Troubleshoot SIEMFeeder
Applies To: WatchGuard Advanced EPDR, WatchGuard EPDR, WatchGuard EDR
WatchGuard SIEMFeeder can send WatchGuard Endpoint Security data to a SIEM platform. Before SIEMFeeder sends the data, SIEMFeeder enriches the data with security intelligence. SIEMFeeder then creates a single data flow to deliver the data to a compatible SIEM server. Administrators can use this data to help detect unknown threats, targeted attacks, and advanced malware.
WatchGuard Event Importer is an application that you can use to download data that the SIEMFeeder service generates from computer process activity on the network.
To troubleshoot the SIEMFeeder service:
- Configure your firewall to allow authentication URLs. For more information, see the Firewall Configuration section of Event Importer Requirements.
- Make sure the computer, network, and SIEM server meet these requirements.
- Make sure to use the latest version of SIEMFeeder. You can download the install package from the Software Downloads page on the WatchGuard website, in the Endpoint Software section.
- Make sure that you have an active SIEMFeeder license. You must have as many active licenses for the SIEMFeeder service as you do for WatchGuard EDR or WatchGuard EPDR. For more information, see SIEMFeeder Requirements.
- Make sure to use the correct credentials to configure Event Importer. For more information, see Configure WatchGuard Cloud API Settings.
Collect Data
You can edit the configuration.json file to collect logs that you can send to Support.
To edit the .JSON file:
- Stop the Event Importer service.
- Browse to the Event Importer install directory.
- Use a notepad application to open the configuration.json file.
- Change the text, "TrazeLevel": "Error" to "TrazeLevel": "Information".
- Save the file.
- Start the Event Importer service and reproduce the issue.
Collect this data and contact Support:
- Compress and save the log folder located in the Event Importer install directory.
- Make a copy of the configuration.json file located in the Event Importer install directory.
- Make a note of your email address and Event Importer credentials.
- Make a copy of the version.txt file located in the Event Importer install directory.
- Create a screenshot of the output when you run these commands, which list all open ports and active connections.
Open a command window prompt with administrator privileges and type:- netstat –ano | findstr "5671"
- netstat –ano | findstr "5672"
If you run more than one Event importer instance simultaneously, provide data for each instance.
After you collect this data, send it to Support. You can also revert changes made to the configuration.json file.
You can use the PSInfo tool to provide diagnostic logs to help Support troubleshoot your issue. For more information, go to Get Started with PSInfo.
Before you contact Support, enable Support Access to your WatchGuard Cloud account.