Applies To: WatchGuard SIEMFeeder
If the computer that hosts WatchGuard Event Importer reports low system resources, you can configure multiple instances of Event Importer to help fix the issue. Multiple instances of Event Importer can run concurrently.
The computer can report these low resource incidents.
High CPU usage with free cores
Event Importer is a single-thread application. If system resources report a sustained CPU usage of more than 80% on one core, you can run multiple instances of Event Importer with different delivery target folders.
High CPU usage without free cores
If system resources report a sustained CPU usage of more than 80% on all cores, install Event Importer to a more powerful computer or upgrade to a more powerful CPU.
High bandwidth consumption from the storage system
If system resources indicate high bandwidth usage for hard disk access, it is advisable to upgrade one or all of the storage components.
Multiple Instances of Event Importer in Command Line Mode
Complete the steps in this procedure to run multiple instances of Event Importer from the command prompt:
- Download the latest version of Event Importer from the WatchGuard Software Downloads website. For each instance of Event Importer, decompress the file contents to a separate folder.
- Complete the steps described in Configure and Run Event Importer to run each instance of the application separately in command-line mode.
Configure each instance of Event Importer independently. For example, use different storage channels for the log files that Event Importer downloads. - Run each instance of the application independently.
Multiple Instances of Event Importer in Service Mode (Windows)
To run multiple instances of Event Importer in service mode, you must first run each instance of the application in command-line mode. You then manually register each Event Importer instance as a service.
Complete the steps in this procedure to run multiple instances of Event Importer in service mode:
This example uses the folders C:\customer1 and C:\customer2. Each folder contains a separate instance of the Event Importer install files.
- Complete the steps in the previous section, Multiple Instances of Event Importer in Command Line Mode, to create Event Importer instances. Do not opt to run the instances as a service.
- On completion of each instance, at the command prompt, press the keyboard shortcut Ctrl+C to stop each instance of EventsFeederImporter.Host.exe that runs.
- To run an Event Importer instance as a service, you must register it manually as an administrator. To register multiple instances, from a Microsoft Windows PowerShell prompt, give each instance a different name and use the parameters:servicename, description, displayname
cd C:\customer1 ./EventsFeederImporter.Host.exe install -servicename:ServiceCustomer1 -description:ServiceCustomer1 -displayname:ServiceCustomer1
cd C:\users\customer2
./EventsFeederImporter.Host.exe install -servicename:ServiceCustomer2 -description:ServiceCustomer2 -displayname:ServiceCustomer2
- From the root of each Event Importer folder, start each instance of Event Importer.
cd C:\customer1
./EventsFeederImporter.Host.exe start -servicename:ServiceCustomer1
cd C:\customer2
./EventsFeederImporter.Host.exe start -servicename:ServiceCustomer2
- In Windows, open Task Manager and verify that each independent service runs as expected.
Multiple Instances in Command Line Mode (Linux)
- Download the latest version of Event Importer from the WatchGuard Software Downloads website. For each instance of log files that you want to download, decompress the Event Importer files to a separate folder.
- Complete the steps described in Configure and Run Event Importer to install each instance of Event Importer in command-line mode (Linux distribution).
- Configure each Event Importer instance independently. For example, you can configure different storage channels to store the log files that Event Importer downloads.
- Run each instance independently.