uberAgent.conf

#
#
# This is the default configuration file for uberAgent
# On Windows, place it in the same directory as uberAgent.exe
#
# On macOS, this file must be located in /Library/Application Support/uberAgent. Make sure to save changes to this file as uberAgent.conf.
# uberAgent-default.conf serves as a fallback, and is overwritten with the most current default configuration during updates.

#
# Documentation: https://uberagent.com/docs/uberagent/latest/installation/configuration-through-config-file/
#

############################################
#
# Products
#
# a)  UXM (User Experience Monitoring)
#
#     This is the default product. It is always enabled.
#
# b)  ESA (Endpoint Security Analytics)
#
#     ESA is an optional add-on product that requires UXM to work. Please note that ESA must be licensed independently of UXM.
#
# Configurable settings in this section:
#
#   Setting name: EnableESA
#   Description: Enables the Endpoint Security Analytics product
#   Valid values: true | false
#   Default: false
#   Required: no
#
############################################

[ProductComponents]
EnableESA = true

############################################
#
# General configuration
#
# Configurable settings in this section:
#
#   Setting name: DebugMode
#   Description: When in debug mode, uberAgent's log file is more verbose, providing more detail on what is going on.
#   Valid values: true | false
#   Default: false
#   Required: no
#
#   Setting name: LogFileCount
#   Description: Number of log files to keep (current + historical). When exceeded, the oldest log file is deleted.
#   Valid values: any positive integer
#   Default: 5
#   Required: no
#
#   Setting name: EncryptUserNames
#   Description: If enabled, user and domain names are encrypted in the agent before being sent off to Splunk. This can be useful for compliance with privacy regulations.
#   Valid values: true | false
#   Default: false
#   Required: no
#
#   Setting name: LicenseFilePath
#   Description: Path to a directory where uberAgent searches for license files. The license files are cached locally in "%ProgramData%\vast limits\uberAgent\License cache" (Windows) and in "/Library/Caches/uberAgent" (macOS) so that permanent connectivity is not required. If the license file path is not specified uberAgent falls back to the installation directory (Windows) or to "/Library/Application Support/uberAgent" (macOS).
#   Valid values: Any valid path (local or UNC)
#   Default: empty
#   Required: no
#
#   Setting name: RegisterIEAddOn
#   Description: Register or deregister uberAgent's Internet Explorer add-on through the service.
#   Valid values: 0 = do nothing, 1 = register the add-on, 2 = deregister the add-on
#   Default: 0
#   Required: no
#
#   Setting name: BrowserDataCollection
#   Description: Enable or disable data collection of uberAgent's browser extensions. Currently this setting is used only in our Firefox extension.
#   Valid values: 0 = do nothing, 1 = enable data collection, 2 = disable data collection
#   Default: 1
#   Required: no
#
#   Setting name: RegistryMonitoring
#   Description: When disabled (false), no registry monitoring is performed. Registry monitoring requires ESA being enabled.
#   Valid values: true | false
#   Default: true
#   Required: no
#
#   Setting name: ConfigFlags
#   Description: Define additional implementation defined flags.
#   Valid values: A comma- or semicolon-separated list of any of the following strings
#     - NoGatewayCheck                   - disable the check for a configured Default Gateway for non-PPP network interfaces
#     - IEIgnoreFrames                   - disable determination of performance data for frames in Internet Explorer
#     - RegMonSvcDebugOutput             - enable Registry Monitoring debug output to ProcMon
#     - TLSRevocationChecksDisabled      - disable certificate revocation checks, e.g. during testing with self-signed certificates on the backend (Windows only)
#     - TLSRevocationChecksBestEffort    - ignore certificate revocation checks in case of missing or offline distribution points (Windows only). If both revocation check options are configured, the option above takes precedence. For more details on these two options see https://curl.se/libcurl/c/CURLOPT_SSL_OPTIONS.html
#     - DisableESFileSystemMonitoring    - disable file system monitoring based on Endpoint Security on macOS
#     - SessionHelperQueryDelayMs:NUMBER - delay between queries to in-session helper processes. Replace NUMBER with any integer >= 0 to specify the delay in ms.
#   Default: empty
#   Required: no
#
############################################

