
processtop5detail not working?

Hi

I am trying to set up the "reduce volume" parameters described in the documentation: https://uberagent.com/docs/uberagent/latest/advanced-topics/reducing-the-data-volume/

I am most interested in the ProcessDetailTop5 parameter because it promises a significant data reduction.

I'm managing about 70 uberAgent endpoints (XA/XD) through GPO. I edited the TIMER 01 part and disabled the ProcessDetailFull part and enabled the ProcessDetailTop5.

I waited a few days so I could monitor how much data I had saved by enabling the processdetailtop5. I can only see 8% data volume reduction (from 74% to 66%) so I think the setting is not working but I'm 100% sure.

I restarted some uberAgent endpoint services on the endpoints but this did not do anything significant.

Can I check somewhere in the temp\uberagent.log that this setting is active? Can I check somewhere else that it is active?

I also put the processdetailtop5 in the conf file and restarted the uberAgent service but I am still getting different results.

5 comments

  • Dominik Britz

    Hi Sven,

    After service start and at the beginning of each log file uberAgent dumps the applied configuration.

    You can see what uberAgent is using as configuration source:

    2020-05-15 02:18:56.035 +0200,INFO ,WORKGROUP,LAPTOP-DOMINIK$,2968,ReadConfiguration,Found configuration source: config file. Processing...

    And which metrics are enabled:

    2020-05-15 02:18:56.062 +0200,INFO ,WORKGROUP,LAPTOP-DOMINIK$,2968,AddUaMetric,Read value: timer UA metric = <ProcessDetailFull>

  • Sven Goossens

    Hi Dominik,

    Should the uberAgent service always be restarted after you change something in the GPO?

    I am getting the log below (I deleted some of the private info) 

    2020-05-15 11:47:44.353 +0200,INFO ,16288,ReadConfig,Found configuration source: Group Policy. Processing...

    So it is working through group policy. I see this configured.

    2020-05-15 11:47:44.359 +0200,INFO ,16288,AddUaMetric,Read value: timer UA metric = <ProcessDetailTop5>

    So it should be filtering only the Top5 process.

    I also see this in the log, but it is probably not relevant.

    2020-05-15 11:47:44.384 +0200,INFO ,,,16288,ReadConfig,Reading section: ProcessDetailFull_Filter
    2020-05-15 11:47:44.385 +0200,INFO ,,16288,ReadConfig,Added to ProcessDetailFull_Filter - blacklist: <^cmd\.exe$>
    2020-05-15 11:47:44.385 +0200,INFO ,,,16288,ReadConfig,Added to ProcessDetailFull_Filter - blacklist: <^conhost\.exe$>
    2020-05-15 11:47:44.385 +0200,INFO ,,,16288,ReadConfig,Added to ProcessDetailFull_Filter - blacklist: <^csrss\.exe$>
    2020-05-15 11:47:44.385 +0200,INFO ,,,16288,ReadConfig,Added to ProcessDetailFull_Filter - blacklist: <^lsm\.exe$>
    2020-05-15 11:47:44.385 +0200,INFO ,,,16288,ReadConfig,Added to ProcessDetailFull_Filter - blacklist: <^smss\.exe$>
    2020-05-15 11:47:44.385 +0200,INFO ,,,16288,ReadConfig,Added to ProcessDetailFull_Filter - blacklist: <^wininit\.exe$>
    2020-05-15 11:47:44.385 +0200,INFO ,,,16288,ReadConfig,Added to ProcessDetailFull_Filter - blacklist: <^winlogon\.exe$>
    2020-05-15 11:47:44.385 +0200,INFO ,,,16288,ReadConfig,Reading section: ProcessDetail_SendCommandline

    I'll compare the MBs before and afterwards and post them here to see if it is normal.

  • Dominik Britz

    Yes, please restart the service after a change. uberAgent only reads the config on startup.

  • Sven Goossens

    Hi Dominik,

    thank you for the response.

    That's a bit unfortunate because with every change I'm going to have to restart the uberAgent service on the endpoint.

    This would mean that I would have to restart the service at more than 70 endpoints before I could see a change.

    Is it on the development roadmap to have uberAgent re-read the configuration more frequently? This would be better than having to make a scheduled task to restart the uberagent service.

  • Dominik Britz

    I'm afraid that's not on the roadmap. You may test a configuration change on a single machine and in case of success deploy that configuration to more machines.
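
The log check discussed in this thread, as an added example that is not part of the original posts or uberAgent's own tooling: it finds the most recent configuration dump in a log and reports whether the expected timer metric is active and whether a dump exists since the change. The function names, the sample host fields and the change time are assumptions made for illustration.

```python
import re
from datetime import datetime

# Line shapes are those quoted in the thread. Host/domain fields may be blanked
# or missing, so only the leading timestamp and the message text are matched.
TS = r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4}),"
SOURCE_RE = re.compile(TS + r".*Found configuration source: (.+?)\. Processing")
METRIC_RE = re.compile(TS + r".*Read value: timer UA metric = <([^>]+)>")

def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S.%f %z")

def last_config_dump(lines):
    """Most recent config dump: when it was logged, its source, its timer metrics."""
    dump = None
    for line in lines:
        if m := SOURCE_RE.match(line):
            dump = {"read_at": parse_ts(m.group(1)), "source": m.group(2), "metrics": []}
        elif (m := METRIC_RE.match(line)) and dump is not None:
            dump["metrics"].append(m.group(2))
    return dump

def check_endpoint(lines, want, unwanted, changed_at):
    """Return a list of problems; an empty list means the new setting is active."""
    dump = last_config_dump(lines)
    if dump is None:
        return ["no configuration dump in log"]
    problems = []
    if dump["read_at"] < changed_at:
        problems.append("no configuration dump since the change (service not restarted?)")
    if want not in dump["metrics"]:
        problems.append(f"{want} not enabled")
    if unwanted in dump["metrics"]:
        problems.append(f"{unwanted} still enabled")
    return problems

# Constructed sample log (host fields invented): a start with the old setting,
# then a restart after the GPO change.
SAMPLE = """\
2020-05-15 02:18:56.035 +0200,INFO ,EXAMPLE,HOST01$,2968,ReadConfiguration,Found configuration source: config file. Processing...
2020-05-15 02:18:56.062 +0200,INFO ,EXAMPLE,HOST01$,2968,AddUaMetric,Read value: timer UA metric = <ProcessDetailFull>
2020-05-15 11:47:44.353 +0200,INFO ,EXAMPLE,HOST01$,16288,ReadConfig,Found configuration source: Group Policy. Processing...
2020-05-15 11:47:44.359 +0200,INFO ,EXAMPLE,HOST01$,16288,AddUaMetric,Read value: timer UA metric = <ProcessDetailTop5>
""".splitlines()

if __name__ == "__main__":
    changed = parse_ts("2020-05-15 09:00:00.000 +0200")  # assumed time of the GPO edit
    print(check_endpoint(SAMPLE, "ProcessDetailTop5", "ProcessDetailFull", changed) or "OK")
```

Because the configuration is also dumped at the beginning of each log file, the metric names are the deciding signal; the timestamp comparison only flags logs that contain no dump since the change.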
