metric         = CitrixADCInventory

############################################
# Timer 6
############################################

[Timer]
Name              = Citrix site - default
Comment           = Collect Citrix Virtual Apps and Desktops site information
Interval          = 300000
Start delay       = 240000
UA metric         = CitrixDCDesktopGroup
UA metric         = CitrixDCCatalog
UA metric         = CitrixDCHypervisor
UA metric         = CitrixDCGeneralInformation
UA metric         = CitrixDCApplication
UA metric         = CitrixDCPublishedDesktops

############################################
# Timer 7
############################################

[Timer]
Name              = Citrix site - machines
Comment           = Collect Citrix Virtual Apps and Desktops site information
Interval          = 300000
Start delay       = 260000
UA metric         = CitrixDCMachine

############################################
# Timer 8
############################################

[Timer]
Name              = Citrix site - licenses
Comment           = Collect Citrix Virtual Apps and Desktops site information
Interval          = 60000
Start delay       = 180000
UA metric         = CitrixDCLicenseInformation

############################################
# Timer 9
############################################

[Timer]
Name              = CitrixADC - performance
Comment           = Collect CitrixADC performance information for virtual servers, gateways and the appliance itself. Primary CitrixADC only.
Interval          = 60000
Start delay       = 300000
UA metric         = CitrixADCPerformance
UA metric         = CitrixADCvServer
UA metric         = CitrixADCGateways

############################################
# Timer 10
############################################

[Timer platform=Windows]
Name              = Citrix session configuration details
Comment           = Collect Citrix HDX metrics
Interval          = 900000
UA metric         = CitrixSessionConfig
EventTrigger      = TriggerCitrixSessionConfig

############################################
# Timer 11
############################################

[Timer]
Name              = Process statistics
Comment           = Collect process statistics metrics at a longer interval than ProcessDetail to keep the data volume low.
Interval          = 300000
UA metric         = ProcessStatistics

############################################
# EventTrigger configuration
############################################

[EventTrigger platform=Windows]
Name = TriggerCitrixSessionConfig
Type = UserLogon
Type = SessionConnectionStateChange
Type = SessionRoaming
Query = BrokerType == "Citrix"


############################################
#
# Executable to application name mappings (for overriding uberAgent's automatic application identification)
#
# Format: PATH_REGEX = Application name
#
#   See the definition of PATH_REGEX above.
#
# Examples:
#
# App name for C:\Dir\my.exe is "MyApp"
#   ^C:\\DIR\\my\.exe$ = MyApp
#
# App name for all executables in "C:\Program Files\Windows Defender" is "Windows Defender"
#   ^%ProgramFiles%\\Windows Defender\\.+\.exe$ = Windows Defender
#
# Example macOS:
#
# App name for all executables in "/Applications/MyApp Bundle.app" is "My App"
#   ^\/Applications\/MyApp Bundle\.app.*$ = My App
#
############################################

[ProcessToApplicationMapping]

# Windows Defender
^%ProgramData%\\Microsoft\\Windows Defender\\Platform\\.+\\.+\.exe$ = Windows Defender
^%ProgramFiles%\\Windows Defender\\.+\.exe$ = Windows Defender

############################################
#
# Processes to ignore in application lookup
#
# Format: PATH_REGEX = uberAgent_ignore
#
#   See the definition of PATH_REGEX above.
#
############################################

[ApplicationMappingIgnoredProcesses]

############################################
#
# Process startup duration load image wait interval
#
# When uberAgent determines process startup duration, it looks for the beginning of a 30 second time interval without library load events
# The default wait duration of 30 seconds can be adjusted either globally or for individual processes here (individual has precedence over global).
#
# Additionally, if there are IO operations during the library loading phase, uberAgent calculates the average IOPS during that phase and waits until
# IOPS drop to less than 20% for at least 10 seconds after the end of the library loading phase. The value of 10 seconds can be adjusted here, too.
#
# Configurable settings:
#
#   Setting name: DllLoadWaitDurationGlobal
#   Description: Globally set the library loading phase wait duration for all processes in ms.
#   Valid values: any number
#   Default: 30000
#   Required: no
#
#   Setting name: IopsDropoffDurationGlobal
#   Description: Globally set the IOPS dropoff phase duration for all processes in ms.
#   Valid values: any number
#   Default: 10000
#   Required: no
#
#   Setting name: <process.exe>
#   Description: Set the library loading phase wait duration for a specific process in ms. May be specified more than once.
#   Valid values: any number
#   Default: 30000
#   Required: no
#
############################################

[ProcessStartupDurationWaitIntervalOverride]