[Miscellaneous]
DebugMode = true

############################################
#
# Data receivers
#
# uberAgent sends data to the receivers configured here.
# If multiple [Receiver] sections are specified, data will be sent to EACH receiver. This can be overridden per Timer by specifying a comma-separated list of receivers.
# To load-balance and fail over between servers specify multiple comma-separated values for "Servers" in a SINGLE receiver section
#
# Configurable settings in this section:
#
#   Setting name: Name
#   Description: Arbitrary name for the data receiver. Used only internally.
#   Valid values: any string
#   Default: empty
#   Required: no
#
#   Setting name: Type
#   Description: Receiver type.
#   Valid values: Splunk | Elasticsearch | OMSLogAnalytics | Kafka
#   Default: Splunk
#   Required: yes
#
#   Setting name: Protocol
#   Description: How to send data to the backend.
#      TCP uses a direct TCP connection
#      HTTP sends to a REST endpoint via HTTP or HTTPS
#      For type Splunk use TCP or HTTP, for all other types use HTTP.
#   Valid values: TCP | HTTP
#   Default: TCP
#   Required: no
#
#   Setting name: Servers
#   Description: List of target servers/URLs.
#   Valid values:
#      TCP: comma-separated list of server:port, e.g.: localhost:19500, splunksrv:12345
#      HTTP: comma-separated list of URLs starting with http or https.
#         Splunk example: http://server1:8088, https://server2:8088
#         OMS Log Analytics example: https://CUSTOMERID.ods.opinsights.azure.com
#   Default: empty
#   Required: yes
#
#   Setting name: RESTToken
#   Description: Authentication token required by the Splunk HTTP Event Collector and by OMS Log Analytics.
#     For Type OMSLogAnalytics use the primary or the secondary key for the workspace.
#     For Type Elasticsearch credentials in format <username>:<password> can be used to authenticate to the Elasticsearch server.
#   Valid values: any string
#   Default: empty
#   Required: only for type Splunk and protocol HTTP
#
#   Setting name: TLSClientCertificate
#   Description: Client certificate to be used in HTTPS communications with REST endpoints
#   Valid values: <store location>\<store name>\<certificate thumbprint>
#     <store location> can be: CurrentUser, LocalMachine, CurrentService, Services, CurrentUserGroupPolicy, LocalMachineGroupPolicy, LocalMachineEnterprise
#     <store name> can be: MY, Root, Trust, CA (if in doubt, use MY)
#     <certificate thumbprint> is the thumbprint of the certificate to be used to authenticate the client to the server
#   Default: empty
#   Required: only for type Kafka if the REST proxy requires authentication
#
#   Setting name: ElasticIngestPipeline
#   Description: Name of the Elasticsearch ingest pipeline used to perform common data transformation and enrichments.
#   Valid values: any string
#   Default: empty
#   Required: no
#
#   Setting name: Index
#   Description: Name of the backend index. Custom Splunk index names must be configured in macros.conf, too.
#   Valid values: any lowercase string
#   Default: uberagent
#   Required: no
#
#   Setting name: Host
#   Description: Name of the Splunk source host sending the event. Normally does not need to be changed.
#   Valid values: any string
#   Default: %computername%
#   Required: no
#
#   Setting name: Source
#   Description: Event source name. Normally does not need to be changed.
#   Valid values: any string
#   Default: uberAgent for UXM metrics, uberAgentESA for ESA metrics
#   Required: no
#
#   Setting name: MaxQueueSizeRamMb
#   Description: Maximum queue size in RAM in MB. If exceeded, events are discarded.
#   Valid values: any number
#   Default: 10
#   Required: no
#
############################################

[Receiver]
Name = Default
Type = Splunk
Protocol = TCP
Servers = localhost:19500
RESTToken =

