Applies To: WatchGuard SIEMFeeder
A security information and event management (SIEM) server can receive the WatchGuard Cloud infrastructure data that WatchGuard Event Importer downloads from the Microsoft Azure infrastructure. Event Importer manages the data in the form of log files. When a SIEM server receives the log files, you can store and use the log files to help detect suspicious processes that could pose a security threat to your network of computers.
To manage the log files, you must use a SIEM server that is compatible with the log formats that the WatchGuard SIEMFeeder service supports. The SIEMFeeder service requires a SIEM server that supports Common Event Format (CEF) or Log Event Extended Format (LEEF).
Supported SIEM Servers
The SIEM server must be able to receive data in either the CEF or LEEF format. Here is a partial list of SIEM servers that are compatible with these two formats:
- AlienVault Unified Security Management (USM)
- Fortinet (AccelOps) FortiSIEM
- Micro Focus ArcSight
- Hewlett Packard Enterprise (HPE) ArcSight
- IBM QRadar Security Intelligence Platform
- Intel Security McAfee Enterprise Security Manager (ESM)
- LogRhythm
- SolarWinds Log & Event Manager (LEM)
- Splunk Security Intelligence Platform
By default, logs are sent in LEEF format. To receive logs in CEF format, send an email message with your request and your WatchGuard account number to [email protected].
SIEM Server Log File Access
For the SIEM server to obtain the log files, you configure a storage channel in the Event Importer application to indicate where Event Importer sends the log files that it receives. The SIEM server can obtain files from these storage locations:
- Local folder where the Event Importer computer stores the received logs.
- Apache Kafka queue server that collects the logs sent by Event Importer.
- Syslog server that collects the logs sent by Event Importer.