Overview
Blumira integrates with Microsoft Windows operating systems to provide automated threat detection and actionable response. Blumira supports the following Microsoft Windows Server operating systems:
- Windows Server 2019
- Windows Server 2016
- Windows Server 2012R2
- Windows Server 2012
Blumira provides broad coverage for Windows Server, including log collection, and recommends using NXLog, Command Line Logging, DNS Debugging and Winlogbeat.
Before you begin
This integration requires a Blumira sensor to be installed before you can complete the steps below. Ensure that you complete the steps in Building a Blumira sensor with Ubuntu before you continue.
Gather the IP address of your Blumira sensor to use when configuring the external service.
To find and copy the IP address of the sensor, do the following:
- In Blumira, navigate to Settings > Sensors.
- Click the sensor row to open the details page.
- In the Overview section, next to Host Details, copy the IP address.
Using Poshim for automated Windows setup
To complete this integration, we recommend using Blumira’s Poshim (PowerShell Shim) script, which is designed to ensure that you are collecting the right data from hosts across your entire environment. Poshim handles the installation and configuration of NXLog and Sysmon and ships the resulting logs to the IP address you target.
Reference: See Automating Windows log collection with Poshim for instructions.
If you choose to use Poshim for this integration, nothing further is needed on this page. For manual configuration, continue reading below.
NXLog for Windows setup
NXLog is a multi-platform log management tool that helps you identify security risks and policy breaches, and analyze operational problems, in server logs, operating system logs and application logs. In concept, NXLog is similar to syslog-ng or Rsyslog, but it is not limited to UNIX and syslog.
Setting up a standard host
- Download and install the newest stable NXLog Community Edition.
- Download Blumira’s nxlog template by right-clicking this link and choosing Save As: https://raw.githubusercontent.com/Blumira/Flowmira/master/nxlog.conf
Note: You can subscribe to updates of the template here: https://github.com/Blumira/Flowmira/blob/master/nxlog.conf
- Replace "C:\Program Files (x86)\nxlog\conf\nxlog.conf" with the Blumira nxlog configuration file you downloaded.
- Open the configuration file for editing as an administrator and, at line 56, replace A.B.C.D with the actual IP address of the Blumira sensor. The edited line should look like this:
define SIEM 10.11.12.13
- Save the configuration file.
- Open Windows Services and restart the NXLog service, or start the service from an administrator command prompt by running this command:
net start nxlog
- Set nxlog to a delayed start using services.msc, or run the following command:
sc config nxlog start= delayed-auto
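The following script is an added example that automates the manual steps above for a standard host; it is not Blumira’s Poshim script and not NXLog’s code. It assumes that NXLog Community Edition is already installed at its default x86 path, that the template’s placeholder line reads exactly "define SIEM A.B.C.D" (the page shows the placeholder as A.B.C.D at line 56), and that it runs in an elevated PowerShell session. It refuses a malformed sensor address, keeps a backup of any existing nxlog.conf, and verifies the service and the edited line afterwards.

```powershell
# Added example (not Blumira's Poshim or NXLog's code). Assumptions: NXLog CE is
# installed at its default x86 path, the template placeholder line is exactly
# "define SIEM A.B.C.D", and this runs from an elevated PowerShell prompt.
param(
    [Parameter(Mandatory = $true)]
    [string]$SensorIp,   # Blumira sensor IP (Settings > Sensors > Host Details)
    [string]$TemplateUrl = 'https://raw.githubusercontent.com/Blumira/Flowmira/master/nxlog.conf',
    [string]$ConfPath    = 'C:\Program Files (x86)\nxlog\conf\nxlog.conf'
)
$ErrorActionPreference = 'Stop'

# Accept only an IPv4 address, so a typo cannot point the event log stream elsewhere.
$parsed = $null
if (-not [System.Net.IPAddress]::TryParse($SensorIp, [ref]$parsed) -or
    $parsed.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) {
    throw "SensorIp '$SensorIp' is not a valid IPv4 address."
}

# The "Download and install NXLog" step must already be done: the service has to exist.
if (-not (Get-Service -Name 'nxlog' -ErrorAction SilentlyContinue)) {
    throw 'NXLog service not found; install NXLog Community Edition first.'
}

# Download the template. Server 2012/2012R2 need TLS 1.2 enabled explicitly
# before Invoke-WebRequest can reach GitHub.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$tmp = Join-Path $env:TEMP 'blumira-nxlog.conf'
Invoke-WebRequest -Uri $TemplateUrl -OutFile $tmp -UseBasicParsing

# Substitute the sensor IP for the placeholder. Fail if the placeholder is
# missing rather than silently installing a config that points nowhere.
$placeholder = 'define SIEM A.B.C.D'   # assumed exact text of the template line
$content = Get-Content -Path $tmp -Raw
if ($content -notmatch [regex]::Escape($placeholder)) {
    throw "Template does not contain '$placeholder'; check the download."
}
$content = $content -replace [regex]::Escape($placeholder), "define SIEM $SensorIp"

# Back up whatever config is currently in place, then write the edited template.
if (Test-Path $ConfPath) {
    Copy-Item -Path $ConfPath -Destination ('{0}.bak-{1:yyyyMMddHHmmss}' -f $ConfPath, (Get-Date))
}
Set-Content -Path $ConfPath -Value $content -Encoding ASCII

# Restart the service (starts it if stopped) and set delayed automatic start.
# sc.exe requires the space after "start=".
Restart-Service -Name 'nxlog'
& sc.exe config nxlog start= delayed-auto
if ($LASTEXITCODE -ne 0) { throw "sc.exe config failed with exit code $LASTEXITCODE" }

# Verify: service running, and the define line carries the sensor IP.
$status = (Get-Service -Name 'nxlog').Status
$line   = (Select-String -Path $ConfPath -Pattern '^define SIEM ' | Select-Object -First 1).Line
if ($status -ne 'Running' -or $line -ne "define SIEM $SensorIp") {
    throw "Verification failed: status=$status, line='$line'"
}
Write-Host "NXLog running; $line"
```

Save it as, for example, Set-BlumiraNxlog.ps1 and run `.\Set-BlumiraNxlog.ps1 -SensorIp 10.11.12.13` from an administrator PowerShell window. If your NXLog install is 64-bit, pass `-ConfPath` with the corresponding conf location.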
Enabling additional logging
See Advanced Microsoft Logging for our recommended Windows logging GPO settings.
If there are additional logging files beyond what is covered here, you will need to specify them as channels in the nxlog.conf.
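As an added example (not Blumira’s or NXLog’s code), the script below helps decide which extra channels to add: it lists enabled Windows event channels that hold records but are not mentioned anywhere in the current nxlog.conf, and, for a channel you name, prints a standard NXLog im_msvistalog input block to paste into the config. It assumes the config references channels by their full log name (for instance inside `<Select Path="...">`), so a plain text search of the file is only a heuristic; the `$AddChannel` parameter and the `in_` input-name prefix are this example’s own choices.

```powershell
# Added example (not Blumira's or NXLog's code). Assumption: nxlog.conf names
# each collected channel by its full log name, so a text search is a usable
# heuristic for "already covered".
param(
    [string]$ConfPath = 'C:\Program Files (x86)\nxlog\conf\nxlog.conf',
    [string]$AddChannel   # optional, e.g. 'Microsoft-Windows-TaskScheduler/Operational'
)
$ErrorActionPreference = 'Stop'
$conf = Get-Content -Path $ConfPath -Raw

function Get-UncoveredChannel {
    # Enabled channels that contain events but do not appear in the config text.
    # Some channels need admin rights to enumerate; those are skipped silently.
    Get-WinEvent -ListLog * -ErrorAction SilentlyContinue |
        Where-Object { $_.IsEnabled -and $_.RecordCount -gt 0 } |
        Where-Object { $conf -notmatch [regex]::Escape($_.LogName) } |
        Sort-Object RecordCount -Descending |
        Select-Object LogName, RecordCount
}

function New-NxlogChannelInput {
    # Emits a standard NXLog im_msvistalog <Input> block for one channel.
    # The input name is derived from the channel name so it is unique in the config.
    param([Parameter(Mandatory = $true)][string]$Channel)
    $name = 'in_' + ($Channel -replace '[^A-Za-z0-9]', '_')
    @"
<Input $name>
    Module  im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="$Channel">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>
"@
}

Get-UncoveredChannel | Format-Table -AutoSize
if ($AddChannel) {
    New-NxlogChannelInput -Channel $AddChannel
}
```

After pasting a generated `<Input>` block into nxlog.conf, add its name to the Path of the route that delivers to the sensor and restart the nxlog service; an input that is not routed collects nothing. Review the uncovered-channel list with the Advanced Microsoft Logging recommendations in mind rather than adding every channel, since high-volume channels add load on both the host and the sensor.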
Windows 2003
If you are using Windows 2003, use this configuration instead of the configuration described above: https://storage.googleapis.com/blumira-shipping-configurations/nxlog/nxlog_2003.conf.
It can be placed in the same location, C:\Program Files\nxlog\conf\nxlog.conf, assuming you are using the x86 version of Windows 2003.
This configuration strips out several features that the 2008+ version has. Because the Windows 2003 event log is not very verbose, we strongly recommend installing the latest version of Sysmon that supports Windows 2003 to fill in the gaps.
No additional logging needs to be set up on the host beyond the hardening guide.