
uberAgent - no data in Splunk

Built a Splunk 9.3 trial with the latest uberAgent 9.3 on some Citrix VDAs. Everything appears to be working, but no data appears in Splunk. Checked the Citrix article on this re: raw data on 9997/19500 etc., and Splunk is configured correctly for forwarders and data inputs.

In the uberAgent.log file on the Citrix VDA I'm seeing this constantly (edited to remove domain name and server host name).

What does _failedDnsRequestsCache mean?

2024-09-10 17:21:15.603 +0100,INFO ,<DOMAIN>,<HOST>$,8040,MemoryStatistics,MemoryStatistics: _failedDnsRequestsCache: 10(+10), _memoryStatistics: 600(+600), _processesLookup: 390(+390), _eventInfoDataBuffer: 1832(+1832), _dnsCache: 11(+11), _cnameLookup: 13(+13), _sidLookupCache: 6(+6), _appIdToAppPropertiesLUT: 81(+81), _activeSetupFiles: 5(+5), _appSetupFiles: 3(+3), _processesLookupList: 197(+197), _sessions: 2(+2), , , , uAQL stack: 4.0 KB
2024-09-10 17:21:15.603 +0100,INFO ,<DOMAIN>,<HOST>$,8040,ReceiverStatistics,Splunk; KWZ-SPLUNK93:19500 - Name: KWZ-SPLUNK93 (POQ) - Bulk events in queue: <0>, queue size: <0.0> KB, bulk events sent: <1>, bulk events sent overall: <1>, bulk events added to queue: <1>, bulk events added to queue overall: <1>, rejected from queue: <0>, generated events: <1>, total generated events: <1>
2024-09-10 17:21:15.822 +0100,INFO ,<DOMAIN>,<HOST>$,8040,BacklogEventsOutput,Number of entries - eventviewer: 0 - registry: 0 - network: 0 - network connection failures: 0 - network dns: 0 - filesystem: 0 - ceb: 0
2024-09-10 17:26:15.677 +0100,INFO ,<DOMAIN>,<HOST>$,8040,MemoryStatistics,MemoryStatistics: _failedDnsRequestsCache: 10, _memoryStatistics: 486(-114), _processesLookup: 280(-110), _eventInfoDataBuffer: 1832, _dnsCache: 5(-6), _sidLookupCache: 6, _appIdToAppPropertiesLUT: 73(-8), _activeSetupFiles: 5, _appSetupFiles: 3, _processesLookupList: 140(-57), _sessions: 2, , , , uAQL stack: 4.0 KB
2024-09-10 17:26:15.677 +0100,INFO ,<DOMAIN>,<HOST>$,8040,ReceiverStatistics,Splunk; KWZ-SPLUNK93:19500 - Name: KWZ-SPLUNK93 (POQ) - Bulk events in queue: <0>, queue size: <0.0> KB, bulk events sent: <0>, bulk events sent overall: <1>, bulk events added to queue: <0>, bulk events added to queue overall: <1>, rejected from queue: <0>, generated events: <0>, total generated events: <1>
2024-09-10 17:26:16.099 +0100,INFO ,<DOMAIN>,<HOST>$,8040,BacklogEventsOutput,Number of entries - eventviewer: 0 - registry: 0 - network: 0 - network connection failures: 0 - network dns: 0 - filesystem: 0 - ceb: 0
2024-09-10 17:31:15.723 +0100,INFO ,<DOMAIN>,<HOST>$,8040,MemoryStatistics,MemoryStatistics: _failedDnsRequestsCache: 11(+1), _memoryStatistics: 482(-4), _processesLookup: 276(-4), _eventInfoDataBuffer: 1832, _dnsCache: 6(+1), _cnameLookup: 1(+1), _sidLookupCache: 6, _appIdToAppPropertiesLUT: 69(-4), _activeSetupFiles: 5, _appSetupFiles: 3, _processesLookupList: 138(-2), _sessions: 2, , , , uAQL stack: 4.0 KB
2024-09-10 17:31:15.723 +0100,INFO ,<DOMAIN>,<HOST>$,8040,ReceiverStatistics,Splunk; KWZ-SPLUNK93:19500 - Name: KWZ-SPLUNK93 (POQ) - Bulk events in queue: <0>, queue size: <0.0> KB, bulk events sent: <0>, bulk events sent overall: <1>, bulk events added to queue: <0>, bulk events added to queue overall: <1>, rejected from queue: <0>, generated events: <0>, total generated events: <1>
2024-09-10 17:31:16.364 +0100,INFO ,<DOMAIN>,<HOST>$,8040,BacklogEventsOutput,Number of entries - eventviewer: 0 - registry: 0 - network: 0 - network connection failures: 0 - network dns: 0 - filesystem: 0 - ceb: 0
2024-09-10 17:36:15.817 +0100,INFO ,<DOMAIN>,<HOST>$,8040,MemoryStatistics,MemoryStatistics: _failedDnsRequestsCache: 11, _memoryStatistics: 474(-8), _processesLookup: 268(-8), _eventInfoDataBuffer: 1832, _dnsCache: 5(-1), _sidLookupCache: 6, _appIdToAppPropertiesLUT: 69, _activeSetupFiles: 5, _appSetupFiles: 3, _processesLookupList: 134(-4), _sessions: 2, , , , uAQL stack: 4.0 KB
2024-09-10 17:36:15.817 +0100,INFO ,<DOMAIN>,<HOST>$,8040,ReceiverStatistics,Splunk; KWZ-SPLUNK93:19500 - Name: KWZ-SPLUNK93 (POQ) - Bulk events in queue: <0>, queue size: <0.0> KB, bulk events sent: <0>, bulk events sent overall: <1>, bulk events added to queue: <0>, bulk events added to queue overall: <1>, rejected from queue: <0>, generated events: <0>, total generated events: <1>
2024-09-10 17:36:16.598 +0100,INFO ,<DOMAIN>,<HOST>$,8040,BacklogEventsOutput,Number of entries - eventviewer: 0 - registry: 0 - network: 0 - network connection failures: 0 - network dns: 0 - filesystem: 0 - ceb: 0
2024-09-10 17:41:15.924 +0100,INFO ,<DOMAIN>,<HOST>$,8040,MemoryStatistics,MemoryStatistics: _failedDnsRequestsCache: 13(+2), _memoryStatistics: 470(-4), _processesLookup: 264(-4), _eventInfoDataBuffer: 1832, _dnsCache: 3(-2), _sidLookupCache: 6, _appIdToAppPropertiesLUT: 69, _activeSetupFiles: 5, _appSetupFiles: 3, _processesLookupList: 132(-2), _sessions: 2, , , , uAQL stack: 4.0 KB
2024-09-10 17:41:15.924 +0100,INFO ,<DOMAIN>,<HOST>$,8040,ReceiverStatistics,Splunk; KWZ-SPLUNK93:19500 - Name: KWZ-SPLUNK93 (POQ) - Bulk events in queue: <0>, queue size: <0.0> KB, bulk events sent: <1>, bulk events sent overall: <2>, bulk events added to queue: <1>, bulk events added to queue overall: <2>, rejected from queue: <0>, generated events: <1>, total generated events: <2>
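
The question behind a log like the one above is whether the agent is actually handing events to the receiver, whether they are being rejected, and whether anything is growing between samples. The following is an added example (not uberAgent's or vast limits' code) that parses the ReceiverStatistics and MemoryStatistics lines from the excerpt above and summarises the counters per receiver. The counter names are taken verbatim from the excerpt; what each one means is assumed from its name. The embedded log lines are copied from the post, with its own <DOMAIN>/<HOST> redaction placeholders.

```python
"""Summarise uberAgent.log ReceiverStatistics / MemoryStatistics lines.

Added example, not uberAgent's own tooling. Counter semantics are assumed
from the counter names shown in the log excerpt.
"""
import re
from datetime import datetime

# Lines copied from the post's uberAgent.log excerpt (BacklogEventsOutput lines omitted).
LOG_EXCERPT = """\
2024-09-10 17:21:15.603 +0100,INFO ,<DOMAIN>,<HOST>$,8040,MemoryStatistics,MemoryStatistics: _failedDnsRequestsCache: 10(+10), _memoryStatistics: 600(+600), _processesLookup: 390(+390), _eventInfoDataBuffer: 1832(+1832), _dnsCache: 11(+11), _cnameLookup: 13(+13), _sidLookupCache: 6(+6), _appIdToAppPropertiesLUT: 81(+81), _activeSetupFiles: 5(+5), _appSetupFiles: 3(+3), _processesLookupList: 197(+197), _sessions: 2(+2), , , , uAQL stack: 4.0 KB
2024-09-10 17:21:15.603 +0100,INFO ,<DOMAIN>,<HOST>$,8040,ReceiverStatistics,Splunk; KWZ-SPLUNK93:19500 - Name: KWZ-SPLUNK93 (POQ) - Bulk events in queue: <0>, queue size: <0.0> KB, bulk events sent: <1>, bulk events sent overall: <1>, bulk events added to queue: <1>, bulk events added to queue overall: <1>, rejected from queue: <0>, generated events: <1>, total generated events: <1>
2024-09-10 17:26:15.677 +0100,INFO ,<DOMAIN>,<HOST>$,8040,MemoryStatistics,MemoryStatistics: _failedDnsRequestsCache: 10, _memoryStatistics: 486(-114), _processesLookup: 280(-110), _eventInfoDataBuffer: 1832, _dnsCache: 5(-6), _sidLookupCache: 6, _appIdToAppPropertiesLUT: 73(-8), _activeSetupFiles: 5, _appSetupFiles: 3, _processesLookupList: 140(-57), _sessions: 2, , , , uAQL stack: 4.0 KB
2024-09-10 17:26:15.677 +0100,INFO ,<DOMAIN>,<HOST>$,8040,ReceiverStatistics,Splunk; KWZ-SPLUNK93:19500 - Name: KWZ-SPLUNK93 (POQ) - Bulk events in queue: <0>, queue size: <0.0> KB, bulk events sent: <0>, bulk events sent overall: <1>, bulk events added to queue: <0>, bulk events added to queue overall: <1>, rejected from queue: <0>, generated events: <0>, total generated events: <1>
2024-09-10 17:31:15.723 +0100,INFO ,<DOMAIN>,<HOST>$,8040,MemoryStatistics,MemoryStatistics: _failedDnsRequestsCache: 11(+1), _memoryStatistics: 482(-4), _processesLookup: 276(-4), _eventInfoDataBuffer: 1832, _dnsCache: 6(+1), _cnameLookup: 1(+1), _sidLookupCache: 6, _appIdToAppPropertiesLUT: 69(-4), _activeSetupFiles: 5, _appSetupFiles: 3, _processesLookupList: 138(-2), _sessions: 2, , , , uAQL stack: 4.0 KB
2024-09-10 17:31:15.723 +0100,INFO ,<DOMAIN>,<HOST>$,8040,ReceiverStatistics,Splunk; KWZ-SPLUNK93:19500 - Name: KWZ-SPLUNK93 (POQ) - Bulk events in queue: <0>, queue size: <0.0> KB, bulk events sent: <0>, bulk events sent overall: <1>, bulk events added to queue: <0>, bulk events added to queue overall: <1>, rejected from queue: <0>, generated events: <0>, total generated events: <1>
2024-09-10 17:36:15.817 +0100,INFO ,<DOMAIN>,<HOST>$,8040,MemoryStatistics,MemoryStatistics: _failedDnsRequestsCache: 11, _memoryStatistics: 474(-8), _processesLookup: 268(-8), _eventInfoDataBuffer: 1832, _dnsCache: 5(-1), _sidLookupCache: 6, _appIdToAppPropertiesLUT: 69, _activeSetupFiles: 5, _appSetupFiles: 3, _processesLookupList: 134(-4), _sessions: 2, , , , uAQL stack: 4.0 KB
2024-09-10 17:36:15.817 +0100,INFO ,<DOMAIN>,<HOST>$,8040,ReceiverStatistics,Splunk; KWZ-SPLUNK93:19500 - Name: KWZ-SPLUNK93 (POQ) - Bulk events in queue: <0>, queue size: <0.0> KB, bulk events sent: <0>, bulk events sent overall: <1>, bulk events added to queue: <0>, bulk events added to queue overall: <1>, rejected from queue: <0>, generated events: <0>, total generated events: <1>
2024-09-10 17:41:15.924 +0100,INFO ,<DOMAIN>,<HOST>$,8040,MemoryStatistics,MemoryStatistics: _failedDnsRequestsCache: 13(+2), _memoryStatistics: 470(-4), _processesLookup: 264(-4), _eventInfoDataBuffer: 1832, _dnsCache: 3(-2), _sidLookupCache: 6, _appIdToAppPropertiesLUT: 69, _activeSetupFiles: 5, _appSetupFiles: 3, _processesLookupList: 132(-2), _sessions: 2, , , , uAQL stack: 4.0 KB
2024-09-10 17:41:15.924 +0100,INFO ,<DOMAIN>,<HOST>$,8040,ReceiverStatistics,Splunk; KWZ-SPLUNK93:19500 - Name: KWZ-SPLUNK93 (POQ) - Bulk events in queue: <0>, queue size: <0.0> KB, bulk events sent: <1>, bulk events sent overall: <2>, bulk events added to queue: <1>, bulk events added to queue overall: <2>, rejected from queue: <0>, generated events: <1>, total generated events: <2>
"""

# timestamp,level,domain,host,pid,component,message
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+ [+-]\d{4}),(?P<level>[A-Z]+)\s*,"
    r"(?P<domain>[^,]*),(?P<host>[^,]*),(?P<pid>\d+),(?P<kind>\w+),(?P<msg>.*)$"
)
RECEIVER_RE = re.compile(r"^(?P<type>[^;]+); (?P<target>\S+) - Name: (?P<name>.+?) - (?P<counters>.*)$")
COUNTER_RE = re.compile(r"([A-Za-z][A-Za-z ]*?): <([\d.]+)>")       # "bulk events sent: <1>"
MEM_RE = re.compile(r"(_\w+): (\d+)(?:\(([+-]\d+)\))?")             # "_dnsCache: 11(+11)"


def parse_log(text):
    """Return one dict per ReceiverStatistics or MemoryStatistics line; other lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = {"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f %z"), "kind": m["kind"]}
        if m["kind"] == "ReceiverStatistics":
            r = RECEIVER_RE.match(m["msg"])
            if not r:
                continue
            rec["name"], rec["target"] = r["name"], r["target"]
            rec["counters"] = {k.strip().lower(): float(v) for k, v in COUNTER_RE.findall(r["counters"])}
        elif m["kind"] == "MemoryStatistics":
            rec["counters"] = {k: int(v) for k, v, _delta in MEM_RE.findall(m["msg"])}
        else:
            continue
        records.append(rec)
    return records


def receiver_health(records):
    """Per receiver: did 'bulk events sent overall' advance, is anything queued or rejected?"""
    by_name = {}
    for rec in records:
        if rec["kind"] == "ReceiverStatistics":
            by_name.setdefault(rec["name"], []).append(rec)
    report = {}
    for name, recs in by_name.items():
        recs.sort(key=lambda r: r["ts"])
        first, last = recs[0]["counters"], recs[-1]["counters"]
        report[name] = {
            "target": recs[-1]["target"],
            "samples": len(recs),
            "minutes": (recs[-1]["ts"] - recs[0]["ts"]).total_seconds() / 60,
            "sent_delta": last["bulk events sent overall"] - first["bulk events sent overall"],
            "generated_total": last["total generated events"],
            "queued": last["bulk events in queue"],
            "rejected": last["rejected from queue"],
            # Stalled = events were generated but not all left, or the receiver rejected some.
            "stalled": last["total generated events"] > last["bulk events sent overall"]
            or last["rejected from queue"] > 0,
        }
    return report


def failed_dns_growth(records):
    """How much _failedDnsRequestsCache grew between the first and last MemoryStatistics sample."""
    mem = sorted((r for r in records if r["kind"] == "MemoryStatistics"), key=lambda r: r["ts"])
    if not mem:
        return None
    first = mem[0]["counters"]["_failedDnsRequestsCache"]
    last = mem[-1]["counters"]["_failedDnsRequestsCache"]
    return {"first": first, "last": last, "growth": last - first, "samples": len(mem)}


if __name__ == "__main__":
    recs = parse_log(LOG_EXCERPT)
    for name, info in receiver_health(recs).items():
        print(name, info)
    print("_failedDnsRequestsCache:", failed_dns_growth(recs))
```

Run against the excerpt, the summary for KWZ-SPLUNK93 (POQ) shows an empty queue, nothing rejected and both bulk events that were generated sent, so the counters do not describe a transport failure; what stands out is that only two bulk events were generated in twenty minutes, and that _failedDnsRequestsCache grew from 10 to 13 across the five samples. Point the script at a real uberAgent.log (replace LOG_EXCERPT with the file's contents) and a receiver whose "stalled" flag is True, or whose "rejected" counter is non-zero, is the one to investigate on the Splunk side.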

5 comments

  • Julian Krause (Official comment)

    Hi Ken, 

    I'm forwarding your request to our support system as we need to look into the log files that may contain sensitive information.

    Once resolved, we'll post the solution to this post.

    Thanks, Julian

  • Ken Zygmunt

    NOTE: I'd installed an earlier version of Splunk and uberAgent (7.1.2) earlier this year, and that installed correctly and worked fine. It's just the latest Splunk/uberAgent combination that appears to be causing me an issue.

    I'm aware of the way uberAgent 9.3 works and that you now need to manually configure the environment, but I used the group policy templates to configure uberAgent.

    Configure through Group Policy: Enabled

    Receiver 1 was configured as follows

    Servers:   <Splunk host shortname>

    REST token: blank

    TLS client certificate: blank

    Basic ingest pipeline: blank

    Kafka Topic name: blank

    Max number...: 100

    Receiver 1 Advanced Settings

    Protocol: TCP

    Type: Splunk


  • Ken Zygmunt

    Hi Julian

    I tried to reply to your email with the zip attachment, but it got rejected.

    Ken


    Your message couldn't be delivered

    The message you sent to support@uberagent.com couldn't be delivered due to: Recipient email server rejected the message.


    Further information

    5.7.0 This message was blocked because its content presents a potential
    security issue. To review our message content and attachment content
    guidelines, go to
    https://support.google.com/mail/?p=BlockedMessage ffacd0b85a97d-378956d71eesi4122991f8f.933 - gsmtp

    If you sent this message to multiple addresses, you'll receive a notification like this for every one that didn't arrive.

  • Ken Zygmunt

    Hi Julian

    Thanks, data is being logged successfully to Splunk using the default GPO Backup (after updating 'Receiver 01' values).

    Regards

    Ken

  • Julian Krause

    Hi Ken,

    Thank you for sharing the solution. 

    Best regards, Julian
