Overview
This article explains how to integrate your Windows machines with Blumira using a Blumira sensor and Poshim (PowerShell Shim).
One of the most difficult parts of Windows log collection is ensuring that you are collecting the right data from varying hosts across your entire environment, which can be complex and non-uniform. Poshim handles the installation and configuration for NXLog and Sysmon to ship Windows event logs via Syslog to a targeted IP. It will automatically pull down, install, and properly configure the necessary binaries to ensure you are getting the most visibility possible for each machine, as each configuration is built for that machine.
Before you begin
This integration requires a Blumira sensor to be installed before you can complete the steps below. Ensure that you complete the steps in Building a Blumira sensor with Ubuntu before you continue.
Gather the IP address of your Blumira sensor to use when configuring the external service.
To find and copy the IP address of the sensor, do the following:
- In Blumira, navigate to Settings > Sensors.
- Click the sensor row to open the details page.
- Under Overview, in the Host Details box, copy the IP value.
Recommended: Pairing Poshim with the Logmira GPO template provides the most advanced and thorough detection coverage for your systems. Many of Blumira's Windows detection rules rely on the advanced logging GPO. Ensure that you deploy the GPO when you deploy Poshim to your Windows endpoints.
Using Poshim to install NXLog and Sysmon
Poshim can be used on the following operating systems:
- Windows 7, 10, and 11
- All Microsoft-supported Windows Server versions, including Windows Server 2012 R2 through Windows Server 2019, and Windows Server 2022
When run on a host that was previously set up by Poshim, it updates the running configurations of Sysmon and NXLog to the latest "best visibility" configurations crafted by Blumira. By default, Poshim installs Sysmon onto the host using the last known-good stable version.
If the host has the Windows Firewall enabled, Poshim automatically enables the firewall log file output and sets up ingestion of that log from the host.
Warning: Using patch manager software, like Patch Manager Plus, to update Windows hosts will disrupt the running NXLog service on the hosts and cause logging to stop. Either avoid using patch management software to update Poshim, or update Poshim manually on each host.
Installing
To run Poshim on a Windows machine:
- Open an elevated PowerShell prompt.
- If you do not have any older machines in your environment, run this short command, replacing A.B.C.D with the IP address of your sensor:
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; . { iwr -useb http://dl.blumira.com/agent/poshim.ps1 }| iex; Blumira-Installer -Install -Sensor A.B.C.D
Notes:
- Using this command broadly across a mixed environment will give you the best impact without having to modify the command.
- PowerShell may attempt to use TLS 1.0 by default, so you must change the protocol before the script runs. The installation command above includes this change; it is safe to use on all versions of Windows above 2012, and it may work on 2008 R2 depending on the PowerShell version.
- If your devices are using ThreatLocker, ensure that you properly allow application installation before running the script; otherwise ThreatLocker will stop it from completing successfully. See ThreatLocker's instructions in Using Learning Mode to Track Installed Files from an RMM or Software Deployment Tool.
- If you get errors that Blumira-Installer is an unknown module, ensure your command has a single dot between ...Tls12; and { iwr... so that it reads ...Tls12; . { iwr ...
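Once the installer has finished, it is worth confirming on the host that both collectors are actually running and that the sensor is reachable, since a stopped NXLog service (for example after a patch cycle, as warned above) silently halts log delivery. The following check is an added example and is not part of Poshim or Blumira's documentation; it assumes the NXLog service is named nxlog and the Sysmon service is Sysmon64 or Sysmon, neither of which the article states.

```powershell
# Added example, not Blumira's code: post-install health check for a Poshim-managed host.
# Assumed service names (not stated in the article): NXLog = "nxlog", Sysmon = "Sysmon64" or "Sysmon".
$NxlogServiceName   = 'nxlog'
$SysmonServiceNames = @('Sysmon64', 'Sysmon')
$SensorIp           = 'A.B.C.D'   # replace with the sensor IP from Settings > Sensors

function Test-PoshimHealth {
    param([string]$Sensor)
    $result = [ordered]@{}

    # 1. NXLog must be running; patch tooling is known to stop it.
    $nx = Get-Service -Name $NxlogServiceName -ErrorAction SilentlyContinue
    $result.NXLogInstalled = [bool]$nx
    $result.NXLogRunning   = [bool]($nx -and $nx.Status -eq 'Running')

    # 2. Sysmon is installed by default; accept whichever service name is present.
    $sm = $SysmonServiceNames |
        ForEach-Object { Get-Service -Name $_ -ErrorAction SilentlyContinue } |
        Select-Object -First 1
    $result.SysmonRunning = [bool]($sm -and $sm.Status -eq 'Running')

    # 3. A running Sysmon should be producing events; look for anything in the last 15 minutes.
    $recent = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        StartTime = (Get-Date).AddMinutes(-15)
    } -MaxEvents 1 -ErrorAction SilentlyContinue
    $result.SysmonEventsRecent = [bool]$recent

    # 4. The sensor must be reachable. ICMP may be filtered, so treat $false as a prompt to
    #    investigate rather than proof that syslog delivery is broken.
    $result.SensorReachable = Test-Connection -ComputerName $Sensor -Count 1 -Quiet

    [pscustomobject]$result
}

$health = Test-PoshimHealth -Sensor $SensorIp
$health | Format-List

# Remediation: bring NXLog back up if it is installed but stopped.
if ($health.NXLogInstalled -and -not $health.NXLogRunning) {
    Start-Service -Name $NxlogServiceName
    Write-Warning "NXLog was stopped and has been restarted on $env:COMPUTERNAME."
}
```

Run this from an elevated prompt; scheduling it after patch windows catches the stopped-service case the warning above describes.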
Options and advanced use
Poshim has a number of flag options that allow our users to be more self-sufficient. All of these flags can be added to the above command.
Flag | Description
--- | ---
-NoSysmon | Instructs Poshim not to -Install or -Uninstall Sysmon. As of 2021-11-05, Blumira deploys Sysmon by default to ensure the best visibility across Windows hosts.
-Sensor | As seen above, required if -Install is used. Poshim tests connectivity to the sensor and prepares the NXLog configuration.
-Configuration | By default, pulls the configuration from https://dl.blumira.com/agent/poshim_config.json; customers can override this with their own locally or remotely hosted configuration, such as -Configuration \\FILEHOST\C\poshim\config.json or a different remote location.
-AdditionalLogs | Identifies additional logs to load using a fuzzy text match. Example: to add all Hyper-V and SentinelOne logs, pass -AdditionalLogs "HyperV,SentinelOne". Tip: Quote the list and separate the names with commas if you have more than one.
-NXLogExtras | Selects from the supported extras; you can also add your own base64-encoded full route blocks (in/route/out) for NXLog to your own configuration. Two extras are currently supported: -NXLogExtras "fw_514_syslog,iis_514_im_file" loads the Windows Firewall syslog ingestor as well as the IIS file-based ingestor. Note: If the firewall is identified as enabled, the script loads fw_514_syslog automatically without requiring any changes.
-WorkingDirectory | Stores all files locally and defines the directory they are located in. At a minimum, Poshim expects to find files whose names match the configuration being used. This would typically be used together with a local run configuration. This is used in conjunction with the
-FirewallAllow | By default, Poshim enables Firewall Block logging if a firewall exists on the host. If you require additional visibility, pass -FirewallAllow together with -Install to enable both Block and Allow logging. If Block logging is already enabled but Allow is not, Poshim determines the current state and updates it accordingly.
-Silent | Suppresses all log output other than the module loading. Actions are still logged to Event Viewer.
Uninstalling
Uninstalling is a simple process; you only need to decide whether to remove NXLog alone, or both NXLog and Sysmon.
Tip: If you do not want to uninstall Sysmon, you can add the -NoSysmon flag to the command.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; . { iwr -useb http://dl.blumira.com/agent/poshim.ps1 }| iex; Blumira-Installer -Uninstall
Downloading and local installation – expert mode
While it's great to have a one-liner to set up hosts from the internet, this can make things difficult in locked-down environments. Therefore, we provide a -Download mode that allows you to build this internally.
Important: To use this mode, you must define the -WorkingDirectory (the quoted file path in the example command below) to indicate where to write the files.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; . { iwr -useb http://dl.blumira.com/agent/poshim.ps1 }| iex; Blumira-Installer -Download -WorkingDirectory "C:\Users\owen\Downloads\poshim_local"
Local install following Download mode
After you have used the -Download mode, you can run the script in local mode only, with no internet access.
To run the script:
- Navigate to the local folder where the files were dropped (in your shell, or however you approach this) and import the module. Note: You must set the execution policy first, and change the UNC path to suit the needs of your environment.
Set-ExecutionPolicy Unrestricted; Import-Module \\Filehost\C\poshim\poshim.ps1
If the files are on the local host, import from the current directory instead:
Set-ExecutionPolicy Unrestricted; Import-Module .\poshim.ps1
- Run the locally loaded module and execute the installer against the downloaded files. Note: You must change the WorkingDirectory path and Sensor IP address to suit the needs of your environment.
Blumira-Installer -Install -Sysmon -Configuration poshim_config.json -WorkingDirectory "C:\Users\owen\Downloads\" -Sensor A.B.C.D
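The two steps above can be wrapped in a single script for a scheduled task or RMM job. The following is an added example, not part of Poshim or Blumira's documentation; it assumes the files produced by -Download sit on the share \\Filehost\C\poshim (a placeholder), stages them into a local directory, and scopes the relaxed execution policy to the running process rather than changing the machine-wide setting as the shorter commands above do.

```powershell
# Added example, not Blumira's code: checked offline install of Poshim from a file share.
param(
    [string]$Share    = '\\Filehost\C\poshim',        # placeholder UNC path to the -Download output
    [string]$Sensor   = 'A.B.C.D',                     # replace with your sensor IP
    [string]$LocalDir = 'C:\ProgramData\poshim_local'  # hypothetical local staging directory
)

# Relax the execution policy for this process only, not for the whole machine.
Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process -Force

# Stage the files locally so the install does not depend on the share staying reachable.
New-Item -ItemType Directory -Path $LocalDir -Force | Out-Null
Copy-Item -Path (Join-Path $Share '*') -Destination $LocalDir -Recurse -Force

# Both inputs of a local run must be present before NXLog or Sysmon is touched.
foreach ($required in 'poshim.ps1', 'poshim_config.json') {
    if (-not (Test-Path (Join-Path $LocalDir $required))) {
        throw "Missing $required in $LocalDir; re-run Blumira-Installer -Download on a connected host."
    }
}

# Poshim tests sensor connectivity itself, but failing early leaves the host untouched.
# ICMP may be filtered, so a failure here is a prompt to confirm the path, not proof it is down.
if (-not (Test-Connection -ComputerName $Sensor -Count 1 -Quiet)) {
    throw "Sensor $Sensor is not reachable from $env:COMPUTERNAME."
}

Import-Module (Join-Path $LocalDir 'poshim.ps1') -Force

# Flags from the options table: keep Sysmon, enable Allow logging alongside the default
# Block logging, and keep console output quiet (actions are still written to Event Viewer).
Blumira-Installer -Install -Sysmon `
    -Configuration 'poshim_config.json' `
    -WorkingDirectory "$LocalDir\" `
    -Sensor $Sensor `
    -FirewallAllow -Silent
```

Run it from an elevated PowerShell prompt on each host; pass -Share, -Sensor and -LocalDir to override the placeholders.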