
Poshim – Automated Windows Log Collection Agent

Beta Release

Blumira has created the Poshim (PowerShell Shim) agent to help streamline and simplify Windows log collection and ongoing management for our customers.

One of the most difficult parts of Windows log collection is ensuring that you are collecting the right data from hosts across your entire environment. This becomes even more complex when you discover during deployment that each host tends to differ slightly depending on your internal needs.


What it Does

Poshim handles the installation and configuration of NXLog and Sysmon so that logs are shipped to a targeted IP. It automatically pulls down the needed binaries, installs them, and configures them to give you the most visibility possible for each machine, because each configuration is built for that specific machine.

Poshim supports Windows 2012 and up (including Windows 8 and newer for endpoints). Where Windows 2008 R2 has been updated to PowerShell 4 it may work, depending on the environment. We are working to improve coverage and stability on older Windows versions where possible.

Set Up Instructions

Using Poshim

Basic usage of Poshim is very simple: it only requires you to run one PowerShell command on each host. This command can be run on a recurring task or once; when run on a host that has already been set up by Poshim, it updates the running configurations of Sysmon and NXLog to the latest “best visibility” configurations crafted by Blumira. By default Poshim now installs Sysmon onto the host using the last known-good stable version.

All of these commands must be run from an elevated PowerShell prompt. Remember to include the . before the { iwr part of the command; otherwise you will get an error saying that Blumira-Agent is not found.

Note: If the host has the Windows Firewall enabled, Poshim will automatically enable the firewall log file output and set up ingestion of that log from the host.


Installation

Because PowerShell may attempt to use TLS 1.0 by default, you must change the security protocol before the script runs. We include this change in the installation command by default; it is safe to use on all versions of Windows from 2012 up and may work on 2008 R2 depending on the PowerShell version.

If you do not have any older machines in your environment, you can use the shorter command below. Using the full command broadly across a mixed environment, however, gives you the best coverage without having to vary the command per host.

The Sensor IP address should be changed to suit the needs of your environment.

If you get errors that Blumira-Agent is an unknown module, make sure your command has a single dot between ...Tls12; and { iwr.... It should look like ...Tls12; . { iwr ...

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; . { iwr -useb http://dl.blumira.com/agent/poshim.ps1 }| iex; Blumira-Agent -Install -Sensor A.B.C.D

Options and Advanced Use

Poshim has a number of features that allow our users to be more self-sufficient. All of the flags below are added to the installation command above.

-NoSysmon – Tells Poshim not to install or uninstall Sysmon when -Install or -Uninstall is used. As of 2021-11-05 Blumira deploys Sysmon by default to ensure the best visibility across Windows hosts.

-Sensor – As seen above, the Sensor flag is required when -Install is used; Poshim tests connectivity to it and prepares the NXLog configuration accordingly.

-Configuration – By default the configuration is pulled from https://dl.blumira.com/agent/poshim_config.json. Customers can override this with their own locally or remotely hosted configuration, for example -Configuration \\FILEHOST\C\poshim\config.json, or a different remote location.

-AdditionalLogs – Identifies any additional logs you want to load, using fuzzy text matching. For example, to add all HyperV and SentinelOne logs you would pass -AdditionalLogs "HyperV,SentinelOne". Remember to quote the list if you specify more than one log!

-NXLogExtras – Lets users select from the extras we ship; users can also add their own base64-encoded full route blocks (in/route/out) for NXLog to their own configuration. Right now we support two extras, as in -NXLogExtras "fw_514_syslog,iis_514_im_file", which loads the Windows Firewall syslog ingestor as well as the IIS file-based ingestor. Note: By default, if the firewall is identified as enabled, the script automatically loads fw_514_syslog without requiring any changes.

-WorkingDirectory – Lets users store all files locally and define the directory they are located in. At a minimum, we expect to find files whose names match the configuration being used. This is typically used together with a local run configuration, and with the -Download mode that prepares local files for use.

-FirewallAllow – By default Poshim enables Firewall Block logging if a firewall exists on the host. If you require additional visibility within your environment you can pass -FirewallAllow together with -Install, which enables both Block and Allow logging. If Block logging is already enabled but Allow logging is not, Poshim determines the current state and updates it accordingly.

-Silent – If you want no console output other than the module loading, add -Silent to your command. Actions are still logged to Event Viewer.
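Once a host has been set up with these options, it is worth confirming that the result matches what you asked for. The following is an added verification example, not Blumira's code; it assumes NXLog runs as the "nxlog" service and Sysmon as "Sysmon" or "Sysmon64", and checks the firewall logging state that -Install and -FirewallAllow are described as producing.

```powershell
# Added example (not Blumira's code): check a host after Blumira-Agent -Install.
# Service names are assumptions: NXLog as "nxlog", Sysmon as "Sysmon" or "Sysmon64".
function Test-PoshimHostState {
    param(
        [bool]$ExpectSysmon = $true,     # $false when -NoSysmon was used
        [switch]$ExpectFirewallAllow     # set when -FirewallAllow was used
    )
    $result = [ordered]@{}

    # NXLog must be present and running for anything to reach the sensor.
    $nxlog = Get-Service -Name 'nxlog' -ErrorAction SilentlyContinue
    $result.NXLogRunning = ($null -ne $nxlog -and $nxlog.Status -eq 'Running')

    # Sysmon may be installed under either service name.
    $sysmon = Get-Service -Name 'Sysmon', 'Sysmon64' -ErrorAction SilentlyContinue |
              Where-Object Status -eq 'Running' | Select-Object -First 1
    $result.SysmonRunning   = ($null -ne $sysmon)
    $result.SysmonAsExpected = ($result.SysmonRunning -eq $ExpectSysmon)

    # Poshim enables Block logging on enabled firewall profiles, and Allow
    # logging too when -FirewallAllow was passed. Check every enabled profile.
    $profiles = @(Get-NetFirewallProfile | Where-Object Enabled -eq 'True')
    $result.FirewallEnabled = ($profiles.Count -gt 0)
    $result.BlockLogging = @($profiles | Where-Object LogBlocked -eq 'True').Count -eq $profiles.Count
    $result.AllowLogging = @($profiles | Where-Object LogAllowed -eq 'True').Count -eq $profiles.Count
    $result.FirewallAsExpected = (-not $result.FirewallEnabled) -or
        ($result.BlockLogging -and ($result.AllowLogging -or -not $ExpectFirewallAllow))

    $result.Healthy = $result.NXLogRunning -and $result.SysmonAsExpected -and $result.FirewallAsExpected
    [pscustomobject]$result
}

# Example: after "Blumira-Agent -Install -FirewallAllow -Sensor A.B.C.D"
Test-PoshimHostState -ExpectFirewallAllow | Format-List
```

Run it from the same elevated prompt used for Poshim; a Healthy value of False points you at whichever of the three checks (NXLog, Sysmon, firewall logging) did not end up in the expected state.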

Uninstallation

Installing is great, but what if you need to clean up? This is a simple process that only requires you to decide whether you want to remove NXLog alone or NXLog and Sysmon.

If you do not want to uninstall Sysmon, include the -NoSysmon flag in the command.

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; . { iwr -useb http://dl.blumira.com/agent/poshim.ps1 }| iex; Blumira-Agent -Uninstall -Sysmon


Downloading and Local Installation – Expert Mode

While it’s great to have a one-liner to set up hosts from the internet, this can make things difficult in locked down environments.

For that reason, we have added a -Download mode that allows you to build the deployment for your own needs internally. All you have to do is define the -WorkingDirectory, which indicates where the files are to be written.

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; . { iwr -useb http://dl.blumira.com/agent/poshim.ps1 }| iex; Blumira-Agent -Download -WorkingDirectory "C:\Users\owen\Downloads\poshim_local"


Local Install – Following Download Mode

Once you have used the -Download mode, you now have the needed files to run the script in local mode only with no internet access.

Navigate to the folder where the files were dropped (in your shell, or however you approach this) and import the module, setting the execution policy first to ensure a successful run.

The UNC path should be changed to suit the needs of your environment.

Set-ExecutionPolicy Unrestricted; Import-Module \\Filehost\C\poshim\poshim.ps1
Set-ExecutionPolicy Unrestricted; Import-Module .\poshim.ps1   # if the files are local


Then run the locally loaded module with the same parameters you would use with the one-line command in the steps above.

The WorkingDirectory path should be changed to suit the needs of your environment as well as the Sensor IP address.

Blumira-Agent -Install -Sysmon -Configuration poshim_config.json -WorkingDirectory "C:\Users\owen\Downloads\" -Sensor A.B.C.D
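The download and local install steps above can be combined into one repeatable flow. The following is an added example, not Blumira's code: it stages the files to a share once, records the hash of poshim.ps1 at staging time, and has each target host verify that hash before importing the module. The share path, sensor address and recorded hash are placeholders you fill in, and the process-scoped execution policy is a deliberate narrowing of the Set-ExecutionPolicy Unrestricted shown above.

```powershell
# Added example (not Blumira's code): offline deployment built from the
# -Download, -WorkingDirectory and -Configuration options described above.
# $Share, $Sensor and $ExpectedSha256 are placeholders for your environment.
$Share  = '\\FILEHOST\C\poshim'          # staged with Blumira-Agent -Download
$Sensor = 'A.B.C.D'
$ExpectedSha256 = '<SHA256 of poshim.ps1 recorded when you staged the share>'

# Step 1 (run once, elevated, on a host that has internet access): stage the files.
function Stage-PoshimShare {
    # Add TLS 1.2 to the allowed protocols instead of replacing the whole set.
    [Net.ServicePointManager]::SecurityProtocol =
        [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12
    . { iwr -useb http://dl.blumira.com/agent/poshim.ps1 } | iex
    Blumira-Agent -Download -WorkingDirectory $Share
    # Record this hash as $ExpectedSha256 so targets can detect a tampered share copy.
    (Get-FileHash -Algorithm SHA256 (Join-Path $Share 'poshim.ps1')).Hash
}

# Step 2 (run on each target host, elevated): install without internet access.
function Install-PoshimFromShare {
    $script = Join-Path $Share 'poshim.ps1'
    $actual = (Get-FileHash -Algorithm SHA256 $script).Hash
    if ($actual -ne $ExpectedSha256) {
        throw "poshim.ps1 on $Share does not match the hash recorded at staging; aborting."
    }
    # Scope the policy change to this process rather than Unrestricted machine-wide.
    Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass -Force
    Import-Module $script
    # Same parameters as the local install command above; files come from the share.
    Blumira-Agent -Install -Sysmon -Configuration poshim_config.json `
        -WorkingDirectory $Share -Sensor $Sensor
}
```

Call Stage-PoshimShare on the staging host, paste its output into $ExpectedSha256, then run Install-PoshimFromShare on each target.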