uberAgent data is not available on the Splunk dashboard.
Agents report correctly when admins allow full internet access on the firewall.
The uberAgent log file, located in C:\Windows\Temp (default location), shows a failed CurlSend attempt, for example:
2025-05-02 10:31:10.439 +0000,ERROR,DOMAIN,MACHINE_NAME$,2320,CurlSend,Sending to host https://http-inputs.myorgexample.splunkcloud.com:443 failed with: schannel: next InitializeSecurityContext failed: CRYPT_E_REVOCATION_OFFLINE (0x80092013) - The revocation function was unable to check revocation because the revocation server was offline..
Traffic to the external CRL servers and OCSP responders should be allowed on the firewall. You can check with the certificate provider which URLs are required.
You should also import the root certificate into the Windows certificate store (Trusted Root Certification Authorities).
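To see which CRL and OCSP URLs the endpoint's certificate chain actually references, the following PowerShell can be run on an affected machine. It is an added example, not part of uberAgent or the original article, and it assumes the host name from the log line above, port 443 and TLS 1.2.

```powershell
# Added example. Assumption: host name copied from the log line above; use your own HEC endpoint.
$HostName = 'http-inputs.myorgexample.splunkcloud.com'
$Port     = 443

# Fetch the server certificate. The callback accepts any certificate because
# the goal is only to read it; no data is sent over this connection.
$tcp = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
try {
    $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, { $true })
    $ssl.AuthenticateAsClient($HostName, $null, [System.Security.Authentication.SslProtocols]::Tls12, $false)
    $leaf = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
}
finally { $tcp.Dispose() }

# Build the chain with online revocation checking for every element,
# which is the same kind of check that fails in the log line.
$chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$chainOk = $chain.Build($leaf)

# 2.5.29.31 = CRL Distribution Points
# 1.3.6.1.5.5.7.1.1 = Authority Information Access (OCSP responder, CA issuers)
$oids = '2.5.29.31', '1.3.6.1.5.5.7.1.1'
$urls = foreach ($element in $chain.ChainElements) {
    foreach ($ext in $element.Certificate.Extensions) {
        if ($oids -contains $ext.Oid.Value) {
            # Format($true) renders the extension as text; pull the URLs out of it.
            [regex]::Matches($ext.Format($true), 'https?://[^\s,()]+') | ForEach-Object {
                [pscustomobject]@{
                    Subject = $element.Certificate.Subject
                    Source  = $ext.Oid.FriendlyName
                    Url     = $_.Value
                }
            }
        }
    }
}

"Chain valid: $chainOk"
$chain.ChainStatus | ForEach-Object { '{0}: {1}' -f $_.Status, $_.StatusInformation.Trim() }
$urls | Sort-Object Url -Unique | Format-Table -AutoSize -Wrap
```

A chain status of RevocationStatusUnknown or OfflineRevocation points to blocked CRL/OCSP traffic, and UntrustedRoot points to a root certificate missing from Trusted Root Certification Authorities. The listed URLs are the ones to allow on the firewall.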
Workaround:
We have a few settings (Config Flags) which can help in scenarios like this. Examples:
You can update the configuration file (uberAgent.conf) located in C:\Programdata\vast limits\uberAgent\Configuration on the affected machine.
An example configuration stanza looks like this:
[Miscellaneous]
DebugMode = true
ConfigFlags = TLSRevocationChecksBestEffort
Cause:
The firewall was blocking CRL/OCSP traffic required for certificate validation.
The certificate chain was not trusted.