12-02-2025 01:44 AM
Hello guru,
It seems both serve the same purpose to me. All I would like is to ingest the event logs for analytics purposes.
Apart from the configuration nature, WEC requires AD config and XDR Collector needs an agent installed.
What are the pros and cons of WEC and XDR Collector?
Any use cases for each?
Thanks
SdG
12-22-2025 12:30 PM
Hello @SeanDeHarris
Greetings for the day!
Both the Windows Event Collector (WEC) applet and the Cortex XDR Collector (XDRC) are designed to ingest Windows event logs into the Cortex XDR / XSIAM data lake for analysis and detection. While they share the same primary objective, they differ significantly in architecture, deployment complexity, and supported use cases.
| Feature | Windows Event Collector (WEC) | Cortex XDR Collector (XDRC) |
|---|---|---|
| Architecture | Centralized collection using a Broker VM with the WEC applet | Distributed collection using a dedicated XDR Collector service installed per host |
| Host Configuration | Agentless on source servers; relies on native Windows Event Forwarding (WEF) | Agent-based; requires installation of the XDR Collector service (separate from the standard XDR Agent) |
| Setup Complexity | High; requires configuration of WEF, subscription managers, Group Policy Objects (GPOs), and TLS certificates | Moderate; requires agent installation but avoids complex WEF infrastructure |
| Data Types Supported | Windows Event Logs (Security, System, Application) | Windows Event Logs, file-based logs, and DNS/DHCP logs |
| Operating System Support | Windows only | Windows and Linux |
Windows Event Collector (WEC)
Advantages
Agentless deployment: Uses built-in Windows capabilities without requiring additional software on source servers.
Centralized efficiency: Well suited for aggregating logs from a large number of servers through a single Broker VM.
Rich event data: Recommended for detailed and well-parsed Windows event logging.
Limitations
Complex configuration: Requires careful management of GPOs, certificates, and WEF subscriptions across the domain.
Infrastructure dependency: Relies on a functioning Broker VM and stable WinRM connectivity.
Cortex XDR Collector (XDRC)
Advantages
Simplified deployment: Faster to deploy compared to building and maintaining a full WEF infrastructure.
Versatility: Supports Linux systems and can ingest a wider range of log types, including file-based logs that WEC cannot collect.
Granular control: YAML-based configuration allows precise filtering and custom collection rules.
Limitations
Additional agent overhead: Requires maintaining an extra service on the endpoint.
Configuration sensitivity: YAML configuration files are strict; syntax or indentation errors can cause log ingestion to fail.
FYI: Licensing Considerations
Both WEC and XDRC generally require Cortex XDR Pro per GB licensing for log ingestion. While the standard Cortex XDR Agent with an Extended Threat Hunting (XTH) add-on can collect a limited subset of Windows event logs, it is subject to rate limiting and is not intended for high-volume audit logging environments such as heavily utilized Domain Controllers.
If this response has answered your query, please let us know by clicking Like and selecting Mark this as a Solution.
Thanks & Regards,
S. Subashkar Sekar