Part #4 of an in-depth exploration of the uberAgent product – what’s the final verdict?
If you haven’t read part #1, part #2 and part #3 of this article yet, then you’re coming in half-cocked. Go and read those first!
So we’re at a pivotal stage. It’s time to put up or shut up, to stay or to go, to get busy living or get busy dying (to paraphrase Andy Dufresne). Arguably, this final stage in the acceptance of a product suite is by far the hardest because this is where you need to move from PoC to purchase. And, dependent on the enterprise you are working in, there may be significant hurdles to this final jump.
Building the business case
This is a key factor. It’s all very well ticking all of the technical boxes but when it comes to making the acquisition of the product, you need good business justification. If the cost is high or there is technical debt because of the underlying complexity, then be prepared to face difficult questions and possible pushback.
I’d argue that our AdminX wouldn’t be in the process of evaluation of a product such as uberAgent if they didn’t already have a strategic context for it. The first part of building any business case is the strategic context, and the evaluation signals that (generally) a need has been identified and you are now in the process of identifying options to fill that need.
But we generally approach an evaluation purely from a technical perspective. Like it or not, there is also an economic analysis required at this point. Return on investment is a vital consideration when any business is looking at purchasing – how much benefit will you gain from the outlay? And let’s not forget that affordability within the purchase time frame should also be considered.
When we talk about economic considerations you also need to think about management and governance. Aside from ongoing costs, how much of a difference would a purchase make to your organization in terms of skills, resources, training, and support? Does it fit in with your governance principles?
In short, you need to build a case that shows how the benefits will be realized and how this will translate into value to the business.
Economic analysis of uberAgent
When it comes to uberAgent, there’s a few considerations to make from the economic analysis side.
uberAgent is greatly enhanced, in my opinion, by its flexibility which comes from being tied to Splunk. But on the flip side of this, is the fact that the Splunk licensing cost is an “unknown” in the equation. Businesses like to deal with a fixed price, but Splunk comes in various different flavours and licensing models. It can be licensed based around data ingestion, infrastructure resource, a “predictive” model (which uses predefined volume tiers), and there are even options for free licensing (for instance, if you ingest less than 500MB/day) But in practice, you need to investigate the amount of data you are generating if you are going to make a realistic calculation.
uberAgent offer some pointers around general calculations, but dependent on the size of your environment, you would really need to try and make an informed decision. What you can do is actually set up an uberAgent PoC and then use the metrics to measure the generated data volume from within your environment, which is rather cool. If this is too high, you can also optionally tune it down. And bear in mind – many monitoring solutions out there have infrastructure requirements with costs attached, such as databases and web services. There is no such need with uberAgent, so costs are offset in different ways.
When it comes to evaluating the cost of uberAgent, you need to put a little bit of effort in rather than just getting a number from the vendor.
- Choose between Splunk on-premises and Splunk Cloud
- Identify the Splunk pricing model that would be right for your environment – there are several, so take some time to explore them
- If you’re looking at a data ingestion pricing model, identify your typical daily data volume for a typical endpoint through a PoC implementation, ideally
- Extrapolate the data volume out to a yearly per user cost by multiplying by number of endpoints and mapping against the Splunk pricing
- Check the uberAgent pricing against your user and device numbers to find the right model for your environment
- Add the Splunk estimated cost to the uberAgent cost
This might sound a bit much for your average overworked admin, but if you think about it in practice, it isn’t really. If you’re diligent, you’d be doing this kind of thorough exploration of any product you looked at – the only difference is you don’t have a ready-made off-the-shelf guide price to run with as a rough idea. However, we can run through a quick simulation of how you could possibly come up with a number.
In my PoC I never generated enough traffic to move out of the free tier (as I was only monitoring 6 or 7 endpoint servers at a time). However, in a normal size environment (and this is just a finger-in-the-air moment, please don’t take it as gospel), Splunk licensing generally comes in at about $17-20 per user per year. Let’s also not forget that Splunk isn’t just for uberAgent – you can load up all other kinds of metrics and dashboards and security analytics into your Splunk instance. So that cost doesn’t just go towards uberAgent, even though you may look at it as part of the uberAgent cost.
uberAgent, like most software, also has pricing tiers dependent on volume and whether you are looking at per-user or per-device models. However (and this is another finger-in-the-air moment!) lets say, for posterity, that you had a decent-sized environment (5000 or so users) running Citrix Virtual Apps – your uberAgent cost would not be out of the realms of possibility to be about $9.50 per user per year. So overall, we’re looking at a cost of Splunk + uberAgent of about $27-30 dollars per user. As I said, this could well vary massively according to your requirements and user base, so it is worth putting in the time to understand your needs and potential costs.
