POC Guide: Citrix uberAgent + Splunk (2024)

Monitoring on-premises and virtual environments is critical for every enterprise as part of the operational model. Having a solid data source for security and user experience provides information for your daily tasks, security diagnostics and investigation, user experience, and proactive and reactive solutions.

Citrix uberAgent is an advanced software solution meticulously crafted for monitoring desktops, virtual desktop infrastructure (VDI), and server-based computing environments. It goes beyond basic system metrics and delivers detailed insights into application performance, user experience, and system health.

This POC guide will walk you through the initial deployment process of an uberAgent and Splunk Enterprise (on-premises) instance for data visualization.

The Citrix uberAgent agent gathers security and performance information from the endpoint device (physical or virtual machine) on which it is installed and sends it to your data visualization solution. Out of the box, uberAgent provides 60+ Splunk dashboards to visualize data.

Architecture

It is recommended that you review the Citrix uberAgent Tech Brief, which provides details about the architecture and capabilities of Citrix uberAgent.

Splunk on-premises

  • Operating System: all that Splunk supports
  • Splunk version: Splunk Enterprise 7.0 or newer or Splunk Cloud

OS Versions

  • Windows 10 or later
  • Windows Server 2016 or later
  • macOS Monterey or newer

Platforms supported:

  • Citrix Virtual Apps and Desktops, Citrix DaaS, Microsoft RDS, and Remote desktop session hosts (e.g., Citrix, Microsoft RDS) are explicitly supported. The same applies to any virtual desktop (e.g., Citrix Virtual Apps and Desktops or Citrix DaaS).

Browser extensions:

  • Google Chrome
  • Edge
  • Firefox

The installation consists of four configuration steps:

  • Create a Splunk Enterprise (on-premises) trial instance.
  • Install uberAgent UXM and ESA applications in the Splunk instance.
  • Install the uberAgent agent in the endpoint device (Physical machine, Virtual Server, or Master/Gold image).
  • Install the uberAgent agent to monitor the Citrix Site.

Create Splunk Enterprise Trial Instance

  1. Download Splunk Enterprise software from the downloads page. You can request a free trial or use your company's instance. We will use the trial version for this guide, which provides 500MB/day for 60 days.

  1. Fill out the form to create your Splunk account to access the software.

  1. Install Splunk on your dedicated server and follow the configuration wizard with default values.
  2. Accept the "License Agreement" and click Next.

  1. Enter the Username and Password to access your Splunk instance.

  1. Click Install to begin the installation process. The installation process will take a few minutes.

  1. Once the installation process is completed, click Finish. The Splunk Management Console will launch. Enter your username and password previously created.

Note:

(Optional) If you have a Splunk License, install it. Here is the link to the process: https://docs.splunk.com/Documentation/Splunk/latest/Admin/Installalicense.

Install uberAgent UXM and ESA applications in the Splunk instance

The next step is to install the UXM (uberAgent User Experience) and ESA (uberAgent Security) applications in Splunk. This will add the uberAgent capabilities and out-of-the-box dashboards to your Splunk instance.

  1. Follow the link to download the uberAgent software.
  2. Select the latest available version and download the software.
  3. Mark the Terms & Conditions checkbox to enable the download button.

A .zip file with all uberAgent components for your endpoint devices and Splunk applications will be downloaded.

  1. Extract the folder to your desired location.

  1. Go to the uberAgent Components folder and identify the three files we will use to install the UXM (uberAgent User Experience) and ESA (uberAgent Security) applications in Splunk.

  1. Open an Internet Browser and navigate to your Splunk console's Home Page by typing http://servername:8000. Then, log in to Splunk using your username and password.

  1. In the left top corner, select Apps and click Manage.

  1. On the next screen, at the top right corner, click Install app from file.
    1. Click Choose File.
    2. Select each uberAgent_####.tgz file:
      1. uberAgent_ESA_searchhead.tgz
      2. uberAgent_indexer.tgz
      3. uberAgent_searchhead.tgz
    3. Click Upload.

  1. Once all three .tgz files are uploaded, go to Home > Settings > Server Control > Restart Splunk to restart the Splunk instance.

  1. Log in again to the Splunk instance.

  1. Validate that the UXM and ESA uberAgent applications are available. Then, click on each app to launch the Dashboard. There will not be any data initially.

Endpoint Device uberAgent Installation

Once you have the Splunk instance ready, install the uberAgent agent on your endpoint device. Remember, the endpoint device can be a physical machine, Virtual Server, or Master/Gold Image.

  1. For this step, you must either copy the uberAgent software you downloaded before or download it directly from the uberAgent website.
  2. Install the uberAgent agent as follows:
    1. Open the uberAgent unzipped folder.
    2. Go to uberAgent Components > bin > uberAgent-64.msi > right-click and Install.

Note:

If you are using Citrix AppLayering, installing the agent in the Platform Layer is recommended.

  1. Accept the Terms and Conditions and click Next.
  2. Continue with the default Destination folder. The installation will create a folder called vast limits. There, you will find all the uberAgent components and the configuration file; it is also where you place the license file when you are ready to roll out to production.

  1. The next step is to configure the Receiver. Here is where you point the uberAgent agent to your Splunk instance. There are two options:
  • TCP (default) is recommended for Splunk Enterprise (on-premises) instances. We chose this for our POC deployment.
    • TCP input: comma-separated list of server: port, e.g., localhost:19500, splunksrv:12345
  • HTTP Event Collector: Use this if you use a Splunk Cloud instance. The documentation provides more details.
    • HTTP Event Collector (HEC) Input: comma-separated list of URLs starting with http or https, e.g., http://server1:8088, https://server2:8088

  1. Continue and select both options on the Configuration Security.

  1. Click Install.

  1. Click Finish to complete the installation.

  1. After the installation, the vast limits folder is created under C:\Program Files. You can validate and modify the configuration (Receiver) in the uberAgent.conf file.
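
One way to sanity-check a receiver value in either of the two formats described above before it goes into an image. This PowerShell is an added example, not part of the original guide or of the uberAgent product; `Test-UberAgentReceiver` is a hypothetical helper, and the last entry in each sample list is a constructed malformed value.

```powershell
# Added example, not part of the original guide.
# Validates receiver strings in the two formats the installer accepts.
function Test-UberAgentReceiver {
    param(
        [Parameter(Mandatory)] [ValidateSet('TCP', 'HEC')] [string] $Type,
        [Parameter(Mandatory)] [string] $Value,
        [switch] $Probe   # also try a TCP connection to each valid target
    )
    $entries = $Value -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    foreach ($entry in $entries) {
        $r = [ordered]@{ Entry = $entry; Server = $null; Port = $null
                         Valid = $false; Reachable = $null; Note = '' }
        if ($Type -eq 'TCP') {
            # Expected form: server:port
            if ($entry -match '^(?<s>[A-Za-z0-9._-]+):(?<p>\d{1,5})$' -and
                [int]$Matches.p -ge 1 -and [int]$Matches.p -le 65535) {
                $r.Server = $Matches.s; $r.Port = [int]$Matches.p; $r.Valid = $true
            } else { $r.Note = 'expected server:port with port 1-65535' }
        } else {
            # Expected form: absolute URL starting with http or https
            $uri = $null
            if ([uri]::TryCreate($entry, [System.UriKind]::Absolute, [ref]$uri) -and
                $uri.Scheme -in 'http', 'https') {
                $r.Server = $uri.Host; $r.Port = $uri.Port; $r.Valid = $true
                if ($uri.Scheme -eq 'http') {
                    $r.Note = 'plain HTTP: HEC token and events cross the network unencrypted'
                }
            } else { $r.Note = 'expected a URL starting with http or https' }
        }
        if ($Probe -and $r.Valid) {
            $r.Reachable = Test-NetConnection -ComputerName $r.Server -Port $r.Port `
                -InformationLevel Quiet -WarningAction SilentlyContinue
        }
        [pscustomobject]$r
    }
}

# Constructed inputs: the guide's sample values plus one malformed entry each.
Test-UberAgentReceiver -Type TCP -Value 'localhost:19500, splunksrv:12345, splunksrv' | Format-Table
Test-UberAgentReceiver -Type HEC -Value 'http://server1:8088, https://server2:8088, server3:8088' | Format-Table
```

Add `-Probe` when running on the endpoint itself to confirm that each valid target accepts a TCP connection from that machine.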

At this point, the uberAgent agent installation process is completed. The next step is to prepare the agent for the Citrix Master / Gold image.

Preparing a Citrix Master/Gold image

If you use an imaging method such as Machine Creation Services (MCS), Citrix Provisioning (PVS), or Citrix AppLayering, it is recommended that you remove some information to prepare the image for deployment.

  1. Stop the uberAgent service (leave it Automatic).
  2. Open a command prompt as an Administrator.
  3. Run the following command: reg delete "HKLM\SOFTWARE\vast limits\uberAgent" /f /reg:64
  4. (Optional): Delete the existing uberAgent.log file at C:\Windows\Temp.
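
The steps above as one script for the sealing stage of an image build, ending with a verification object you can check before shutting the image down. This is an added example, not part of the original guide; the service name `uberAgent` is an assumption, while the registry key and log path are the ones given in the steps.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the original guide.
$serviceName = 'uberAgent'                             # assumption: Windows service name
$regKey      = 'HKLM\SOFTWARE\vast limits\uberAgent'   # key named in step 3
$logFile     = 'C:\Windows\Temp\uberAgent.log'         # path named in step 4

# Step 1: stop the service but leave it set to start automatically in the clones.
Stop-Service -Name $serviceName -Force -ErrorAction Stop
$startMode = (Get-CimInstance Win32_Service -Filter "Name='$serviceName'").StartMode
if ($startMode -ne 'Auto') { Write-Warning "Start mode is '$startMode', expected Auto" }

# Step 3: delete the key from the 64-bit registry view, only if it is present.
& reg.exe query $regKey /reg:64 *> $null
if ($LASTEXITCODE -eq 0) { & reg.exe delete $regKey /f /reg:64 | Out-Null }

# Step 4 (optional): remove the old log so clones start with a clean file.
Remove-Item -LiteralPath $logFile -Force -ErrorAction SilentlyContinue

# Verify before sealing: service stopped, key gone, log gone.
& reg.exe query $regKey /reg:64 *> $null
$keyGone = $LASTEXITCODE -ne 0
[pscustomobject]@{
    ServiceStopped  = (Get-Service -Name $serviceName).Status -eq 'Stopped'
    StartMode       = $startMode
    RegistryKeyGone = $keyGone
    LogRemoved      = -not (Test-Path -LiteralPath $logFile)
}
```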

Add uberAgent extension to Web Browsers

For this POC, we are going to add the Chrome browser extension. If you use Firefox or Edge, follow the links for reference.

There are two options to install the extension for Chrome:

  • Directly from the Chrome store
  • Group Policy

For this POC, we are going to install the extension directly from the Chrome Store.

  1. Launch Chrome and go to the following URL: https://chromewebstore.google.com/detail/uberagent/jghgedlkcoafeakcaepncnlanjkbinpb?pli=1
  2. Click on Add to Chrome.
  3. Click on Add Extension.
  4. After enabling the extension, you receive the notification that uberAgent has been added to Chrome.

Now that the Master / Gold image and the Browser extension are ready, we can install uberAgent on the Citrix Delivery Controller for on-premises Citrix Virtual Apps and Desktops deployments or on the Cloud Connectors for Citrix DaaS deployments.

uberAgent detects whether it runs on a Citrix Delivery Controller (DDC) or a Citrix Virtual Desktop Agent (VDA). On DDCs, uberAgent automatically activates additional metrics like machine registration status, license usage, and published application inventory. There are some recommendations for installing uberAgent to monitor Citrix sites, including:

  • Install the uberAgent endpoint agent on at least one delivery controller per site.
  • Before installing the agent, run the following script template to grant the user account the required permissions. Before running it with elevated permissions, fill in your domain names and DDCs.
  • Required permissions:
    • Each delivery controller's computer account
    • The local SYSTEM account.

Add-PSSnapin Citrix.DelegatedAdmin.Admin.V1
New-AdminAdministrator -Sid S-1-5-18 -Enabled $true
Add-AdminRight -Role 0a05f0c6-0153-4852-a55a-989d6a95c0eb -Administrator S-1-5-18 -All
New-AdminAdministrator -Name <Domain>\<computer account> -Enabled $true
Add-AdminRight -Role 0a05f0c6-0153-4852-a55a-989d6a95c0eb -Administrator <Domain>\<computer account> -All

For more details, please refer to the following documentation.

  • Requirements:
    • Create a Citrix Cloud API client as described in our Citrix docs.
    • Go to citrix.cloud.com and log in with your credentials.
    • Install the Citrix Virtual Apps and Desktops Remote PowerShell SDK on the endpoint on a separate server/machine.

Note:

The Citrix Cloud API client name is case-sensitive. Name it "uberAgent".

  • Configuration:
    • Once you install the agent on the VM/Server, open the uberAgent.conf file.
    • Search for CitrixCloud.
    • Replace the content as shown in the screenshot:

[CitrixCloud_Config]

API endpoint = https://api-us.cloud.com

CustomerId = <CustomerId>

ClientId = <ClientId>

ClientSecret = <ClientSecret>

CollectCitrixCloudInformation=True

    • Restart the uberAgent service to complete the process.

Note:

The API endpoint URL depends on your region:

Americas: API endpoint = https://api-us.cloud.com

Europe: API endpoint = https://api-eu.cloud.com
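
The stanza above puts the Citrix Cloud API client secret into uberAgent.conf, so the file's ACL decides who on the machine can read it. The following PowerShell is an added example, not part of the original guide or the product: `Get-BroadReadAccess` is a hypothetical helper and the file path is an assumption, since the guide only says the folder sits under C:\Program Files. It lists allow entries that give broad built-in groups read access to the file.

```powershell
# Added example, not part of the original guide.
function Get-BroadReadAccess {
    param([Parameter(Mandatory)] [string] $Path)
    # Well-known SIDs that cover ordinary interactive users.
    $broad = @{
        'S-1-1-0'      = 'Everyone'
        'S-1-5-11'     = 'Authenticated Users'
        'S-1-5-4'      = 'INTERACTIVE'
        'S-1-5-32-545' = 'BUILTIN\Users'
    }
    $read    = [System.Security.AccessControl.FileSystemRights]::ReadData
    $sidType = [System.Security.Principal.SecurityIdentifier]
    # Explicit and inherited ACEs, with identities returned as SIDs.
    $rules = (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, $sidType)
    foreach ($rule in $rules) {
        $sid = $rule.IdentityReference.Value
        if ($rule.AccessControlType -eq 'Allow' -and $broad.ContainsKey($sid) -and
            ($rule.FileSystemRights -band $read)) {
            [pscustomobject]@{
                Path      = $Path
                Principal = $broad[$sid]
                Rights    = $rule.FileSystemRights
                Inherited = $rule.IsInherited
            }
        }
    }
}

# Assumed path: the guide only says the vast limits folder is under C:\Program Files.
$conf = 'C:\Program Files\vast limits\uberAgent\uberAgent.conf'
$findings = @(Get-BroadReadAccess -Path $conf)
if ($findings.Count -gt 0) {
    $findings | Format-Table -AutoSize
    Write-Warning 'ClientSecret in this file is readable by the principals listed above.'
} else {
    'No broad read access found on uberAgent.conf.'
}
```

Run it on the machine that holds the Citrix Cloud credentials after editing the file, and again after any reinstall or upgrade that may reset the folder's permissions.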

After installing the uberAgent agent in your Master/Gold image, seal it and deploy it to your Citrix workload using your usual distribution method (MCS / PVS / AppLayering).

For more details, please refer to the following documentation.

Once completed, validate that the machines where you installed the uberAgent agent are shown in the Splunk Dashboard uberAgent UXM under Machines tab > Machine Inventory.

To complete the testing, start a machine, launch a new session, and open an application. Wait a few minutes to allow the agent to capture data. All data will be available in the Splunk Dashboards for uberAgent User Experience (UXM) and uberAgent Security (ESA).

Article information

Author: Patricia Veum II