uberAgent ESA data exists in Splunk even with ESA disabled ("EnableESA = false")

Article ID: CTX696314

Description

uberAgent is still evaluating ESA-related metrics on your VDAs although you’ve set EnableESA to false in your uberAgent.conf, and you are running Citrix Virtual Apps and Desktops 2503 or later.

Cause

Starting with Citrix Virtual Apps and Desktops 2503, uberAgent integrates with Citrix Director to enable enhanced monitoring capabilities. The Director integration requires a subset of ESA metrics. Therefore, ESA is enabled by Director even when you’ve set EnableESA to false in your uberAgent.conf.

Resolution

To keep Director functionality while preventing ESA data from being sent to your backend (for example, Splunk), do the following:

  1. Remove the @ConfigInclude uberAgent-ESA.conf line from your uberAgent.conf.
  2. Add the following Event Data Filter to your uberAgent.conf to block remaining ESA data:
 
# Exclude all ESA metrics
[EventDataFilter]
Action = deny
Sourcetype = ActivityMonitoring:ProcessTagging
Sourcetype = Process:DnsQuery
Sourcetype = System:ScheduledTaskActions
Sourcetype = System:ScheduledTaskTriggers
Sourcetype = System:ScheduledTasks
Sourcetype = Process:ProcessStop
Sourcetype = System:WinEvtLogForwarding
Sourcetype = System:SecurityInventory
Query = true
 

After applying the filter, save your uberAgent.conf and restart the uberAgent service. ESA data should no longer appear in your backend while Director functionality remains available.
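
An added example, not part of the Citrix article or of uberAgent itself: a small Python check that a given uberAgent.conf has both resolution steps applied. The function name, the simplified parsing (one directive or key per line, # comments, case-insensitive keys) and the sample configuration are assumptions made for illustration.

```python
# Sourcetypes listed in the article's [EventDataFilter] stanza.
ESA_SOURCETYPES = {
    "ActivityMonitoring:ProcessTagging", "Process:DnsQuery",
    "System:ScheduledTaskActions", "System:ScheduledTaskTriggers",
    "System:ScheduledTasks", "Process:ProcessStop",
    "System:WinEvtLogForwarding", "System:SecurityInventory",
}

def audit_uberagent_conf(text):
    """Return findings; an empty list means both resolution steps are applied."""
    findings, stanzas, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank and commented-out lines have no effect
        if line.startswith("@ConfigInclude"):
            if "uberagent-esa.conf" in line.lower():
                findings.append("step 1: uberAgent-ESA.conf is still included")
        elif line.startswith("["):
            name = (line.strip("[]").split() or [""])[0]
            current = {"name": name, "sourcetypes": set(), "keys": {}}
            stanzas.append(current)
        elif current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key.lower() == "sourcetype":
                current["sourcetypes"].add(value)
            else:
                current["keys"][key.lower()] = value.lower()
    # Collect sourcetypes covered by deny filters that match every event.
    denied = set()
    for s in stanzas:
        keys = s["keys"]
        if (s["name"] == "EventDataFilter" and keys.get("action") == "deny"
                and keys.get("query") == "true"):
            denied |= s["sourcetypes"]
    for missing in sorted(ESA_SOURCETYPES - denied):
        findings.append(f"step 2: no deny filter for {missing}")
    return findings

# Constructed sample: include still present, filter covers only one sourcetype.
SAMPLE_CONF = """\
@ConfigInclude uberAgent-ESA.conf
[EventDataFilter]
Action = deny
Sourcetype = Process:DnsQuery
Query = true
"""

if __name__ == "__main__":
    print("\n".join(audit_uberagent_conf(SAMPLE_CONF)))
```

Run it against the configuration deployed to each VDA; a sourcetype reported under step 2 is one that would still reach the backend.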

Issue/Introduction

ESA-related metrics are still being evaluated even though EnableESA is set to false in the uberAgent.conf file.

Additional Information

https://docs.citrix.com/en-us/uberagent/7-5-x/kb/data-volume/disable-esa-with-director-integration