01-11-2023 08:14 PM
HI
We are using cortex XDR and planning to deploy the XSIAM. We are working on the deployment. While reading the below document for collecting Windows events,
My question is,
We have the broker VM configured.
All the Windows Servers are running XDR agents 7.9
As per document, the solution requires to install XDR collector in the servers. So, As we are running XDR agents, so do we need to install XDR collectors in the server which will reside with XDR agents parallelly and will collect the Windows Events ?
01-12-2023 09:24 AM
Hi @Ariq_Aziz
Thank you for writing to live community.
Please allow me to explain the difference between using BrokerVM and XDR Collectors to collect windows events:
Both BrokerVM and the XDR Collector are able to collect any kind of windows event log.
The main difference between the two would be that BrokerVM needs to be configured on the domain controller level, establishes a remote connection and allows all Windows domain members to push their logs into BrokerVM. Whereas, the XDR Collector is an agent reading directly from the filesystem and enables you to collect file and log data using the Elasticsearch Filebeat default configuration file.
In your instance, if you are already using BrokerVM to collect Windows event longs (assuming you tested and made sure it works) installing the XDR Collector is optional.
01-12-2023 09:24 AM
Hi @Ariq_Aziz
Thank you for writing to live community.
Please allow me to explain the difference between using BrokerVM and XDR Collectors to collect windows events:
Both BrokerVM and the XDR Collector are able to collect any kind of windows event log.
The main difference between the two would be that BrokerVM needs to be configured on the domain controller level, establishes a remote connection and allows all Windows domain members to push their logs into BrokerVM. Whereas, the XDR Collector is an agent reading directly from the filesystem and enables you to collect file and log data using the Elasticsearch Filebeat default configuration file.
In your instance, if you are already using BrokerVM to collect Windows event longs (assuming you tested and made sure it works) installing the XDR Collector is optional.
01-14-2023 02:02 PM
HI Mavraham
Thanks a lot for the reply. It's really helpful. 🙂 it seems like we dont need Collector as we have the Broker VM. Thanks again.
02-27-2024 03:24 AM
Hi @mavraham, If we use XDR collector to colelct WEC logs, do we need to install that agent on all endpoints?
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
