topic 回應： [Cortex XSIAM ] XDR Collector Collect Windows Security Log。XDR Collectors Administration Status display "Error". in Cortex XSIAM Discussions

[Cortex XSIAM ] XDR Collector Collect Windows Security Log。XDR Collectors Administration Status display "Error".

j.chen644219 — Tue, 09 Dec 2025 02:27:34 GMT

Currently, I'm using the default templates.

Despite trying many tests, this error message persists.

Am I missing any information?

XDR Collectors Administration Status display "Error".

Error Message :
Exiting: no modules or inputs enabled and configuration reloading disabled.
What files do you want me to watch?

XDR Collectors Administration

View Collector Policy - Filebeat (Use Default Template)
View Collector Policy - Winlogbeat (Windows Security / Microsoft ADFS Template)

Query Builder - search microsoft_windows_raw (collected windows security log)

I would appreciate any further suggestions on how to resolve this.

Thank you.

回應： [Cortex XSIAM ] XDR Collector Collect Windows Security Log。XDR Collectors Administration Status display "Error".

j.chen644219 — Wed, 10 Dec 2025 07:38:15 GMT

Now the profile changed Configuration .

I'm wondering if the YAML itself is the problem.

It's possible that XDRC is unable to communicate with XSIAM.

1. Remove the agent remotely via XSIAM.

2. Changes to the weblogbeat profile's YAML file can be synchronized to the Windows server.

Therefore, I don't understand...

1. What does this "error" status affect?

2. What does this "Error" status mean?

winlogbeat YAML :

---
winlogbeat.event_logs:
- name: Security
ignore_older: 1h
processors:
- drop_event.when.not.or:
- regexp.winlog.event_id: (110[0-2]|462[45]|4634|464[78]|4662|4672|4674|46[89]8)
- regexp.winlog.event_id: (4702|4713|4720|472[2-9]|473[1-3578]|474[0-3]|475[4-7]|476[4-9])
- regexp.winlog.event_id: (477[0126]|4780|4799|480[0-3]|482[1-5]|488[67]|4899|4900|505[89]|5061|5140)
- name: System
- name: Application

YAML Test is "Valid YAML!"

Query Log

Re: [Cortex XSIAM ] XDR Collector Collect Windows Security Log。XDR Collectors Administration Status display "Error".

F.Ronchi — Thu, 15 Jan 2026 09:42:51 GMT

Dear,

Same problem using cortex xdr, i have opened a Tac a days before, below what they said:

//***************************//

Hi Fabrizio,

Greetings of the day!

Thank you for your patience.

I would like to update you that if the profile running on this machine—or the YAML configuration applied—is only a Winlogbeat profile, then this error is expected. As long as the customer has not configured or is not using any Filebeat service on these XDR Collectors, this error can be safely ignored.

Additionally, the backend team is aware of this issue, and it is expected to be fixed in the next release of the XDR Collector.
//***************************//

Regards

回應： [Cortex XSIAM ] XDR Collector Collect Windows Security Log。XDR Collectors Administration Status display "Error".

j.chen644219 — Fri, 16 Jan 2026 01:39:17 GMT

Anothenr one solution :

- Add Filebeat profile for XDR Collector Logs

- Aplly winlogbet and filebeat Profile on policy

- View target status on XDR Collctors Administration

This necessitated the collection of additional xdr logs.