+3Hello,
Has anyone deployed the Perch Log Shipper for MacOS? I am having some issues deploying it with their documented method. https://beta.perch.help/siem/perch-log-shipper-on-macos/.
curl 'https://cdn.perchsecurity.com/downloads/pls_install' | bash -s "perch-client-token-here"
I get the following result. Any help would be appreciated.
+17you maybe better off capturing this with composer and deploying the pkg it creates
pkg will need script to load lauchdeamon
this the installer script you trying to run
echo "
*
****,
********,
.************
.****************
********************.
***********************.
***************************,
*******************************
*********************************,
,,,,,,,,,,,,,,,,,,,,,************************************
,,,,,,,,,,,,,,,,,,,,**************************************(
.,,,,,,,,,,,,,,,,,,,,************. .***((((((
.,,,,,,,,,,,,,,,*********** ((((((((((,
,,,,,,,,,,,********** %%%%%%/ (((((*,,/(((((
,,,,,,,********** %%%%%%%%%%% (((((((((((((((((,
***,,*********, %%%%%%%%%%%%/ .((((((((((((((((((((
****************. ,%%%%%%%%%%% (((((((((((((((((((((((
.******************, #%%%%%%%* ,(((((((((((((((((((((((((
********************** (((((((((((((((((((((((((((/
************************* ,(((((((((((((((((((((((((((((
************************* (((((((((((((((((((((((((((((((
.***************** /(((((((((((((((((((((((((((((((
,************ ,,/(((((((((((((((((((((((((((((((
,************* .,,,,(((((((((((((((((((((((((((((((
************** ,,,,,,,(((((((((((((((((((((((((((((/
**************** .,,,,,,,,,,/((((((((((((((((((((((((((
,***************** ,,,,,,,,,,,,,,,,,,,,,,,,,, ,((((((
******************** .,,,,,,,,,,,,,,,,,,,,,,,, ((((
******************* ,,,,,,,,,,,,,,,, (
****************,
**************
***********.
*********
******.
***
"
echo "***************PERCH LOG SHIPPER***************"
if [ -z "$1" ]; then
echo "Enter TOKEN:"
read TOKEN
else
TOKEN=$1
fi
echo ""
echo ""
echo "Installing..."
curl "https://artifacts.elastic.co/downloads/beats/auditbeat/auditbeat-7.17.5-darwin-x86_64.tar.gz" -o auditbeat-7.17.5-darwin-x86_64.tar.gz
tar -zxvf auditbeat-7.17.5-darwin-x86_64.tar.gz auditbeat-7.17.5-darwin-x86_64/auditbeat
sudo mkdir /etc/PLS
sudo mv auditbeat-7.17.5-darwin-x86_64/auditbeat /etc/PLS
sudo rm -r auditbeat-7.17.5-darwin-x86_64
sudo rm auditbeat-7.17.5-darwin-x86_64.tar.gz
sudo echo "
auditbeat.modules:
- module: file_integrity
paths:
- /bin
- /usr/bin
- /usr/local/bin
- /sbin
- /usr/sbin
- /usr/local/sbin
- module: system
datasets:
- host # General host information, e.g. uptime, IPs
- package # Installed, updated, and removed packages
- process # Started and stopped processes
state.period: 12h
processors:
- add_host_metadata: ~
#================================ Custom Perch Output ============================
output.elasticsearch:
hosts: ['ingest.perchsecurity.com:443/elastic']
headers:
X-Perch-Header: '$TOKEN'
protocol: https
compression_level: 5
#path: /elastic
" > auditbeat.yml
sudo cp auditbeat.yml /etc/PLS
sudo rm auditbeat.yml
sudo chown root /etc/PLS/auditbeat.yml
sudo echo '
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>com.PLS</string>
<key>ProgramArguments</key>
<array>
<string>sh</string>
<string>-c</string>
<string>/etc/PLS/auditbeat</string>
</array>
<key>RunAtLoad</key>
<true/>
<key>UserName</key>
<string>root</string>
<key>WorkingDirectory</key>
<string>/etc/PLS</string>
</dict>
</plist>
' > com.PLS.plist
sudo cp com.PLS.plist /Library/LaunchDaemons
sudo rm com.PLS.plist
sudo launchctl load -w /Library/LaunchDaemons/com.PLS.plist
+3you maybe better off capturing this with composer and deploying the pkg it creates
pkg will need script to load lauchdeamon
this the installer script you trying to run
echo "
