Cloud SIEM & Threat Detection for Microsoft Windows Server

Cloud SIEM for Microsoft Windows Server

Click here for the most updated version of this documentation.

Blumira integrates with Microsoft Windows operating systems to provide automated threat detection and actionable response. Blumira supports the following Microsoft Windows Server operating systems:

Windows Server 2019

Windows Server 2016

Windows Server 2012R2

Windows Server 2012

Blumira provides broad coverage for Windows Server including collecting logs and recommends using NXLog, Command Line Logging, DNS Debugging and Winlogbeat.

Recommended: Automated Windows Setup

We recommend using Blumira’s automated Windows log setup agent, Poshim (PowerShell Shim), designed to help ensure you’re collecting the right data from hosts across your entire environment. Poshim handles the installation and configuration for NXLog and Sysmon to ship logs over Sysmon to a targeted IP.

Note: This recommended setup using Poshim requires Windows Server 2012 R2 and above.

If using Poshim, nothing further is needed on this page. For manual configuration, continue reading below.

NXLog for Windows Setup

NXLog is a multi-platform log management tool that helps to easily identify security risks, policy breaches or analyze operational problems in server logs, operation system logs and application logs. In concept, NXLog is similar to syslog-ng or Rsyslog, but it is not limited to UNIX and syslog only.

Setting up a Standard Host

Download and install the newest stable NXLog Community Edition.
Download Blumira’s nxlog template by right clicking this link and save as to download: https://raw.githubusercontent.com/Blumira/Flowmira/master/nxlog.conf
(You can subscribe to updates of the Blumira’s nxlog template here: https://github.com/Blumira/Flowmira/blob/master/nxlog.conf )
Replace C:\Program Files (x86)\nxlog\conf\nxlog.conf with the Blumira nxlog configuration file downloaded
Open the configuration file for editing as an administrator replace A.B.C.D. with the actual IP address of the Blumira Sensor at line 56. The edited line should look like this:
```
define SIEM 10.11.12.13
```
Save the configuration file.
Open Windows Services and restart the NXLog service. You can also run net start nxlog to start the service in an administrator command prompt.
Set nxlog to a delayed start using services.msc. You can also run sc config nxlog start=delayed-auto
Log into Blumira platforn and verify that you are receiving NXLog events by navigating to the Settings > Sensors > Logging Devices page or look at your Security dashboard.

Enabling Additional Logging

See Advanced Microsoft Logging for our recommended Windows logging GPO settings.
If there are additional logging files beyond what is covered here, you will need to specify them as channels in the nxlog.conf.

If you are using Windows 2003

Stop using Windows 2003. If not possible…
You should use this configuration instead of the configuration described above: https://storage.googleapis.com/blumira-shipping-configurations/nxlog/nxlog_2003.conf
It can be placed in the same location, assuming you are using x86 version of Windows 2003, C:\Program Files\nxlog\conf\nxlog.conf.
This configuration strips out a number of features that the 2008+ version has. We strongly recommend using the latest version of Sysmon that supports Windows 2003 to fill in the holes that are lost due to the Windows 2003 event log not being very verbose.
You do not need to set up any additional logging on the host, no additional steps are required beyond the hardening guide.
Please reach out to [email protected] for our Windows 2003 hardening and visibility guide.

Microsoft Windows Server

Cloud SIEM for Microsoft Windows Server

Recommended: Automated Windows Setup

Sign Up For Your Free Account Today

NXLog for Windows Setup

Setting up a Standard Host

Enabling Additional Logging

If you are using Windows 2003

Contact Sales

Reach Out