Again, this is where uberAgent feels a bit different from your average commercial off-the-shelf monitoring software. With most COTS software you almost always have a fixed price to start from, but the very nature of uberAgent means that with the flexibility comes a lot of flexibility on the price. And I think this does put people off, slightly, because they feel that there is an “unknown” attached to the product that involves them putting in some time to define. However – is this also not a good point? The flexibility of the Splunk licensing models means you can probably fit your costs into your budget rather than having to work the other way round. And don’t forget, uberAgent isn’t specifically tied to Splunk – it can also work with ElasticSearch, Apache Kafka and Azure Monitor logs.
Value for money?
So from the economic analysis perspective, let’s make some summary statements.
If you are already a Splunk customer (and many are, especially for security event monitoring and retention), I think uberAgent is frankly a complete shoo-in. I currently have a customer who is using Splunk quite widely and I would not really consider anything other than uberAgent for their Citrix infrastructure because it fits straight in, no questions asked. It also means that, generally, you also have competent Splunk administrators on board – which speaks to the “management” consideration I also mentioned earlier.
If you’re not a Splunk customer, don’t get put off by the fact. I must admit, I (like our fictional AdminX character) always have had a bit of a fear of the unknown. Slotting in a piece of off-the-shelf software always seemed so much easier. But once you’ve sat down and realized the level of flexibility and customization you can get from uberAgent, then it doesn’t seem too much of a chore to sit down and work out the various permutations that you can twist out of the myriad Splunk licensing models. And once you start to tweak uberAgent as well, you can see that you might be able to actually be so flexible with the cost that you can possibly skin it into different levels of monitoring. Again, I really like this idea – you could maybe even adjust the data volumes and licensing models year-on-year to have a sliding scale of costs based around budgets and value add.
I think doing a PoC is vitally important, though, to validate those costs. Ideally, I’d like to see it done on production or pre-production instances to get a “real” feel for the session host data volumes, but I realize that this isn’t always possible in some environments. However, uberAgent goes out of its way to be helpful here – you can use free community licenses for up to 100 users for one year, you can use the evaluation version which has full functionality and merely presents a nag screen, or if you’re a consultant you can get a two-month license for up to 1000 users. You have lots of options and flexibility around putting together that PoC – there’s no reason to complain that it’s hard to do.
And finally, from this economic perspective, uberAgent doesn’t diverge much from the ballpark figures of other products in the space. There are some products out there that are considerably more expensive than their competitors, and which leave you wondering what you get from them that justifies all the extra expenditure (and the trouble of building the associated wider business case!) Thankfully, all of the flexibility and customization that comes along with uberAgent doesn’t cost you extra.
Management and resource
Now I did mention earlier that you would also potentially need to get familiar with the Splunk product, or whatever you are using for the backend. And as I said, if you are an existing Splunk customer with staff who are already familiar with it, then you’re already in a good place. But if you aren’t – how difficult is it and what sort of resource requirement will it bring, long-term?
Again, I think this is an area where there’s a bit of knee-jerk going on. I don’t think it is much more difficult to learn the Splunk side of things then it is to get to grips with any new product, but as it feels a bit less point-and-click than some products out there, again that fear of the unfamilar rises up slightly. But on the flip side, Splunk is used in great numbers of enterprises, has a thriving community, and as such is documented incredibly well online (Splunk Fundamentals is free and well worth a look). Compare this with other products I’ve worked with in the past – the closed-source nature of them often means that help is difficult to find and you’re more or less dependent directly on the vendor (for a couple of years, I was pretty much the only online source for documentation or guides on AppSense, for instance). As well as having good community representation, I also found uberAgent’s own support staff really helpful at bringing me along, particularly by providing custom XML that not only let me unlock new functionality, but which also encouraged me to start experimenting with the Splunk query interface myself.
