Perch Log Shipper Install

kevinthegreat
New Contributor

Hello,

Has anyone deployed the Perch Log Shipper for macOS? I am having some issues deploying it with their documented method. https://beta.perch.help/siem/perch-log-shipper-on-macos/

curl 'https://cdn.perchsecurity.com/downloads/pls_install' | bash -s "perch-client-token-here"

I get the following result. Any help would be appreciated.

[screenshot of the result: kevinthegreat_0-1684501895820.png]

3 REPLIES

jamf-42
Valued Contributor II

You may be better off capturing this with Composer and deploying the pkg it creates.

The pkg will need a script to load the LaunchDaemon.

This is the installer script you're trying to run:


echo "
                   *
                   ****,
                   ********,
                   .************
                   .****************
                    ********************.
                     ***********************.
                     ***************************,
                      *******************************
                       *********************************,
    ,,,,,,,,,,,,,,,,,,,,,************************************
      ,,,,,,,,,,,,,,,,,,,,**************************************(
       .,,,,,,,,,,,,,,,,,,,,************.                  .***((((((
         .,,,,,,,,,,,,,,,***********                         ((((((((((,
            ,,,,,,,,,,,**********        %%%%%%/            (((((*,,/(((((
              ,,,,,,,**********        %%%%%%%%%%%        (((((((((((((((((,
               ***,,*********,        %%%%%%%%%%%%/     .((((((((((((((((((((
            ****************.         ,%%%%%%%%%%%     (((((((((((((((((((((((
        .******************,            #%%%%%%%*    ,(((((((((((((((((((((((((
     **********************                         (((((((((((((((((((((((((((/
  *************************                       ,(((((((((((((((((((((((((((((
  *************************                      (((((((((((((((((((((((((((((((
         .*****************                     /(((((((((((((((((((((((((((((((
               ,************                  ,,/(((((((((((((((((((((((((((((((
               ,*************               .,,,,(((((((((((((((((((((((((((((((
                **************             ,,,,,,,(((((((((((((((((((((((((((((/
                ****************         .,,,,,,,,,,/((((((((((((((((((((((((((
                ,*****************      ,,,,,,,,,,,,,,,,,,,,,,,,,,     ,((((((
                 ******************** .,,,,,,,,,,,,,,,,,,,,,,,,          ((((
                  *******************     ,,,,,,,,,,,,,,,,                (
                   ****************,
                    **************
                     ***********.
                      *********
                       ******.
                         ***
"
echo "***************PERCH LOG SHIPPER***************"

# The token is the argument passed to "bash -s". With no argument the prompt
# must read from the terminal: a bare "read TOKEN" would consume the next line
# of the script itself when the script is piped into bash.
if [ -z "$1" ]; then
echo "Enter TOKEN:"
read TOKEN < /dev/tty
else
TOKEN=$1
fi

set -e   # stop at the first failed step instead of loading a half-installed daemon

echo ""
echo ""
echo "Installing..."

# Intel build of auditbeat 7.17.5 (runs under Rosetta on Apple silicon).
# -f fails on an HTTP error instead of saving the error page as the tarball,
# -L follows redirects. No checksum is verified, so the download is trusted as-is.
AB=auditbeat-7.17.5-darwin-x86_64
curl -fL "https://artifacts.elastic.co/downloads/beats/auditbeat/$AB.tar.gz" -o "$AB.tar.gz"
tar -zxvf "$AB.tar.gz" "$AB/auditbeat"   # extract only the binary
sudo mkdir -p /etc/PLS                   # -p: do not fail when the directory already exists
sudo mv "$AB/auditbeat" /etc/PLS
rm -r "$AB" "$AB.tar.gz"                 # scratch files owned by the invoking user; no sudo needed

# Write the config as the invoking user, then install it as root.
# ("sudo echo ... > file" elevates only echo; the redirection still runs as the user.)
cat > auditbeat.yml <<EOF
auditbeat.modules:

- module: file_integrity
  paths:
  - /bin
  - /usr/bin
  - /usr/local/bin
  - /sbin
  - /usr/sbin
  - /usr/local/sbin

- module: system
  datasets:
    - host    # General host information, e.g. uptime, IPs
    - package # Installed, updated, and removed packages
    - process # Started and stopped processes

  state.period: 12h

processors:
  - add_host_metadata: ~

#================================ Custom Perch Output ============================

output.elasticsearch:
  hosts: ['ingest.perchsecurity.com:443/elastic']
  headers:
    X-Perch-Header: '$TOKEN'
  protocol: https
  compression_level: 5
  #path: /elastic
EOF
sudo cp auditbeat.yml /etc/PLS
rm auditbeat.yml
sudo chown root:wheel /etc/PLS/auditbeat.yml
sudo chmod 600 /etc/PLS/auditbeat.yml   # this file carries the client token: owner-only

# LaunchDaemon definition. Quoted delimiter: nothing inside the plist is expanded.
cat > com.PLS.plist <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>Label</key>
	<string>com.PLS</string>
	<key>ProgramArguments</key>
	<array>
		<string>sh</string>
		<string>-c</string>
		<string>/etc/PLS/auditbeat</string>
	</array>
	<key>RunAtLoad</key>
	<true/>
	<key>UserName</key>
	<string>root</string>
	<key>WorkingDirectory</key>
	<string>/etc/PLS</string>
</dict>
</plist>
EOF
sudo cp com.PLS.plist /Library/LaunchDaemons
rm com.PLS.plist
sudo chown root:wheel /Library/LaunchDaemons/com.PLS.plist   # launchd requires a root-owned plist
sudo chmod 644 /Library/LaunchDaemons/com.PLS.plist          # and one that is not group/world writable
sudo launchctl load -w /Library/LaunchDaemons/com.PLS.plist


Thanks, I will give that a shot. 

Ever get anywhere with this?