Hello,
Has anyone deployed the Perch Log Shipper for MacOS? I am having some issues deploying it with their documented method. https://beta.perch.help/siem/perch-log-shipper-on-macos/.
curl 'https://cdn.perchsecurity.com/downloads/pls_install' | bash -s "perch-client-token-here"
I get the following result. Any help would be appreciated.
you maybe better off capturing this with composer and deploying the pkg it creates
pkg will need script to load lauchdeamon
this the installer script you trying to run
echo "
*
****,
********,
.************
.****************
********************.
***********************.
***************************,
*******************************
*********************************,
,,,,,,,,,,,,,,,,,,,,,************************************
,,,,,,,,,,,,,,,,,,,,**************************************(
.,,,,,,,,,,,,,,,,,,,,************. .***((((((
.,,,,,,,,,,,,,,,*********** ((((((((((,
,,,,,,,,,,,********** %%%%%%/ (((((*,,/(((((
,,,,,,,********** %%%%%%%%%%% (((((((((((((((((,
***,,*********, %%%%%%%%%%%%/ .((((((((((((((((((((
****************. ,%%%%%%%%%%% (((((((((((((((((((((((
.******************, #%%%%%%%* ,(((((((((((((((((((((((((
********************** (((((((((((((((((((((((((((/
************************* ,(((((((((((((((((((((((((((((
************************* (((((((((((((((((((((((((((((((
.***************** /(((((((((((((((((((((((((((((((
,************ ,,/(((((((((((((((((((((((((((((((
,************* .,,,,(((((((((((((((((((((((((((((((
************** ,,,,,,,(((((((((((((((((((((((((((((/
**************** .,,,,,,,,,,/((((((((((((((((((((((((((
,***************** ,,,,,,,,,,,,,,,,,,,,,,,,,, ,((((((
******************** .,,,,,,,,,,,,,,,,,,,,,,,, ((((
******************* ,,,,,,,,,,,,,,,, (
****************,
**************
***********.
*********
******.
***
"
echo "***************PERCH LOG SHIPPER***************"
if [ -z "$1" ]; then
echo "Enter TOKEN:"
read TOKEN
else
TOKEN=$1
fi
echo ""
echo ""
echo "Installing..."
curl "https://artifacts.elastic.co/downloads/beats/auditbeat/auditbeat-7.17.5-darwin-x86_64.tar.gz" -o auditbeat-7.17.5-darwin-x86_64.tar.gz
tar -zxvf auditbeat-7.17.5-darwin-x86_64.tar.gz auditbeat-7.17.5-darwin-x86_64/auditbeat
sudo mkdir /etc/PLS
sudo mv auditbeat-7.17.5-darwin-x86_64/auditbeat /etc/PLS
sudo rm -r auditbeat-7.17.5-darwin-x86_64
sudo rm auditbeat-7.17.5-darwin-x86_64.tar.gz
sudo echo "
auditbeat.modules:
- module: file_integrity
paths:
- /bin
- /usr/bin
- /usr/local/bin
- /sbin
- /usr/sbin
- /usr/local/sbin
- module: system
datasets:
- host # General host information, e.g. uptime, IPs
- package # Installed, updated, and removed packages
- process # Started and stopped processes
state.period: 12h
processors:
- add_host_metadata: ~
#================================ Custom Perch Output ============================
output.elasticsearch:
hosts: ['ingest.perchsecurity.com:443/elastic']
headers:
X-Perch-Header: '$TOKEN'
protocol: https
compression_level: 5
#path: /elastic
" > auditbeat.yml
sudo cp auditbeat.yml /etc/PLS
sudo rm auditbeat.yml
sudo chown root /etc/PLS/auditbeat.yml
sudo echo '
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>com.PLS</string>
<key>ProgramArguments</key>
<array>
<string>sh</string>
<string>-c</string>
<string>/etc/PLS/auditbeat</string>
</array>
<key>RunAtLoad</key>
<true/>
<key>UserName</key>
<string>root</string>
<key>WorkingDirectory</key>
<string>/etc/PLS</string>
</dict>
</plist>
' > com.PLS.plist
sudo cp com.PLS.plist /Library/LaunchDaemons
sudo rm com.PLS.plist
sudo launchctl load -w /Library/LaunchDaemons/com.PLS.plist
you maybe better off capturing this with composer and deploying the pkg it creates
pkg will need script to load lauchdeamon
this the installer script you trying to run
echo "
