Modify Event Importer Settings
Applies To: WatchGuard SIEMFeeder
On first run, the WatchGuard Event Importer configuration wizard uses the information you enter to update the configuration.json file. You can find this JSON file in the root folder of the Event Importer install.
After the Event Importer configuration wizard completes, Event Importer begins to download event log files stored on the Microsoft Azure infrastructure. Event Importer routes the log files to your specified channel location, based on the information that the configuration.json file contains.
The configuration.json file contains this data:
- Information about the user who owns the log files.
- Information about the method used to send and store the log files.
- Information about the Event Importer execution mode (for example, command line or service).
To change Event Importer settings, you can modify the configuration.json file. After you modify the configuration.json file, you must stop and start the Event Importer process to apply any changes made to the file.
Complete the steps in this procedure to modify Event Importer settings with the configuration wizard:
- If running, stop the Event Importer process. To stop the Event Importer process, follow the steps described in Start and Stop Event Importer.
- Browse to the root folder location of your Event Importer install.
- Run EventsFeederImporter.ConfigAssistant.exe, as described in Configure and Run Event Importer.
- Type Y, when prompted:
Do you want to change the current channel settings? [Yes/No]:
- At the command prompts, modify the settings that you want and complete the configuration wizard.
EventsFeederImporter.Host.exe launches in a new command window and begins to download event logs to your delivery channel location.
Complete the steps in this procedure to change settings with the Event Importer configuration wizard:
- If running, stop the Event Importer process. To stop the Event Importer process, follow the steps described in Start and Stop Event Importer.
- Browse to the root folder location of your Event Importer install.
- Run EventsFeederImporter.Multiplatform.ConfigAssistant, as described in Configure and Run Event Importer.
- Type Y, when prompted:
Do you want to change the current channel settings? [Yes/No]:
- At the command prompts, modify the settings that you want and complete the configuration wizard.
EventsFeederImporter.Multiplatform.Host runs and begins to download event logs to your delivery channel location.
To manually modify Event Importer settings, you can edit the configuration.json file with a text editor of your choice.
Complete the steps in this procedure to manually modify settings for Event Importer:
- If running, stop the Event Importer process. To stop the Event Importer process, follow the steps described in Start and Stop Event Importer.
- From the root folder location of Event Importer, open the configuration.json file with a text editor of your choice.
- Save any changes you made, and close the configuration.json file.
- Start Event Importer. To start the Event Importer process, follow the steps described in Start and Stop Event Importer.
Parameters Related to Log File Events
These configuration.json parameters decide how Event Importer generates log files.
Channels
Indicates the characteristics of the channel used to download log files.
Type
Storage type used in the channel.
Name
Channel name.
Configuration
Channel settings (fullPath, fileSizeLimitInBytes, directoryMaxSizeInMB, fileSplitFormat).
fullPath
Absolute path to the log folder.
fileSizeLimitInBytes
Maximum size of the log files.
directoryMaxSizeInMB
Maximum size of the content in the folder that stores the log files. When Event Importer reaches the maximum size, it deletes 10 percent of the oldest files.
fileSplitFormat
Rotation interval of the log files. The file name contains the year (yyyy), month (MM), day (dd), hour (HH), and minute (mm) of when Event Importer creates the file.
"1h" or empty
yyyyMMdd-HH format. Generates a file every hour.
"1m"
yyyyMMdd-HHmm format. Generates a file every minute.
"5m"
yyyyMMdd-HHmm format. Generates a file every 5 minutes.
"10m"
yyyyMMdd-HHmm format. Generates a file every 10 minutes.
"15m"
yyyyMMdd-HHmm format. Generates a file every 15 minutes.
"30m"
yyyyMMdd-HHmm format. Generates a file every 30 minutes.
Parameters Related to the Execution Log
Event Importer saves all operations it executes to text files. It stores the text files in the log folder of the application.
These parameters in the configuration.json file decide how Event Importer generates the text files.
LogsPath
Absolute or relative path and file name. Make sure to escape the backslash character ("\").
For example, .\\log\\log.txt.
LogFileSizeLimitKBytes
Rotates the log file when it reaches a certain size in kilobytes, and adds the suffix -SequenceNumber to the file name.
For example, log-3.txt.
LogRetainedFileCountLimit
Indicates the maximum number of files that Event Importer stores on the storage device. Event Importer deletes the oldest file when it reaches this number.
Interval
Rotation interval of the log files:
0
No rotation. The suffix is null. The file name is the same as the name the LogsPath parameter defines.
1
File rotates every year. The suffix for the name defined in LogsPath is LognameYear(YYYY).
For example, log2021.txt.
2
File rotates every month. The suffix for the name defined in LogsPath is LognameYearMonth(YYYYMM).
For example, log202107.txt.
3
File rotates every day. The suffix for the name defined in LogsPath is LognameYearMonthDay(YYYYMMDD).
For example, log20210722.txt.
4
File rotates every hour. The suffix for the name defined in LogsPath is LognameYearMonthDayHour(YYYYMMDDhh).
For example, log2021072210.txt.
5
File rotates every minute. The suffix for the name defined in LogsPath is LognameYearMonthDayHourMinute(YYYYMMDDhhmm).
For example, log202107221055.txt.
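Added example (not WatchGuard code): a Python check to run on a manually edited configuration.json before you start Event Importer again, covering the fileSplitFormat, Interval, fullPath, and backslash-escaping rules above. The sample file is constructed, and its layout (Channels as a list, execution log keys at the top level, Interval stored as a number) is an assumption, so the check looks each key up by name at any depth.

```python
import json
import ntpath
import posixpath
from datetime import datetime

# Documented fileSplitFormat values ("" is the "empty" case, same as "1h").
SPLIT_FORMATS = {"", "1h", "1m", "5m", "10m", "15m", "30m"}
# Documented Interval values -> suffix appended to the name defined in LogsPath.
INTERVAL_SUFFIX = {0: "", 1: "%Y", 2: "%Y%m", 3: "%Y%m%d", 4: "%Y%m%d%H", 5: "%Y%m%d%H%M"}

# Constructed sample; layout and values are assumptions, "<storage type>" is a placeholder.
SAMPLE = r'''{"Channels": [{"Type": "<storage type>", "Name": "siem-drop",
  "Configuration": {"fullPath": "C:\\SIEM\\events", "fileSizeLimitInBytes": 10485760,
                    "directoryMaxSizeInMB": 1024, "fileSplitFormat": "15m"}}],
 "LogsPath": ".\\log\\log.txt", "LogFileSizeLimitKBytes": 10240,
 "LogRetainedFileCountLimit": 10, "Interval": 3}'''

def find(node, key):
    """Yield every value stored under `key` at any depth, so no nesting is assumed."""
    if isinstance(node, dict) and key in node:
        yield node[key]
    children = node.values() if isinstance(node, dict) else node if isinstance(node, list) else ()
    for child in children:
        yield from find(child, key)

def check_config(text):
    """Return a list of problems; an empty list means the documented rules hold."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        # A single, unescaped backslash in LogsPath or fullPath is rejected here.
        return [f"not valid JSON: {exc.msg} (line {exc.lineno}, column {exc.colno})"]
    rules = {
        "fileSplitFormat": lambda v: isinstance(v, str) and v in SPLIT_FORMATS,
        "Interval": lambda v: str(v) in {str(k) for k in INTERVAL_SUFFIX},
        "fullPath": lambda v: isinstance(v, str) and (ntpath.isabs(v) or posixpath.isabs(v)),
    }
    return [f"{key} {v!r} is outside the documented values"
            for key, ok in rules.items() for v in find(cfg, key) if not ok(v)]

def execution_log_name(logs_path, interval, when):
    """Execution log file name expected at `when` for the given Interval."""
    stem, ext = ntpath.splitext(ntpath.basename(logs_path))
    return stem + when.strftime(INTERVAL_SUFFIX[int(interval)]) + ext

if __name__ == "__main__":
    print(check_config(SAMPLE))
    print(execution_log_name(".\\log\\log.txt", 3, datetime(2021, 7, 22, 10, 55)))
```

An empty list from check_config means the file parses and the checked values are documented ones; execution_log_name gives the file a monitoring job should expect to find in the log folder.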
For more information about event log parameters, see the WatchGuard SIEMFeeder Event Guide.