AcroRd32.exe = 15000

############################################
#
# Optional settings for Process startup metrics
#
#   Setting name: EnableExtendedInfo
#   Description: Send detailed information about each started process to the backend, e.g. path, command line, process ID, parent ID. This also enables population of the ProcGUID field in other sourcetypes, which can be used for detailed process instance tracking.
#   Valid values: true | false
#   Default: false
#   Required: no
#
#   Setting name: EnableCalculateHash
#   Description: Enables hash calculation for processes and libraries.
#   Requires: ESA
#   Valid values: true | false
#   Default: true
#   Required: no
#
#   Setting name: EnableCdHash
#   Description: Enables the collection of an application's code directory hash. macOS only.
#   Requires: ESA
#   Valid values: true | false
#   Default: true
#   Required: no
#
#   Setting name: HashImageTypes
#   Description: Defines on which objects to calculate hash values.
#   Requires: ESA
#   Valid values: Processes | Libraries | ProcessesAndLibraries
#   Default: Processes
#   Required: no
#
#   Setting name: HashAlgorithm
#   Description: Defines which hash algorithm should be used to calculate the hash.
#   Requires: ESA
#   Valid values: SHA-1 | SHA-256 | MD5 | ImpHash
#   Default: MD5
#   Required: no
#
#   Setting name: HashesCacheMaxSize
#   Description: The maximum number of elements of images (.EXE and .DLL) to store in hash cache.
#   Requires: ESA
#   Valid values: any number between 1 and 2000000
#   Default: 3000
#   Required: no
#
#   Setting name: EnableAuthenticode
#   Description: The following information will be read out: Authenticode signature present? Is from OS vendor e.g. Microsoft? Is signature valid and the name of the signer.
#   Requires: ESA
#   Valid values: true | false
#   Default: true
#   Required: no
#
#   Setting name: AuthenticodeImageTypes
#   Description:  Defines on which objects to check Authenticode values.
#   Requires: ESA
#   Valid values: Processes | Libraries | ProcessesAndLibraries
#   Default: Processes
#   Required: no
#
#   Setting name: AuthenticodeCacheMaxSize
#   Description: The maximum number of elements to store in the Authenticode information cache.
#   Requires: ESA
#   Valid values: any number between 1 and 2000000
#   Default: 1500
#   Required: no
#
#   Setting name: EnableProcessTampering
#   Description: Enables verifying process starts and checks whether a process was tampered or not. Evaluates an ESA Threat Detection event if detected.
#   Requires: ESA
#   Valid values: true | false
#   Default: true
#   Required: no
#
############################################

[ProcessStartupSettings]

############################################
#
# DEPRECATED
# This configuration is deprecated and will be removed in a future release.
# Please use event data filtering instead: https://uberagent.com/docs/uberagent/latest/uxm-features-configuration/event-data-filtering/
#
# Optional filter for the metrics ProcessStartup and ProcessStop
#
# Format: PATH_REGEX = uberAgent_denylist | uberAgent_allowlist
#
# (see the definition of PATH_REGEX in the documentation)
#
# Processes can be allowed or denied.
# If an allowlist is defined, any processes not on that list are ignored.
# When a process has passed the allowlist (or if no allowlist is defined), it is checked against the denylist.
# If a denylist is defined, any processes on that list are ignored.
#
# Examples:
#
# Exclude "conhost.exe" (typically started from the path: \??\C:\WINDOWS\system32\conhost.exe)
#    ^(\\\?\?\\)?%SystemRoot%\\System32\\conhost\.exe$ = uberAgent_denylist
#
############################################

[ProcessStartStop_Filter]

############################################
#
# Optional filter for browser web app metrics (sourcetype uberAgent:Application:BrowserWebRequests2) and the SessionFgBrowserActiveTabHost field of sourcetype uberAgent:Session:SessionDetail.
#
# Format: URL_REGEX = uberAgent_denylist | uberAgent_allowlist
#
# (see the definition of URL_REGEX in the documentation)
#
# URLs can be allowed or denied.
# If an allowlist is defined, any URLs not on that list are ignored.
# When a URL has passed the allowlist (or if no allowlist is defined), it is checked against the denylist.
# If a denylist is defined, any URLs on that list are ignored.
#
# Only tab URLs are filtered. This filter is not applied to request URLs.
#
# Examples:
#
# Allow only .com domains:
#    .*\.com/.*$ = uberAgent_allowlist
#
# Deny vastlimits.com and subdomains over http or https:
#    ^https?://.*\.?vastlimits\.com/.*$ = uberAgent_denylist
#
############################################

[BrowserWebAppURL_Filter]

