Configure Event Log Storage and Forwarding

Applies To: WatchGuard SIEMFeeder This topic applies to the WatchGuard endpoint security module, SIEMFeeder. SIEMFeeder is available with WatchGuard EPDR and WatchGuard EDR.

WatchGuard Event Importer provides several methods to store or forward event log files. Network architecture, available resources, volume of event log files that Event Importer receives from the Microsoft Azure infrastructure, and the event log files the WatchGuard SIEMFeeder service creates, can help you to decide the method to use.

This topic describes how Event Importer can:

• Save log files to a local or remote folder
• Send log files to an Apache Kafka server
• Send log files to a syslog server
  

Save Log Files to a Local or Remote Folder

Complete these steps to save log files to a local or remote folder:

1. On the computer that runs Event Importer, or on a shared drive or resource, create a folder to store the log files.
   
2. Proceed through the configuration wizard until the wizard prompts you to select a storage location where you want to deliver events that you receive. At the command prompt, type F to select the [F]ile on Disk option:
   Select where you want to deliver received events: [F]ile on disk, [K]afka topic/queue, or [S]yslog server.
3. At the command prompt, enter the folder path location, local or remote.
4. At the command prompt, type N to complete configuration of this delivery method:
   Do you want to configure another delivery channel? [Yes/No]

Send Log Files to an Apache Kafka Server

You can use an Apache Kafka server to help manage your log files. Kafka is an open-source, event streaming platform, used for data pipelines and integration.

Complete the steps in this procedure to send to a Kafka server:

1. Proceed through the configuration wizard until the wizard prompts you to select a storage location where you want to deliver events that you receive. At the command prompt, type K to select the Kafka Topic/Queue option:
   Select where you want to deliver received events: [F]ile on disk, [K]afka topic/queue, or [S]yslog server.
2. At the command prompt, enter the IP address or domain name of the Kafka server and the listening port, separated by a colon. For example: example.com:9092 or 192.0.2.1:9092
   Enter the Kafka broker endpoint (including the full URI with schema, domain/IP and port):
   
3. At the command prompt, enter the name of the queue or topic to send log files to on the Kafka server. For example: SiemFeederTopic
   Enter the Kafka topic/queue where you want to send messages:
4. At the command prompt, enter the communication protocol to use to send log files to the Kafka server.
   Enter the secure protocol you want to use to communicate with the server: [N]one, [S]SL, S[A]SL_SSL, or SASL_PLAIN[T]EXT:
   The options include:
   • None — Type N to use the unencrypted format.
   • SSL — Type S to use SSL encryption.
   • SASL_SSL — Type A to use SASL/SSL encryption.
   • SASL_PLAINTEXT — Type T and to use SASL/PLAIN text encryption.
     

5. (Optional) If the chosen communication protocol encrypts data, you must enter the path of the file that contains the certificate issued by the CA configured on the Kafka server.
   Depending on the communication protocol, you might have to provide a server user name and password.
   
6. At the command prompt, type N to complete configuration of this delivery method:
   Do you want to configure another delivery channel? [Yes/No]

Send Log Files to a Syslog Server

You can use a syslog server to help manage your log files and centralize the collection of log files from different locations and systems.

Complete these steps to send log files to a syslog server:

1. Proceed through the configuration wizard until the wizard prompts you to select a storage location where you want to deliver events that you receive. At the command prompt, type S to select the Syslog server option:
   Select where you want to deliver received events: [F]ile on disk, [K]afka topic/queue, or [S]yslog server.
2. At the command prompt, select the message format configured on the syslog server for the received log files:
   Which message format do you want to use?
   RFC[5]424 or RFC[3]164.
3. At the command prompt, enter the IP address or domain name of the syslog server and the listening port, separated by a colon. For example: example.com:9092 or 192.0.2.1:9092
   Enter the host name and port that the Syslog server listens to (domain/IP and port):

4. At the command prompt, select the transport protocol configured on the syslog server for the received log files:
   Which transport protocol do you want to use to communicate with the server? [T]CP or [U]DP:

   To make sure the syslog server receives all the log files that Event Importer sends, we recommend use of the TCP transport protocol on both ends of the communication. If the transport protocol is UDP, no end-of-line marker is used. If the transport protocol is TCP or TLS, a null end-of-line marker is used.

5. At the command prompt, select the cryptographic protocol to use to encrypt communications between the syslog server and Event Importer:
   Which secure protocol do you want to use? [N]one or TLS 1.[2]:
6. If the communication protocol chosen encrypts data, indicate the location of the certificate issued by the CA configured on the syslog server.
   The options to indicate the location of the certificate command include:
   
   • [F]ile — CA certificate is in a separate file.
   • [C]ert Store — CA certificate found in the local certificate store on the computer where Event Importer runs, in the Trusted People certificates branch (Windows only).
7. At the command prompt, select the end-of-message marker that the syslog server configures for the received log files:
   Which message delimiter do you want to use? [C]R,[L]F, or C[R]LF:

8. At the command prompt, type N to complete configuration of this delivery method:
   Do you want to configure another delivery channel? [Yes/No]

Related Topics

About SIEMFeeder

About Event Importer

Configure and Run Event Importer