About SIEM Servers

Applies To: WatchGuard SIEMFeeder

A security information and event management (SIEM) server can receive the WatchGuard Cloud infrastructure data that WatchGuard Event Importer downloads from the Microsoft Azure infrastructure. Event Importer manages the data in the form of log files. When a SIEM server receives the log files, you can store and use the log files to help detect suspicious processes that could pose a security threat to your network of computers.

To manage the log files, you must use a SIEM server that is compatible with the log formats that the WatchGuard SIEMFeeder service supports. The SIEMFeeder service requires a SIEM server that supports Common Event Format (CEF) or Log Event Extended Format (LEEF).

Supported SIEM Servers

The SIEM server must be able to receive data in either the CEF or LEEF format. Here is a partial list of SIEM servers that are compatible with these two formats:

  • AlienVault Unified Security Management (USM)
  • Fortinet (AccelOps) FortiSIEM
  • Micro Focus ArcSight
  • IBM QRadar Security Intelligence Platform
  • Intel Security McAfee Enterprise Security Manager (ESM)
  • LogRhythm
  • SolarWinds Log & Event Manager (LEM)
  • Splunk Security Intelligence Platform

SIEM Server Log File Access

For the SIEM server to obtain the log files, you configure a storage channel in the Event Importer application to indicate where Event Importer sends the log files that it receives. The SIEM server can obtain files from these storage locations:

See Also

About SIEMFeeder

About Event Importer

SIEMFeeder Requirements