Windows Event Collector vs XDR collector

SeanDeHarris — Tue, 02 Dec 2025 09:44:28 GMT

Hello guru,

it seems both served the same purpose to me. all i would like to ingest the event logs for analystic purpose.

except the configuration nature, like WEC required AD config and XDR collector need an agent installed.

what is the pros and cons for for WEC and XDR collector?

any use case for each?

thanks

SdG

Re: Windows Event Collector vs XDR collector

susekar — Mon, 22 Dec 2025 20:30:28 GMT

Hello @SeanDeHarris

Greetings for the day!

Both the Windows Event Collector (WEC) applet and the Cortex XDR Collector (XDRC) are designed to ingest Windows event logs into the Cortex XDR / XSIAM data lake for analysis and detection. While they share the same primary objective, they differ significantly in architecture, deployment complexity, and supported use cases.

Feature	Windows Event Collector (WEC)	Cortex XDR Collector (XDRC)
Architecture	Centralized collection using a Broker VM with the WEC applet	Distributed collection using a dedicated XDR Collector service installed per host
Host Configuration	Agentless on source servers; relies on native Windows Event Forwarding (WEF)	Agent-based; requires installation of the XDR Collector service (separate from the standard XDR Agent)
Setup Complexity	High; requires configuration of WEF, subscription managers, Group Policy Objects (GPOs), and TLS certificates	Moderate; requires agent installation but avoids complex WEF infrastructure
Data Types Supported	Windows Event Logs (Security, System, Application)	Windows Event Logs, file-based logs, and DNS/DHCP logs
Operating System Support	Windows only	Windows and Linux

Advantages and Limitations

Windows Event Collector (WEC)

Advantages

Agentless deployment: Uses built-in Windows capabilities without requiring additional software on source servers.
Centralized efficiency: Well suited for aggregating logs from a large number of servers through a single Broker VM.
Rich event data: Recommended for detailed and well-parsed Windows event logging.

Limitations

Complex configuration: Requires careful management of GPOs, certificates, and WEF subscriptions across the domain.
Infrastructure dependency: Relies on a functioning Broker VM and stable WinRM connectivity.

Cortex XDR Collector (XDRC)

Advantages
- Simplified deployment: Faster to deploy compared to building and maintaining a full WEF infrastructure.
- Versatility: Supports Linux systems and can ingest a wider range of log types, including file-based logs that WEC cannot collect.
- Granular control: YAML-based configuration allows precise filtering and custom collection rules.
Limitations
- Additional agent overhead: Requires maintaining an extra service on the endpoint.
- Configuration sensitivity: YAML configuration files are strict; syntax or indentation errors can cause log ingestion to fail.

FYI: Licensing Considerations

Both WEC and XDRC generally require Cortex XDR Pro per GB licensing for log ingestion. While the standard Cortex XDR Agent with an Extended Threat Hunting (XTH) add-on can collect a limited subset of Windows event logs, it is subject to rate limiting and is not intended for high-volume audit logging environments such as heavily utilized Domain Controllers.

If this response has answered your query, please let us know by clicking Like and selecting Mark this as a Solution.

Thanks & Regards,
S. Subashkar Sekar

Re: Windows Event Collector vs XDR collector

SeanDeHarris — Mon, 16 Mar 2026 03:10:25 GMT

Hello Sekar,

Just wondering if XDRC required internet connection for each XDRC agent, can I leverage BVM for this?

Thanks,

SDH

topic Re: Windows Event Collector vs XDR collector in Cortex XDR Discussions

Windows Event Collector vs XDR collector

Re: Windows Event Collector vs XDR collector

Advantages and Limitations

Windows Event Collector (WEC)

Re: Windows Event Collector vs XDR collector