So from a management perspective, I feel that there is a little bit of a curve attached to the Splunk side of the product, but the excellent online and vendor support much more than compensates for this. I’d much sooner take a product that involves a bit of learning but has a lot of online resource than the other way around, any day of the week.
Other considerations
What else did I think about when living with uberAgent?
Obviously everyone thinks about cloud, and Splunk is no different. There is a Splunk Cloud offering which is slightly more expensive but which would be more suitable for enterprises which are cloud-first and/or are hosting their workers within cloud services.
Citrix Cloud support isn’t fully there yet from a perspective of performing full monitoring on the infrastructure components, but obviously there is no such problem on the session hosts. Citrix Cloud support is on the future roadmap though. To be fair, querying data within Citrix Cloud has presented problems for a lot of vendors and clients respectively, so this isn’t unexpected.
On the cloud service subject, you could quite easily install uberAgent into Windows Virtual Desktop, Amazon Workspaces, Citrix Managed Desktops or any other environment – as long as they are Windows-based, it will function exactly the same.
Talking about Windows, there’s also macOS agent support on the horizon, as well as other features such as browser metrics for Edge Chromium and a new network driver which will show jitter, packet loss, source addresses and improve latency accuracy.
Splunk fully supports load balancing and clustering, so architecting for high availability doesn’t present any problems.
Verdict
So, I’ve used uberAgent in my lab and looked at it from the perspective of our “unknown admin” for a few months now. What’s my final verdict?
uberAgent is different to other monitoring tools I’ve worked with. I think that my attitude towards it was slightly skewed by my thought of “it needs Splunk and that’s something I’m not familiar with”. I know this attitude is widespread because it has been echoed by other community people I’ve talked to.
But honestly – it’s a case of vive la difference. Once you get past your prejudice towards Splunk, that flexibility is great. Most COTS products, as a rule, come with pre-defined dashboards that try to be all things to all men – you simply get to jig them around a bit to try and find the best for you. With uberAgent and Splunk, you start from what you want to see and build the uberAgent UXM solution together with other Splunkbase apps to create the dashboards that you want. It really is a total sea-change. I was setting up an uberAgent PoC with a client who already had Splunk and they asked me to mock up what I wanted to see on a dashboard, and then they went off to try and arrange the apps and dashboards so I had exactly the view that I wanted.
In modern environments where the “Citrix” or “virtualized” solution is made up of many moving parts this flexibility is vital. For the client I am working with, there’s no point having visibility of the Citrix infrastructure without visibility of Azure MFA because without MFA nobody can ever log in. With uberAgent, we present the Azure MFA status view alongside the Citrix dashboards. I think this is great – I no longer have to work within the confines of specific product offerings when trying to translate client needs into delivered artifacts. And being able to tune the Splunk side of things with regards to cost also gives you a lever you never had before – if it’s too expensive for a customer, then just tune it down a bit and present it as a “lower tier” offering.
Like I said, if you’re already into Splunk, then I frankly wouldn’t consider anything else. You’ve already got your feet wet, after all! But if you’re not a Splunk customer – well, uberAgent would now certainly always be on my list of monitoring tools to suggest. I think that it’s fair to say that I always have a small number of products that I am comfortable working with which I would recommend to customers, and it’s also fair to say that after spending some time with uberAgent it is now firmly on that list. As a consultant, I know it is very rare to find a product that will work for every single customer – hence the shortlist. But I can honestly say that if you want flexibility and the power to create highly-tailored dashboards that give precise views of metrics aligning directly with your customer needs – uberAgent gives you that in spades.
Very nice series of articles, thanks.
I have evaluated UberAgent and this is the product I am recommending my company to use.
My problem is that my company is abandoning Splunk for Elastic and I had to configure UberAgent to feed an Elastic instance and it works fine.
But thismade me loose the beautiful dashboards that are provided by vast limit for Splunk (for free).
The only company that I have found developing Elastic/Kibana dashboards for UberAgent is RisConsulting in Germany (https://www.risconsulting.de/) so far.
They have lots of dashboards in the pipeline and I am looking forward to work with them.
JCMoriaud /Geneva /Switzerland
I can’t modify my post above so here it is :
the company designing the dashboards is actually XOSS (http://xoss.io ).