Event Importer Requirements
Applies To: WatchGuard SIEMFeeder
Before you try to configure and run WatchGuard Event Importer, make sure the computer, network, and SIEM server meet these requirements.
Hardware Requirements
- Processor — 1 GHz or faster
- RAM — 512 MB minimum
- Free Disk Space — Stores the log data that Event Importer imports
On average, Event Importer uses 1 MB of storage space for each computer, for each hour. Event Importer must have permission to write to the selected local folder.
Windows Requirements
Supported Workstations (32- and 64-bit)
- Windows 7 SP1
- Windows 8
- Windows 8.1
- Windows 10
- Windows 11
Supported Servers
- Windows Server 2008 R2 SP1
- Windows Server 2012
- Windows Server 2012 R2
- Windows Server 2016
- Windows Server 2019
- Windows Server 2022
.NET
Event Importer requires Microsoft .NET Framework 4.6.2 or higher and is compatible with .NET Framework up to version 4.8.
If an earlier version is installed, go to https://dotnet.microsoft.com/en-us/download/dotnet-framework/net462 to download the appropriate version.
You can run Event Importer from the command line or unattended as a Windows service.
- When you run Event Importer from the command line, it does not require any specific permissions, other than write access to the folder or drive that you configure to store the logs that Event Importer downloads.
- When you run Event Importer as a service, it runs under the local system computer account and must have administrator permissions to run correctly.
Linux Requirements
Operating System and Required Libraries
The download package contains everything Event Importer requires for these distributions:
- Ubuntu 24.04 LTS Desktop (64-bit)
- Red Hat Enterprise Linux 9.5 Server (64-bit)
Required Permissions
You can run Event Importer from the command line or unattended as a system daemon.
- When you run Event Importer in command-line mode as an administrator, it does not require any specific permissions, other than write access to the folder you configure to store the logs that Event Importer downloads.
- When you run Event Importer in daemon mode, it runs under a user account. Event Importer requires root permissions for configuration.
Firewall Configuration
For Event Importer to download log files from Microsoft Azure, any firewall on the computer that runs Event Importer must allow these network settings:
- Communication source — Event Importer computer
- Communication target — Azure platform
- Connection type — Outbound from the user network
- Layer 3 (transport) protocol — Transport Layer Security (TLS) 1.2
- Layer 4 (application) protocol — HTTPS (port 443), Amqp (ports 5671 and 5672), Amqp WebSockets (port 443)
Configure your firewall to allow these URLs:
- https://auth.pandasecurity.com
- https://storage.accesscontrolmngr.pandasecurity.com
- sb://pac100siemfeeder.servicebus.windows.net
Based on your location, configure your firewall to allow these authentication URLs:
- https://api.usa.cloud.watchguard.com (North America)
- https://api.jpn.cloud.watchguard.com (Japan)
- https://api.deu.cloud.watchguard.com (Europe)
Based on your location, configure your firewall to allow these Microsoft Azure Service Bus authentication URLs:
- sb://pac-prodv3-us1-siemfeeder.servicebus.windows.net (North America)
- sb://pac-prodv3-jp1-siemfeeder.servicebus.windows.net (Japan)
- sb://pac-prodv3-eu1-siemfeeder.servicebus.windows.net (Europe)
NTP Server
To download the log files stored in the Azure infrastructure, an authentication process that involves the generation of a token must complete. To improve security, this token has an expiration date. The system time of both communication endpoints must be the same. The computer that runs Event Importer must use a time service (for example, the Windows Time Service) to synchronize with the time from an NTP server. For more information, go to https://www.ntppool.org/en/use.html (external link).
Supported SIEM Servers
SIEM products that are compatible with the SIEMFeeder service are those that support the Common Event Format (CEF) or the Log Event Extended Format (LEEF).
For more information about supported SIEM servers, go to About SIEM Servers.
By default, logs are sent in LEEF format. To receive logs in CEF format, send an email message with your request and your WatchGuard account number to [email protected].
Proxy Server Settings
If the computer that hosts Event Importer uses a proxy server, the proxy server must use WebSockets to enable access. Event Importer uses the Amqp WebSockets protocol and not Amqp.
Bandwidth
For each hour of use, Event Importer generates an average of 500 KB of compressed data, stored in the GZIP format. The required bandwidth depends on the number of computers monitored on the network, the maximum allowable delay, and any administrator requirements.
A low bandwidth value delays when you receive logs, and so prevents a SIEM server from receiving and processing data in real time.
Minimum Threshold
The minimum threshold is the bandwidth required to receive all logs without loss of files due to expiration of the log retention period. The log generation rate depends on multiple factors (computer activity, the role of the computer within the organization, and so on). With a low bandwidth value, the service uses non-work hours to receive the log files that Event Importer generates during peak hours. A low bandwidth value delays when Event Importer receives log files and prevents the organization's SIEM server from receiving and processing logs in real time.
Maximum Threshold
The maximum threshold is the bandwidth required to download all log files as they are generated.
Calculate Bandwidth Requirements
Calculate the required bandwidth based on the number of monitored user computers (for example, 500 KB per computer per hour). Use this value to configure QoS rules on the organization's router that connects the Event Importer computer to the Internet, and monitor your bandwidth usage at all times.
To find out whether there are delays in receiving data, compare the date the log files were received on the Event Importer computer to the date the events were generated. The generation date for log files is provided by the operating system. The generation date for each event is part of the log file internal information schema.
For more information about event logs, go to the WatchGuard SIEMFeeder Event Guide. (external link)
If the difference between the event receipt and generation dates increases gradually over time, check the received data flow. If the data flow uses all bandwidth reserved by the QoS rule, WatchGuard SIEMFeeder is generating too many log files for the bandwidth allocated to the Event Importer computer. After seven days, if the difference does not decrease, or the organization requires a shorter event receipt time, increase the bandwidth allocated to the service by the QoS rule.
If the bandwidth allocated to the service is not completely used, but the difference between the log receipt date and the event generation date increases, there is a bottleneck in the Event Importer computer hardware. For more information, go to Hardware Requirements.
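The sizing and the delay-diagnosis rule above, worked through as an added example (not part of the WatchGuard documentation or the Event Importer product). It assumes the page's 500 KB per computer per hour figure; the minimum-threshold model (logs are generated only during a given number of peak hours and are drained over 24 hours) and the 95% saturation cut-off are assumptions, not values from the page.

```python
from statistics import mean

KB_PER_COMPUTER_HOUR = 500  # average compressed log volume per computer per hour (from the page)


def max_threshold_kbps(num_computers, kb_per_hour=KB_PER_COMPUTER_HOUR):
    """Bandwidth in kbit/s needed to download log files as fast as they are generated."""
    return num_computers * kb_per_hour * 8 / 3600


def min_threshold_kbps(num_computers, peak_hours_per_day, kb_per_hour=KB_PER_COMPUTER_HOUR):
    """Bandwidth in kbit/s that drains one day's logs within 24 h, using non-work
    hours to catch up. Assumption (not on the page): logs are generated only
    during peak_hours_per_day work hours."""
    return num_computers * kb_per_hour * peak_hours_per_day * 8 / (24 * 3600)


def diagnose_delay(daily_samples, qos_kbps, days=7, saturation=0.95):
    """daily_samples: ordered list of (lag_seconds, observed_kbps), one per day,
    where lag_seconds = file receipt time on the Event Importer computer minus
    the generation time of the newest event inside that file.
    Applies the page's rule over the last `days` samples: lag that keeps
    growing while the QoS allocation is saturated means the allocation is too
    small; lag that grows with spare bandwidth points at the local hardware."""
    window = daily_samples[-days:]
    lags = [lag for lag, _ in window]
    growing = (len(lags) >= 2
               and all(b >= a for a, b in zip(lags, lags[1:]))
               and lags[-1] > lags[0])
    if not growing:
        return "ok"
    if mean(kbps for _, kbps in window) >= saturation * qos_kbps:
        return "increase_qos_bandwidth"
    return "hardware_bottleneck"


if __name__ == "__main__":
    n = 500  # constructed fleet size
    print(f"{n} computers: max {max_threshold_kbps(n):.0f} kbit/s, "
          f"min {min_threshold_kbps(n, 8):.0f} kbit/s (8 peak hours/day)")
    # Constructed seven days of samples: lag climbs by a minute a day while the
    # link sits at the QoS limit, so the allocation is the limiting factor.
    saturated = [(60 * d, 540) for d in range(1, 8)]
    print(diagnose_delay(saturated, qos_kbps=555))
```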