Overview
With Blumira Agent and your customized install script, Blumira can receive event logs directly through the cloud within minutes, without the need for a log collection server or additional configuration. Devices running Blumira Agent (also called "agent devices") send logs of activity on remote Windows, Mac, or Linux endpoints to Blumira for detection and response. Additionally, Blumira Agent allows you to temporarily isolate a suspicious or vulnerable host from the network while you determine the next steps in a detection event.
Supported platforms
Blumira Agent can run on the following platforms:
- Windows XP 32-bit or higher (excludes ARM)
- x86_64 Linux distributions that use the apt or yum package manager
- macOS 10.7 and later
Before you begin
If your organization blocks outbound traffic or performs SSL interception, add the following destinations to your firewall's allowlist so that the agent can download and connect to Blumira:
- URLs used to download the agent:
https://dl.blumira.com/agent/files/blu_agent.exe
https://dl.blumira.com/blumira_linux_agent.sh
https://dl.blumira.com/blumira_macos_agent.sh
- Host and port used to ship agent logs (outbound TCP 443):
9157798c50af372c.lc.limacharlie.io:443
- Additional SSL certificate exclusion when using SSL decryption/interception (the agent's connection must not be decrypted and re-signed by your proxy):
rp_c2_dev
If you have not added the above to your allowlist and the agent installation fails, run this command in PowerShell on the device to check whether the log endpoint is reachable:
Test-NetConnection -ComputerName "9157798c50af372c.lc.limacharlie.io" -Port 443
If TcpTestSucceeded is False in the output, traffic is being blocked; add the destinations above to your firewall allowlist. Note that this test only confirms that the TCP port is open. An SSL-inspecting proxy passes the test but still breaks the agent's connection, so if you use SSL decryption, also add the certificate exclusion above.
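A more complete pre-install check, added here as an example and not part of Blumira's documentation: it tests TCP reachability for each destination listed above and then inspects the certificate actually presented on the TLS connection, which is how you tell a working path from one that an inspection proxy is silently re-signing. It assumes the device has no explicit proxy configured, and the value of $InspectionCaPattern is a placeholder you replace with the issuer name your own SSL-inspection CA puts on the certificates it mints.

```powershell
# Added example, not from Blumira's documentation: check each destination listed
# above for reachability and for SSL interception before installing the agent.
# Run in PowerShell 5.1 or later on the device that will receive the agent.
# Assumptions: no explicit proxy is configured on the device, and
# $InspectionCaPattern is a placeholder for the issuer name of your own
# SSL-inspection CA.

$InspectionCaPattern = 'YourCorpInspectionCA'   # placeholder, adjust to your environment

$Destinations = @(
    @{ Host = 'dl.blumira.com';                     Port = 443; Purpose = 'agent download' }
    @{ Host = '9157798c50af372c.lc.limacharlie.io'; Port = 443; Purpose = 'log shipping'   }
)

function Get-PresentedCertificate {
    # Open a TLS session and return the leaf certificate that the far end (or a
    # proxy in the path) presents. Validation is deliberately disabled: the point
    # is to see what is presented, not to trust it.
    param([string]$HostName, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        $stream    = $client.GetStream()
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream -ArgumentList $stream, $false, $acceptAll
        $ssl.AuthenticateAsClient($HostName)   # sends SNI for the host name
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
        $ssl.Dispose()
        return $cert
    } finally {
        $client.Dispose()
    }
}

foreach ($d in $Destinations) {
    # Step 1: is the TCP port open at all? (what Test-NetConnection alone tells you)
    $tcp = Test-NetConnection -ComputerName $d.Host -Port $d.Port -WarningAction SilentlyContinue
    if (-not $tcp.TcpTestSucceeded) {
        Write-Warning ('{0} ({1}): TCP {2} blocked or unreachable; add it to the firewall allowlist' -f $d.Host, $d.Purpose, $d.Port)
        continue
    }
    # Step 2: does the TLS handshake complete, and who signed the certificate we got?
    try {
        $cert = Get-PresentedCertificate -HostName $d.Host -Port $d.Port
    } catch {
        Write-Warning ('{0} ({1}): TCP port open but the TLS handshake failed: {2}' -f $d.Host, $d.Purpose, $_.Exception.Message)
        continue
    }
    Write-Output ('{0} ({1}): reachable. Subject={2} Issuer={3} Expires={4}' -f $d.Host, $d.Purpose, $cert.Subject, $cert.Issuer, $cert.NotAfter)
    if ($cert.Issuer -match $InspectionCaPattern) {
        Write-Warning ('{0}: certificate issued by your inspection CA, so this connection is being intercepted; exclude it from SSL decryption' -f $d.Host)
    }
}
```

Compare the Subject and Issuer printed for the log-shipping host with what you expect: a certificate chained to your proxy's CA rather than to the public CA used by the service means the traffic is being intercepted, and the agent will fail to connect until that destination is excluded from decryption.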
Installing the agent
Required: You must be a Blumira Administrator or Manager to generate installation keys and scripts for Blumira Agent.
Blumira’s agent installation scripts provide a simple process for installing and running Blumira Agent on your remote endpoints. Obtain a custom script in-app, then run the agent install script in an elevated command prompt on the devices you want to collect logs from.
Notes:
- If NXLog or Sysmon is found on the device, the Poshim script removes it, because neither is required for Blumira Agent and Windows endpoint logging. NXLog and Sysmon are still installed by the Poshim script when integrating Windows machines without Blumira Agent.
- If your devices use Threatlocker, allow the application installation before running the script; otherwise Threatlocker stops it from completing. See Threatlocker's instructions in Using Learning Mode to Track Installed Files from an RMM or Software Deployment Tool.
To create and gather a new installation script:
- Navigate to Blumira Agent > Installation.
- Under Generate agent installation script, click Select installation key.
- If you already have an installation key in the app, select the installation key from the options; otherwise, click Create new installation key then type a description and the number of devices on which you will install Blumira Agent using the new key.
- Under Select platform, select the OS platform you plan to install the agent on.
- Click Copy to copy the custom installation script that appears in the box.
To run the script directly on the device, complete the following steps according to the platform selected:
Platform | Steps
--- | ---
Windows | After logging in to the Windows device as an administrator, paste the agent installation script into an elevated PowerShell prompt and press Enter. The script performs all installation steps automatically. Note: In addition to the logs that Windows enables by default, Blumira recommends deploying Logmira, our group policy object (GPO) template for advanced logging. This GPO enables about 100 additional types of Windows logs, enhancing detection and logging coverage.
Linux | On a Linux device, paste the agent installation script into your terminal and press Enter. The script performs all installation steps automatically.
Mac | On a Mac device, complete the following as sudo or with root privileges: Note: You can deploy the agent to your Mac devices using an MDM solution by referencing LimaCharlie's example configurations and preferences for silent installation in macOS Sensor Installation - MDM Configuration Profiles.
Verifying that Blumira Agent is connected
To verify that Blumira Agent is installed and connected to Blumira, do the following:
- In the Blumira app, navigate to Blumira Agent > Devices.
- In the Devices table, find the row for the newly added agent device.
- In the Agent status column, verify that the device is “Online”.
If you do not see the device connected to Blumira, verify that the agent is running on the device by doing one of the following:
Platform | Steps
--- | ---
Windows | Open Task Manager and search for the file or service using any of the following methods:
Mac | Find and run the app RPHCP from the Applications folder. A message will appear to confirm whether the required permissions have been granted.
Linux | In the Linux terminal, run this command: sudo systemctl status blumira_agent
If you have confirmed that the agent is running on the device but no logs reach Blumira, verify that your account has not reached the maximum number of agents allocated for your license. An agent beyond that limit cannot connect to Blumira to send logs. Remove old agents that are no longer needed, or increase your agent limit, so that the recently installed agent can connect.
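For Windows devices, the two checks above (is the agent running, and is it actually talking to Blumira) can be done from one elevated PowerShell session. The script below is an added example, not Blumira's own tooling. The page does not give the Windows service or process name, so $NamePattern is a guess built from the names that do appear on this page (the blu_agent.exe installer and the RPHCP app on macOS); change it to match what you see after installation. It also assumes the agent keeps a persistent outbound session to the log endpoint, so a momentary reconnect can show no session even on a healthy device.

```powershell
# Added example, not from Blumira's documentation: on a Windows device, confirm
# that the agent service is installed and running and that a process on the
# device holds an established TLS session to the log endpoint listed earlier.
# Assumptions: $NamePattern is a guess based on names on this page; the agent
# keeps a persistent session to the endpoint (a brief reconnect can show none).
# Run in an elevated PowerShell prompt.

$NamePattern = 'blu_agent|rphcp'                   # assumed, adjust as needed
$LogHost     = '9157798c50af372c.lc.limacharlie.io'
$LogPort     = 443

# 1. Service and process presence
$services  = Get-Service | Where-Object { $_.Name -match $NamePattern -or $_.DisplayName -match $NamePattern }
$processes = Get-Process | Where-Object { $_.ProcessName -match $NamePattern }

if (-not $services -and -not $processes) {
    Write-Warning "No service or process matches '$NamePattern'; the install did not complete or the pattern needs adjusting."
}
foreach ($s in $services) {
    $state = if ($s.Status -eq 'Running') { 'OK' } else { 'NOT RUNNING' }
    Write-Output ('Service {0} ({1}): {2}, StartType={3} [{4}]' -f $s.Name, $s.DisplayName, $s.Status, $s.StartType, $state)
}
foreach ($p in $processes) {
    Write-Output ('Process {0} PID {1}' -f $p.ProcessName, $p.Id)
}

# 2. Outbound session to the log endpoint: resolve it, then look for an
#    established TCP connection to any of its addresses on the log port.
$ips = Resolve-DnsName -Name $LogHost -Type A -ErrorAction Stop |
       Where-Object { $_.Type -eq 'A' } | Select-Object -ExpandProperty IPAddress
$sessions = Get-NetTCPConnection -State Established -RemotePort $LogPort -ErrorAction SilentlyContinue |
            Where-Object { $ips -contains $_.RemoteAddress }

if ($sessions) {
    foreach ($c in $sessions) {
        $owner = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
        Write-Output ('Established {0}:{1} -> {2}:{3} by PID {4} ({5})' -f $c.LocalAddress, $c.LocalPort, $c.RemoteAddress, $c.RemotePort, $c.OwningProcess, $owner.ProcessName)
    }
} else {
    Write-Warning "No established session to ${LogHost}:$LogPort. If the service is running, check the firewall allowlist, the SSL interception exclusion, and whether your license's agent limit has been reached."
}
```

A running service with no established session points at the network path (allowlist or SSL interception) or the agent limit on your license; no matching service or process at all means the installation script did not complete and should be rerun after checking the Threatlocker note above.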