Overview
After configuring certain group policy settings, Blumira can ingest advanced Microsoft command-line process auditing and PowerShell module logging. You can use Logmira to import the pre-built settings easily. Logmira is a downloadable backup of Microsoft Windows Domain Group Policy Object (GPO) settings.
This GPO backup includes our recommended Windows logging settings for all supported versions of Microsoft Windows Server. Importing it from backup is much easier than following a list and manually modifying 100+ settings.
Note: Pairing Poshim with the Logmira GPO template provides the most advanced and thorough detection coverage for your systems. Many of Blumira's Windows detection rules rely on the advanced logging GPO. Ensure that you deploy the GPO when you deploy Poshim to your Windows endpoints.
Logmira GPO Policy Import
- Download the GPO backup from here: https://github.com/Blumira/Logmira/raw/master/GPO%20Files/Logmira.zip
- Extract the contents of the zip file. It will be a single folder with a large hexadecimal string (a GUID) as the folder name.
- Copy the extracted folder to your DC.
- Log in to the DC and open Group Policy Management.
- Expand the Forest node > Domains node > your domain node.
- Right click on the group policy objects folder under your domain and choose New.
- In the New GPO window, type in a name, such as Logmira-RV.
- In the Source Starter GPO field, keep the default (none) setting.
- Click OK.
- In the right pane of the window, click the new Logmira-RV entry and click Import Settings.
- In the Import Settings Wizard window:
  - Click Next to continue.
  - In Backup GPO, ignore the Backup button, and click Next.
  - In Backup location, click Browse to choose the parent folder where you extracted the zip file's contents and click OK.
    Example: If you extracted the folder to Desktop, choose Desktop in the folder browser. Do not select the extracted folder.
  - In the Source GPO window, select Logmira and click Next.
  - After scanning backup, click Next.
  - Click Finish.
- Now that the policy is imported, you need to link the policy to your domain:
  - In Group Policy Management, right-click on your domain and click Link an existing GPO.
    Alternatively, you can choose each OU that contains machines from which you want to forward logs to Blumira and link the GPO to those OUs instead of to the top-level domain.
  - In Select GPO, select Logmira-RV and click OK.
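The same import and link steps can be scripted with the GroupPolicy module on a domain controller. The following is an added example, not Blumira's or Logmira's own code; it assumes the zip was downloaded to C:\Temp\Logmira.zip, that the backup inside it carries the display name Logmira (the name the wizard shows under Source GPO), and that the new GPO is named Logmira-RV as in the steps above.

```powershell
# Added example (not Blumira's or Logmira's code): scripted equivalent of the
# GUI import and link procedure. Paths and names below are assumptions.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$ZipPath    = 'C:\Temp\Logmira.zip'      # assumed download location
$BackupRoot = 'C:\Temp\LogmiraBackup'    # parent folder; the GUID-named backup folder lands inside it
$GpoName    = 'Logmira-RV'

# Extract the zip. Import-GPO's -Path must be the PARENT folder that contains
# the GUID-named backup folder, exactly like the wizard's Backup location step.
Expand-Archive -Path $ZipPath -DestinationPath $BackupRoot -Force

# Create the GPO and import the backed-up settings into it in one step.
$gpo = Import-GPO -BackupGpoName 'Logmira' -Path $BackupRoot -TargetName $GpoName -CreateIfNeeded

# Link it at the domain root, as the article does. To link to individual OUs
# instead, pass each OU's distinguished name as -Target.
$DomainDN = (Get-ADDomain).DistinguishedName
New-GPLink -Name $GpoName -Target $DomainDN -LinkEnabled Yes

# Verify: the link is present on the domain, and the imported audit/PowerShell
# logging settings appear in the GPO report.
Get-GPInheritance -Target $DomainDN |
    Select-Object -ExpandProperty GpoLinks |
    Where-Object DisplayName -eq $GpoName
Get-GPOReport -Name $GpoName -ReportType Html -Path "C:\Temp\$GpoName.html"
```

Endpoints pick the policy up at the next Group Policy refresh; running gpupdate /force on a test host and checking that PowerShell module logging events start arriving is a quick way to confirm the GPO applied before relying on the detections that depend on it.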
Additional Resources
Exporting a GPO
(What we have done to create GPOLoggingImport.zip, and what should be done for GPO Backups.)
- To begin the export process, open the Group Policy Management console, navigate to the proper domain, expand Group Policy Objects, and select the GPO that you'd like to export.
- Right-click and select Back Up from the menu.
- Select the location the backup will be exported to and enter a description.
- Click Back Up.
- Click OK.
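The export steps above map to a single cmdlet. This added example (not Blumira's own code) backs up a GPO the same way the GUI does and shows the resulting GUID-named folder; it assumes the source GPO is named Logmira-RV and the destination is C:\GPOBackups.

```powershell
# Added example (not Blumira's code): scripted equivalent of the "Exporting a GPO"
# steps. GPO name and destination folder are assumptions.
Import-Module GroupPolicy

$GpoName   = 'Logmira-RV'
$BackupDir = 'C:\GPOBackups'
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# Backup-GPO writes a GUID-named folder under $BackupDir (the same layout the
# Logmira zip ships with) and returns a GpoBackup object describing it.
# The -Comment value is what the GUI's Description field stores.
$backup = Backup-GPO -Name $GpoName -Path $BackupDir -Comment "Logmira export $(Get-Date -Format s)"
$backup | Select-Object DisplayName, Id, BackupDirectory, CreationTime

# The folder name is the backup Id in braces; Backup.xml and gpreport.xml
# inside it describe the settings that were captured.
Get-ChildItem -Path (Join-Path $BackupDir "{$($backup.Id)}")
```

Keeping the exported folder under version control or alongside a written change record makes it easy to diff two backups' gpreport.xml files when reviewing what a logging policy change actually altered.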
Reference
- Group Policy Overview
- How to use the Group Policy Management Console (GPMC)
- Understanding GPO Scopes