############################################
#
# Documentation for BrowserWebAppURL_ComponentDetail: https://uberagent.com/docs/uberagent/latest/uxm-features-configuration/web-app-monitoring/
#
############################################

[BrowserWebAppURL_ComponentDetail]

############################################
#
# DEPRECATED
# This configuration is deprecated and will be removed in a future release.
# Please use event data filtering instead: https://uberagent.com/docs/uberagent/latest/uxm-features-configuration/event-data-filtering/
#
# Optional filter for the metric ProcessDetailFull
#
# Format: PROCESS_NAME_REGEX = uberAgent_denylist | uberAgent_allowlist
#
# (see the definition of PROCESS_NAME_REGEX in the documentation)
#
# Processes can be allowed or denied.
# If an allowlist is defined, any processes not on that list are ignored.
# When a process has passed the allowlist (or if no allowlist is defined), it is checked against the denylist.
# If a denylist is defined, any processes on that list are ignored.
#
# Examples:
#
# Exclude processes whose name is exactly "process.exe"
#    ^process\.exe$ = uberAgent_denylist
#
# Include only .EXE files whose name starts with "c"
#    ^c.*\.exe$ = uberAgent_allowlist
#
############################################

[ProcessDetailFull_Filter]

############################################
#
# Optionally add the command line to the ProcessDetail* metrics
# This can significantly increase the data volume, so use with caution
#
# Format: PROCESS_NAME_REGEX = uberAgent_denylist | uberAgent_allowlist
#
# (see the definition of PROCESS_NAME_REGEX in the documentation)
#
# Processes can be allowed or denied.
# If an allowlist is defined, any processes not on that list are ignored.
# When a process has passed the allowlist (or if no allowlist is defined), it is checked against the denylist.
# If a denylist is defined, any processes on that list are ignored.
#
# Examples:
#
# Exclude processes whose name is exactly "process.exe"
#    ^process\.exe$ = uberAgent_denylist
#
# Include only .EXE files whose name starts with "c"
#    ^c.*\.exe$ = uberAgent_allowlist
#
############################################

[ProcessDetail_SendCommandline]

############################################
#
# DEPRECATED
# This configuration is deprecated and will be removed in a future release.
# Please use event data filtering instead: https://uberagent.com/docs/uberagent/latest/uxm-features-configuration/event-data-filtering/
#
# Optional filter for the metric NetworkTargetPerformanceProcess
#
# Format: PROCESS_NAME_REGEX = uberAgent_denylist | uberAgent_allowlist
#
# (see the definition of PROCESS_NAME_REGEX in the documentation)
#
# Processes can be allowed or denied.
# If an allowlist is defined, any processes not on that list are ignored.
# When a process has passed the allowlist (or if no allowlist is defined), it is checked against the denylist.
# If a denylist is defined, any processes on that list are ignored.
#
# Examples:
#
# Exclude processes whose name is exactly "process.exe"
#    ^process\.exe$ = uberAgent_denylist
#
# Allow only .EXE whose name starts with "c"
#    ^c.*\.exe$ = uberAgent_allowlist
#
############################################

[NetworkTargetPerformanceProcess_Filter]

############################################
#
# Documentation for NetworkTargetPerformanceProcess_Config: https://uberagent.com/docs/uberagent/latest/uxm-features-configuration/per-application-network-monitoring/
#
############################################

[NetworkTargetPerformanceProcess_Config]

############################################
#
# Configuration for CitrixADC
# If multiple [CitrixADC_Config] sections are specified, the configured metrics will be determined for each of them.
# Use one [CitrixADC_Config] section for each of your CitrixADC pairs.
#
# Configurable settings:
#
#   Setting name: Server
#   Description: List of Citrix ADC servers/appliances. The secondary appliance is optional.
#   Valid values: primary appliance, secondary appliance
#   Default: empty
#   Required: yes
#
# Examples:
#
#    Server = 10.1.1.21
#    Server = Server1.domain.local,Server2.domain.local
#
#   Setting name: Username
#   Description: The username to connect to the Citrix ADC server
#   Valid values: any string
#   Default: empty
#   Required: yes
#
#   Setting name: Password
#   Description: The password to connect to the Citrix ADC server
#   Valid values: any string
#   Default: empty
#   Required: yes
#
#   Setting name: Https
#   Description: Defines the connection type (HTTP or HTTPS). If HTTPS is used, the entries in the setting "Server" must match those in the CitrixADC management certificate.
#   Valid values: true | false
#   Default: false
#   Required: no
#
#   Setting name: CollectADCInformation
#   Description: CitrixADC information is collected only on Citrix Virtual Apps and Desktops delivery controllers (DDCs) by default. With this setting, you can overwrite that behavior.
#                True collects the Citrix ADC information on every machine. False disables data collection.
#                MachineList defines, that Citrix ADC information is determined from a set of machines. See: CollectADCInformationMachines
#   Valid values: DDCOnly | True | False | MachineList
#   Default: DDCOnly
#   Required: no
#
#   Setting name: CollectADCInformationMachines
#   Description: A set of machine names where the Citrix ADC information will be collected. A comma-separated list of machine names.
#   Valid values: any string
#   Default: empty
#   Required: no
#
#############################################

