This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Buy or Renew
Buy or Renew

[Cortex XSIAM ] XDR Collector Collect Windows Security Log。XDR Collectors Administration Status display "Error".

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

[Cortex XSIAM ] XDR Collector Collect Windows Security Log。XDR Collectors Administration Status display "Error".

j.chen644219
L0 Member

‎12-08-2025 06:27 PM

Currently, I'm using the default templates.

Despite trying many tests, this error message persists.

Am I missing any information?

 

XDR Collectors Administration Status display "Error".

Error Message : 
Exiting: no modules or inputs enabled and configuration reloading disabled.
What files do you want me to watch?

 

XDR Collectors Administration

jchen644219_0-1765245869642.png

 

View Collector Policy - Filebeat  (Use Default Template)
View Collector Policy - Winlogbeat (Windows Security / Microsoft ADFS Template)

jchen644219_2-1765246646357.png

 

Query Builder - search microsoft_windows_raw  (collected windows security log)

jchen644219_3-1765246972416.png

 

I would appreciate any further suggestions on how to resolve this.

Thank you.

0 Likes Likes
1 REPLY 1

j.chen644219
L0 Member

‎12-09-2025 11:38 PM

Now the profile changed Configuration .

I'm wondering if the YAML itself is the problem.

 

It's possible that XDRC is unable to communicate with XSIAM.

1. Remove the agent remotely via XSIAM.

2. Changes to the weblogbeat profile's YAML file can be synchronized to the Windows server.

 

Therefore, I don't understand...

1. What does this "error" status affect?

​​2. What does this "Error" status mean?

 

  • winlogbeat YAML :
---
winlogbeat.event_logs:
- name: Security
ignore_older: 1h
processors:
- drop_event.when.not.or:
- regexp.winlog.event_id: (110[0-2]|462[45]|4634|464[78]|4662|4672|4674|46[89]8)
- regexp.winlog.event_id: (4702|4713|4720|472[2-9]|473[1-3578]|474[0-3]|475[4-7]|476[4-9])
- regexp.winlog.event_id: (477[0126]|4780|4799|480[0-3]|482[1-5]|488[67]|4899|4900|505[89]|5061|5140)
- name: System
- name: Application
 
  • YAML Test is "Valid YAML!"
jchen644219_0-1765351369556.png

 

  • Query Log
jchen644219_1-1765352148619.png

 

0 Likes Likes
  • 197 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2025 - Palo Alto Networks