*
****,
********,
.************
.****************
********************.
***********************.
***************************,
*******************************
*********************************,
,,,,,,,,,,,,,,,,,,,,,************************************
,,,,,,,,,,,,,,,,,,,,**************************************(
.,,,,,,,,,,,,,,,,,,,,************. .***((((((
.,,,,,,,,,,,,,,,*********** ((((((((((,
,,,,,,,,,,,********** %%%%%%/ (((((*,,/(((((
,,,,,,,********** %%%%%%%%%%% (((((((((((((((((,
***,,*********, %%%%%%%%%%%%/ .((((((((((((((((((((
****************. ,%%%%%%%%%%% (((((((((((((((((((((((
.******************, #%%%%%%%* ,(((((((((((((((((((((((((
********************** (((((((((((((((((((((((((((/
************************* ,(((((((((((((((((((((((((((((
************************* (((((((((((((((((((((((((((((((
.***************** /(((((((((((((((((((((((((((((((
,************ ,,/(((((((((((((((((((((((((((((((
,************* .,,,,(((((((((((((((((((((((((((((((
************** ,,,,,,,(((((((((((((((((((((((((((((/
**************** .,,,,,,,,,,/((((((((((((((((((((((((((
,***************** ,,,,,,,,,,,,,,,,,,,,,,,,,, ,((((((
******************** .,,,,,,,,,,,,,,,,,,,,,,,, ((((
******************* ,,,,,,,,,,,,,,,, (
****************,
**************
***********.
*********
******.
***
"
echo "***************PERCH LOG SHIPPER***************"
if [ -z "$1" ]; then
echo "Enter TOKEN:"
read TOKEN
else
TOKEN=$1
fi
echo ""
echo ""
echo "Installing..."
curl "https://artifacts.elastic.co/downloads/beats/auditbeat/auditbeat-7.17.5-darwin-x86_64.tar.gz" -o auditbeat-7.17.5-darwin-x86_64.tar.gz
tar -zxvf auditbeat-7.17.5-darwin-x86_64.tar.gz auditbeat-7.17.5-darwin-x86_64/auditbeat
sudo mkdir /etc/PLS
sudo mv auditbeat-7.17.5-darwin-x86_64/auditbeat /etc/PLS
sudo rm -r auditbeat-7.17.5-darwin-x86_64
sudo rm auditbeat-7.17.5-darwin-x86_64.tar.gz
sudo echo "
auditbeat.modules:
- module: file_integrity
paths:
- /bin
- /usr/bin
- /usr/local/bin
- /sbin
- /usr/sbin
- /usr/local/sbin
- module: system
datasets:
- host # General host information, e.g. uptime, IPs
- package # Installed, updated, and removed packages
- process # Started and stopped processes
state.period: 12h
processors:
- add_host_metadata: ~
#================================ Custom Perch Output ============================
output.elasticsearch:
hosts: ['ingest.perchsecurity.com:443/elastic']
headers:
X-Perch-Header: '$TOKEN'
protocol: https
compression_level: 5
#path: /elastic
" > auditbeat.yml
sudo cp auditbeat.yml /etc/PLS
sudo rm auditbeat.yml
sudo chown root /etc/PLS/auditbeat.yml
sudo echo '
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>com.PLS</string>
<key>ProgramArguments</key>
<array>
<string>sh</string>
<string>-c</string>
<string>/etc/PLS/auditbeat</string>
</array>
<key>RunAtLoad</key>
<true/>
<key>UserName</key>
<string>root</string>
<key>WorkingDirectory</key>
<string>/etc/PLS</string>
</dict>
</plist>
' > com.PLS.plist
sudo cp com.PLS.plist /Library/LaunchDaemons
sudo rm com.PLS.plist
sudo launchctl load -w /Library/LaunchDaemons/com.PLS.plist
Thanks, I will give that a shot.
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.