*
****,
********,
.************
.****************
********************.
***********************.
***************************,
*******************************
*********************************,
,,,,,,,,,,,,,,,,,,,,,************************************
,,,,,,,,,,,,,,,,,,,,**************************************(
.,,,,,,,,,,,,,,,,,,,,************. .***((((((
.,,,,,,,,,,,,,,,*********** ((((((((((,
,,,,,,,,,,,********** %%%%%%/ (((((*,,/(((((
,,,,,,,********** %%%%%%%%%%% (((((((((((((((((,
***,,*********, %%%%%%%%%%%%/ .((((((((((((((((((((
****************. ,%%%%%%%%%%% (((((((((((((((((((((((
.******************, #%%%%%%%* ,(((((((((((((((((((((((((
********************** (((((((((((((((((((((((((((/
************************* ,(((((((((((((((((((((((((((((
************************* (((((((((((((((((((((((((((((((
.***************** /(((((((((((((((((((((((((((((((
,************ ,,/(((((((((((((((((((((((((((((((
,************* .,,,,(((((((((((((((((((((((((((((((
************** ,,,,,,,(((((((((((((((((((((((((((((/
**************** .,,,,,,,,,,/((((((((((((((((((((((((((
,***************** ,,,,,,,,,,,,,,,,,,,,,,,,,, ,((((((
******************** .,,,,,,,,,,,,,,,,,,,,,,,, ((((
******************* ,,,,,,,,,,,,,,,, (
****************,
**************
***********.
*********
******.
***
"
echo "***************PERCH LOG SHIPPER***************"
if [ -z "$1" ]; then
echo "Enter TOKEN:"
read TOKEN
else
TOKEN=$1
fi
echo ""
echo ""
echo "Installing..."
curl "https://artifacts.elastic.co/downloads/beats/auditbeat/auditbeat-7.17.5-darwin-x86_64.tar.gz" -o auditbeat-7.17.5-darwin-x86_64.tar.gz
tar -zxvf auditbeat-7.17.5-darwin-x86_64.tar.gz auditbeat-7.17.5-darwin-x86_64/auditbeat
sudo mkdir /etc/PLS
sudo mv auditbeat-7.17.5-darwin-x86_64/auditbeat /etc/PLS
sudo rm -r auditbeat-7.17.5-darwin-x86_64
sudo rm auditbeat-7.17.5-darwin-x86_64.tar.gz
sudo echo "
auditbeat.modules:
- module: file_integrity
paths:
- /bin
- /usr/bin
- /usr/local/bin
- /sbin
- /usr/sbin
- /usr/local/sbin
- module: system
datasets:
- host # General host information, e.g. uptime, IPs
- package # Installed, updated, and removed packages
- process # Started and stopped processes
state.period: 12h
processors:
- add_host_metadata: ~
#================================ Custom Perch Output ============================
output.elasticsearch:
hosts: ['ingest.perchsecurity.com:443/elastic']
headers:
X-Perch-Header: '$TOKEN'
protocol: https
compression_level: 5
#path: /elastic
" > auditbeat.yml
sudo cp auditbeat.yml /etc/PLS
sudo rm auditbeat.yml
sudo chown root /etc/PLS/auditbeat.yml
sudo echo '
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>com.PLS</string>
<key>ProgramArguments</key>
<array>
<string>sh</string>
<string>-c</string>
<string>/etc/PLS/auditbeat</string>
</array>
<key>RunAtLoad</key>
<true/>
<key>UserName</key>
<string>root</string>
<key>WorkingDirectory</key>
<string>/etc/PLS</string>
</dict>
</plist>
' > com.PLS.plist
sudo cp com.PLS.plist /Library/LaunchDaemons
sudo rm com.PLS.plist
sudo launchctl load -w /Library/LaunchDaemons/com.PLS.plist
Thanks, I will give that a shot.
Thanks, I will give that a shot.
Ever get anywhere with this?
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.