Applies To: WatchGuard SIEMFeeder
Before you try to configure and run WatchGuard Event Importer, make sure the computer, network, and SIEM server meet these requirements.
- Processor — 1 GHz or faster
- RAM — 512 MB minimum
- Free Disk Space — Stores the log data that Event Importer imports
On average, Event Importer uses 1 MB of storage space for each computer, for each hour.
Supported Operating Systems
- Windows 7 SP1 (32 and 64-bit)
- Windows 8 (32 and 64-bit)
- Windows 8.1 (32 and 64-bit)
- Windows 10 (32 and 64-bit)
- Windows 11
- Linux Distributions
- Windows Server 2008 R2 SP1
- Windows Server 2012
- Windows Server 2012 R2
- Windows Server 2016
- Windows Server 2019
- Windows Server 2022
- Linux Distributions
On Windows, Event Importer requires Microsoft .NET Framework 4.6.2 or higher and is compatible with .NET Framework up to version 4.8.
On Linux, Event Importer requires Microsoft .NET Core 3.1.
For information about compatible Linux distributions, see Install .NET on Linux.
On Windows, you can run Event Importer from the command line or unattended as a Windows service.
- When you run Event Importer from the command line, it does not require any specific permissions other than write access to the folder that you configure to store the logs that Event Importer downloads.
- When you run Event Importer as a service, it runs under the local system computer account and must have administrator permissions to run correctly.
On Linux, you can run Event Importer from the command line or unattended as a system daemon.
- When you run Event Importer in command-line mode as an administrator, it does not require any specific permissions other than write access to the folder that you configure to store the logs that Event Importer downloads.
- When you run Event Importer in daemon mode, it runs under a user account. Event Importer requires root permissions for configuration.
For Event Importer to download log files from Microsoft Azure, any firewall on the computer that runs Event Importer must allow these network settings:
- Communication source — Event Importer computer
- Communication target — Azure infrastructure
- Connection type — Outbound from the user network
- Transport security protocol — Transport Layer Security (TLS) 1.2
- Application protocols — HTTPS (port 443), AMQP (ports 5671 and 5672), AMQP over WebSockets (port 443)
Based on your location, configure your firewall to allow these authentication URLs:
- https://api.usa.cloud.watchguard.com (North America)
- https://api.jpn.cloud.watchguard.com (Japan)
- https://api.deu.cloud.watchguard.com (Europe)
Based on your location, configure your firewall to allow these Microsoft Azure Service Bus authentication URLs:
- sb://pac-prodv3-us1-siemfeeder.servicebus.windows.net (North America)
- sb://pac-prodv3-jp1-siemfeeder.servicebus.windows.net (Japan)
- sb://pac-prodv3-eu1-siemfeeder.servicebus.windows.net (Europe)
To download the log files stored in the Azure infrastructure, Event Importer must first complete an authentication process that generates a token. To improve security, this token has an expiration date, so the system time of both communication endpoints must match. The computer that runs Event Importer must use a time service (for example, the Windows Time Service) to synchronize its clock with an NTP server.
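The firewall and clock requirements above are the two things that most often break a first run. The following pre-flight script is an added example, not WatchGuard code: it derives the outbound host/port pairs from the regional URLs listed above, tests plain TCP reachability to each, and measures clock skew against an NTP server with a minimal SNTP query. The NTP server name and the 5-second skew tolerance are assumptions, not values from the requirements.

```python
import socket
import struct
import time
from urllib.parse import urlparse

# Authentication and Service Bus endpoints listed in the requirements, keyed by region.
REGION_ENDPOINTS = {
    "North America": ("https://api.usa.cloud.watchguard.com",
                      "sb://pac-prodv3-us1-siemfeeder.servicebus.windows.net"),
    "Japan": ("https://api.jpn.cloud.watchguard.com",
              "sb://pac-prodv3-jp1-siemfeeder.servicebus.windows.net"),
    "Europe": ("https://api.deu.cloud.watchguard.com",
               "sb://pac-prodv3-eu1-siemfeeder.servicebus.windows.net"),
}
AMQP_PORTS = (5671, 5672)      # plain AMQP; port 443 carries HTTPS and AMQP over WebSockets
NTP_EPOCH_DELTA = 2208988800   # seconds between the 1900 NTP epoch and the Unix epoch


def planned_targets(region):
    """Outbound (host, port) pairs the firewall must allow for one region."""
    api_url, sb_url = REGION_ENDPOINTS[region]
    api_host, sb_host = urlparse(api_url).hostname, urlparse(sb_url).hostname
    targets = [(api_host, 443), (sb_host, 443)]          # HTTPS, AMQP over WebSockets
    targets += [(sb_host, port) for port in AMQP_PORTS]  # plain AMQP
    return targets


def tcp_reachable(host, port, timeout=5.0):
    """True if an outbound TCP connection to host:port succeeds (no TLS handshake)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def ntp_offset_seconds(server="pool.ntp.org", timeout=5.0):
    """(NTP time - local clock) in seconds from a minimal SNTP query; server is an assumption."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(b"\x1b" + 47 * b"\0", (server, 123))  # LI=0, VN=3, mode=3 (client)
        data, _ = sock.recvfrom(48)
    local_now = time.time()
    secs, frac = struct.unpack("!II", data[40:48])        # transmit timestamp field
    return (secs - NTP_EPOCH_DELTA + frac / 2 ** 32) - local_now


def clock_skew_ok(offset_seconds, max_skew_seconds=5.0):
    """Token validation needs matching clocks; the tolerance here is an assumption."""
    return abs(offset_seconds) <= max_skew_seconds


if __name__ == "__main__":
    print([(h, p, tcp_reachable(h, p)) for h, p in planned_targets("Europe")])
    print("clock skew ok:", clock_skew_ok(ntp_offset_seconds()))
```

A successful TCP connect only proves the firewall path is open; a TLS or proxy policy failure would still surface in the Event Importer logs.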
SIEM products that are compatible with the SIEMFeeder service are those that support the Common Event Format (CEF) or the Log Event Extended Format (LEEF).
For more information about supported SIEM servers, see About SIEM Servers.
If the computer that hosts Event Importer uses a proxy server, the proxy server must allow WebSocket connections. Event Importer uses the AMQP over WebSockets protocol, not plain AMQP.
For each hour of use, Event Importer generates an average of 500 KB of compressed data, stored in GZIP format. The required bandwidth depends on the number of computers monitored on the network, the maximum allowable delay, and any administrator requirements.
A low bandwidth value delays when you receive logs, and so prevents the SIEM server from receiving and processing data in real time.
The minimum bandwidth is the rate needed to receive all logs without loss of files due to expiration of the log retention period. The log generation rate depends on multiple factors (computer activity, the role of the computer within the organization, and so on). With a low bandwidth value, the service uses non-work hours to receive the log files that Event Importer generates during peak hours. This delays when Event Importer receives log files and prevents the organization's SIEM server from receiving and processing logs in real time.
The required bandwidth is the rate needed to download all log files as they are generated.