POC Guide: Citrix uberAgent + Splunk

  • Contributed By: Amir Trujillo
  • Special Thanks To: Dominik Britz, Steve Beals

Overview

Monitoring on-premises and virtual environments is a critical part of every enterprise's operational model. A solid data source for security and user experience provides the information you need for daily tasks, security diagnostics and investigation, user experience, and proactive and reactive solutions.

Citrix uberAgent is an advanced software solution meticulously crafted for monitoring desktops, virtual desktop infrastructure (VDI), and server-based computing environments. It goes beyond basic system metrics and delivers detailed insights into application performance, user experience, and system health. 

This POC guide will walk you through the initial deployment process of an uberAgent and Splunk Enterprise (on-premises) instance for data visualization.

Solution Overview

The Citrix uberAgent agent is installed on the endpoint device (physical or virtual machine), gathers security and performance information from it, and sends that information to your data visualization solution. Out of the box, uberAgent provides 60+ Splunk dashboards to visualize data.

Architecture

It is recommended that you review the Citrix uberAgent Tech Brief, which provides details about the architecture and capabilities of Citrix uberAgent.

 

Prerequisites

Splunk on-premises

  • Operating System: all that Splunk supports
  • Splunk version: Splunk Enterprise 7.0 or newer or Splunk Cloud

OS Versions

  • Windows 10 or later
  • Windows Server 2016 or later
  • macOS Monterey or newer

Platforms supported:

  • Remote desktop session hosts (e.g., Citrix Virtual Apps and Desktops, Citrix DaaS, Microsoft RDS) are explicitly supported. The same applies to any virtual desktop (e.g., Citrix Virtual Apps and Desktops or Citrix DaaS).

Browser extensions:

  • Google Chrome
  • Edge
  • Firefox

Installation

The installation consists of four configuration steps:

Create Splunk Enterprise Trial Instance

  1. Download Splunk Enterprise software from the downloads page. You can request a free trial or use your company's instance. We will use the trial version for this guide, which provides 500MB/day for 60 days.

 

Note: (Optional) If you have a Splunk license, install it. The process is described here: https://docs.splunk.com/Documentation/Splunk/latest/Admin/Installalicense.

Install uberAgent UXM and ESA applications in the Splunk instance 

The next step is to install the UXM (uberAgent User Experience) and ESA (uberAgent Security) applications in Splunk. This will add the uberAgent capabilities and out-of-the-box Dashboards to your Splunk instance. The result is the following in your console:

A .zip file with all uberAgent components for your endpoint devices and Splunk applications will be downloaded.

  1. Extract the folder to your desired location.

 

Endpoint Device uberAgent Installation

Once you have the Splunk instance ready, install the uberAgent agent on your endpoint device. Remember, the endpoint device can be a physical machine, Virtual Server, or Master/Gold Image.

  1. Install the uberAgent agent as follows:

Note: If you are using Citrix AppLayering, installing the agent in the Platform Layer is recommended.
 

 

  1. The next step is to configure the Receiver. Here is where you point the uberAgent agent to your Splunk instance. There are two options:
  • TCP (default) is recommended for Splunk Enterprise (on-premises) instances. We chose this for our POC deployment.
  • HTTP Event Collector: Use this if you use a Splunk Cloud instance. The documentation provides more details.

 

At this point, the uberAgent agent installation process is completed. The next step is to prepare the agent for the Citrix Master / Gold image.

Preparing a Citrix Master/Gold image

If you use an imaging method such as Machine Creation Services (MCS), Citrix Provisioning (PVS), or Citrix AppLayering, it is recommended that you remove some information to prepare the image for deployment.

  1. Stop the uberAgent service (leave it Automatic).

 

Add uberAgent extension to Web Browsers

For this POC, we are going to add the Chrome browser extension. If you use Firefox or Edge, follow the links for reference.

There are two options to install the extension for Chrome:

For this POC, we are going to install it directly from the Chrome Web Store.

  1. Launch Chrome and go to the following URL: https://chromewebstore.google.com/detail/uberagent/jghgedlkcoafeakcaepncnlanjkbinpb?pli=1

Now that the Master / Gold image and the Browser extension are ready, we can install uberAgent on the Citrix Delivery Controller for on-premises Citrix Virtual Apps and Desktops deployments or on the Cloud Connectors for Citrix DaaS deployments.

Monitor Citrix Virtual Apps and Desktops Sites

uberAgent detects whether it runs on a Citrix Delivery Controller (DDC) or a Citrix Virtual Desktop Agent (VDA). On DDCs, uberAgent automatically activates additional metrics like machine registration status, license usage, and published application inventory. There are some recommendations for installing uberAgent to monitor Citrix sites, including:

  • Install the uberAgent endpoint agent on at least one delivery controller per site.
  • Before installing the agent, run the following script template to grant the user account the required permissions. Before running it with elevated permissions, fill in your domain names and DDCs.
  • Required permissions:
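# Load the Citrix Delegated Administration snap-in
Add-PSSnapin Citrix.DelegatedAdmin.Admin.V1
# Register the local SYSTEM account (SID S-1-5-18) and grant it the role in all scopes
New-AdminAdministrator -Sid S-1-5-18 -Enabled $true
Add-AdminRight -Role 0a05f0c6-0153-4852-a55a-989d6a95c0eb -Administrator S-1-5-18 -All
# Do the same for the Delivery Controller's computer account (fill in the placeholders)
New-AdminAdministrator -Name "<Domain>\<computer account>" -Enabled $true
Add-AdminRight -Role 0a05f0c6-0153-4852-a55a-989d6a95c0eb -Administrator "<Domain>\<computer account>" -All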

For more details, please refer to the following documentation.
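
To confirm that the grants above landed as intended and that nothing broader is attached to those two accounts, the following added example (not part of the original guide or of Citrix's script template) audits them with the same snap-in. The computer account string is a placeholder to fill in, and the script assumes the Rights, RoleId, RoleName and ScopeName properties returned by Get-AdminAdministrator and the Name, IsBuiltIn and Permissions properties returned by Get-AdminRole.

```powershell
# Added example: audit the delegated-admin entries created by the template above.
# Run elevated on a Delivery Controller after filling in the placeholder.
Add-PSSnapin Citrix.DelegatedAdmin.Admin.V1 -ErrorAction Stop

$RoleId  = [guid]'0a05f0c6-0153-4852-a55a-989d6a95c0eb'   # role ID from the guide
$Targets = @(
    @{ Label = 'LocalSystem';      Query = @{ Sid  = 'S-1-5-18' } }
    @{ Label = 'Computer account'; Query = @{ Name = '<Domain>\<computer account>' } }  # placeholder
)

# Resolve the GUID so you can see which role, with how many permissions, is granted.
$role = Get-AdminRole -Id $RoleId
'Role {0} is "{1}" (built-in: {2}, permissions: {3})' -f `
    $role.Id, $role.Name, $role.IsBuiltIn, @($role.Permissions).Count

$findings = foreach ($t in $Targets) {
    $query  = $t.Query
    $admins = @(Get-AdminAdministrator @query)
    if ($admins.Count -eq 0) {
        [pscustomobject]@{ Account = $t.Label; Issue = 'no administrator entry found' }
        continue
    }
    foreach ($a in $admins) {
        if (-not $a.Enabled) {
            [pscustomobject]@{ Account = $a.Name; Issue = 'entry is disabled' }
        }
        $rights = @($a.Rights)
        if (-not ($rights | Where-Object { $_.RoleId -eq $RoleId })) {
            [pscustomobject]@{ Account = $a.Name; Issue = "role '$($role.Name)' not assigned" }
        }
        # Any other role on these accounts is privilege beyond what the guide grants.
        foreach ($r in ($rights | Where-Object { $_.RoleId -ne $RoleId })) {
            [pscustomobject]@{ Account = $a.Name; Issue = "extra right $($r.RoleName):$($r.ScopeName)" }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize }
else { 'Both accounts hold only the expected role.' }
```

Re-running the audit after later changes to site administrators shows whether the SYSTEM or computer account has picked up rights beyond the one role this guide assigns.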

Monitoring Citrix DaaS Sites

  • Requirements:

Note: The Citrix Cloud API client name is case-sensitive. Name it "uberAgent".

 

[CitrixCloud_Config]
API endpoint = https://api-us.cloud.com
CustomerId = <CustomerId>
ClientId = <ClientId>
ClientSecret = <ClientSecret>
CollectCitrixCloudInformation=True

 

Note: The API endpoint URL depends on your region:

After installing the uberAgent agent in your Master/Gold image, seal it and deploy it to your Citrix workload using your usual distribution method (MCS / PVS / AppLayering).

For more details, please refer to the following documentation.

Testing and Final Result

Once completed, validate that the machines where you installed the uberAgent agent are shown in the Splunk Dashboard uberAgent UXM under Machines tab > Machine Inventory.

To complete the testing, start a machine, launch a new session, and open an application. Wait a few minutes to allow the agent to capture data. All data will be available in the Splunk Dashboards for uberAgent User Experience (UXM) and uberAgent Security (ESA).

 
