New to Advanced Reporting Tool or Siem feeder?

Comments

  • edited April 27

    Subject: SIEMFeeder Event Importer connected to Azure Service Bus but receiving zero events — how to enable endpoint forwarding?

    Hi everyone,

    I'm setting up SIEMFeeder to forward EPDR events to our internal SIEM. I have a trial license active until 2026-05-24 for our WatchGuard Endpoint Security 360 account (56 endpoints).

    Current status:

    • Event Importer v3.10 installed and running (tested on both Linux and Windows)
    • Successfully authenticated against WatchGuard Cloud API (EUR region)
    • Azure Service Bus connection: ESTABLISHED → 20.82.244.146:5671
    • Subscription active: sb://pac-prodv3-eu1-siemfeeder.servicebus.windows.net/siemfeeder_6386/Subscriptions/siemfeeder_6386
    • Log output: "Azure Service Bus subscription ready. Waiting for messages..."
    • Zero messages received after 48+ hours

    What I've verified:

    • SIEMFeeder trial license is active and visible under Inventory → Endpoint Security → Licenses
    • Endpoints have active EPDR (Endpoint Security 360) — detections and ThreatSync incidents confirmed via API
    • No SIEMFeeder configuration option visible anywhere in the Endpoint Security console (no policy setting, no module toggle)
    • Tried both platform options during setup: [C]urrent and [W]G Endpoint Security

    Questions:
    1. Is there a specific step required to enable EPDR event forwarding to the Service Bus topic, beyond activating the trial license?
    2. Should SIEMFeeder appear as a configurable module/policy inside the Endpoint Security console? We see nothing there.
    3. Does Event Importer need to run inside the same network as the EPDR endpoints, or is a cloud/VPS deployment supported?
    4. Is there a way to verify whether the Service Bus topic is actually receiving events from WatchGuard's side?

    Any help or guidance from someone who has SIEMFeeder working would be much appreciated. Thank you.

  • David_Carro, WatchGuard Representative

    Hello, @Angel

    Without data, we cannot know what the issue is in your specific case.
    So the best thing to do here is to open a case with support so they can start analysing it from provision to packet-send and identify where the error might be.


    David Carro | Technical support
    WatchGuard Technologies, Inc. | www.watchguard.com