############################################
#
# Metrics explanation
#
# Available metrics:
#
# I.  UXM metrics (requiring the base product User Experience Monitoring)
#
# a)  Timer metrics (output at regular intervals):
#
#     ProcessDetailTop5                   Performance & application data for each process, top 5 items are displayed per category. Should not be used in conjunction with ProcessDetailFull (redundancy).
#     ProcessDetailFull                   Performance & application data for each process, all processes are displayed. Generates a huge data volume! Should not be used in conjunction with ProcessDetailTop5 (redundancy).
#     ApplicationUsage                    DEPRECATED: this metric is deprecated and will be removed in a future release. uberAgent's dashboards use ProcessDetail instead.
#     ApplicationInventory                Retrieves a list of all installed applications
#     SoftwareUpdateInventory             Retrieves a list of all installed updates and patches
#     MachineInventory                    Retrieves information about machines (OS, hardware model)
#     SessionDetail                       Performance data for each session
#     SystemPerformanceSummary            Performance data for the entire system
#     BrowserPerformanceChrome            Chrome: browser performance (requires the uberAgent browser extension for most metrics)
#     BrowserPerformanceEdge              Edge: browser performance (requires the uberAgent browser extension)
#     BrowserPerformanceFirefox           Firefox: browser performance (requires the uberAgent browser extension)
#     BrowserPerformanceIE                Internet Explorer performance (requires the uberAgent browser extension for most metrics)
#     GpuUsage                            GPU usage per machine and per process
#     NetworkTargetPerformanceProcess     Performance data per target IP address and port per process (see also [NetworkTargetPerformanceProcess_Filter])
#     SMBClientSharePerformance           Performance data per SMB share accessed by the machine's SMB client (requires Windows 8/Server 2012 or newer)
#     NetworkConfigInformation            Retrieves information about network configuration
#     AppNameIdMapping                    Lists mappings between app IDs (short names) and app names (regular application names) for use in lookups in the backend
#     ProcessStartup                      Process start events (including startup duration)
#
#     The following metrics are collected only if uberAgent is running on a Citrix Virtual Apps and Desktops delivery controller:
#
#     CitrixDCDesktopGroup                Information on Citrix Virtual Apps and Desktops delivery groups
#     CitrixDCCatalog                     Information on Citrix Virtual Apps and Desktops machine catalogs
#     CitrixDCMachine                     Information on Citrix Virtual Apps and Desktops machines (VDAs and DDCs)
#     CitrixDCHypervisor                  Information on Citrix Virtual Apps and Desktops hypervisor connections
#     CitrixDCGeneralInformation          Information on Citrix Virtual Apps and Desktops site properties like databases
#     CitrixDCLicenseInformation          Information on Citrix Virtual Apps and Desktops license usage
#     CitrixDCApplication                 Information on Citrix Virtual Apps and Desktops published applications
#     CitrixDCPublishedDesktops           Information on Citrix Virtual Apps and Desktops published desktops
#
#     The following metrics are collected by default if uberAgent is running on a Citrix Virtual Apps and Desktops delivery controller, but this behavior is customizable:
#
#     CitrixADCInventory                  CitrixADC (formerly NetScaler) inventory information for IPs, certificates and the appliance itself. Primary as well as secondary CitrixADC.
#     CitrixADCPerformance                CitrixADC (formerly NetScaler) performance information for the appliance itself. Primary only.
#     CitrixADCvServer                    CitrixADC (formerly NetScaler) performance information for virtual servers. Primary only.
#     CitrixADCGateways                   CitrixADC (formerly NetScaler) performance information for gateways. Primary only.
#
# b)  On-demand metrics (output when it happens):
#
#     LogonDetail                         Several logon metrics like logon script processing time, group policy processing time, etc.
#     LogonProcesses                      Information about all processes run during user logon
#     BootDetail                          Boot performance data including applications/services/drivers that cause delays
#     ShutdownDetail                      Shutdown performance data including applications/services/drivers that cause delays
#     StandbyDetail                       Standby performance data including applications/services/drivers that cause delays
#     OutlookPerformanceEvents            Performance information for Microsoft Outlook
#     ApplicationErrors                   Information about application crashes and related errors
#     ApplicationUIDelay                  Application UI unresponsiveness
#
# c)  System performance counters (output at regular intervals)
#
#     Any Windows performance counter can be used. Example:
#        
#        Perf counter = \System\System Up Time
#
############################################
#
# II. ESA metrics (requiring the optional product Endpoint Security Analytics)
#
# a)  Timer metrics (output at regular intervals):
#     ActivityMonitoring                  Enables the activity monitoring engine
#     ProcessStop                         Process stop events
#     DnsMonitoring                       Enables the DNS monitoring engine
#
# b)  On-demand metrics (output when it happens):
#
#     ScheduledTaskMonitoring             Events related to the Windows Task Scheduler (Scheduled Tasks)
#
############################################

