Learn more about how to collect Windows Event Logs for Cortex XSIAM using Cribl.
There are two primary methods for streaming Windows Event Logs to Cortex XSIAM using Cribl. The choice depends on whether you prefer a centralized, agentless architecture or a distributed, agent-based approach.
Important
Avoid data duplication: Do not enable both WEF and Cribl Edge on the same endpoint for the same log channels.
Note
For the general Cribl-to-XSIAM integration workflow (credentials, destination, XSIAM pack, and verification), see Cribl integration documentation.
| Option | Method | Description |
|---|---|---|
| A | Cribl Stream + WEF | Agentless: Cribl Stream acts as the Windows Event Collector. Endpoints forward events via mutual TLS (port 5986). |
| B | Cribl Edge | Agent-based: The Cribl Edge agent is installed on every endpoint to read local logs directly. |
Option A (Cribl Stream + WEF): Use this method if you want to avoid installing software on every Windows endpoint. It relies on existing Windows-side configuration for certificates and Group Policy. Cribl Stream receives Windows events directly from endpoints through the Windows Event Forwarder Source with mutual TLS authentication.
Prerequisite
Windows endpoints must be configured to forward events to Cribl Stream. For the Windows-side configuration (certificate generation, Group Policy, Subscription Manager), see Cribl WEF Configuration Guide.
Import the CA certificate that signed the client certificates on the Windows endpoints.
In the Cribl Stream Worker Group UI, select Settings → Security → Certificates → New Certificate.
Cribl Stream requires every CA certificate to be accompanied by a cert/key pair. Generate a placeholder pair:
```shell
openssl req -x509 -newkey rsa:2048 -nodes -keyout key.pem -out cert.pem -sha256 -days 365 -subj "/CN=placeholder"
```
Configure the certificate:
Certificate: Paste the placeholder cert.pem contents.
Private key: Paste the placeholder key.pem contents.
CA certificate: Paste the CA certificate PEM from your Windows environment.
If the client certificates contain a CA chain (root and intermediate signers), import the entire chain. Concatenate the PEM files in the CA certificate field, ordered from host to root CA.
Save the certificate configuration.
Select Data → Sources → Push → Windows Event Forwarder → New Source.
Configure General Settings:
Input ID: Enter a descriptive name, such as wef-windows-events.
Address: 0.0.0.0
Port: 5986 (do not change; this is the WEF mTLS port)
Authentication method: Client certificate
Configure Certificate Settings:
Certificate: Select the certificate created in Task 1.
Private key path: For Cribl.Cloud, use /opt/criblcerts/criblcloud.key
Certificate path: For Cribl.Cloud, use /opt/criblcerts/criblcloud.crt
Configure Advanced Settings:
MachineID Mismatch: Set to Yes if using a shared certificate, or No if using auto-enrollment for higher security.
In the WEF Source configuration, click Subscriptions in the left navigation.
Add the event log channels to collect:
| Query Path | Query Expression |
|---|---|
| Security | *[System] |
| System | *[System] |
| Application | *[System] |
| Microsoft-Windows-Sysmon/Operational | *[System] |
Save, Commit, and Deploy the configuration.
All settings, including certificate configuration, only take effect after committing and deploying.
Option B (Cribl Edge): Cribl Edge collects Windows Event Logs directly from the endpoint on which it is installed.
Download the Cribl Edge MSI from the Cribl portal.
Install the Edge agent on the target Windows machine.
Verify the Edge node appears in the Cribl Edge interface under Fleet.
In the Cribl Edge interface, add a new Windows Event Logs source tile.
Configure the event logs to collect:
| Event Log Name | Description |
|---|---|
| Security | Windows Security events |
| System | Windows System events |
| Application | Windows Application events |
| Microsoft-Windows-Sysmon/Operational | Sysmon events (requires Sysmon installed on the endpoint) |
Expand the Optional Settings section and set the following:
| Setting | Value | Reason |
|---|---|---|
| Read Mode | | Ensures complete data ingestion from the beginning of the log |
| Event Format | | Guarantees properly structured data for downstream parsing in Cortex XSIAM |
Save the source configuration and deploy to the Edge node.