Configure and Run Event Importer for a Linux Distribution
Applies To: WatchGuard SIEMFeeder
You use WatchGuard Event Importer to download event log files that the WatchGuard SIEMFeeder service creates. This help topic describes how to run the Event Importer configuration wizard and generate a configuration file for Linux distributions.
For information on how to configure and run Event Importer for Microsoft Windows, go to Configure and Run Event Importer for Microsoft Windows.
Requirements
Event Importer is compatible with all Linux platforms that support .NET Framework 8.0. WatchGuard certifies and supports these distributions:
- Ubuntu 24.04 LTS
- Red Hat Enterprise Linux 9.5
The install package contains everything SIEMFeeder requires.
You can run Event Importer from the command line or unattended as a system daemon:
- When you run Event Importer in daemon mode, it runs under a user account. Event Importer requires root permissions for configuration.
- When you run Event Importer in command line mode as an administrator, it only requires write access to the folder you configure to store the logs that Event Importer downloads.
For more information on requirements, go to Event Importer Requirements.
Steps to Install and Configure Event Importer
Event Importer uses a configuration file to apply options that include where to store log files and whether to run from the command line or as a daemon.
The high-level steps to install and configure Event Importer are:
- Download and Extract the Install Package.
- Edit File Execution Properties.
- Generate a Configuration File to Configure Event Importer.
- Configure the Connection Method.
- Configure the Endpoint Security Platform.
- Configure the Method to Store and Forward Log Files.
- Configure Event Importer to Run as a Daemon (Optional).
Download and Extract the Install Package
To download the Event Importer install package:
- Download the Event Importer install package from the Software Downloads page on the WatchGuard website, in the Endpoint Software section.
- Extract all files in the install package. The EventsFeederImporter x.x Pro.zip package contains these files:
EventsFeederImporter.Multiplatform.Host: Downloads the log files that contain the events that occur on user computers. It stores them on the computer hard disk or forwards them to another computer, depending on the settings you configure.
EventsFeederImporter.Multiplatform.ConfigAssistant: Starts the configuration wizard that contains the parameters to configure.
Configuration.json: Contains the program settings. To prevent security leaks, all personal data is stored obfuscated.
Edit File Execution Properties
For a Linux distribution to run the Event Importer programs, you must set the execute permission on the SIEMFeeder files.
- Open a command prompt.
- Enter these commands:
sudo chmod a+x /#_SAMPLEFOLDER_SiemFeeder#/EventsFeederImporter.Multiplatform.Host
sudo chmod a+x /#_SAMPLEFOLDER_SiemFeeder#/EventsFeederImporter.Multiplatform.ConfigAssistant
The variable /#_SAMPLEFOLDER_SiemFeeder#/ is the full path to the folder where the extracted package resides on your computer. The EventsFeederImporter.Multiplatform.Host file imports the log files that contain the events that occur on user computers.
Generate a Configuration File to Configure Event Importer
This section describes the steps to generate the configuration file required to run a single Event Importer instance in command line mode and to connect to the Azure platform to download log files.
In this procedure, Event Importer generates a configuration file that overrides the existing file, then launches the configuration wizard.
To configure Event Importer:
- To open the configuration wizard, run the EventsFeederImporter.Multiplatform.ConfigAssistant program.
- Type Y for the question: Do you want to change the configuration settings? [Yes/No].
The configuration wizard opens.
Configure the Connection Method
Configure the connection method supported by the IT infrastructure that will host the Event Importer computer: direct or corporate proxy.
If the Event Importer computer is behind a proxy server:
- In the configuration wizard, type Y for the question: Is Event Importer behind a proxy server? [Yes/No].
- Enter the proxy server IP address.
- Enter the user name and password, if the proxy server requires authentication.
The password must be a string of alphanumeric characters, spaces, and symbols, except for these characters: : / ? # [ ] @ ! $ & ' ( ) * + ; = , (colon, slash, question mark, number sign, square brackets, at sign, exclamation mark, dollar sign, ampersand, apostrophe, parentheses, asterisk, plus sign, semicolon, equals sign, and comma).
When a proxy server is selected, Event Importer uses the configured proxy server to connect to the Azure platform assigned to the user. It is not used to connect to other resources such as a file server, an Apache Kafka server, or a syslog server.
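The wizard rejects a proxy password that contains any of the characters listed above. The following shell function, added here as an example and not part of WatchGuard's package, checks a candidate password against that list before you type it into the wizard, so a rejected value does not leave you retyping credentials at the prompt. The `--prompt` flag and the `proxy_password_ok` name are this example's own; the password is read without echo and is never printed.

```shell
#!/bin/sh
# Added example, not WatchGuard's code: check a proxy password against the
# character restrictions the configuration wizard enforces.
# Disallowed characters, as listed on the page: : / ? # [ ] @ ! $ & ' ( ) * + ; = ,

# Returns 0 if the password is non-empty and contains none of the disallowed
# characters, 1 otherwise. In the bracket expression ']' comes first so grep
# treats it literally; '[' is literal because it is not followed by ':' '.' or '='.
proxy_password_ok() {
    pw="$1"
    [ -n "$pw" ] || return 1
    if printf '%s' "$pw" | LC_ALL=C grep -q "[]:/?#[@!\$&'()*+;=,]"; then
        return 1
    fi
    return 0
}

# Stand-alone use: ./check-proxy-password.sh --prompt
# Reads the password with echo disabled and reports only accept/reject.
if [ "$1" = "--prompt" ]; then
    printf 'Proxy password (not echoed): '
    stty -echo
    read -r pw
    stty echo
    printf '\n'
    if proxy_password_ok "$pw"; then
        echo "OK: the password contains no disallowed characters"
    else
        echo "Rejected: empty or contains a disallowed character" >&2
        exit 1
    fi
fi
```

The check is deliberately a blacklist of the page's characters rather than a whitelist, because the page allows "symbols" in general and only names the exceptions.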
Configure the Endpoint Security Platform
Select the Endpoint Security platform and specify the access credentials for the management UI. These credentials are for the account used to access the service.
- In the configuration wizard, type W at the prompt: Select your platform: [C]urrent or [W]G Endpoint Security.
- Enter the email address of the operator account used to access the Endpoint Security management UI.
- Enter the password.
- If the account has 2FA enabled, enter the 6-digit OTP code immediately after the password, without any blank spaces.
- Enter the customer ID from the Welcome email.
Event Importer generates a new access token it uses to access the Azure platform and download the generated log files.
Configure the Method to Store and Forward Log Files
Event Importer provides several methods to store or forward event log files. Network architecture, available resources, and the volume of event log files that Event Importer receives from the Microsoft Azure platform can help you decide which method to use.
To select a storage method:
- In the configuration wizard, type Y for the question: Event Importer enables you to send received events simultaneously to various channels. Do you want to change the current channel configuration? [Yes/No]
This deletes existing storage and forwarding settings (if any) and generates new settings based on your selection. For more information, go to Configure Event Log Storage and Forwarding.
Configure Event Importer to Run as a Daemon (Optional)
Event Importer can run automatically as a background process (daemon) at system startup. In this mode, no messages show on the screen.
To configure Event Importer to run as a daemon:
- In the configuration wizard, type N for the question: Do you want to start the Event Importer process? Starting the process here is not necessary when Event Importer runs as a daemon.
- Open the siemfeeder.service file in the .GZ package.
- In the ExecStart line, type the path to the EventsFeederImporter.Multiplatform.Host file in the folder where you extracted the package. For example, type: ExecStart="/home/panda/Desktop/SIEMFeeder 3.10 Linux/EventsFeederImporter.Multiplatform.Host"
- Copy the siemfeeder.service file to the system directory of your Linux distribution. For example:
  - Ubuntu: /lib/systemd/system
  - Red Hat: /usr/lib/systemd/system
- If the computer has Security-Enhanced Linux (SELinux) enabled and a Red Hat Enterprise distribution installed, use the selinux-checks.sh script to configure the execution environment:
  - To enable execution permissions for the script, run the command: chmod +x selinux-checks.sh
  - Run the command: sudo #_PATH_#/selinux-checks.sh. Make sure there are no spaces in the path.
- To add the siemfeeder service to the system startup sequence, run the command: sudo systemctl enable siemfeeder
- Start SIEMFeeder. For more information, go to Start and Stop Event Importer.
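The steps above (edit ExecStart, copy the unit into the distribution's systemd directory, enable it) are easy to get slightly wrong, and the most common result is a unit that starts and exits because the Host binary path is wrong or the file is not executable. The script below is an added example, not part of WatchGuard's package: it picks the unit directory from /etc/os-release using the two locations the page gives, rewrites the ExecStart line of the packaged siemfeeder.service to point at the Host binary, and refuses to proceed when the binary is missing or lacks the execute bit set earlier in this procedure. The function names, the assumption that siemfeeder.service sits in the same folder as the extracted binaries, and the temporary file under /tmp are this example's own.

```shell
#!/bin/sh
# Added example, not WatchGuard's code: prepare the packaged siemfeeder.service
# unit for deployment on Ubuntu or Red Hat, following the steps on this page.
# Assumed layout: the extracted package directory holds both
# EventsFeederImporter.Multiplatform.Host and siemfeeder.service.

# Print the systemd unit directory for the distribution named in an os-release
# file (defaults to /etc/os-release; the path argument makes the function testable).
# Only the two locations the page documents are known; anything else is refused.
unit_dir_for() {
    os_release="${1:-/etc/os-release}"
    id_val=$(sed -n 's/^ID=//p' "$os_release" | tr -d '"')
    case "$id_val" in
        ubuntu) echo /lib/systemd/system ;;
        rhel)   echo /usr/lib/systemd/system ;;
        *)      echo "unsupported distribution: '$id_val'" >&2; return 1 ;;
    esac
}

# Write a copy of the packaged unit, with ExecStart pointing at the Host binary
# in directory $1, to the file $2. Fails if the unit is missing or the Host
# binary is absent or not executable (the chmod a+x step was skipped).
# Assumes the install path contains no '|' or '&', which sed would misread.
prepare_unit() {
    install_dir="$1"
    out_file="$2"
    host="$install_dir/EventsFeederImporter.Multiplatform.Host"
    unit="$install_dir/siemfeeder.service"
    [ -f "$unit" ] || { echo "missing unit file: $unit" >&2; return 1; }
    [ -x "$host" ] || { echo "Host binary missing or not executable: $host" >&2; return 1; }
    # Quote the path so a folder name with spaces (as in the page's example) still works.
    sed "s|^ExecStart=.*|ExecStart=\"$host\"|" "$unit" > "$out_file"
}

# Stand-alone use (the copy and enable need root): ./deploy-siemfeeder.sh /opt/siemfeeder
if [ -n "$1" ]; then
    dir=$(unit_dir_for) || exit 1
    prepare_unit "$1" /tmp/siemfeeder.service || exit 1
    sudo cp /tmp/siemfeeder.service "$dir/siemfeeder.service"
    sudo systemctl enable siemfeeder
fi
```

On a Red Hat system with SELinux enforcing, run the package's selinux-checks.sh step before enabling the unit, as the procedure states; this script does not replace it.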
For information about Event Importer configuration settings and how to update them, go to Modify Event Importer Settings.