SIEM

Perch Log Shipper for Windows

If you haven’t purchased Perch SIEM please reach out to your sales representative or contact us at sales@perchsecurity.com.

If you need to download the Perch Log Shipper, please log into the Perch Application and navigate to Settings > Sensors and click “download the installer” at the top of the page.

Supported OS versions - Windows 7 or Server 2012 R2 or greater.

What's included in the Perch Log Shipper?

  1. Winlogbeat - Winlogbeat sends your Windows Event Logs for processing and storage.
  2. Auditbeat - Auditbeat sends audit data from the endpoint for processing and storage.
  3. Sysmon - Sysmon is a free utility provided by Microsoft Sysinternals that gives higher-fidelity insight into how your Windows systems are operating.

Installing Perch Log Shipper

  1. Locate and execute the downloaded installer.

  2. Choose Next> and agree to the License Agreement.

  3. If you choose to send the logs to the Perch Sensor, select Send to Sensor and provide the IP address of the Perch Sensor.
    If you choose to send the logs directly to the Perch Cloud, choose Send to Cloud (API) and provide the Client Token (API). You can obtain the Client Token by navigating in the Perch App to Settings > Sensors and copying the Agent Token from the top of the sensors settings page.

  4. Click Finish to complete the setup.

Command Line Options

The Perch Log Shipper for Windows includes simple command line options to deploy the Log Shipper silently and set the IP address or Client Token.

Examples:

perch-log-shipper-latest.exe /qn OUTPUT="IP" VALUE="10.10.10.205"

This will install the Perch Log Shipper silently and set a Sensor IP address of 10.10.10.205.

perch-log-shipper-latest.exe /qn OUTPUT="TOKEN" VALUE="abc-123-def-456"

This will install the Perch Log Shipper silently and set a Client Token to send the log data directly to the Perch Cloud.

Installer notes

If there is a host-based firewall, network firewall, or network ACL between the endpoint and the Perch sensor, TCP/5044 will need to be allowed to traverse from the endpoint to the Perch sensor for data sent to the sensor. If the Cloud API option is chosen, TCP/443 will need to be allowed outbound to ingest.perchsecurity.com.

The installer writes data to C:\Program Files\Perch (or C:\Program Files (x86), for x86 based systems) and C:\ProgramData\Perch, and creates three services - perch-winlogbeat, perch-auditbeat and sysmon.
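
A post-install check for the items in the installer notes, as an added PowerShell example that is not part of Perch's documentation or tooling. It uses only the service names, ports, host name and directories listed above, plus the sample sensor address from the command line example; the helper names Test-TcpPort and New-Check are hypothetical.

```powershell
# Added example: post-install check for one endpoint (not Perch's own tooling).
# Service names, ports, host name and paths are the ones stated in this article.
param(
    [ValidateSet('IP', 'TOKEN')]
    [string]$Output = 'IP',             # mirrors the installer's OUTPUT option
    [string]$SensorIp = '10.10.10.205'  # sample sensor address from the example above
)

function Test-TcpPort {
    param([string]$TargetHost, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($TargetHost, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($pending)
        return $true
    } catch { return $false } finally { $client.Close() }
}

function New-Check {
    param([string]$Check, [bool]$Passed, [string]$Detail)
    New-Object PSObject -Property @{ Check = $Check; Passed = $Passed; Detail = $Detail }
}

$results = @()

# 1. The three services the installer creates must exist and be running.
foreach ($name in 'perch-winlogbeat', 'perch-auditbeat', 'sysmon') {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    $state = if ($svc) { [string]$svc.Status } else { 'not installed' }
    $results += New-Check "service $name" ($state -eq 'Running') $state
}

# 2. Install and data directories the installer writes to.
$dirs = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ } |
    ForEach-Object { Join-Path $_ 'Perch' }
$found = @($dirs | Where-Object { Test-Path $_ })
$results += New-Check 'program directory' ($found.Count -gt 0) ($found -join ', ')
$dataDir = Join-Path $env:ProgramData 'Perch'
$results += New-Check 'data directory' (Test-Path $dataDir) $dataDir

# 3. Network path: TCP/5044 to the sensor, or TCP/443 to the cloud ingest host.
if ($Output -eq 'IP') { $target = $SensorIp; $port = 5044 }
else { $target = 'ingest.perchsecurity.com'; $port = 443 }
$results += New-Check "tcp ${target}:$port" (Test-TcpPort $target $port) 'outbound from this endpoint'

$results | Select-Object Check, Passed, Detail | Format-Table -AutoSize
if (@($results | Where-Object { -not $_.Passed }).Count -gt 0) { exit 1 }
```

Save it as a script file and run it on the endpoint with -Output IP or -Output TOKEN to match how the shipper was installed; a non-zero exit code means at least one check failed, which makes it usable from a deployment tool after a silent install.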