Perch Log Shipper Install

Hello,

Has anyone deployed the Perch Log Shipper for MacOS? I am having some issues deploying it with their documented method. https://beta.perch.help/siem/perch-log-shipper-on-macos/.

curl 'https://cdn.perchsecurity.com/downloads/pls_install' | bash -s "perch-client-token-here"

I get the following result. Any help would be appreciated.

Page 1 / 1

you maybe better off capturing this with composer and deploying the pkg it creates

pkg will need script to load lauchdeamon

this the installer script you trying to run

echo "

                   *

                   ****,

                   ********,

                   .************

                   .****************

                    ********************.

                     ***********************.

                     ***************************,

                      *******************************

                       *********************************,

    ,,,,,,,,,,,,,,,,,,,,,************************************

      ,,,,,,,,,,,,,,,,,,,,**************************************(

       .,,,,,,,,,,,,,,,,,,,,************.                  .***((((((

         .,,,,,,,,,,,,,,,***********                         ((((((((((,

            ,,,,,,,,,,,**********        %%%%%%/            (((((*,,/(((((

              ,,,,,,,**********        %%%%%%%%%%%        (((((((((((((((((,

               ***,,*********,        %%%%%%%%%%%%/     .((((((((((((((((((((

            ****************.         ,%%%%%%%%%%%     (((((((((((((((((((((((

        .******************,            #%%%%%%%*    ,(((((((((((((((((((((((((

     **********************                         (((((((((((((((((((((((((((/

  *************************                       ,(((((((((((((((((((((((((((((

  *************************                      (((((((((((((((((((((((((((((((

         .*****************                     /(((((((((((((((((((((((((((((((

               ,************                  ,,/(((((((((((((((((((((((((((((((

               ,*************               .,,,,(((((((((((((((((((((((((((((((

                **************             ,,,,,,,(((((((((((((((((((((((((((((/

                ****************         .,,,,,,,,,,/((((((((((((((((((((((((((

                ,*****************      ,,,,,,,,,,,,,,,,,,,,,,,,,,     ,((((((

                 ******************** .,,,,,,,,,,,,,,,,,,,,,,,,          ((((

                  *******************     ,,,,,,,,,,,,,,,,                (

                   ****************,

                    **************

                     ***********.

                      *********

                       ******.

                         ***

"

echo "***************PERCH LOG SHIPPER***************"



if [ -z "$1" ]; then

echo "Enter TOKEN:"

read TOKEN

else

TOKEN=$1

fi



echo ""

echo ""

echo "Installing..."



curl "https://artifacts.elastic.co/downloads/beats/auditbeat/auditbeat-7.17.5-darwin-x86_64.tar.gz" -o auditbeat-7.17.5-darwin-x86_64.tar.gz

tar -zxvf auditbeat-7.17.5-darwin-x86_64.tar.gz auditbeat-7.17.5-darwin-x86_64/auditbeat

sudo mkdir /etc/PLS

sudo mv auditbeat-7.17.5-darwin-x86_64/auditbeat /etc/PLS

sudo rm -r auditbeat-7.17.5-darwin-x86_64

sudo rm auditbeat-7.17.5-darwin-x86_64.tar.gz



sudo echo "

auditbeat.modules:



- module: file_integrity

  paths:

  - /bin

  - /usr/bin

  - /usr/local/bin

  - /sbin

  - /usr/sbin

  - /usr/local/sbin



- module: system

  datasets:

    - host    # General host information, e.g. uptime, IPs

    - package # Installed, updated, and removed packages

    - process # Started and stopped processes



  state.period: 12h







processors:

  - add_host_metadata: ~



#================================ Custom Perch Output ============================



output.elasticsearch:

  hosts: ['ingest.perchsecurity.com:443/elastic']

  headers:

    X-Perch-Header: '$TOKEN'

  protocol: https

  compression_level: 5

  #path: /elastic

" > auditbeat.yml

sudo cp auditbeat.yml /etc/PLS

sudo rm auditbeat.yml

sudo chown root /etc/PLS/auditbeat.yml



sudo echo '

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<plist version="1.0">

<dict>

	<key>Label</key>

	<string>com.PLS</string>

	<key>ProgramArguments</key>

	<array>

		<string>sh</string>

		<string>-c</string>

		<string>/etc/PLS/auditbeat</string>

	</array>

	<key>RunAtLoad</key>

	<true/>

	<key>UserName</key>

	<string>root</string>

	<key>WorkingDirectory</key>

	<string>/etc/PLS</string>

</dict>

</plist>

' > com.PLS.plist

sudo cp com.PLS.plist /Library/LaunchDaemons

sudo rm com.PLS.plist

sudo launchctl load -w /Library/LaunchDaemons/com.PLS.plist

you maybe better off capturing this with composer and deploying the pkg it creates

pkg will need script to load lauchdeamon

this the installer script you trying to run

echo "

