[Cortex XSIAM] XDR Collector collecting Windows Security Log. XDR Collectors Administration status displays "Error".


L1 Bithead

Currently, I'm using the default templates.

Despite trying many tests, this error message persists.

Am I missing any information?


XDR Collectors Administration Status display "Error".

Error Message:
Exiting: no modules or inputs enabled and configuration reloading disabled.
What files do you want me to watch?


XDR Collectors Administration

View Collector Policy - Filebeat  (Use Default Template)
View Collector Policy - Winlogbeat (Windows Security / Microsoft ADFS Template)

Query Builder - search microsoft_windows_raw  (collected windows security log)

I would appreciate any further suggestions on how to resolve this.

Thank you.

Accepted Solutions

L1 Bithead

Dear, 

Same problem using Cortex XDR. I opened a TAC case a few days ago; below is what they said:

//***************************//

Hi Fabrizio,

Greetings of the day!

Thank you for your patience.

I would like to update you that if the profile running on this machine—or the YAML configuration applied—is only a Winlogbeat profile, then this error is expected. As long as the customer has not configured or is not using any Filebeat service on these XDR Collectors, this error can be safely ignored.

Additionally, the backend team is aware of this issue, and it is expected to be fixed in the next release of the XDR Collector.
//***************************//

Regards

L1 Bithead

Hi 

Another solution:

- Add Filebeat profile for XDR Collector Logs

- Apply Winlogbeat and Filebeat profiles on policy

- View target status on XDR Collectors Administration

This necessitated the collection of additional XDR logs.

3 REPLIES

L1 Bithead

Now the profile changed configuration.

I'm wondering if the YAML itself is the problem.

It's possible that XDRC is unable to communicate with XSIAM.

1. Remove the agent remotely via XSIAM.

2. Changes to the winlogbeat profile's YAML file can be synchronized to the Windows server.

Therefore, I don't understand...

1. What does this "error" status affect?

2. What does this "Error" status mean?

  • winlogbeat YAML:
---
winlogbeat.event_logs:
  - name: Security
    ignore_older: 1h
    processors:
      - drop_event.when.not.or:
          - regexp.winlog.event_id: (110[0-2]|462[45]|4634|464[78]|4662|4672|4674|46[89]8)
          - regexp.winlog.event_id: (4702|4713|4720|472[2-9]|473[1-3578]|474[0-3]|475[4-7]|476[4-9])
          - regexp.winlog.event_id: (477[0126]|4780|4799|480[0-3]|482[1-5]|488[67]|4899|4900|505[89]|5061|5140)
  - name: System
  - name: Application

  • YAML Test is "Valid YAML!"

  • Query Log

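An added example, not code from the thread or from Palo Alto Networks: it evaluates the Security-channel whitelist from that Winlogbeat profile the way `drop_event.when.not.or` does, so you can check which event IDs the three `regexp` branches keep before pushing the profile to the collectors. The dict layout, helper names and sample events are constructed for illustration.

```python
import re

# Constructed for this example (not Palo Alto's or the thread author's code): the
# thread's Winlogbeat profile as the nested structure the correctly indented YAML gives.
WINLOGBEAT_EVENT_LOGS = [
    {
        "name": "Security",
        "ignore_older": "1h",  # age cutoff, not modelled here
        "processors": [{"drop_event.when.not.or": [
            {"regexp.winlog.event_id": r"(110[0-2]|462[45]|4634|464[78]|4662|4672|4674|46[89]8)"},
            {"regexp.winlog.event_id": r"(4702|4713|4720|472[2-9]|473[1-3578]|474[0-3]|475[4-7]|476[4-9])"},
            {"regexp.winlog.event_id": r"(477[0126]|4780|4799|480[0-3]|482[1-5]|488[67]|4899|4900|505[89]|5061|5140)"},
        ]}],
    },
    {"name": "System"},
    {"name": "Application"},
]

def _condition_true(cond, event):
    """Evaluate one Beats condition; only `regexp.<field>` is needed for this profile.
    Beats matches the pattern unanchored, so a bare `4624` would also match `14624`."""
    for key, pattern in cond.items():
        if key.startswith("regexp."):
            value = event
            for part in key[len("regexp."):].split("."):
                value = value.get(part) if isinstance(value, dict) else None
            return value is not None and re.search(pattern, str(value)) is not None
    raise ValueError(f"unsupported condition: {cond}")

def should_drop(channel_cfg, event):
    """True if a drop_event.when.not.or processor on this channel discards the event."""
    for proc in channel_cfg.get("processors", []):
        branches = proc.get("drop_event.when.not.or")
        if branches is not None:
            # whitelist semantics: drop unless at least one branch matches
            return not any(_condition_true(c, event) for c in branches)
    return False  # channels without processors (System, Application) keep everything

def kept_events(event_logs, events):
    """Return the (channel, event_id) pairs that survive the profile's filters."""
    by_name = {c["name"]: c for c in event_logs}
    return [(e["winlog"]["channel"], e["winlog"]["event_id"]) for e in events
            if e["winlog"]["channel"] in by_name
            and not should_drop(by_name[e["winlog"]["channel"]], e)]

# Constructed sample: logon success/failure, audit log cleared, audit policy change, service install.
SAMPLE_EVENTS = [{"winlog": {"channel": ch, "event_id": eid}} for ch, eid in
                 [("Security", 4624), ("Security", 4625), ("Security", 1102),
                  ("Security", 4719), ("System", 7045)]]
```

A YAML checker only proves the text parses: if `processors:` is not indented under the `- name: Security` entry it becomes a top-level key, and the filter never attaches to that channel.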