############################################
#
# Timers
#
# uberAgent works with one or more timers.
# Each timer wakes up periodically. When it does, it computes the values of a configurable set of metrics and sends the results off for storage.
# Additionally there are on-demand metrics that log data when an event occurs, e.g. a user logon.
#
# Configurable settings per timer:
#
#   Setting name: Name
#   Description: Arbitrary name for the timer. Used only internally.
#   Valid values: any string
#   Default: empty
#   Required: yes
#
#   Setting name: Comment
#   Description: Arbitrary comment for the timer. Not used by uberAgent.
#   Valid values: any string
#   Default: empty
#   Required: no
#
#   Setting name: Interval
#   Description: How long to wait before collecting data again. Unit: milliseconds.
#   Valid values: any number
#   Default: [none]
#   Required: yes
#
#   Setting name: UA metric
#   Description: Name of any uberAgent timer metric to be collected through this timer. May be specified more than once per timer.
#   Valid values: any uberAgent timer metric
#   Default: empty
#   Required: no
#
#   Setting name: Perf counter
#   Description: Name of any Windows performance counter to be collected through this timer. May be specified more than once per timer.
#   Valid values: any performance counter name
#   Default: empty
#   Required: no
#
#   Setting name: Start delay
#   Description: If a start delay is configured, uberAgent waits for the given time in ms before running the timer's metrics for the first time. If no start delay is configured, uberAgent waits for the time configured with the Interval parameter.
#   Valid values: any number
#   Default: 0
#   Required: no
#
#   Setting name: Persist interval
#   Description: If this is enabled, uberAgent stores the timer's last runtime so that it does not run it more often than specified with the Interval parameter even when restarted.
#   Valid values: true | false
#   Default: false
#   Required: no
#
#   Setting name: Thread priority
#   Description: Relative priority for the timer's thread.
#   Valid values: background | normal
#   Default: normal
#   Required: no
#
#   Setting name: Receivers
#   Description: List of receivers to send this timer's data to. Overrides the default (send to all receivers).
#   Valid values: Comma-separated list of receiver names configured in [Receiver] sections, e.g.: SplunkPool1, SplunkPool2
#   Default: all receivers
#   Required: no
#
#   Setting name: Script
#   Description: Run a script once or periodically, depending on the configured Interval (0 = run only once). The script's output to stdout is sent to Splunk, each line as a new event. Can be specified more than once per timer.
#   Valid values: Any valid command line, optionally including command line parameters.
#   Default: empty
#   Required: no
#
#   Setting name: ScriptContext
#   Description: The user context to run a script in.
#   Valid values: Session0AsSystem | UserSessionAsSystem | UserSessionAsUser
#   Default: Session0AsSystem
#   Required: no
#
############################################

############################################
# On-demand metrics
############################################

[OnDemand]
UA metric      = LogonDetail
UA metric      = LogonProcesses
UA metric      = BootDetail
UA metric      = ShutdownDetail
UA metric      = StandbyDetail
UA metric      = OutlookPerformanceEvents
UA metric      = ApplicationErrors
UA metric      = ApplicationUIDelay

# ESA metrics
UA metric      = ScheduledTaskMonitoring

############################################
# Timer 1
############################################

[Timer]
Name           = Default
Comment        = Metrics are placed here unless there is a reason to have them run at different frequencies or to isolate them
Interval       = 30000
UA metric      = ProcessDetailFull
UA metric      = SessionDetail
UA metric      = SystemPerformanceSummary
UA metric      = SMBClientSharePerformance
UA metric      = NetworkTargetPerformanceProcess
UA metric      = ProcessStartup

# ESA metrics
UA metric      = ProcessStop
UA metric      = ActivityMonitoring
UA metric      = DnsMonitoring

############################################
# Timer 2
############################################

[Timer]
Name           = Network config & AppNameIdMapping
Comment        = Collects network configuration information and lists mappings between app IDs and app names for use in lookups in the backend
Interval       = 300000
UA metric      = NetworkConfigInformation
UA metric      = AppNameIdMapping

############################################
# Timer 3
############################################

[Timer]
Name           = GPU usage
Comment        = Isolate GPU metrics from the other metrics
Interval       = 30000
UA metric      = GpuUsage

############################################
# Timer 4
############################################