                   *

                   ****,

                   ********,

                   .************

                   .****************

                    ********************.

                     ***********************.

                     ***************************,

                      *******************************

                       *********************************,

    ,,,,,,,,,,,,,,,,,,,,,************************************

      ,,,,,,,,,,,,,,,,,,,,**************************************(

       .,,,,,,,,,,,,,,,,,,,,************.                  .***((((((

         .,,,,,,,,,,,,,,,***********                         ((((((((((,

            ,,,,,,,,,,,**********        %%%%%%/            (((((*,,/(((((

              ,,,,,,,**********        %%%%%%%%%%%        (((((((((((((((((,

               ***,,*********,        %%%%%%%%%%%%/     .((((((((((((((((((((

            ****************.         ,%%%%%%%%%%%     (((((((((((((((((((((((

        .******************,            #%%%%%%%*    ,(((((((((((((((((((((((((

     **********************                         (((((((((((((((((((((((((((/

  *************************                       ,(((((((((((((((((((((((((((((

  *************************                      (((((((((((((((((((((((((((((((

         .*****************                     /(((((((((((((((((((((((((((((((

               ,************                  ,,/(((((((((((((((((((((((((((((((

               ,*************               .,,,,(((((((((((((((((((((((((((((((

                **************             ,,,,,,,(((((((((((((((((((((((((((((/

                ****************         .,,,,,,,,,,/((((((((((((((((((((((((((

                ,*****************      ,,,,,,,,,,,,,,,,,,,,,,,,,,     ,((((((

                 ******************** .,,,,,,,,,,,,,,,,,,,,,,,,          ((((

                  *******************     ,,,,,,,,,,,,,,,,                (

                   ****************,

                    **************

                     ***********.

                      *********

                       ******.

                         ***

"

echo "***************PERCH LOG SHIPPER***************"



if [ -z "$1" ]; then

echo "Enter TOKEN:"

read TOKEN

else

TOKEN=$1

fi



echo ""

echo ""

echo "Installing..."



curl "https://artifacts.elastic.co/downloads/beats/auditbeat/auditbeat-7.17.5-darwin-x86_64.tar.gz" -o auditbeat-7.17.5-darwin-x86_64.tar.gz

tar -zxvf auditbeat-7.17.5-darwin-x86_64.tar.gz auditbeat-7.17.5-darwin-x86_64/auditbeat

sudo mkdir /etc/PLS

sudo mv auditbeat-7.17.5-darwin-x86_64/auditbeat /etc/PLS

sudo rm -r auditbeat-7.17.5-darwin-x86_64

sudo rm auditbeat-7.17.5-darwin-x86_64.tar.gz



sudo echo "

auditbeat.modules:



- module: file_integrity

  paths:

  - /bin

  - /usr/bin

  - /usr/local/bin

  - /sbin

  - /usr/sbin

  - /usr/local/sbin



- module: system

  datasets:

    - host    # General host information, e.g. uptime, IPs

    - package # Installed, updated, and removed packages

    - process # Started and stopped processes



  state.period: 12h







processors:

  - add_host_metadata: ~



#================================ Custom Perch Output ============================



output.elasticsearch:

  hosts: ['ingest.perchsecurity.com:443/elastic']

  headers:

    X-Perch-Header: '$TOKEN'

  protocol: https

  compression_level: 5

  #path: /elastic

" > auditbeat.yml

sudo cp auditbeat.yml /etc/PLS

sudo rm auditbeat.yml

sudo chown root /etc/PLS/auditbeat.yml



sudo echo '

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<plist version="1.0">

<dict>

	<key>Label</key>

	<string>com.PLS</string>

	<key>ProgramArguments</key>

	<array>

		<string>sh</string>

		<string>-c</string>

		<string>/etc/PLS/auditbeat</string>

	</array>

	<key>RunAtLoad</key>

	<true/>

	<key>UserName</key>

	<string>root</string>

	<key>WorkingDirectory</key>

	<string>/etc/PLS</string>

</dict>

</plist>

' > com.PLS.plist

sudo cp com.PLS.plist /Library/LaunchDaemons

sudo rm com.PLS.plist

sudo launchctl load -w /Library/LaunchDaemons/com.PLS.plist

Thanks, I will give that a shot.

Ever get anywhere with this?

Reply

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded