Configure and Run Event Importer
Applies To: WatchGuard SIEMFeeder
You use WatchGuard Event Importer to download event log files that the WatchGuard SIEMFeeder service creates. This help topic describes how to run the Event Importer configuration wizard and generate a configuration file. Event Importer uses the configuration file to apply options that include where to store log files and whether to run from the command-line or in service mode.
For information about requirements, go to Event Importer Requirements.
On Windows:
- Download the Event Importer install package from the Software Downloads page on the WatchGuard website, in the Endpoint Software section.
- Unpack the install folder to a location of your choice.
- Browse to the root folder of your Event Importer install.
- Right-click the EventsFeederImporter.ConfigAssistant.exe file and select Run as Administrator.
The Command Prompt window opens.
- At the command prompt, type Y to change the configuration:
Do you want to change the current channel configuration? [Yes/No]:
Event Importer generates a new configuration file that overrides the existing file, then launches the configuration wizard.
- At the command prompt, type Y or N to configure a proxy connection:
Is Event Importer behind a proxy server? [Yes/No]:
- If the Event Importer computer is behind a proxy server, Event Importer prompts you to type the proxy server address and port, as well as the user name and password if the proxy server requires authentication. For example: example.com:9092 or 192.0.2.1:9092.
Event Importer uses the configured proxy server only to connect to the Azure infrastructure assigned to the user. It does not use the proxy to connect to other resources such as a file server, an Apache Kafka server, or a syslog server. The use of the system proxy for SIEMFeeder communication is not supported.
- At the command prompt, type W to configure the WatchGuard Endpoint Security platform:
Select your platform: [C]urrent, [L]egacy, or [W]G Endpoint Security:
- At the command prompt, type your WatchGuard Cloud API key:
Enter WatchGuard user credentials:
API key:
For information about WatchGuard user credentials and the API key, go to Configure WatchGuard Cloud API Settings.
- At the command prompt, type your WatchGuard Cloud account ID:
Account ID:
To find your WatchGuard Cloud account ID, go to See My Account Information.
- At the command prompt, type your WatchGuard Cloud account User Access ID (read only):
Access ID (Read-only):
- At the command prompt, type your WatchGuard Cloud account password:
Password:
- At the command prompt, type N, J, or E to select the region of your WatchGuard Cloud account:
Region ((N)orth America, (J)apan, (E)urope):
- At the command prompt, type Y to configure delivery channels for the event log files:
Event Importer enables you to send received events simultaneously to various channels.
Do you want to change the current channel configuration? [Yes/No]:
- At the command prompt, type F, K, or S to configure a delivery channel for the event log files:
Select where you want to deliver received events: [F]ile on disk, [K]afka topic/queue, or [S]yslog server:
For more information on delivery channels, go to Configure Event Log Storage and Forwarding.
- At the command prompt, type Y or N to set up another delivery channel:
Do you want to configure another delivery channel? [Yes/No]:
- At the command prompt, type Y or N to configure the execution mode:
Do you want to register Event Importer as a Windows service? [Yes/No]:
Event Importer can run as a service or in command-line mode.
Y: Registers Event Importer as a Windows service, and the service starts to download event log files to your chosen delivery channel location. The user who started the installation process must have administrator permissions.
N: EventsFeederImporter.Host.exe launches in a new command window and begins to download log files to your delivery channel location.
For information about the Event Importer configuration settings and how to update them, go to Modify Event Importer Settings.
On Linux:
- Download the Event Importer install package from the Software Downloads page on the WatchGuard website, in the Endpoint Software section.
- Unpack the install folder to a location of your choice.
- For a Linux distribution to run an application, you must first turn on the execute bit of the file. At the command prompt, type:
sudo chmod a+x /#_SAMPLEFOLDER_SiemFeeder#/EventsFeederImporter.Multiplatform.Host
The variable /#_SAMPLEFOLDER_SiemFeeder#/ is the full path to the folder where the uncompressed package resides on your computer.
This file imports the log files that contain the events that occur on user computers.
- Then, with the same chmod command as in the previous step, turn on the execute bit of this file:
EventsFeederImporter.Multiplatform.ConfigAssistant
This file starts the configuration wizard that contains the parameters to configure Event Importer.
- To configure Event Importer, at the command line, type the command:
./EventsFeederImporter.Multiplatform.ConfigAssistant
- At the command prompt, type Y to change the configuration:
Do you want to change the current channel configuration? [Yes/No]:
Event Importer generates a new configuration file that overrides the existing file, then launches the configuration wizard.
- At the command prompt, type Y or N to configure a proxy connection:
Is Event Importer behind a proxy server? [Yes/No]:
- If the Event Importer computer is behind a proxy server, Event Importer prompts you to enter the proxy server address and port, as well as the user name and password if the proxy server requires authentication. For example: example.com:9092 or 192.0.2.1:9092.
Event Importer uses the configured proxy server only to connect to the Azure infrastructure assigned to the user. It does not use the proxy to connect to other resources such as a file server, an Apache Kafka server, or a syslog server. The use of the system proxy for SIEMFeeder communication is not supported.
- At the command prompt, type W to configure the WatchGuard Endpoint Security platform:
Select your platform: [C]urrent, [L]egacy, or [W]G Endpoint Security:
- At the command prompt, type your WatchGuard Cloud API key:
Enter WatchGuard user credentials:
API key:
For information about user credentials and the API key, go to Configure WatchGuard Cloud API Settings.
- At the command prompt, type your WatchGuard Cloud account ID:
Account ID:
To find your WatchGuard Cloud account ID, go to See My Account Information.
- At the command prompt, type your WatchGuard Cloud account User Access ID (read only):
Access ID (Read-only):
- At the command prompt, type your WatchGuard Cloud account password:
Password:
- At the command prompt, type N, J, or E to select the region of your WatchGuard Cloud account:
Region ((N)orth America, (J)apan, (E)urope):
- At the command prompt, type Y to configure delivery channels for the event log files:
Event Importer enables you to send received events simultaneously to various channels.
Do you want to change the current channel configuration? [Yes/No]:
- At the command prompt, type F, K, or S to configure a delivery channel for the event log files:
Select where you want to deliver received events: [F]ile on disk, [K]afka topic/queue, or [S]yslog server:
For more information on delivery channels, go to Configure Event Log Storage and Forwarding.
- At the command prompt, type Y or N to set up another delivery channel:
Do you want to configure another delivery channel? [Yes/No]:
Y: Add another delivery channel.
N: EventsFeederImporter.Multiplatform.Host runs and begins to download event log files to your delivery channel location.
- (Optional) After you configure Event Importer, you can run it automatically as a background process at system startup. In daemon mode, Event Importer can run under a user account, but an administrator requires root permissions to configure it.
  - Configure Event Importer in command-line mode. Event Importer runs and obtains access and refresh tokens.
  - At the command line, stop Event Importer.
  - From the install folder of the application, open the siemfeeder.service file and, at the ExecStart line, replace the #_SAMPLEFOLDER_SiemFeeder# variable with the path to the folder that contains the EventsFeederImporter.Multiplatform.Host file.
  - Copy the siemfeeder.service file to the systemd unit directory of your Linux distribution. In most cases, the path is /lib/systemd/system or /usr/lib/systemd/system.
  - To add the service to the system startup sequence, run the command:
sudo systemctl enable siemfeeder
  - To start the siemfeeder service, run the command:
sudo systemctl start siemfeeder
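A shell helper for the daemon-mode setup above, added here as an example and not part of WatchGuard's package: it fills in the ExecStart placeholder in siemfeeder.service, refuses to continue if the Host binary lacks its execute bit or the placeholder survives, and warns when the unit has no User= line (systemd then runs it as root). The function names, the constructed sample unit in make_fixture, and the temp-directory fixture are assumptions; use the siemfeeder.service file shipped in your install folder for a real deployment.

```shell
# Added example, not WatchGuard's own tooling: prepare siemfeeder.service for daemon mode.
# Replaces the #_SAMPLEFOLDER_SiemFeeder# placeholder on the ExecStart line with the real
# install folder and checks the result before the unit is copied into the systemd directory.
# prepare_unit <unit-file> <install-folder> <output-file>
prepare_unit() {
    unit="$1"; folder="$2"; out="$3"
    host="$folder/EventsFeederImporter.Multiplatform.Host"
    # The Host binary must exist and carry the execute bit set earlier with chmod a+x.
    if [ ! -x "$host" ]; then
        echo "error: $host is missing or not executable" >&2
        return 1
    fi
    # Substitute the placeholder on the ExecStart line only; '|' avoids clashing with '/'.
    sed "/^ExecStart=/s|#_SAMPLEFOLDER_SiemFeeder#|$folder|g" "$unit" > "$out" || return 1
    # Refuse a unit that still carries the placeholder anywhere.
    if grep -q '#_SAMPLEFOLDER_SiemFeeder#' "$out"; then
        echo "error: placeholder still present in $out" >&2
        return 1
    fi
    # Without a User= line systemd runs the service as root; the page notes it can run as a user.
    grep -q '^User=' "$out" || echo "note: no User= line, service will run as root" >&2
    return 0
}

# Constructed fixture (assumption): a temp dir with a dummy executable Host and a sample unit.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/install"
    : > "$d/install/EventsFeederImporter.Multiplatform.Host"
    chmod a+x "$d/install/EventsFeederImporter.Multiplatform.Host"
    cat > "$d/siemfeeder.service" <<'EOF'
[Unit]
Description=WatchGuard SIEMFeeder Event Importer (constructed sample unit)

[Service]
ExecStart=#_SAMPLEFOLDER_SiemFeeder#/EventsFeederImporter.Multiplatform.Host

[Install]
WantedBy=multi-user.target
EOF
    echo "$d"
}

# Demo on the constructed fixture. For a real install, copy the output to
# /lib/systemd/system, then run: sudo systemctl enable siemfeeder && sudo systemctl start siemfeeder
if [ "${1:-}" = "demo" ]; then
    d=$(make_fixture)
    prepare_unit "$d/siemfeeder.service" "$d/install" "$d/siemfeeder.service.out" && cat "$d/siemfeeder.service.out"
fi
```

Run the script with the argument demo to see the rewritten unit printed from the constructed fixture.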
For information about Event Importer configuration settings and how to update them, go to Modify Event Importer Settings.