[Timer]
Name           = Browser performance
Comment        = Isolate browser metrics from the other metrics
Interval       = 30000
UA metric      = BrowserPerformanceChrome
UA metric      = BrowserPerformanceEdge
UA metric      = BrowserPerformanceFirefox
UA metric      = BrowserPerformanceIE

############################################
# Timer 5
############################################

[Timer]
Name              = Inventory
Comment           = Perform an inventory at a very low frequency
Interval          = 86400000
Start delay       = 600000
Persist interval  = true
Thread priority   = background
UA metric         = ApplicationInventory
UA metric         = SoftwareUpdateInventory
UA metric         = MachineInventory
UA metric         = CitrixADCInventory

############################################
# Timer 6
############################################

[Timer]
Name              = Citrix site - default
Comment           = Collect Citrix Virtual Apps and Desktops site information
Interval          = 300000
Start delay       = 240000
UA metric         = CitrixDCDesktopGroup
UA metric         = CitrixDCCatalog
UA metric         = CitrixDCHypervisor
UA metric         = CitrixDCGeneralInformation
UA metric         = CitrixDCApplication
UA metric         = CitrixDCPublishedDesktops

############################################
# Timer 7
############################################

[Timer]
Name              = Citrix site - machines
Comment           = Collect Citrix Virtual Apps and Desktops site information
Interval          = 300000
Start delay       = 260000
UA metric         = CitrixDCMachine

############################################
# Timer 8
############################################

[Timer]
Name              = Citrix site - licenses
Comment           = Collect Citrix Virtual Apps and Desktops site information
Interval          = 60000
Start delay       = 180000
UA metric         = CitrixDCLicenseInformation

############################################
# Timer 9
############################################

[Timer]
Name              = CitrixADC - performance
Comment           = Collect CitrixADC performance information for virtual servers, gateways and the appliance itself. Primary CitrixADC only.
Interval          = 60000
Start delay       = 300000
UA metric         = CitrixADCPerformance
UA metric         = CitrixADCvServer
UA metric         = CitrixADCGateways

############################################
#
# Executable to application name mappings (for overriding uberAgent's automatic application identification)
#
# Format: PATH_REGEX = Application name
#
#   See the definition of PATH_REGEX above.
#
# Examples:
#
# App name for C:\Dir\my.exe is "MyApp"
#   ^C:\\DIR\\my\.exe$ = MyApp
#
# App name for all executables in "C:\Program Files\Windows Defender" is "Windows Defender"
#   ^%ProgramFiles%\\Windows Defender\\.+\.exe$ = Windows Defender
#
# Example macOS:
#
# App name for all executables in "/Applications/MyApp Bundle.app" is "My App"
#   ^\/Applications\/MyApp Bundle\.app.*$ = My App
#
############################################

[ProcessToApplicationMapping]

# Windows Defender
^%ProgramData%\\Microsoft\\Windows Defender\\Platform\\.+\\.+\.exe$ = Windows Defender
^%ProgramFiles%\\Windows Defender\\.+\.exe$ = Windows Defender

############################################
#
# Processes to ignore in application lookup
#
# Format: PATH_REGEX = uberAgent_ignore
#
#   See the definition of PATH_REGEX above.
#
############################################

[ApplicationMappingIgnoredProcesses]

############################################
#
# Process startup duration load image wait interval
#
# When uberAgent determines process startup duration, it looks for the beginning of a 30 second time interval without image (DLL) load events
# The default wait duration of 30 seconds can be adjusted either globally or for individual processes here (individual has precedence over global).
# 
# Additionally, if there are IO operations during the DLL loading phase, uberAgent calculates the average IOPS during that phase and waits until
# IOPS drop to less than 20% for at least 10 seconds after the end of the DLL loading phase. The value of 10 seconds can be adjusted here, too.
#
# Configurable settings:
#
#   Setting name: DllLoadWaitDurationGlobal
#   Description: Globally set the DLL loading phase wait duration for all processes in ms.
#   Valid values: any number
#   Default: 30000
#   Required: no
#
#   Setting name: IopsDropoffDurationGlobal
#   Description: Globally set the IOPS dropoff phase duration for all processes in ms.
#   Valid values: any number
#   Default: 10000
#   Required: no
#
#   Setting name: <process.exe>
#   Description: Set the DLL loading phase wait duration for a specific process in ms. May be specified more than once.
#   Valid values: any number
#   Default: 30000
#   Required: no
#
############################################

