Endpoint Security Data Collection Strategy: Splunk UF, uberAgent, or Sysmon?


This is a guest blog post from Helge Klein, founder and managing director at vast limits, the uberAgent company.


Many threats originate from the endpoint and detecting them requires insights into what happens on the endpoint. In this post we look at different endpoint activity data sources, comparing the benefits and capabilities of Splunk Universal Forwarder with vast limits uberAgent and homegrown solutions.

Universal Forwarder

Splunk Universal Forwarder (UF) is Splunk’s default method for collecting and forwarding remote data. It supports the same broad range of platforms (including Windows, macOS, and Linux) and is configured in a similar manner to data collection on Splunk Enterprise/Splunk Cloud.

Data Sources & Metrics

Splunk Universal Forwarder is an agent for getting endpoint data into Splunk Enterprise or Cloud. It supports a number of generic data sources that are important in the context of information security:

  • Log files
  • Windows event log
  • Script output

In addition to the above, Universal Forwarder can collect data from various sources specific to Windows: performance counters, WMI, registry changes, Active Directory changes, network activity, host inventory and printing.

The ability to run arbitrary tools or scripts (such as PowerShell on Windows systems), collect their output and send it to Splunk makes Universal Forwarder a versatile tool, and useful in many different scenarios.

Sending Data to Splunk Receivers

The Splunk Universal Forwarder can send data to Splunk backends either via TCP or HTTP. It supports TLS encryption for both protocols. It also supports advanced options such as indexer acknowledgment and persistent disk queues.


uberAgent

uberAgent is a Windows and macOS endpoint agent developed by vast limits. It can be used in conjunction with Universal Forwarder or standalone.

uberAgent is optimized for a small footprint and minimal data volume. It typically needs fewer CPU and memory resources when compared to Splunk Universal Forwarder. In cases where there is an overlap in functionality with the UF, uberAgent often generates less data volume (e.g., network monitoring).

Data Sources & Metrics

In terms of security (uberAgent ESA) as well as user experience and performance (uberAgent UXM), uberAgent is focused on providing deeper visibility into user and application activity.

uberAgent ESA comes with an activity monitoring engine that efficiently detects risky behavior and flags the corresponding event for further analysis in Splunk. Activity monitoring rules are processed on the endpoint for maximum efficiency. uberAgent ESA ships with an extensive predefined rule set covering some of the most significant endpoint security use cases. The product also includes a converter for Sigma detection rules.

In addition to the above, uberAgent collects detailed information about application performance, network connections, web apps, and Citrix, and it also covers machine boot and user logon duration. All in all, uberAgent ESA collects data from about 80 different categories. Similar to Universal Forwarder, the agent’s capabilities can be extended through scripts whose output is captured.

uberAgent ESA feature summary:

  • Activity monitoring engine
  • uAQL query language (processed on the endpoint)
  • Converter for Sigma rules
  • Extensive contextual information (inventory, app usage, performance)
  • Web app monitoring (all major browsers)
  • Citrix monitoring

Sending Data to Splunk Receivers

uberAgent can send data either to a locally installed Universal Forwarder, which then forwards it to the Splunk backend, or directly to Splunk Enterprise or Cloud.

Dashboards & Data Models

uberAgent comes with 60+ Splunk dashboards that visualize all of the metrics collected by the agent. This makes for a smooth end-user experience and shortens implementation times dramatically as everything from data creation to dashboarding is coming from a single provider.

CIM-compliant event tags are automatically applied to the data collected by uberAgent. Data models provide a schema for all fields and sourcetypes. This makes uberAgent ready to be immediately adopted and integrated into Splunk Enterprise Security, the SIEM many clients rely on for centralized visibility regardless of the mechanism, technique or tool used to collect the data.


Homegrown: Sysmon and Custom Scripts

A homegrown endpoint security data collection solution is typically based on a combination of Microsoft Sysmon and custom scripts.

Sysmon is a monitoring and logging agent designed to identify malicious or anomalous activity. Whenever Sysmon observes some activity that matches one of the rules of its configuration XML file it writes an event to the Windows event log.

Data Sources & Metrics

Sysmon does not ship with monitoring rules; it needs to be configured from scratch by the customer. Many rules are available on the internet. The ruleset published by SwiftOnSecurity seems to be the most popular.

Sysmon’s capabilities are focused on low-level system events like process or thread creation, image or driver loads, registry or file system activity, WMI events, or DNS queries.
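To make the rule-to-event mechanism concrete, here is a minimal Sysmon configuration added as an example (it is not from the post, from vast limits or from Splunk). The filter values and rule names are constructed for illustration; the schemaversion must be one your installed Sysmon build accepts.

```xml
<!-- Constructed example: minimal Sysmon configuration. Each filter below turns a
     matching low-level event into a record in the Windows event log channel
     Microsoft-Windows-Sysmon/Operational, which a forwarder then ships to Splunk. -->
<Sysmon schemaversion="4.50">
  <!-- Hash algorithm recorded in process creation and image load events -->
  <HashAlgorithms>sha256</HashAlgorithms>
  <EventFiltering>
    <!-- Event ID 1 (ProcessCreate): log only script hosts and encoded command lines.
         The name attribute is written to the RuleName field, so Splunk searches can
         group hits by the rule that produced them. -->
    <RuleGroup name="" groupRelation="or">
      <ProcessCreate onmatch="include">
        <Image name="script_host" condition="image">powershell.exe</Image>
        <Image name="script_host" condition="image">wscript.exe</Image>
        <Image name="script_host" condition="image">cscript.exe</Image>
        <CommandLine name="encoded_cmd" condition="contains">-EncodedCommand</CommandLine>
      </ProcessCreate>
    </RuleGroup>
    <!-- Event ID 7 (ImageLoad): only unsigned DLLs, to keep volume down -->
    <RuleGroup name="" groupRelation="or">
      <ImageLoad onmatch="include">
        <Signed condition="is">false</Signed>
      </ImageLoad>
    </RuleGroup>
    <!-- Event ID 22 (DnsQuery): an exclude filter with no include filter means
         "log everything except these", here two known-noisy vendor domains -->
    <RuleGroup name="" groupRelation="or">
      <DnsQuery onmatch="exclude">
        <QueryName condition="end with">.windowsupdate.com</QueryName>
        <QueryName condition="end with">.microsoft.com</QueryName>
      </DnsQuery>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
```

Install it with `sysmon -accepteula -i sysmon.xml`, or push it to a running installation with `sysmon -c sysmon.xml`; the resulting events land in the Microsoft-Windows-Sysmon/Operational channel, which the Universal Forwarder reads like any other Windows event log input.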

Sending Data to Splunk Receivers

The events generated by Sysmon need to be read from the endpoint’s Windows event log and forwarded to Splunk by a tool like the Splunk Universal Forwarder.

Custom scripts are typically executed through an agent that also captures their output and sends it to Splunk. The Splunk Universal Forwarder and uberAgent are equally well suited for that task.

Dashboards & Data Models

With a homegrown solution, customers need to create their own dashboards for the data they collect.

Which Approach is Right for You?

Universal Forwarder is a flexible and scalable tool. It is supported by Splunk and is a solid building block wherever customers require a data collection tool on the endpoint that can be adapted to any situation. It is a key building block for organizations realizing the data-to-everything strategy.

uberAgent goes deeper in data and metrics collection. It comes with a good predefined configuration that makes it fast and easy to deploy and implement on top of Splunk Cloud/Enterprise. uberAgent’s dashboards light up with data minutes after installing the first endpoint agent. As a commercial product it offers full support and extensive documentation in addition to a unique set of metrics.

A homegrown endpoint security solution needs either of the two agents as a basis for tasks like data collection and transport to the Splunk backend. Homegrown appeals to customers who prefer tailor-made search queries and bespoke dashboard visualizations.

In the end, every approach has its benefits. There is no single solution that fits all requirements and use cases. As a Splunk customer, you are probably familiar with the Splunk Universal Forwarder. If you had not heard of uberAgent before reading this article, be sure to request your 60-day trial license.

Matthias Maier is Product Marketing Director at Splunk, as well as a technical evangelist in EMEA, responsible for communicating Splunk's go-to market strategy in the region. He works closely with customers to help them understand how machine data reveals new insights across application delivery, business analytics, IT operations, Internet of Things, and security and compliance. Matthias has a particular interest and expertise in security, and is the author of the Splunk App for IP Reputation. Previously, Matthias worked at TIBCO LogLogic and McAfee as a senior technical consultant. He is also a regular speaker at conferences on a range of enterprise technology topics.
