Using Poshim

Basic use of Poshim is very simple as it only requires you to run one PowerShell command on each host. This command can be run continuously on a task or once.

When running it on a host that already has already been setup by Poshim, it will update the running configurations of Sysmon and NXLog to the latest “best visibility” configurations crafted by Blumira. By default, Poshim will install Sysmon onto the host with the last stable, good version.

Important: All of these commands must be run from an elevated PowerShell prompt. Remember to include the “.” before the “{ iwr” part of the command or you will get an error message about how Blumira-Agent is not found.

If the host has the firewall enabled, Poshim will automatically enable the log file output and set up ingestion from the host.

Warning: Using patch manager software, like Patch Manager Plus, to update Windows hosts will disrupt the running NXlog service on the hosts and cause logging to stop. Either avoid using patch manager software to update Poshim or update Poshim manually on each host.


PowerShell may attempt to use TLS1.0 by default, so you must pass in a protocol change before the script run. We include this in the installation command, and it is safe to use on all versions of Windows above 2012 and may work on 2008 R2 depending on the PowerShell version.

If you do not have any older machines in your environment, you can use the shorter command below. Change the Sensor IP address to suit the needs of your environment.

Using this command broadly across a mixed environment will provide you with the best impact without having to modify use of the command.

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; . { iwr -useb }| iex; Blumira-Agent -Install -Sensor A.B.C.D

Tip: If you are getting errors that Blumira-Agent is an unknown module make sure your command has a single dot between ...Tls12; and { iwr....  It should look like this: ...Tls12; . { iwr ...

Afterwards, set the NXLog service to use a delayed-auto start by running the following command:

sc.exe config nxlog start= delayed-auto

Options and advanced use

Poshim has a number of features that allow for our users to be generally more self sufficient. All of the below flags would be added to the above command.

Flag Description
-NoSysmon This triggers Poshim to not -Install or -Uninstall sysmon if utilized. As of 2021-11-05 Blumira has moved to deploying Sysmon by default to ensure best visibility across Windows hosts.
-Sensor As seen above, the Sensor flag is required if -Install is being used. It will test for connectivity and prep the NXLog configuration.
-Configuration By default, pulls the configuration from; however, customers can override this with their own locally or remotely hosted configuration as such -Configuration \\FILEHOST\C\poshim\config.json or a different remote location.
-AdditionalLogs Identify any additional logs they want to load using fuzzy text match, e.g., if you wanted to add all HyperV and SentinelOne logs you would pass -AdditionalLogs "HyperV,SentinelOne".
Tip: Remember to quote the logs if you have more than one.
-NXLogExtras Allows for users to currently select from two extras, however they can add their own base64 encoded full route blocks (in/route/out) for NXLog to their own configuration. Right now, we support two, as seen here -NXLogExtras "fw_514_syslog,iis_514_im_file" which would load in the Windows Firewall syslog ingestor as well as the IIS file-based ingestor if desired.
Note: By default, if the firewall is identified as enabled, the script will automatically load fw_514_syslog without requiring any changes.
-WorkingDirectory Allows for users to store all files locally and define the directory they’re located in. We expect to find files that match the general configuration being used in filenames at the least. This would likely be used in conjunction with a local run configuration in general. This is used in conjunction with the -Downloadmode that will prep local files for use.
-FirewallAllow By default, Poshim will enable Firewall Block logs if a Firewall exists on the host. If you require additional visibility within your environment you can pass -FirewallAllow in conjunction with -Install which will enable both Block and Allow logs. If Block Logging is already enabled but Allow is not, Poshim will determine current state and update accordingly.
-Silent If you want no log output other than the module loading, add -Silent to your command. Will still log to Event Viewer on actions however.


Uninstalling is a simple process that requires you to identify if you want to remove NXLog or NXLog and Sysmon.

Tip: If you do not want to uninstall Sysmon, you can add the -NoSysmon flag to the command.

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; . { iwr -useb }| iex; Blumira-Agent -Uninstall

Downloading and local installation – expert mode

While it’s great to have a one-liner to set up hosts from the internet, this can make things difficult in locked down environments. Therefore, we provide a -Download mode that allows you to build this internally.

Important: To use this mode, you must define the -WorkingDirectory (the file path in parentheses in the example code block below) to indicate where to write the files.

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; . { iwr -useb }| iex; Blumira-Agent -Download -WorkingDirectory "C:\Users\owen\Downloads\poshim_local"

Local install following Download mode

After you have used the -Download mode, you can run the script in local mode only with no internet access.

To run the script:

  1. Navigate to the local folder where this file was dropped (in your shell, or however you approach this) and Import the module.
    Note: You must set the execution policy first, and change the UNC path to suit the needs of your environment.

    Set-ExecutionPolicy Unrestricted; Import-Module \\Filehost\C\poshim\poshim.ps1
    Set-ExecutionPolicy Unrestricted; Import-Module .\poshim.ps1 // if local, example screenshot below
  2. Run the locally loaded module and execute on the script itself as seen in the steps below.
    Note: You must change the WorkingDirectory path and Sensor IP address to suit the needs of your environment.

    Blumira-Agent -Install -Sysmon -Configuration poshim_config.json -WorkingDirectory "C:\Users\owen\Downloads\" -Sensor A.B.C.D