[ProcessStartupDurationWaitIntervalOverride]

AcroRd32.exe = 15000

############################################
#
# Optional settings for Process startup metrics
#
#   Setting name: EnableExtendedInfo
#   Description: Send detailed information about each started process to the backend, e.g. path, command line, process ID, parent ID. This also enables population of the ProcGUID field in other sourcetypes, which can be used for detailed process instance tracking.
#   Valid values: true | false
#   Default: false
#   Required: no
#
#   Setting name: EnableCalculateHash
#   Description: Enables hash calculation for processes and Dlls.
#   Requires: ESA
#   Valid values: true | false
#   Default: true
#   Required: no
#
#   Setting name: HashObjects
#   Description: Defines on which objects to calculate hash values.
#   Requires: ESA
#   Valid values: Processes | Images | ProcessesAndImages
#   Default: Processes
#   Required: no
#
#   Setting name: HashAlgorithm
#   Description: Defines which hash algorithm should be used to calculate the hash.
#   Requires: ESA
#   Valid values: SHA-1 | SHA-256 | MD5 | ImpHash
#   Default: MD5
#   Required: no
#
#   Setting name: HashesCacheMaxSize
#   Description: The maximum number of elements to store in the process and library (EXE and DLL) image hash cache.
#   Requires: ESA
#   Valid values: any number between 1 and 2000000
#   Default: 1000
#   Required: no
#
#   Setting name: EnableAuthenticode
#   Description: The following information will be read out: Authenticode signature present? Is from OS vendor e.g. Microsoft? Is signature valid and the name of the signer.
#   Requires: ESA
#   Valid values: true | false
#   Default: true
#   Required: no
#
#   Setting name: AuthenticodeCacheMaxSize
#   Description: The maximum number of elements to store in the Authenticode information cache
#   Requires: ESA
#   Valid values: any number between 1 and 2000000
#   Default: 500
#   Required: no
#
############################################

[ProcessStartupSettings]

############################################
#
# DEPRECATED
# This configuration is deprecated and will be removed in a future release.
# Please use event data filtering instead: https://uberagent.com/docs/uberagent/latest/uxm-features-configuration/event-data-filtering/
#
# Optional filter for the metrics ProcessStartup and ProcessStop
#
# Format: PATH_REGEX = uberAgent_denylist | uberAgent_allowlist
#
# (see the definition of PATH_REGEX in the documentation)
#
# Processes can be allowed or denied.
# If an allowlist is defined, any processes not on that list are ignored.
# When a process has passed the allowlist (or if no allowlist is defined), it is checked against the denylist.
# If a denylist is defined, any processes on that list are ignored.
#
# Examples:
#
# Exclude "conhost.exe" (typically started from the path: \??\C:\WINDOWS\system32\conhost.exe)
#    ^(\\\?\?\\)?%SystemRoot%\\System32\\conhost\.exe$ = uberAgent_denylist
#
############################################

[ProcessStartStop_Filter]

############################################
#
# Optional filter for browser web app metrics (sourcetype uberAgent:Application:BrowserWebRequests2) and the SessionFgBrowserActiveTabHost field of sourcetype uberAgent:Session:SessionDetail.
#
# Format: URL_REGEX = uberAgent_denylist | uberAgent_allowlist
#
# (see the definition of URL_REGEX in the documentation)
#
# URLs can be allowed or denied.
# If an allowlist is defined, any URLs not on that list are ignored.
# When a URL has passed the allowlist (or if no allowlist is defined), it is checked against the denylist.
# If a denylist is defined, any URLs on that list are ignored.
#
# Only tab URLs are filtered. This filter is not applied to request URLs.
#
# Examples:
#
# Allow only .com domains:
#    .*\.com/.*$ = uberAgent_allowlist
#
# Deny vastlimits.com and subdomains over http or https:
#    ^https?://.*\.?vastlimits\.com/.*$ = uberAgent_denylist
#
############################################

[BrowserWebAppURL_Filter]

############################################
#
# Documentation for BrowserWebAppURL_ComponentDetail: https://uberagent.com/docs/uberagent/latest/uxm-features-configuration/web-app-monitoring/
#
############################################

[BrowserWebAppURL_ComponentDetail]

