Event Importer Requirements

Applies To: WatchGuard SIEMFeeder This topic applies to the WatchGuard endpoint security module, SIEMFeeder. SIEMFeeder is available with WatchGuard EPDR and WatchGuard EDR.

Before you try to configure and run WatchGuard Event Importer, make sure the computer, network, and SIEM server meet these requirements.

Hardware Requirements

• Processor —1 GHz or faster
• RAM — 512 MB minimum
• Free Disk Space —Stores the log data that Event Importer imports

On average, Event Importer uses 1 MB of storage space for each computer, for each hour.

Windows Requirements

Supported Workstations (32- and 64 bit)

• Windows 7 SP1
• Windows 8
• Windows 8.1
• Windows 10
• Windows 11

Supported Servers

• Windows Server 2008 R2 SP1
• Windows Server 2012
• Windows Server 2012 R2
• Windows Server 2016
• Windows Server 2019
• Windows Server 2022

.NET

Event Importer requires Microsoft .NET Framework 4.6.2 or higher and is compatible with .NET Framework up to version 4.8.

If an earlier version is installed, go to https://dotnet.microsoft.com/en-us/download/dotnet-framework/net462 to download the appropriate version.

Required Permissions

You can run Event Importer from the command-line or unattended as a Windows service.

• When you run Event Importer from the command-line, it does not require any specific permissions, other than write access to the folder that you configure to store the logs that Event Importer downloads.
• When you run Event Importer as a service, it runs under the local system computer account and must have administrator permissions to run correctly.

Linux Requirements

Operating System and Required Libraries

The download package contains everything Event Importer requires for these distributions:

• Ubuntu 18.04.4 LTS Desktop (64 bit)
• Red Hat Enterprise Linux 7.2 Server (64 bit)

Required Permissions

You can run Event Importer from the command-line or unattended as a system daemon.

• When you run Event Importer in command-line mode as an administrator, it does not require any specific permissions, other than write access to the folder you configure to store the logs that Event Importer downloads.
• When you run Event Importer in daemon mode, it runs under a user account. Event Importer requires root permissions for configuration.

Firewall Configuration

For Event Importer to download log files from Microsoft Azure, any firewall on the computer that runs Event Importer must allow these network settings:

• Communication source — Event Importer computer
• Communication target — Azure infrastructure
• Connection type — Outbound from the user network
• Layer 3 (transport) protocol — Transport Layer Security (TLS) 1.2
• Layer 4 (application) protocol — HTTPS (port 443), Amqp (ports 5671 and 5672), Amqp WebSockets (port 443)

Configure your firewall to allow these URLs:

• https://auth.pandasecurity.com.
• https://storage.accesscontrolmngr.pandasecurity.com.
• sb://pac100siemfeeder.servicebus.windows.net.

Based on your location, configure your firewall to allow these authentication URLs:

• https://api.usa.cloud.watchguard.com (North America)
• https://api.jpn.cloud.watchguard.com (Japan)
• https://api.deu.cloud.watchguard.com (Europe)

Based on your location, configure your firewall to allow these Microsoft Azure Service Bus authentication URLs:

• sb://pac-prodv3-us1-siemfeeder.servicebus.windows.net (North America)
• sb://pac-prodv3-jp1-siemfeeder.servicebus.windows.net (Japan)
• sb://pac-prodv3-eu1-siemfeeder.servicebus.windows.net (Europe)

NTP Server

To download the log files stored in the Azure infrastructure, an authentication process that involves the generation of a token must complete. To improve security, this token has an expiration date. The system time of both communication endpoints must be the same. The computer that runs Event Importer must use a time service (for example, the Windows Time Service) to synchronize with the time from an NTP server. For more information, go to https://www.ntppool.org/en/use.html (external link).

Supported SIEM Servers

SIEM products that are compatible with the SIEMFeeder service are those that support the Common Event Format (CEF) or the Log Event Extended Format (LEEF).

For more information about supported SIEM servers, go to About SIEM Servers.

By default, logs are sent in LEEF format. To receive logs in CEF format, send an email message with your request and your WatchGuard account number to [email protected].

Proxy Server Settings

If the computer that hosts Event Importer uses a proxy server, the proxy server must use WebSockets to enable access. Event Importer uses the Amqp WebSockets protocol and not Amqp.

Bandwidth

For each hour of use, Event Importer generates an average of 500 KB of compressed data, stored in the GZIP format. The required bandwidth depends on the number of computers monitored on the network, the maximum of the allowable delay, and any administrator requirements.

A low bandwidth value leads to a delay in when you can receive logs, and so prevents a SIEM server from receiving and processing data in real time.

Minimum threshold

The minimum bandwidth to receive all logs without loss of files, due to expiration of the log retention period. The log generation rate depends on multiple factors (computer activity, the role of the computer within the organization, and so on). With a low bandwidth value, the service uses non-work hours to receive the log files that Event Importer generates while in peak hours. A low bandwidth value leads to delays for when Event Importer receives log files and prevents the receiving and processing of logs in real time by the SIEM server of the organization.

Maximum threshold

The bandwidth required to download all log files as they generate.

Related Topics

About SIEMFeeder

SIEMFeeder Requirements

Configure WatchGuard Cloud API Settings