Configure and Run Event Importer for Microsoft Windows
Applies To: WatchGuard SIEMFeeder
You use WatchGuard Event Importer to download event log files that the WatchGuard SIEMFeeder service creates. This help topic describes how to run the Event Importer configuration wizard and generate a configuration file for Microsoft Windows.
For information on how to configure and run Event Importer for Linux distributions, go to Configure and Run Event Importer for a Linux Distribution.
Configure Event Importer for Microsoft Windows
For information about requirements, go to Event Importer Requirements.
Event Importer uses the configuration file to apply options that include where to store log files and whether to run from the command line or in service mode.
The high-level steps to install and configure Event Importer are:
- Download and Extract the Install Package.
- Configure the Connection Method.
- Configure the Endpoint Security Platform.
- Configure the Delivery Channel.
- Configure the Execution Mode.
Download and Extract the Install Package
When you download and extract the install package, it contains these files:
- EventsFeederImporter.Host.exe: Downloads the log files that contain the events that occur on the customer computers. It stores them on the computer hard disk or forwards them to another computer, depending on the settings you configure.
- EventsFeederImporter.ConfigAssistant.exe: Starts the configuration wizard that contains the parameters to configure.
- Configuration.json: Contains the program settings. To prevent security leaks, all personal data is stored obfuscated.
To download the Event Importer install package:
- Download the Event Importer install package from the Software Downloads page on the WatchGuard website, in the Endpoint > SIEMFeeder section.
- Extract the files from the install folder.
- Browse to the root folder of your Event Importer install.
- To open the configuration wizard, right-click the EventsFeederImporter.ConfigAssistant.exe file and select Run as Administrator.
The Command Prompt window opens.
Configure the Connection Method
This section describes the steps to generate the configuration file required to run a single instance in command-line or service mode and to connect to the Azure platform to download log files.
To configure the connection method:
- At the command prompt, type Y to change the configuration:
Do you want to change the current channel configuration? [Yes/No]:
Event Importer generates a new configuration file that overrides the existing file, then launches the configuration wizard.
- At the command prompt, type Y or N to configure a proxy connection:
Is Event Importer behind a proxy server? [Yes/No]:
- If the Event Importer computer is behind a proxy server, Event Importer prompts you to type the proxy server IP address, as well as the user name and password if the proxy server requires authentication. For example: example.com:9092 or 192.0.2.1:9092.
Event Importer uses the configured proxy server to connect to the Azure infrastructure assigned to the user. It is not used to connect to other resources such as a file server, an Apache Kafka server, or a syslog server. The use of the system proxy for SIEMFeeder communication is not supported.
Configure the Endpoint Security Platform
Configure the WatchGuard Endpoint Security platform and access credentials for the management UI.
To configure the Endpoint Security platform:
- At the command prompt, type W to configure the WatchGuard Endpoint Security platform:
Select your platform: [C]urrent or [W]G Endpoint Security:
- At the command prompt, type your WatchGuard Cloud API key:
Enter WatchGuard user credentials:
API key:
For information about WatchGuard user credentials and the API key, go to Configure WatchGuard Cloud API Settings.
- At the command prompt, type your WatchGuard Cloud account ID:
Account ID:
To find your WatchGuard Cloud account ID, go to See My Account Information.
- At the command prompt, type your WatchGuard Cloud account User Access ID (read only):
Access ID (Read-only):
- At the command prompt, type your WatchGuard Cloud account password:
Password:
- At the command prompt, type N, J, or E to select the region of your WatchGuard Cloud account:
Region ((N)orth America, (J)apan, (E)urope):
Configure the Delivery Channel
To configure the delivery channel:
- At the command prompt, type Y to configure delivery channels for the event log files:
Event Importer enables you to send received events simultaneously to various channels.
Do you want to change the current channel configuration? [Yes/No]:
- At the command prompt, type F, K, or S to configure a delivery channel for the event log files:
Select where you want to deliver received events: [F]ile on disk, [K]afka topic/queue, or [S]yslog server:
For more information on delivery channels, go to Configure Event Log Storage and Forwarding.
- At the command prompt, type Y or N to set up another delivery channel:
Do you want to configure another delivery channel? [Yes/No]:
Configure the Execution Mode
Event Importer can run as a service or in command-line mode. Only run Event Importer as a Windows service if you want to install and run a single instance as a service on the computer. For information on how to run multiple instances, go to Configure Multiple Event Importer Instances.
To configure execution mode:
- At the command prompt, type Y or N to configure the execution mode:
Do you want to register Event Importer as a Windows service? [Yes/No]:
Y: Registers Event Importer as a Windows service, and the service starts to download event log files to your chosen delivery channel location. The user who started the installation process must have administrator permissions.
N: EventsFeederImporter.Host.exe launches in a new command window and begins to download log files to your delivery channel location.
For information about the Event Importer configuration settings and how to update them, go to Modify Event Importer Settings.
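An added check, not part of the WatchGuard documentation or product: after the wizard finishes, this PowerShell script lists access-control entries that give broad user groups any access to Configuration.json (which stores the settings with personal data obfuscated) or write access to the two executables. The default folder C:\EventImporter is an assumed placeholder for your Event Importer root folder, and the function name Get-BroadAccessEntry is introduced here for illustration.

```powershell
# Added example, not WatchGuard code. Run from an elevated PowerShell prompt.
param(
    # Assumed placeholder; replace with your Event Importer root folder.
    [string]$InstallDir = 'C:\EventImporter'
)

# Well-known SIDs: Everyone, Authenticated Users, BUILTIN\Users.
$BroadSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'
# Rights that let an account change or replace a file.
$WriteBits = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'

function Get-BroadAccessEntry {
    param(
        [Parameter(Mandatory)][string]$Path,
        [switch]$WriteOnly   # report only entries that allow modification
    )
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try {
            $sid = $ace.IdentityReference.Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }   # account name cannot be resolved: skip it
        if ($sid -notin $BroadSids) { continue }
        if ($WriteOnly -and (([int]$ace.FileSystemRights -band $WriteBits) -eq 0)) { continue }
        [pscustomobject]@{
            File      = Split-Path -Leaf $Path
            Identity  = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

$findings = @(
    # The configuration file holds the wizard's settings: report any broad access, even read.
    Get-BroadAccessEntry -Path (Join-Path $InstallDir 'Configuration.json')
    # The executables run elevated or as a service: report broad write access.
    foreach ($exe in 'EventsFeederImporter.Host.exe', 'EventsFeederImporter.ConfigAssistant.exe') {
        Get-BroadAccessEntry -Path (Join-Path $InstallDir $exe) -WriteOnly
    }
)

if ($findings.Count -gt 0) {
    $findings | Format-Table -AutoSize
} else {
    'No broad access entries found.'
}
```

Entries marked Inherited come from the parent folder, so tighten the permissions there rather than on the individual file.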