############################################
#
# DEPRECATED
# This configuration is deprecated and will be removed in a future release.
# Please use event data filtering instead: https://uberagent.com/docs/uberagent/latest/uxm-features-configuration/event-data-filtering/
#
# Optional filter for the metric ProcessDetailFull
#
# Format: PROCESS_NAME_REGEX = uberAgent_denylist | uberAgent_allowlist
#
# (see the definition of PROCESS_NAME_REGEX in the documentation)
#
# Processes can be allowed or denied.
# If an allowlist is defined, any processes not on that list are ignored.
# When a process has passed the allowlist (or if no allowlist is defined), it is checked against the denylist.
# If a denylist is defined, any processes on that list are ignored.
#
# Examples:
#
# Exclude processes whose name is exactly "process.exe"
#    ^process\.exe$ = uberAgent_denylist
#
# Include only .EXE files whose name starts with "c"
#    ^c.*\.exe$ = uberAgent_allowlist
#
############################################

[ProcessDetailFull_Filter]

############################################
#
# DEPRECATED
# This configuration is deprecated and will be removed in a future release.
# Please use event data filtering instead: https://uberagent.com/docs/uberagent/latest/uxm-features-configuration/event-data-filtering/
#
# Optionally add the command line to the ProcessDetail* metrics
# This can significantly increase the data volume, so use with caution
#
# Format: PROCESS_NAME_REGEX = uberAgent_denylist | uberAgent_allowlist
#
# (see the definition of PROCESS_NAME_REGEX in the documentation)
#
# Processes can be allowed or denied.
# If an allowlist is defined, any processes not on that list are ignored.
# When a process has passed the allowlist (or if no allowlist is defined), it is checked against the denylist.
# If a denylist is defined, any processes on that list are ignored.
#
# Examples:
#
# Exclude processes whose name is exactly "process.exe"
#    ^process\.exe$ = uberAgent_denylist
#
# Include only .EXE files whose name starts with "c"
#    ^c.*\.exe$ = uberAgent_allowlist
#
############################################

[ProcessDetail_SendCommandline]

############################################
#
# DEPRECATED
# This configuration is deprecated and will be removed in a future release.
# Please use event data filtering instead: https://uberagent.com/docs/uberagent/latest/uxm-features-configuration/event-data-filtering/
#
# Optional filter for the metric NetworkTargetPerformanceProcess
#
# Format: PROCESS_NAME_REGEX = uberAgent_denylist | uberAgent_allowlist
#
# (see the definition of PROCESS_NAME_REGEX in the documentation)
#
# Processes can be allowed or denied.
# If an allowlist is defined, any processes not on that list are ignored.
# When a process has passed the allowlist (or if no allowlist is defined), it is checked against the denylist.
# If a denylist is defined, any processes on that list are ignored.
#
# Examples:
#
# Exclude processes whose name is exactly "process.exe"
#    ^process\.exe$ = uberAgent_denylist
#
# Allow only .EXE whose name starts with "c"
#    ^c.*\.exe$ = uberAgent_allowlist
#
############################################

[NetworkTargetPerformanceProcess_Filter]

############################################
#
# Documentation for NetworkTargetPerformanceProcess_Config: https://uberagent.com/docs/uberagent/latest/uxm-features-configuration/per-application-network-monitoring/
#
############################################

[NetworkTargetPerformanceProcess_Config]

############################################
#
# Configuration for CitrixADC
# If multiple [CitrixADC_Config] sections are specified, the configured metrics will be determined for each of them.
# Use one [CitrixADC_Config] section for each of your CitrixADC pairs.
#
# Configurable settings:
#
#   Setting name: Server
#   Description: List of Citrix ADC servers/appliances. The secondary appliance is optional.
#   Valid values: primary appliance, secondary appliance
#   Default: empty
#   Required: yes
#
# Examples:
#
#    Server = 10.1.1.21
#    Server = Server1.domain.local,Server2.domain.local
#
#   Setting name: Username
#   Description: The username to connect to the Citrix ADC server
#   Valid values: any string
#   Default: empty
#   Required: yes
#
#   Setting name: Password
#   Description: The password to connect to the Citrix ADC server
#   Valid values: any string
#   Default: empty
#   Required: yes
#
#   Setting name: Https
#   Description: Defines the connection type (HTTP or HTTPS). If HTTPS is used, the entries in the setting "Server" must match those in the CitrixADC management certificate.
#   Valid values: true | false
#   Default: false
#   Required: no
#
#   Setting name: CollectADCInformation
#   Description: CitrixADC information is collected only on Citrix Virtual Apps and Desktops delivery controllers (DDCs) by default. With this setting, you can overwrite that behavior.
#                True collects the Citrix ADC information on every machine. False disables data collection. 
#                MachineList defines, that Citrix ADC information is determined from a set of machines. See: CollectADCInformationMachines
#   Valid values: DDCOnly | True | False | MachineList
#   Default: DDCOnly
#   Required: no
#
#   Setting name: CollectADCInformationMachines
#   Description: A set of machine names where the Citrix ADC information will be collected. A comma-separated list of machine names.
#   Valid values: any string
#   Default: empty
#   Required: no
#
#############################################

