03-18-2026 02:20 AM - edited 03-18-2026 02:24 AM
Hello experts,
I have two XDRC installed on W2016 server; both are connected through the same BrokerVM. I even tried to test whether the BVM and XDRC connection was fine: I ran "uninstall collector" from the Console, and it was successful.
From XDRC Administration, the status shown is Warning; however, the last seen was up to date.
From XQL queries:
dataset = collection_auditing
It showed "Failed to get local ip by connecting to server address: 'distributions.traps.paloaltonetworks.com'."
SSH to the BVM
1. openssl s_client -connect distributions.traps.paloaltonetworks.com:443
2. ping distributions.traps.paloaltonetworks.com
Both succeeded.
Any ideas?
03-19-2026 03:36 AM
Hello SeanDeHarris,
Please review the warning descriptions below. If the descriptions match your observations, kindly follow the troubleshooting steps provided.

| XDRC Log Collector Type | Event Type | Message in the XDR Collectors Administration Page and Description in the collection_auditing dataset | Root Cause | Recommended Action |
|---|---|---|---|---|
| Filebeat / Winlogbeat | Warning | Filebeat / Winlogbeat not installed | The Filebeat / Winlogbeat file is missing at the content folder: "C:\ProgramData\XDR Collector\Data\content\filebeat-windows-x86_64\filebeat.exe" "C:\ProgramData\XDR Collector\Data\content\winlogbeat-windows-x86_64\winlogbeat.exe" | |
| XDRC | Warning | No incoming data for more than 24 hours | The Filebeat / Winlogbeat didn't upload new data in the last 24 hours since the last upload. | Check why the configured files no longer receive log files to upload. |
| XDRC | Warning | No incoming data for more than 7 days | The Filebeat / Winlogbeat didn't upload new data for the last 7 days since the last upload. | Check why the configured files no longer receive log files to upload. |

1. On the collector server, open Task Manager (or PowerShell).
2. Look for these processes:
   - filebeat.exe
   - winlogbeat.exe
3. If they are not running, the collector cannot send logs.

If not running:
- Start the collector service:

1. Check which files are configured to be collected:
   - Filebeat: C:\ProgramData\XDR Collector\Data\content\filebeat-windows-x86_64\filebeat.yml
   - Winlogbeat: C:\ProgramData\XDR Collector\Data\content\winlogbeat-windows-x86_64\winlogbeat.yml
2. Open the .yml configuration files and verify:
   - Input paths exist (C:\Windows\System32\winevt\Logs\*.evtx for Winlogbeat, custom logs for Filebeat)
   - There are no syntax errors

1. Ensure the XDR Collector service account can read the log files and write to the Data folder.
2. Verify permissions on:
   - C:\ProgramData\XDR Collector\Data\content
   - The directories containing the log files to be collected

1. Navigate to log folder:
2. Open filebeat.log and winlogbeat.log
3. Look for errors like:
   - File not found
   - Permission denied
   - Network errors (cannot reach broker or distribution server)
Please help out other users and “Accept as Solution” if a post helps solve your problem !
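
The checks listed in the reply above, gathered into one read-only PowerShell script (an added example, not part of the original posts and not a Palo Alto Networks tool). The `-LogDir` parameter and the error patterns are assumptions: the thread does not give the log folder path or the exact wording of the log messages.

```powershell
# Added example: read-only health check for an XDR Collector host.
# Paths under $ContentDir come from the thread; $LogDir must be supplied
# by the operator because the thread does not state the log folder.
param(
    [string]$ContentDir = 'C:\ProgramData\XDR Collector\Data\content',
    [Parameter(Mandatory)] [string]$LogDir
)

# Illustrative patterns (assumption) for the three error classes in the reply:
# file not found, permission denied, network errors.
$errorPattern = 'not found|permission denied|access is denied|' +
                'no such host|connection refused|timeout'

$report = foreach ($beat in 'filebeat', 'winlogbeat') {
    $dir = Join-Path $ContentDir "$beat-windows-x86_64"
    $exe = Join-Path $dir "$beat.exe"
    $yml = Join-Path $dir "$beat.yml"
    $log = Join-Path $LogDir "$beat.log"

    # Is the beat process running?
    $proc = Get-Process -Name $beat -ErrorAction SilentlyContinue

    # Count log lines matching the error classes (Select-String is
    # case-insensitive by default); $null means the log file was not found.
    $hits = $null
    if (Test-Path -LiteralPath $log) {
        $hits = @(Select-String -LiteralPath $log -Pattern $errorPattern).Count
    }

    [pscustomobject]@{
        Beat          = $beat
        Running       = [bool]$proc
        ExePresent    = Test-Path -LiteralPath $exe   # missing exe => "not installed" warning
        ConfigPresent = Test-Path -LiteralPath $yml
        LogErrorLines = $hits
    }
}
$report | Format-Table -AutoSize

# Winlogbeat input path named in the reply.
"Event log folder present: " +
    (Test-Path -LiteralPath 'C:\Windows\System32\winevt\Logs')

# Who can read/write the content folder; compare against the account
# the collector service runs as.
(Get-Acl -LiteralPath $ContentDir).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

Run it from an elevated PowerShell session on the collector server; it only reads state and changes nothing.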

