Download Event Logs to Multiple Locations

Applies To: WatchGuard SIEMFeeder

WatchGuard Event Importer can download log files to multiple locations simultaneously. To do this, Event Importer uses channels. Each channel specifies the storage type it uses and the other configuration settings that Event Importer needs to import log files.

When a channel method updates, it removes a log entry from the download queue. If errors occur while log collection takes place, different locations might have a different number of logs at completion of the process.

Complete the steps in this procedure to configure Event Importer to download log files to multiple locations:

  1. Install Event Importer. For detailed steps, see Configure and Run Event Importer.
  2. Stop Event Importer. For detailed steps, see Start and Stop Event Importer.
  3. In the configuration.json file, manually add a delivery channel to the current collection of channels. You can find the JSON file in the root folder that contains the Event Importer program files.
    The parameter syntax to add a channel is:
    "Channels":[{ channel 1 parameters},{channel 2 parameters}, …]
  4. Save the JSON file, and then start Event Importer. For detailed steps, see Start and Stop Event Importer.

This is an example of a configuration.json file that defines two channels, both of which store log files locally on a Windows computer. Each channel indicates the storage type to use to store log files and its associated settings. The first channel saves log files to the Logs1 folder, and the second channel saves log files to the Logs2 folder.

"Channels": [
{
	"Type": "LocalDisk",
	"Name": "LD1",
	"Configuration": {
		"fullPath": "C:\\Logs1",
		"fileSplitFormat": "1m",
		"fileSizeLimitInBytes": 102400,
		"directoryMaxSizeInMb": 1024
	}
}, {
	"Type": "LocalDisk",
	"Name": "LD2",
	"Configuration": {
		"fullPath": "C:\\Logs2",
		"fileSplitFormat": "1m",
		"fileSizeLimitInBytes": 102400,
		"directoryMaxSizeInMb": 1024
	}
}
]

For information about parameters in the configuration.json file, see Parameters Related to Log File Events.
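
As an added example (not WatchGuard code), this Python check can be run on the edited configuration.json after step 3 and before Event Importer is restarted, so that a malformed channel does not silently stop log delivery. It assumes the file is a JSON object with a top-level Channels array; treating unique channel names, distinct fullPath folders, and the four LocalDisk keys from the example above as required is an assumption of this check, not something this page states.

```python
import json

# Keys from this page's LocalDisk example; requiring all four is this check's assumption.
LOCALDISK_KEYS = {"fullPath", "fileSplitFormat", "fileSizeLimitInBytes", "directoryMaxSizeInMb"}

# Constructed sample: the two-channel layout from this page wrapped in a JSON object.
SAMPLE = r'''
{"Channels": [
  {"Type": "LocalDisk", "Name": "LD1", "Configuration": {"fullPath": "C:\\Logs1",
   "fileSplitFormat": "1m", "fileSizeLimitInBytes": 102400, "directoryMaxSizeInMb": 1024}},
  {"Type": "LocalDisk", "Name": "LD2", "Configuration": {"fullPath": "C:\\Logs2",
   "fileSplitFormat": "1m", "fileSizeLimitInBytes": 102400, "directoryMaxSizeInMb": 1024}}
]}
'''

def check_channels(config_text):
    """Return a list of problems found in the Channels array (empty if none)."""
    try:
        config = json.loads(config_text)
    except json.JSONDecodeError as exc:
        # A strict parser rejects, for example, a comma after the last channel.
        return [f"invalid JSON at line {exc.lineno}, column {exc.colno}: {exc.msg}"]
    channels = config.get("Channels") if isinstance(config, dict) else None
    if not isinstance(channels, list) or not channels:
        return ["'Channels' must be a non-empty array"]
    problems, names, paths = [], set(), set()
    for i, ch in enumerate(channels, start=1):
        if not isinstance(ch, dict) or not isinstance(ch.get("Configuration"), dict):
            problems.append(f"channel {i}: must be an object with a 'Configuration' object")
            continue
        name, cfg = str(ch.get("Name") or ""), ch["Configuration"]
        label = f"channel {i} ({name!r})"
        if not ch.get("Type") or not name:
            problems.append(f"{label}: 'Type' and 'Name' must be set")
        elif name in names:
            problems.append(f"{label}: duplicate channel Name")
        names.add(name)
        if ch.get("Type") == "LocalDisk":
            missing = sorted(LOCALDISK_KEYS - set(cfg))
            if missing:
                problems.append(f"{label}: missing {', '.join(missing)}")
            # Windows paths are case-insensitive; ignore case and trailing separators.
            path = str(cfg.get("fullPath", "")).rstrip("\\/").lower()
            if path and path in paths:
                problems.append(f"{label}: fullPath already used by another channel")
            paths.add(path)
    return problems

if __name__ == "__main__":
    print(check_channels(SAMPLE) or "Channels look consistent")
```

To check a real file, pass its contents to check_channels, for example the text read from configuration.json in the Event Importer root folder.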

Related Topics

About SIEMFeeder

About Event Importer

Configure Multiple Event Importer Instances