XDRC Connection Error

SeanDeHarris — Wed, 18 Mar 2026 09:24:25 GMT

Hello experts,

I have two XDRC installed on W2016 server, both are connected through same BrokerVM. Even tried test if the BVM and XDRC connection was fine, I did a test to run "uninstall collector" from Console, it was successful.

From XDRC Adminsitration, The status shown :Warning, however, the last seen was up to date.

From XQL queries:

dataset = collection_auditing

It shown "Failed to get local ip by connecting to server address: 'distributions.traps.paloaltonetworks.com'."

SSH to the BVM

1. openssl s_client -connect distributions.traps.paloaltonetworks.com:443

2. ping distributions.traps.paloaltonetworks.com

Both succeeded.
Any ides?

Re: XDRC Connection Error

Vinothkumar_SBA — Thu, 19 Mar 2026 10:36:06 GMT

Hello SeanDeHarris,

Please review the warning descriptions below. If the descriptions match your observations, kindly follow the troubleshooting steps provided.

XDRC Log Collector Type	Event Type	Message in the XDR Collectors Administration Page and Description in the collection_auditing dataset	Root Cause	Recommended Action
Filebeat / Winlogbeat	Warning	Filebeat / Winlogbeat not installed	The Filebeat / Winlogbeat file is missing at the content folder:"C:\ProgramData\XDR Collector\Data\content\filebeat-windows-x86_64\filebeat.exe""C:\ProgramData\XDR Collector\Data\content\winlogbeat-windows-x86_64\winlogbeat.exe"	Stop the collector. Delete the Data folder. Start the collector.
XDRC	Warning	No incoming data for more than 24 hours	The Filebeat / Winlogbeat didn't upload new data in the last 24 hours since the last upload.	Check why the configured files no longer receive log files to upload.
XDRC	Warning	No incoming data for more than 7 days	The Filebeat / Winlogbeat didn't upload new data for the last 7 days since the last upload.	Check why the configured files no longer receive log files to upload.

Step 1: Check if Filebeat / Winlogbeat processes are running

1. On the collector server, open Task Manager (or PowerShell).

2. Look for these processes:

- filebeat.exe

- winlogbeat.exe

3. If they are not running, the collector cannot send logs.

If not running:

- Start the collector service:

net start "XDR Collector"

Step 2: Verify the log file paths

1. Check which files are configured to be collected:

- Filebeat: C:\ProgramData\XDR Collector\Data\content\filebeat-windows-x86_64\filebeat.yml

- Winlogbeat: C:\ProgramData\XDR Collector\Data\content\winlogbeat-windows-x86_64\winlogbeat.yml

2. Open the .yml configuration files and verify:

- Input paths exist (C:\Windows\System32\winevt\Logs\*.evtx for Winlogbeat, custom logs for Filebeat)

- There are no syntax errors

Step 3: Check permissions

1. Ensure the XDR Collector service account can read the log files and write to the Data folder.

2. Verify permissions on:

- C:\ProgramData\XDR Collector\Data\content

- The directories containing the log files to be collected

Step 4: Review Filebeat / Winlogbeat logs

1. Navigate to log folder:

C:\ProgramData\XDR Collector\Data\log

2. Open filebeat.log and winlogbeat.log

3. Look for errors like:

- File not found

- Permission denied

- Network errors (cannot reach broker or distribution server)

Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.

topic Re: XDRC Connection Error in Cortex XSIAM Discussions

XDRC Connection Error

Re: XDRC Connection Error

XDRC Log Collector Type

Event Type

Message in the XDR Collectors Administration Page and Description in the collection_auditing dataset

Root Cause

Step 1: Check if Filebeat / Winlogbeat processes are running

Step 2: Verify the log file paths

Step 3: Check permissions

Step 4: Review Filebeat / Winlogbeat logs