Perch Log Shipper for Windows

If you haven’t purchased Perch SIEM please reach out to your sales representative or contact us at sales@perchsecurity.com.

If you need to download the Perch Log Shipper, please log into the Perch Application and navigate to Settings > Sensors and click “download the installer” at the top of the page.

Supported OS versions - Windows 7 or Server 2012 R2 or greater.

What's included in the Perch Log Shipper?

  1. Winlogbeat - Winlogbeat sends your Windows Event Logs for processing and storage.
  2. Auditbeat - Auditbeat sends audit data from the endpoint for processing and storage.
  3. Sysmon - Sysmon is a free utility provided by the Microsoft Sysinternals group that provides higher-fidelity insight into how your Windows systems are operating.

Installing Perch Log Shipper

  1. Locate and execute the downloaded installer.

  2. Choose Next> and agree to the License Agreement.

  3. Choose to install the base Perch Log Shipper and optionally Enable External Syslog Collection.

    Note about Syslog ports: You only need to enable external Syslog collection on one device in the organization. This will be the destination you can send Syslog to from firewalls, switches, routers, etc. You will use the following ports:
    UDP Syslog: 42514
    TCP Syslog: 42515

    Perch doesn’t adjust the settings of your host-based firewall such as Windows Firewall. You will need to make a policy exception to allow the traffic inbound on those ports if your security policy blocks inbound traffic by default.

    Note about IIS Log collection: If you enable the Syslog collection feature, it will also enable collecting IIS logs on the local server by default.

  4. If you choose to send the logs to the Perch Sensor, select Send to Sensor and provide the IP address of the Perch Sensor.
    If you choose to send the logs directly to the Perch Cloud, choose Send to Cloud (API) and provide the Client Token (API). You can obtain the Client Token by navigating in the Perch App to Settings > Sensors and copying the Agent Token from the top of the sensors settings page.

  5. Click Finish to complete the setup.

Command Line Options

The Perch Log Shipper for Windows includes simple command-line options to deploy the Log Shipper silently and set the IP address or Client Token.

Examples:

perch-log-shipper-latest.exe /qn OUTPUT="IP" VALUE="10.10.10.205"

This will install the Perch Log Shipper silently and set a Sensor IP address of 10.0.0.205.

perch-log-shipper-latest.exe /qn OUTPUT="TOKEN" VALUE="abc-123-def-456"

This will install the Perch Log Shipper silently and set a Client Token to send the log data directly to the Perch Cloud.

Installer notes

If there is a host-based firewall, network firewall, or network ACL between the endpoint and the Perch sensor, TCP/5044 will need to be allowed to traverse from the endpoint to the Perch sensor for data sent to the sensor. If the Cloud API option is chosen, TCP/443 will need to be allowed outbound to ingest.perchsecurity.com.

The installer writes data to C:\Program Files\Perch (or C:\Program Files (x86)\Perch on x86-based systems) and C:\ProgramData\Perch, and creates three services - perch-winlogbeat, perch-auditbeat, and sysmon. A fourth service named perch-filebeat will be created if you choose to enable external Syslog collection.
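The following PowerShell script is an added example, not part of the Perch documentation or the Perch product: it ties the silent install options above to the installer notes by running the installer unattended, confirming the documented services were created, and checking the TCP/5044 or TCP/443 path the logs depend on. The installer path, the sample sensor address and the firewall rule names are assumptions.

```powershell
# Added example (not Perch's own tooling): unattended deployment of the Perch Log
# Shipper plus post-install checks. Assumes the installer was downloaded to $Installer.
param(
    [string]$Installer = "C:\Temp\perch-log-shipper-latest.exe",   # assumed download path
    [ValidateSet("IP", "TOKEN")][string]$Output = "IP",           # OUTPUT= option from the docs
    [string]$Value = "10.10.10.205",                               # sensor IP or client token (constructed sample)
    [switch]$SyslogCollection                                      # set only on the one syslog collector host
)

# 1. Run the installer silently with the documented OUTPUT/VALUE options.
$argList = "/qn OUTPUT=`"$Output`" VALUE=`"$Value`""
$proc = Start-Process -FilePath $Installer -ArgumentList $argList -Wait -PassThru
if ($proc.ExitCode -ne 0) { throw "Installer exited with code $($proc.ExitCode)" }

# 2. Verify the services the installer notes say are created.
$expected = @("perch-winlogbeat", "perch-auditbeat", "sysmon")
if ($SyslogCollection) { $expected += "perch-filebeat" }
foreach ($name in $expected) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) { Write-Warning "Expected service '$name' was not created" }
    else { Write-Host ("{0,-18} {1}" -f $name, $svc.Status) }
}

# 3. Check the log path: TCP/5044 to the sensor, or TCP/443 to the cloud ingest endpoint.
if ($Output -eq "IP") {
    $probe = Test-NetConnection -ComputerName $Value -Port 5044 -WarningAction SilentlyContinue
} else {
    $probe = Test-NetConnection -ComputerName "ingest.perchsecurity.com" -Port 443 -WarningAction SilentlyContinue
}
if (-not $probe.TcpTestSucceeded) {
    Write-Warning "No TCP path to $($probe.ComputerName):$($probe.RemotePort); check host firewall, network firewall or ACL"
}

# 4. Perch does not modify Windows Firewall, so the syslog listener ports are opened here
#    only on the host that was installed with external Syslog collection enabled.
if ($SyslogCollection) {
    New-NetFirewallRule -DisplayName "Perch Syslog UDP 42514" -Direction Inbound -Protocol UDP -LocalPort 42514 -Action Allow | Out-Null
    New-NetFirewallRule -DisplayName "Perch Syslog TCP 42515" -Direction Inbound -Protocol TCP -LocalPort 42515 -Action Allow | Out-Null
}
```

Run it from an elevated PowerShell session; for a cloud deployment pass `-Output TOKEN -Value <client token>` instead of the sensor address.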