[CitrixADC_Config platform=Windows]

############################################
#
# Configuration for Citrix cloud
# If multiple [CitrixCloud_Config] sections are specified, the configured metrics will be determined for each of them.
#
# Configurable settings:
#
#   Setting name: API endpoint
#   Description: Full URL of the Citrix cloud (e.g. https://api-eu.cloud.com)
#   Valid values: any string
#   Default: https://api-us.cloud.com
#   Required: No
#
#   Setting name: CustomerId
#   Description: The customer ID
#   Valid values: any string
#   Default: empty
#   Required: yes
#
#   Setting name: ClientId
#   Description: The client ID
#   Valid values: any string
#   Default: empty
#   Required: yes
#
#   Setting name: ClientSecret
#   Description: The client secret
#   Valid values: any string
#   Default: empty
#   Required: yes
#
#   Setting name: CollectCitrixCloudInformation
#   Description: Citrix Cloud information determination is disabled by default. With this setting, you can overwrite that behavior.
#                True collects the Citrix Cloud information on every machine. False disables data collection.
#                MachineList defines, that Citrix Cloud information is determined from a set of machines. See: CollectCitrixCloudInformationMachines
#   Valid values: True | False | MachineList
#   Default: False
#   Required: no
#
#   Setting name: CollectCitrixCloudInformationMachines
#   Description: A set of machine names where the Citrix Cloud information will be collected. A comma-separated list of machine names.
#   Valid values: any string
#   Default: empty
#   Required: no
#
#############################################

[CitrixCloud_Config platform=Windows]

############################################
#
# Optional configuration for the metric SessionDetail
#
# Configurable settings:
#
#   Setting name: SessionFgWindowTitleMaxLength
#   Description: Maximum length of window titles in the SessionFgWindowTitle field. Longer titles are trimmed to the configured length. A value of zero disables the collection of window titles.
#   Valid values: any positive integer
#   Default: 30
#   Required: no
#
############################################

[SessionDetail_Config]

############################################
#
# Optional configuration for tags. Tags are company-defined metadata that are added for hosts/users. User tags are determined in the user's context and host tags are determined for the host.
# Tags are stored in a separate sourcetype.
#
# The tags documentation can be found here: https://uberagent.com/docs/uberagent/latest/advanced-topics/user-host-tagging/
#
############################################

[UserHostTagging]

############################################
#
# Optional configuration for Threat Detection rules.
#
# The rule filter documentation can be found here: https://uberagent.com/docs/uberagent/latest/esa-features-configuration/threat-detection-engine/rule-syntax/
#
############################################

[ActivityMonitoringRule_Filter]

############################################
#
# Configuration for Filesystem Monitoring
#
# Configurable settings:
#
#   Setting name: Enabled
#   Description: Activates or deactivates filesystem monitoring. Filesystem monitoring requires ESA being enabled.
#   Valid values: True | False
#   Default: True
#   Required: no
#
#   Setting name: Hotplug
#   Description:  Specify to monitor newly mounted volumes dynamically. If enabled, uberAgent will monitor newly mounted volumes that match the criteria; otherwise, it will not.
#   Valid values: True | False
#   Default: False
#   Required: no
#
#   Setting name: Monitor
#   Description: Activates or deactivates filesystem monitoring. Filesystem monitoring requires ESA being enabled.
#   Valid values: Disks, NetworkShares. Additionally for Windows only: NamedPipes, Mailslot
#   Default: Disks. Additionally for Windows only: NamedPipes and Mailslot
#   Required: no
#
############################################

[FilesystemMonitoring]

############################################
#
# Security & Compliance Inventory configuration.
#
# The Security & Compliance Inventory documentation can be found here: https://uberagent.com/docs/uberagent/latest/esa-features-configuration/security-compliance-inventory/
#
############################################

[SecurityInventoryTest]

############################################
#
# Includes (config files to be processed, too)
#
############################################

# Include the ESA config file
@ConfigInclude uberAgent-ESA.conf

# Include default event data filter rules
@ConfigInclude uberAgent-eventdata-filter.conf