Automating Windows log collection with Poshim

Overview

This article explains how to integrate your Windows machines with Blumira for log ingestion using a sensor and Poshim (PowerShell Shim). One of the most difficult parts of Windows log collection is collecting the right data from varied hosts across an environment that is often complex and non-uniform. Poshim handles the installation and configuration of NXLog and Sysmon to ship Windows event logs via syslog to a target IP address. It automatically downloads, installs, and configures the necessary binaries, building a configuration for each machine so that you get the most visibility possible from it.

Note: Blumira Agent eliminates the need to use the sensor-based log shipping method. If your Blumira license includes access to Blumira Agent, we recommend using our modern agent instead of the below legacy log shipping method. See Installing Blumira Agent on a remote device for more information about deploying the agent.

By default, Poshim installs the latest stable version of Sysmon on the host. When run on a host that Poshim has already set up, it updates the running Sysmon and NXLog configurations to the latest ones Blumira has crafted for the best visibility.

If the host has a firewall enabled, Poshim automatically enables the firewall's log file output (blocked connections, by default) and configures NXLog to ingest that log from the host.

Before you begin

System requirements

Poshim can be used on the following Windows operating systems:

  • Windows 7, 10, and 11
  • All Microsoft-supported Windows Server, including Windows Server 2012 R2 through Windows Server 2019 and Windows Server 2022

Gathering your Blumira sensor details

This integration requires a Blumira sensor to be installed before you can complete the steps below. Ensure that you complete the steps in Building a Blumira sensor with Ubuntu before you continue.

Gather the IP address of your Blumira sensor to use when configuring the external service.

To find and copy the IP address of the sensor, do the following:

  1. In Blumira, navigate to Settings > Sensors.
  2. Click the sensor row to open the details page.
  3. In the Overview section, next to Host Details, copy the IP address.

Important: Pairing Poshim with the Logmira GPO template provides the most advanced and thorough detection coverage for your systems. Many of Blumira's Windows detection rules rely on the advanced logging GPO. Ensure that you also deploy the GPO when you deploy Poshim to your Windows endpoints by completing the steps in Advanced Microsoft Windows logging with Logmira GPO template.

Preparing your environment

Using patch management software, such as Patch Manager Plus, to update Windows hosts disrupts the running NXLog service on those hosts and causes logging to stop. Do not push Poshim updates through patch management software; update Poshim manually on each host instead.

If your devices use Threatlocker, allow the application installation before running the script; otherwise, Threatlocker will stop it from completing successfully. See Threatlocker's instructions in Using Learning Mode to Track Installed Files from an RMM or Software Deployment Tool.

Using Poshim to install NXLog and Sysmon

Running Poshim broadly across a mixed environment gives the best results without modifying the command. Windows PowerShell may default to TLS 1.0 for web requests, so the installation command forces TLS 1.2 so that the script can be downloaded; this setting is safe on Windows Server 2012 and later and may work on 2008 R2, depending on the PowerShell version. Note that the command downloads a script and immediately executes it (iwr piped to iex), so run it only on hosts that can reach dl.blumira.com directly. For locked-down environments, use the Download mode described under Expert mode below to stage and inspect the files internally first.

Standard option

You can use a simple PowerShell command if you do not have any older machines in your environment and do not need additional logging options, which are listed in the Advanced section below.

To run Poshim on a Windows machine, do the following:

  1. Open an elevated PowerShell prompt.
  2. Run this short command, replacing "A.B.C.D" with the IP address of your Blumira sensor:
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; . { iwr -useb http://dl.blumira.com/agent/poshim.ps1 }| iex; Blumira-Installer -Install -Sensor A.B.C.D

Note: If you get an error that Blumira-Installer is not recognized, check that the command includes the single dot after Tls12; and before the opening brace. That dot-source operator runs the downloaded script in your current session scope, which is what makes the Blumira-Installer function available to the final part of the command.

Advanced options

Poshim has a number of flag options that allow our users to be more self-sufficient. All of these flags can be added to the above command depending on your needs.

Flag and description

-AdditionalLogs
    Identifies additional logs to load, matched by fuzzy text. Example: to add all Hyper-V and SentinelOne logs, pass -AdditionalLogs "HyperV,SentinelOne".
    Tip: Quote the log names and separate them with commas if you pass more than one.

-Configuration
    By default, Poshim pulls its configuration from https://dl.blumira.com/agent/poshim_config.json. You can override this with your own locally or remotely hosted configuration, for example -Configuration \\FILEHOST\C\poshim\config.json or a different remote location.

-FirewallAllow
    By default, Poshim enables Windows Firewall Block logging if a firewall exists on the host. If you need additional visibility, pass -FirewallAllow together with -Install to enable both Block and Allow logging. If Block logging is already enabled but Allow is not, Poshim detects the current state and updates it accordingly.

-NoSysmon
    Tells Poshim to skip Sysmon during -Install or -Uninstall. Blumira deploys Sysmon by default to ensure the best visibility across Windows hosts.

-NXLogExtras
    Loads additional NXLog route blocks. Two extras are currently supported: -NXLogExtras "fw_514_syslog,iis_514_im_file" loads the Windows Firewall syslog ingestor and the IIS file-based ingestor. You can also add your own base64-encoded full route blocks (in/route/out) for NXLog to your own configuration.
    Note: If the firewall is identified as enabled, the script automatically loads fw_514_syslog without requiring any changes.

-Sensor
    Required when -Install is used, as shown above. Poshim tests connectivity to the sensor and prepares the NXLog configuration to ship to it.

-Silent
    Suppresses all console output other than the module loading. Actions are still logged to Event Viewer.

-WorkingDirectory
    Stores all files locally in the directory you specify. At a minimum, Poshim expects to find files whose names match the configuration in use. This is typically used with a local run configuration and with -Download mode, which prepares the local files for use.
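The following script is an added example and is not Blumira's own code. It runs the installer command from this page with the advanced flags above, then checks what Poshim should have left behind: the NXLog and Sysmon services, whether nxlog.conf references the sensor, and the Windows Firewall logging state that -FirewallAllow controls. The service names (nxlog, Sysmon64, Sysmon), the nxlog.conf install paths, and a TCP syslog listener on port 514 are assumptions; adjust them to your environment.

```powershell
# Added example, not part of Blumira's Poshim: install with advanced flags, then verify.
# Service names, nxlog.conf paths and the syslog port below are assumptions.
param(
    [Parameter(Mandatory)] [string] $Sensor,        # Blumira sensor IP, e.g. A.B.C.D
    [string] $AdditionalLogs = '',                  # e.g. 'HyperV,SentinelOne' (fuzzy match)
    [switch] $FirewallAllow,                        # log Allow as well as Block events
    [int]    $SyslogPort = 514                      # assumption: sensor accepts TCP syslog here
)

function Test-PoshimInstall {
    # Prints the state Poshim should have produced and returns $true when the
    # essentials (nxlog running, config pointing at the sensor) look right.
    param([Parameter(Mandatory)] [string] $Sensor)
    $ok = $true

    $services = Get-Service -Name nxlog, Sysmon64, Sysmon -ErrorAction SilentlyContinue
    $services | Format-Table Name, Status -AutoSize | Out-Host
    $nxlog = $services | Where-Object Name -eq 'nxlog'
    if (-not $nxlog -or $nxlog.Status -ne 'Running') {
        Write-Warning 'nxlog service is missing or not running'
        $ok = $false
    }
    if (-not ($services | Where-Object Name -like 'Sysmon*')) {
        Write-Warning 'No Sysmon service found (expected only if -NoSysmon was used)'
    }

    # Assumption: default NXLog install locations for the x64 and x86 builds.
    $confPaths = @('C:\Program Files\nxlog\conf\nxlog.conf',
                   'C:\Program Files (x86)\nxlog\conf\nxlog.conf')
    $conf = $confPaths | Where-Object { Test-Path $_ } | Select-Object -First 1
    if ($conf -and (Select-String -Path $conf -Pattern ([regex]::Escape($Sensor)) -Quiet)) {
        Write-Host "nxlog.conf at $conf targets $Sensor"
    } else {
        Write-Warning "Could not confirm that nxlog.conf targets $Sensor"
        $ok = $false
    }

    # Firewall logging: Poshim enables Block logging when the firewall is on;
    # LogAllowed should read True only if -FirewallAllow was passed.
    Get-NetFirewallProfile |
        Format-Table Name, Enabled, LogBlocked, LogAllowed, LogFileName -AutoSize | Out-Host

    return $ok
}

# 1. Pre-flight: surface an unreachable sensor before anything is installed.
#    Test-NetConnection probes TCP, so skip this if your sensor listens on UDP only.
$probe = Test-NetConnection -ComputerName $Sensor -Port $SyslogPort -WarningAction SilentlyContinue
if (-not $probe.TcpTestSucceeded) {
    Write-Warning "Sensor $Sensor did not answer on TCP/$SyslogPort; check routing and firewall rules."
}

# 2. The installer command from this page, with the advanced flags supplied by splatting.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
. { iwr -useb http://dl.blumira.com/agent/poshim.ps1 } | iex
$installArgs = @{ Install = $true; Sensor = $Sensor }
if ($AdditionalLogs) { $installArgs.AdditionalLogs = $AdditionalLogs }
if ($FirewallAllow)  { $installArgs.FirewallAllow  = $true }
Blumira-Installer @installArgs

# 3. Verify the result.
if (-not (Test-PoshimInstall -Sensor $Sensor)) {
    Write-Warning 'Poshim install did not verify cleanly; review the warnings above.'
}
```

Run it from an elevated prompt, for example .\Install-Poshim.ps1 -Sensor A.B.C.D -AdditionalLogs "HyperV,SentinelOne" -FirewallAllow. The verification prints the firewall profile table so you can confirm that LogAllowed changed only where you asked for it.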

Expert mode–download and local installation

While it is great to have a one-liner to set up hosts from the internet, this can make things difficult in locked-down environments. Therefore, we provide a -Download mode that allows you to build this internally.

Important: To use this mode, you must define the -WorkingDirectory (the quoted file path in the example code block below) to indicate where to write the files.

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; . { iwr -useb http://dl.blumira.com/agent/poshim.ps1 }| iex; Blumira-Installer -Download -WorkingDirectory "C:\Users\owen\Downloads\Poshim_Local_Example"


Local install following Download mode

After using the -Download mode, you can run the script in local mode only with no internet access.

To run the script locally, do the following:

  1. Navigate to the local folder where the files were dropped (in your shell or however you approach this) and import the module.
    Note: You must set the execution policy first and change the UNC path to suit your environment. If you prefer not to change the policy machine-wide, add -Scope Process to Set-ExecutionPolicy so the change applies only to the current PowerShell session.
    Set-ExecutionPolicy Unrestricted; Import-Module \\Filehost\C\poshim\poshim.ps1
    Set-ExecutionPolicy Unrestricted; Import-Module .\poshim.ps1   # if the files are local
  2. Run the installer from the locally loaded module, as shown below, changing the -WorkingDirectory path and -Sensor IP address to suit your environment.
    Blumira-Installer -Install -Sysmon -Configuration poshim_config.json -WorkingDirectory "C:\Users\owen\Downloads\" -Sensor A.B.C.D
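The following script is an added example and is not Blumira's own code. It takes a working directory produced by the -Download step and deploys it to several hosts that have no internet access, running the same local-install invocation shown above on each one over PowerShell Remoting. It assumes WinRM is enabled and you are an administrator on each target, that the stage directory holds poshim.ps1, poshim_config.json and the downloaded binaries, and that the remote staging path and the service names (nxlog, Sysmon64, Sysmon) are placeholders to adjust. The files are copied into the session from your workstation rather than read from the UNC share inside the remote session, because a remote session cannot forward your credentials to a file server (the Kerberos second-hop problem).

```powershell
# Added example, not part of Blumira's Poshim: offline fleet install from a -Download stage.
# Assumptions: WinRM enabled, admin rights on targets, PowerShell 5+ (Copy-Item -ToSession).
param(
    [Parameter(Mandatory)] [string]   $Sensor,              # Blumira sensor IP, e.g. A.B.C.D
    [Parameter(Mandatory)] [string[]] $ComputerName,        # hosts to install on
    [string] $StageDir  = '\\Filehost\C\poshim',             # output of Blumira-Installer -Download
    [string] $RemoteDir = 'C:\ProgramData\Poshim\'           # placeholder; trailing backslash as in the page's example
)

foreach ($target in $ComputerName) {
    $session = $null
    try {
        $session = New-PSSession -ComputerName $target -ErrorAction Stop

        # Create the staging folder, then push the files from this workstation into the
        # session. Reading \\Filehost inside Invoke-Command would fail: the remote host
        # cannot pass your credentials on to the file server (Kerberos second hop).
        Invoke-Command -Session $session -ScriptBlock {
            New-Item -ItemType Directory -Path $using:RemoteDir -Force | Out-Null
        }
        Copy-Item -Path (Join-Path $StageDir '*') -Destination $RemoteDir `
            -ToSession $session -Recurse -Force

        $state = Invoke-Command -Session $session -ScriptBlock {
            # Relax the policy for this process only instead of setting Unrestricted machine-wide.
            Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process -Force
            Import-Module (Join-Path $using:RemoteDir 'poshim.ps1')

            # Same local-install invocation as on this page; installer output goes to the
            # console so that only the service state is returned to the caller.
            Blumira-Installer -Install -Sysmon -Configuration poshim_config.json `
                -WorkingDirectory $using:RemoteDir -Sensor $using:Sensor | Out-Host

            # Service names are assumptions; adjust if Poshim registers them differently.
            Get-Service -Name nxlog, Sysmon64, Sysmon -ErrorAction SilentlyContinue |
                Select-Object Name, Status
        }

        $summary = ($state | ForEach-Object { "$($_.Name)=$($_.Status)" }) -join ', '
        Write-Host "[$target] $summary"
    }
    catch {
        Write-Warning "[$target] failed: $($_.Exception.Message)"
    }
    finally {
        if ($session) { Remove-PSSession -Session $session }
    }
}
```

Run it as .\Deploy-PoshimOffline.ps1 -Sensor A.B.C.D -ComputerName host1, host2 from a workstation that can read the stage share. A host that reports no nxlog entry, or one that is not Running, is the one to log on to and troubleshoot.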

Uninstalling NXLog and Sysmon

Uninstalling is a simple process that requires determining if you want to remove NXLog and Sysmon or only NXLog.

To uninstall both, run the command below in PowerShell. If you do not want to uninstall Sysmon, add the -NoSysmon flag to the command before running it.

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; . { iwr -useb http://dl.blumira.com/agent/poshim.ps1 }| iex; Blumira-Installer -Uninstall