https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/do-we-need-to-install-xdr-collectors-in-our-servers-to-collect/m-p/1232093#M8456 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/167148">@mavraham</a>&nbsp;</P> <P>Does the XDR collector support Event Forwarding funtion?&nbsp;<BR />Or we need to install the XDRC on each endpoints/servers/DC to collect the Windows event?</P> <P>Thanks</P> Thu, 19 Jun 2025 05:50:19 GMT SeanDeHarris 2025-06-19T05:50:19Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/do-we-need-to-install-xdr-collectors-in-our-servers-to-collect/m-p/526746#M3387 <P>HI</P> <P>We are using cortex XDR and planning to deploy the XSIAM. We are working on the deployment. While reading the below document for collecting Windows events,</P> <P>&nbsp;<A href="https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/XDR-Collector-Machine-Requirements-and-Supported-Operating-Systems" target="_blank">XDR Collector Machine Requirements and Supported Operating Systems • Cortex XDR Pro Administrator Guide • Reader • Palo Alto Networks documentation portal</A></P> <P>My question is,</P> <P>We have the broker VM configured.</P> <P>All the Windows Servers are running XDR agents 7.9</P> <P>As per document, the solution requires to install XDR collector in the servers. So, As we are running XDR agents, so do we need to install XDR collectors in the server which will reside with XDR agents parallelly and will collect the Windows Events ?</P> Thu, 12 Jan 2023 04:14:36 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/do-we-need-to-install-xdr-collectors-in-our-servers-to-collect/m-p/526746#M3387 Ariq_Aziz 2023-01-12T04:14:36Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/do-we-need-to-install-xdr-collectors-in-our-servers-to-collect/m-p/526813#M3394 <P><SPAN>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/248058">@Ariq_Aziz</a>&nbsp;</SPAN><SPAN><BR /></SPAN><SPAN><BR /></SPAN><SPAN>Thank you for writing to live community.</SPAN><SPAN><BR /></SPAN><SPAN><BR /></SPAN><SPAN>Please allow me to explain the difference between using BrokerVM and XDR Collectors to collect windows events:</SPAN><SPAN><BR /></SPAN><SPAN><BR /></SPAN><SPAN>Both BrokerVM and the XDR Collector are able to collect any kind of windows event log.</SPAN><SPAN><BR /></SPAN><SPAN><BR /></SPAN><SPAN>The main difference between the two would be that BrokerVM needs to be </SPAN><A href="https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Activate-the-Windows-Event-Collector?tocId=3WWvlzLnB_9RU9HZjnJyVw" target="_blank"><SPAN>configured on the domain controller level</SPAN></A><SPAN>, establishes a remote connection and allows all Windows domain members to push their logs into BrokerVM. Whereas, the XDR Collector is an agent reading directly from the filesystem and enables you to </SPAN><A href="https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Add-an-XDR-Collector-Profile-for-Windows" target="_blank"><SPAN>collect file and log data using the Elasticsearch Filebeat default</SPAN> <SPAN>configuration file</SPAN></A><SPAN>.&nbsp;</SPAN></P> <P>&nbsp;</P> <P><SPAN>In your instance, if you are already using BrokerVM to collect Windows event longs (assuming you tested and made sure it works) installing the XDR Collector is optional.</SPAN></P> Thu, 12 Jan 2023 17:24:52 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/do-we-need-to-install-xdr-collectors-in-our-servers-to-collect/m-p/526813#M3394 mavraham 2023-01-12T17:24:52Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/do-we-need-to-install-xdr-collectors-in-our-servers-to-collect/m-p/527062#M3398 <P>HI Mavraham</P> <P>Thanks a lot for the reply. It's really helpful. <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> it seems like we dont need Collector as we have the Broker VM. Thanks again.</P> Sat, 14 Jan 2023 22:02:43 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/do-we-need-to-install-xdr-collectors-in-our-servers-to-collect/m-p/527062#M3398 Ariq_Aziz 2023-01-14T22:02:43Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/do-we-need-to-install-xdr-collectors-in-our-servers-to-collect/m-p/578452#M6155 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/167148">@mavraham</a>, If we use XDR collector to colelct WEC logs, do we need to install that agent on all endpoints?&nbsp;</P> Tue, 27 Feb 2024 11:24:55 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/do-we-need-to-install-xdr-collectors-in-our-servers-to-collect/m-p/578452#M6155 JahidAliyev 2024-02-27T11:24:55Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/do-we-need-to-install-xdr-collectors-in-our-servers-to-collect/m-p/1232093#M8456 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/167148">@mavraham</a>&nbsp;</P> <P>Does the XDR collector support Event Forwarding funtion?&nbsp;<BR />Or we need to install the XDRC on each endpoints/servers/DC to collect the Windows event?</P> <P>Thanks</P> Thu, 19 Jun 2025 05:50:19 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/do-we-need-to-install-xdr-collectors-in-our-servers-to-collect/m-p/1232093#M8456 SeanDeHarris 2025-06-19T05:50:19Z