Perch Log Shipper for Windows

If you haven’t purchased Perch SIEM please reach out to your sales representative or contact us at sales@perchsecurity.com.

If you need to download the Perch Log Shipper, please log into the Perch Application and navigate to Settings > Sensors and click “download the installer” at the top of the page.

Supported OS versions - Windows 7 or Server 2012 R2 or greater.

What's included in the Perch Log Shipper?

  1. Winlogbeat - Winlogbeat sends your Windows Event Logs for processing and storage.
  2. Auditbeat - Auditbeat sends audit data from the endpoint for processing and storage.
  3. Sysmon - Sysmon is a free utility provided by Microsoft Sysinternals groups that provides a higher fidelity of insight into how your Windows systems are operating.

Installing Perch Log Shipper

  1. Locate and execute the downloaded installer.

  2. Choose Next> and agree to the License Agreement.

  3. Choose to install the base Perch Log Shipper and optionally Enable External Syslog


    Note about Syslog ports: You only need to enable external Syslog collection on one device in the organization. This will be the destination you can send Syslog from firewalls, switches, routers, etc to. You will use the following ports
    UDP Syslog: 42514
    TCP Syslog: 42515

    Perch doesn’t adjust the settings of your host-based firewall such as Windows Firewall. You will need to make a policy exception to allow the traffic inbound on those ports if your security policy blocks inbound traffic by default.

    Note about IIS Log collection: If you enable the Syslog collection feature, it will also enable collecting IIS logs on the local server by default.

  4. If you choose to send the logs to the Perch Sensor, select Send to Sensor and provide the IP address of the Perch Sensor.
    If you choose to send the logs directly to the Perch Cloud, choose Send to Cloud (API) and provide the Client Token (API). You can obtain the Client Token by navigating in the Perch App to Settings > Sensors and copy the Agent Token from the top of the sensors settings page.

  5. Click Finish to complete the setup.

Command Line Options

The Perch Log Shipper for Windows includes simple command-line options to deploy the Log Shipper silently and set the IP address or Client Token.


perch-log-shipper-latest.exe /qn OUTPUT="IP" VALUE=""

This will install the Perch Log Shipper silently and set a Sensor IP address of

perch-log-shipper-latest.exe /qn OUTPUT="TOKEN" VALUE="abc-123-def-456"

This will install the Perch Log Shipper silently and set a Client Token to send the log data directly to the Perch Cloud.

Installer notes

If there is a host-based firewall, network firewall, or network ACL between the endpoint and the Perch sensor, TCP/5044 will need to be allowed to traverse from the endpoint to the Perch sensor for data sent to the sensor. If the Cloud API option is chosen, TCP/443 will need to be allowed outbound to ingest.perchsecurity.com.

The installer writes data to C:\Program Files\Perch (or C:\Program Files (x86), for x86 based systems), C:\ProgramData\Perch and creates three services - perch-winlogbeat, perch-auditbeat, and sysmon. A fourth service named perch-filebeat will be created if you choose to enable external Syslog collection