
URL filtering

I am testing uberAgent in the EU region of my company. There are concerns about privacy and URLs accessed by staff. I have been trying to get filtering working in uberAgent.conf.

I know the file is being read at service restart, as the Splunk data feed for username changes depending on how I set EncryptUserNames = False/True.

I cannot locate any documentation on the filtering format and cannot get it working. Below is an example I copied from your example, yet I still see the URL in Splunk.

############################################
# Optional filter for browser web app metrics (sourcetype uberAgent:Application:BrowserWebRequests2) and the SessionFgBrowserActiveTabHost field of sourcetype uberAgent:Session:SessionDetail
#
# URLs can be whitelisted or blacklisted. Whitelisting overrides blacklisting.
# URLs are specified as regular expressions. Format: origin and path (without query segment), e.g.: "https://uberagent.com/download/".
# Port numbers are stripped from the URL if they match the default port number.
# Matching is case-sensitive.
#
# Format: URL_REGEX = uberAgent_blacklist | uberAgent_whitelist
#
# Examples:
#
# .*\.com/.*$ = uberAgent_whitelist # Whitelist all .com domains
# ^https?://.*\.?vastlimits\.com/.*$ = uberAgent_blacklist # Blacklist vastlimits.com and subdomains over http or https
#
############################################
[BrowserWebAppURL_Filter]
^https?://.*\.?vastlimits\.com/.*$ = uberAgent_blacklist

############################################
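
Added example, not part of the original post and not uberAgent's own code: a Python sketch for checking rules in the format the config comments describe against sample URLs before deploying them. It assumes Python's `re` behaves like uberAgent's regex engine, that a rule may match anywhere in the normalised URL, and that trailing `#` comments are allowed; the function names and sample URLs are constructed.

```python
import re
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
RULE = re.compile(r"^(?P<regex>.+?)\s*=\s*(?P<action>uberAgent_(?:black|white)list)\s*(?:#.*)?$")

def normalize(url):
    """Origin + path only: query dropped, default port stripped (per the config comments)."""
    p = urlsplit(url)
    origin = f"{p.scheme}://{p.hostname}"  # urlsplit lowercases the host; the path keeps its case
    if p.port is not None and p.port != DEFAULT_PORTS.get(p.scheme):
        origin += f":{p.port}"
    return origin + (p.path or "/")

def parse_rules(stanza):
    """Read 'URL_REGEX = uberAgent_blacklist | uberAgent_whitelist' lines, skipping comments and headers."""
    rules = []
    for line in stanza.splitlines():
        line = line.strip()
        m = None if line.startswith(("#", "[")) else RULE.match(line)
        if m:
            rules.append((re.compile(m["regex"]), m["action"]))
    return rules

def decide(url, rules):
    """Return which list the URL falls on; a whitelist hit overrides any blacklist hit."""
    target = normalize(url)
    hits = {action for rx, action in rules if rx.search(target)}  # case-sensitive; search() is an assumption
    if "uberAgent_whitelist" in hits:
        return "whitelist"
    return "blacklist" if hits else "unmatched"

# Stanza from the post, and the same stanza plus the whitelist example from the config comments.
POSTED = parse_rules(r"""
[BrowserWebAppURL_Filter]
^https?://.*\.?vastlimits\.com/.*$ = uberAgent_blacklist
""")
WITH_WHITELIST = POSTED + parse_rules(r".*\.com/.*$ = uberAgent_whitelist  # Whitelist all .com domains")

if __name__ == "__main__":
    # Constructed sample URLs, not taken from any real log.
    for url in ["https://www.vastlimits.com:443/products?id=1",
                "https://notvastlimits.com/",
                "https://example.org/vastlimits.com/",
                "https://example.org/"]:
        print(f"{normalize(url):45} posted={decide(url, POSTED):10} with_whitelist={decide(url, WITH_WHITELIST)}")
```

Against the posted stanza, `https://notvastlimits.com/` and `https://example.org/vastlimits.com/` both land on the blacklist, because `.*\.?` places no boundary before `vastlimits`.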

6 comments

  • Dominik Britz Official comment

    Hi Tony,

    I am afraid the option [BrowserWebAppURL_Filter] works only for the source type uberAgent:Application:BrowserWebRequests2 as stated in the config file. The source type is used in the dashboard Browser Web App Performance, not in Browser Performance: Internet Explorer. That is why you are seeing vastlimits.com in the latter dashboard.

    More information on the source type uberAgent:Application:BrowserWebRequests2 can be found here.

  • 0
    Dominik Britz

    Hi Tony,

    Yes, uberAgent reads the config on service start.

    The filtering format is the well-known regex format. It is not a custom implementation, thus every documentation about regex applies.

    The example we provide in the configuration file works on my machine. Maybe you are seeing just old data in the dashboard?

    Could you please access vastlimits.com and then run the following search and check if there is an event for your user for the time vastlimits.com was accessed?

    index=`uberAgent_index` sourcetype=uberAgent:Application:BrowserWebRequests2

  • 0
    Tony edwards

    Thanks for the reply, Dominik. Splunk Cloud is set to show last minute data so it is up to date when I refresh. I'm looking at the Browser Performance: Internet Explorer dash with a filter set to my tablet running Win10.

    I'm not a developer so regex was new to me. I've tested in https://regex101.com the expression .* which will effectively be "anything".

    When I restart uberAgent, I can see from the uberAgent log file that the conf file I'm working with loads. But I'm still seeing any URL I browse in IE appearing in Splunk Cloud when everything should be blacklisted.

    I'm not sure where to look for the event search you mention. But if it's just to validate current data then I'm already sure the data I see is current.

  • 0
    Tony edwards

    I found the index search in Splunk and ran it. The vastlimits.com URL is not there. But the URL is still showing on the performance dash so maybe we are discussing two different things. For my requirement the URL exclusion is for privacy purposes rather than data volume reduction.

  • 0
    Helge Klein

    To add to my colleague Dominik's reply:

    To prevent browser performance data collection per site for IE you can disable the uberAgent configuration metric BrowserPerformanceIE. Please find it listed in the default configuration.

  • 1
    Tony edwards

    Thank you for replying to me so quickly and pointing me in the right direction. I now have a conf which achieves what I want. uberAgent is a very impressive utility.
