Using Poshim

Basic use of Poshim is simple: it only requires you to run one PowerShell command on each host. That command can be run once, or repeatedly from a scheduled task.

When run on a host that has already been set up by Poshim, it updates the running Sysmon and NXLog configurations to the latest "best visibility" configurations crafted by Blumira. By default, Poshim installs Sysmon on the host using the latest known-good stable version.

Important: All of these commands must be run from an elevated PowerShell prompt. Remember to include the “.” before the “{ iwr” part of the command or you will get an error message about how Blumira-Agent is not found.

If the host has the Windows Firewall enabled, Poshim automatically enables firewall logging to the log file and configures NXLog to ingest that file from the host.

Warning: Using patch manager software, like Patch Manager Plus, to update Windows hosts will disrupt the running NXLog service on the hosts and cause logging to stop. Either avoid using patch manager software to update Poshim or update Poshim manually on each host.

Installing

Older Windows PowerShell builds negotiate TLS 1.0 by default, so the protocol must be switched to TLS 1.2 before the script is fetched. The installation command below includes this change; it is safe on all versions of Windows from Server 2012 onward and may work on 2008 R2 depending on the PowerShell version installed.

If you have no older machines in your environment, the protocol prefix can be omitted for a shorter command. Using the full command below unchanged across a mixed environment gives the best result without having to tailor it per host. Change the Sensor IP address (A.B.C.D) to suit your environment.

Note that the command downloads poshim.ps1 and pipes it straight into iex, so whatever is served at that URL runs immediately with elevated rights. If your change control requires reviewing what runs on a host, use the -Download mode described later on this page and install from a vetted local copy.

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; . { iwr -useb http://dl.blumira.com/agent/poshim.ps1 }| iex; Blumira-Agent -Install -Sensor A.B.C.D

Tip: If you are getting errors that Blumira-Agent is an unknown module make sure your command has a single dot between ...Tls12; and { iwr....  It should look like this: ...Tls12; . { iwr ...

Afterwards, set the NXLog service to delayed automatic start, so that it starts after the network stack is up at boot, by running the following command. Note that sc.exe requires the space after "start=":

sc.exe config nxlog start= delayed-auto
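As an added example (not Blumira's code and not part of the original page), the following PowerShell checks the state this section expects after an install: the nxlog service running and set to delayed-auto, a Sysmon service (Sysmon or Sysmon64) with recent events in its operational channel, and per-profile Windows Firewall logging. The service names and the Sysmon channel name are assumptions from standard Sysmon and NXLog deployments; the only change the script makes is applying the delayed-auto setting if it is missing.

```powershell
# Added example (not Blumira's code): post-install checks for a Poshim-managed host.
# Assumes the service names "nxlog" and "Sysmon"/"Sysmon64" and the standard Sysmon
# event channel; adjust if your deployment differs. Run from an elevated prompt.

function Test-IsElevated {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    (New-Object Security.Principal.WindowsPrincipal $id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-PoshimHostStatus {
    [CmdletBinding()]
    param()

    if (-not (Test-IsElevated)) { throw "Run this from an elevated PowerShell prompt." }

    # NXLog: must exist, be running, and start delayed-auto. Win32_Service only reports
    # "Auto", so the delayed flag is read from "sc.exe qc" output instead.
    $nxlog   = Get-Service -Name nxlog -ErrorAction SilentlyContinue
    $qc      = & sc.exe qc nxlog 2>$null
    $delayed = (($qc -join "`n") -match 'AUTO_START\s+\(DELAYED\)')

    # Sysmon: the service is "Sysmon" or "Sysmon64" depending on which binary was installed.
    $sysmon = Get-Service -Name Sysmon, Sysmon64 -ErrorAction SilentlyContinue | Select-Object -First 1
    $sysmonName   = if ($sysmon) { $sysmon.Name } else { $null }
    $recentSysmon = 0
    if ($sysmon) {
        # Count events from the last 15 minutes; a healthy host is never silent that long.
        $recentSysmon = @(Get-WinEvent -FilterHashtable @{
            LogName   = 'Microsoft-Windows-Sysmon/Operational'
            StartTime = (Get-Date).AddMinutes(-15)
        } -MaxEvents 500 -ErrorAction SilentlyContinue).Count
    }

    # Windows Firewall: Poshim enables Block logging (and Allow logging with -FirewallAllow)
    # per profile, so report each profile to make a half-configured host obvious.
    # The properties are GpoBoolean enums (True/False/NotConfigured), hence the string compare.
    $fw = Get-NetFirewallProfile | ForEach-Object {
        [pscustomobject]@{
            Profile    = $_.Name
            Enabled    = ($_.Enabled    -eq 'True')
            LogBlocked = ($_.LogBlocked -eq 'True')
            LogAllowed = ($_.LogAllowed -eq 'True')
            LogFile    = $_.LogFileName
        }
    }

    [pscustomobject]@{
        NXLogRunning      = [bool]($nxlog -and $nxlog.Status -eq 'Running')
        NXLogDelayedAuto  = $delayed
        SysmonService     = $sysmonName
        SysmonEvents15min = $recentSysmon
        Firewall          = $fw
    }
}

$status = Get-PoshimHostStatus
$status | Format-List NXLogRunning, NXLogDelayedAuto, SysmonService, SysmonEvents15min
$status.Firewall | Format-Table -AutoSize

# Apply the one manual step this page asks for, if it has not been done yet.
if ($status.NXLogRunning -and -not $status.NXLogDelayedAuto) {
    & sc.exe config nxlog start= delayed-auto | Out-Null
}
```

Run it after the install command on a host, or push it through the same scheduled task mechanism you use for Poshim itself; a host with NXLogRunning false or zero recent Sysmon events is one whose logs are not reaching the sensor.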

Options and advanced use

Poshim has a number of options that let users be more self-sufficient. Each flag below is appended to the install command above.

Flag Description
-NoSysmon Prevents Poshim from installing (with -Install) or removing (with -Uninstall) Sysmon. As of 2021-11-05, Blumira deploys Sysmon by default to ensure the best visibility across Windows hosts.
-Sensor As seen above, required when -Install is used. Poshim tests connectivity to the given sensor address and writes it into the NXLog configuration.
-Configuration By default the configuration is pulled from https://dl.blumira.com/agent/poshim_config.json. You can override this with your own locally or remotely hosted configuration, for example -Configuration \\FILEHOST\C\poshim\config.json or another remote location.
-AdditionalLogs Loads additional event logs selected by fuzzy text match on the log name. For example, to add all Hyper-V and SentinelOne logs, pass -AdditionalLogs "HyperV,SentinelOne".
Tip: Quote the value if you list more than one log.
-NXLogExtras Selects optional NXLog ingestors. Two are currently provided: -NXLogExtras "fw_514_syslog,iis_514_im_file" loads the Windows Firewall syslog ingestor and the IIS file-based ingestor. You can also add your own complete route blocks (Input, Route and Output) to your own configuration as base64-encoded text.
Note: If the firewall is detected as enabled, the script loads fw_514_syslog automatically without any changes on your part.
-WorkingDirectory Stores all files locally in the directory you specify. Poshim expects to find files there whose names match the configuration in use. This is normally paired with a local configuration and with -Download mode, which prepares the local files.
-FirewallAllow By default, Poshim enables Windows Firewall Block logging if a firewall exists on the host. Pass -FirewallAllow together with -Install to enable both Block and Allow logging. If Block logging is already enabled but Allow is not, Poshim detects the current state and enables only what is missing.
-Silent Suppresses console output other than the module loading message. Actions are still written to the Windows Event Log.
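As an added example that is not from this page or from Blumira, the PowerShell below builds a custom NXLog Input/Route/Output block of the kind the -NXLogExtras row describes, base64-encodes it, and checks that the decoded block's Route refers to the Input and Output it defines. The block names, the IIS log path, the sensor address, the om_tcp transport and TCP port 514 are assumptions; how the encoded block is keyed into poshim_config.json is not documented on this page, so that step is left to your configuration.

```powershell
# Added example (not Blumira's code): craft and base64-encode a full NXLog route block.
# Assumptions: om_tcp to the sensor on 514/TCP, an IIS W3C log path, and block names of
# the form in_/out_/r_<name>. Where the encoded text goes in poshim_config.json is not
# described on this page.

function New-NXLogFileRoute {
    param(
        [Parameter(Mandatory)][string]$Name,    # suffix used for the Input/Output/Route names
        [Parameter(Mandatory)][string]$File,    # im_file glob; NXLog wants backslashes doubled
        [Parameter(Mandatory)][string]$Sensor,
        [int]$Port = 514
    )
    $escaped = $File.Replace('\', '\\')   # literal string replace, not regex
@"
<Input in_$Name>
    Module  im_file
    File    "$escaped"
    SavePos TRUE
</Input>

<Output out_$Name>
    Module  om_tcp
    Host    $Sensor
    Port    $Port
</Output>

<Route r_$Name>
    Path    in_$Name => out_$Name
</Route>
"@
}

function ConvertTo-Base64Block([string]$Text) {
    [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Text))
}

function Test-NXLogRouteBlock([string]$Base64) {
    # Decode and confirm the Route's Path names exactly the Input and Output in the block,
    # which is the mistake that most often leaves a custom extra silently routing nothing.
    $conf = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($Base64))
    $in   = [regex]::Match($conf, '<Input\s+(\S+)>').Groups[1].Value
    $out  = [regex]::Match($conf, '<Output\s+(\S+)>').Groups[1].Value
    $path = [regex]::Match($conf, 'Path\s+(\S+)\s*=>\s*(\S+)')
    [bool]($in -and $out -and $path.Success -and
        $path.Groups[1].Value -eq $in -and $path.Groups[2].Value -eq $out)
}

$block   = New-NXLogFileRoute -Name iis -File 'C:\inetpub\logs\LogFiles\W3SVC1\u_ex*.log' -Sensor A.B.C.D
$encoded = ConvertTo-Base64Block $block

$block                          # the plain-text block, for review
$encoded                        # the value to place in your configuration
Test-NXLogRouteBlock $encoded   # True when the in/route/out names line up
```

Keep the decoded plain text alongside the encoded value in source control; the base64 form is convenient for embedding in JSON but hides typos in module names and paths, which the round-trip check above only partly catches.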

Uninstalling

Uninstalling is a simple process that only requires you to decide whether to remove NXLog alone or NXLog and Sysmon.

Tip: If you do not want to uninstall Sysmon, you can add the -NoSysmon flag to the command.

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; . { iwr -useb http://dl.blumira.com/agent/poshim.ps1 }| iex; Blumira-Agent -Uninstall

Downloading and local installation – expert mode

While it’s great to have a one-liner to set up hosts from the internet, this can make things difficult in locked down environments. Therefore, we provide a -Download mode that allows you to build this internally.

Important: To use this mode, you must define the -WorkingDirectory (the quoted file path in the example below) to indicate where to write the files.

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; . { iwr -useb http://dl.blumira.com/agent/poshim.ps1 }| iex; Blumira-Agent -Download -WorkingDirectory "C:\Users\owen\Downloads\poshim_local"

Local install following Download mode

After you have used the -Download mode, you can run the script in local mode only with no internet access.

To run the script:

  1. Navigate to the folder where the files were written (in your shell, or however you approach this) and import the module.
    Note: You must set the execution policy first, and change the UNC or local path to suit your environment. Limiting the policy change to the current process with the -Scope Process parameter of Set-ExecutionPolicy avoids leaving the machine-wide policy at Unrestricted.

    Set-ExecutionPolicy Unrestricted; Import-Module \\Filehost\C\poshim\poshim.ps1
    Set-ExecutionPolicy Unrestricted; Import-Module .\poshim.ps1    (if the files are local)
  2. Run the locally loaded module and execute on the script itself as seen in the steps below.
    Note: You must change the WorkingDirectory path and Sensor IP address to suit your environment. The WorkingDirectory must be the directory that -Download wrote the files to.

    Blumira-Agent -Install -Sysmon -Configuration poshim_config.json -WorkingDirectory "C:\Users\owen\Downloads\" -Sensor A.B.C.D
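The two steps above, as one script that is an added example rather than Blumira's own code: it refuses to run unless the prompt is elevated, unless both files from -Download are present, and unless poshim.ps1 still matches a SHA-256 hash you recorded after reviewing that copy, and it relaxes the execution policy for the current process only. The working directory, sensor address and hash are placeholders; Blumira-Agent and its parameters, including -Sysmon, are taken from the command on this page.

```powershell
# Added example (not Blumira's code): offline install from the files -Download wrote,
# with the script pinned to a SHA-256 hash recorded after vetting that copy.
# Placeholders: the working directory, sensor address and hash. Blumira-Agent and its
# parameters are those shown on this page. Save as a .ps1 and run elevated.
param(
    [string]$WorkingDirectory = 'C:\Users\owen\Downloads\poshim_local',
    [string]$Sensor           = 'A.B.C.D',
    [string]$ExpectedSha256   = 'PASTE-THE-SHA256-YOU-RECORDED-AFTER-DOWNLOAD'
)

$ErrorActionPreference = 'Stop'

# Every Poshim command needs an elevated prompt; fail early rather than half-way through.
$principal = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell prompt.'
}

# -Download must have left both the script and the configuration in the working directory.
$script = Join-Path $WorkingDirectory 'poshim.ps1'
$config = Join-Path $WorkingDirectory 'poshim_config.json'
foreach ($f in @($script, $config)) {
    if (-not (Test-Path -LiteralPath $f)) { throw "Missing $f; re-run Blumira-Agent -Download first." }
}

# Supply-chain check: this is code about to run as administrator from a share or download
# folder, so refuse to execute it if it no longer matches the copy you reviewed.
$actual = (Get-FileHash -LiteralPath $script -Algorithm SHA256).Hash
if ($actual -ne $ExpectedSha256.ToUpperInvariant()) {
    throw "poshim.ps1 hash $actual does not match the pinned value; not running it."
}

# Relax the execution policy for this process only instead of setting Unrestricted machine-wide.
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass -Force
Import-Module $script

# Same invocation as the local-mode command on this page, with the placeholders filled in.
Blumira-Agent -Install -Sysmon -Configuration 'poshim_config.json' -WorkingDirectory $WorkingDirectory -Sensor $Sensor

# Finish with the post-install step from the Installing section and show the result.
& sc.exe config nxlog start= delayed-auto | Out-Null
Get-Service -Name nxlog | Select-Object Name, Status, StartType
```

Record the hash with Get-FileHash immediately after a successful -Download and store it with your deployment tooling, not on the same share as poshim.ps1; a hash that travels with the file it protects proves nothing.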