[CitrixADC_Config]

############################################
#
# Configuration for Citrix cloud
# If multiple [CitrixCloud_Config] sections are specified, the configured metrics will be determined for each of them.
#
# Configurable settings:
#
#   Setting name: API endpoint
#   Description: Full URL of the citrix cloud (e.g. https://api-eu.cloud.com/monitorodata/)
#   Valid values: any string
#   Default: https://api-us.cloud.com/monitorodata/
#   Required: No
#
#   Setting name: CustomerId
#   Description: The customer ID
#   Valid values: any string
#   Default: empty
#   Required: yes
#
#   Setting name: ClientId
#   Description: The client ID
#   Valid values: any string
#   Default: empty
#   Required: yes
#
#   Setting name: ClientSecret
#   Description: The client secret
#   Valid values: any string
#   Default: empty
#   Required: yes
#
#   Setting name: CollectCitrixCloudInformation
#   Description: Citrix Cloud information determination is disabled by default. With this setting, you can overwrite that behavior.
#                True collects the Citrix Cloud information on every machine. False disables data collection. 
#                MachineList defines, that Citrix Cloud information is determined from a set of machines. See: CollectCitrixCloudInformationMachines
#   Valid values: True | False | MachineList
#   Default: False
#   Required: no
#
#   Setting name: CollectCitrixCloudInformationMachines
#   Description: A set of machine names where the Citrix Cloud information will be collected. A comma-separated list of machine names.
#   Valid values: any string
#   Default: empty
#   Required: no
#
#############################################

[CitrixCloud_Config]

############################################
#
# Optional configuration for the metric SessionDetail
#
# Configurable settings:
#
#   Setting name: SessionFgWindowTitleMaxLength
#   Description: Maximum length of window titles in the SessionFgWindowTitle field. Longer titles are trimmed to the configured length. A value of zero disables the collection of window titles.
#   Valid values: any positive integer
#   Default: 30
#   Required: no
#
############################################

[SessionDetail_Config]

############################################
#
# Optional configuration for tags. Tags are company-defined metadata that are added for hosts/users. User tags are determined in the user's context and host tags are determined for the host. 
# Tags are stored in a separate sourcetype. 
#
# Configurable settings:
#
#   Setting name: Tag name
#   Description: A user-defined unique name of the tag.
#   Valid values: any string
#   Default: empty
#   Required: yes
#
#   Setting name: Tag type
#   Description: Defines if the tag is a host or a user tag
#   Valid values: Host | User
#   Default: empty
#   Required: yes
#
#   Setting name: Tag source
#   Description: Defines the source where the tag data is read from. Registry values of type REG_EXPAND_SZ are automatically expanded.
#   Valid values: Registry | Environment | Ad
#   Default: empty
#   Required: yes
#
#   Setting name: Tag value
#   Description: The path where to read the data from.
#                Registry format: [HKCU|HKLM\<path>]. E.g. HKCU\Software\vast limits\Department
#                Environment format: %<variablename>%. E.g. %DEPARTMENT%
#                Ad format: <Ad attribute name>. E.g. Department
#   Valid values: Any string
#   Default: empty
#   Required: yes
#
############################################

[UserHostTagging]

############################################
#
# Includes (config files to be processed, too)
#
############################################

# Include the ESA config file
@ConfigInclude uberAgent-ESA.conf platform=Windows

# Include default event data filter rules
@ConfigInclude uberAgent-eventdata-filter.conf