Troubleshoot XDR Collectors errors - Learn more about how to verify the XDR Collectors application, connectivity, and processing errors and troubleshoot. - Administrator Guide - Cortex XSIAM - Cortex

Troubleshoot XDR Collectors errors - Learn more about how to verify the XDR Collectors application, connectivity, and processing errors and troubleshoot. - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation

Product

Cortex XSIAM

Creation date

2024-03-06

Last date published

2025-12-14

Category

Administrator Guide

Abstract

Learn more about how to verify the XDR Collectors application, connectivity, and processing errors and troubleshoot.

You can monitor the status of XDR Collectors from the XDR Collectors Administration page in the Status column. For all XDR Collectors, a status indicator icon indicates whether the collector is connected or has an error. The XDR Collectors provide information to help you troubleshoot by listing specific errors and warnings from the following types of XDR Collectors logs: Filesbeat, Winlogbeat, and XDRC. For a number of these errors and warnings, a recommended action is provided so that you can easily resolve the problem. In addition, you can always monitor your XDR Collectors application, connectivity, and processing errors for supported collectors using the Cortex Query Language (XQL) and the collection_auditing dataset, and by creating correlation rules to trigger collection security issues.

On the XDR Collectors Administration page, XDR Collectors with an error status display an error icon in the Status column:

Green (Connected): Indicates the collector has no issues.
Orange (Warning): Indicates the collector has minor processing issues. There are no errors, but data is not coming in for <x> amount of time. If the <x> amount of time is more than 24 hours, a tooltip is displayed.
Red (Error): Indicates the collector has application or connectivity errors from XDRC components, including Filebeat, Winlogbeat, and XDRC.

Each status change of XDR Collectors is logged in the collection_auditing dataset. Querying this dataset can help you see all the connectivity changes of an instance over time, the escalation or recovery of the connectivity status, and the error, warning, and informational messages related to status changes.

You can use the collection_auditing dataset to monitor XDR Collectors. For example, you can query the collection_auditing dataset to understand what error was thrown, and then use the troubleshooting table provided in Understand how to troubleshoot to resolve the problem. Once the problem is resolved, you can ensure the collector is active again by querying the collection_auditing dataset, or by observing the Connected green status of the collector in the XDR Collectors Administration page in the Status column. The example below explains the different status changes on a collector that can be used to help you troubleshoot the collector's connectivity issues.

When the collection_auditing dataset receives a new entry with an Error or Warning classification, a corresponding health issue is automatically generated for the collector. Errors map to High severity and Warnings map to Medium severity. These alerts are dedicated to XDR Collectors (XDRC), include collector details (ID, hostname, and IP address), and are deduplicated if identical alerts are generated within four hours for a given collector.

Note

For more information on creating correlation rules to trigger collection health issues, see How can I set up correlation rules to trigger collection health issues?.

Example 116.

This example searches for status changes related to XDR Collectors, where the instance is A1786452WIN1001:

dataset = collection_auditing 
|filter  instance = "A1786452WIN1001"

Output results:

The results indicate that the collector was connected on Oct 18th 2025 08:23:07. On Oct 24th 2025 11:57:38, this collector had an application error as the Winlogbeat was not running. On Oct 24th 2025 19:15:44, this collector had another application error as the Filebeat was not running. On Oct 25th 2025 09:47:03, a warning message was displayed that this collector had no incoming data for more than 7 days. All of these issues were finally resolved on Oct 27th 2025 12:53:18 when the collector was back to a connected status.

COLLECTOR_TYPE	INSTANCE	CLASSIFICATION	DESCRIPTION	COLLECTOR_ID	COLLECTOR-HOST_NAME	_TIME
XDRC	A1786452WIN1001	Informational	Connected	58999fc7ff264a3698274e40043ea829	A1786452WIN1001	Oct 27th 2025 12:53:18
XDRC	A1786452WIN1001	Warning	No incoming data for more than 7 days	58999fc7ff264a3698274e40043ea829	A1786452WIN1001	Oct 25th 2025 09:47:03
XDRC	A1786452WIN1001	Error	filebeat is not running , error code: 1, b'Exiting: no modules or inputs enabled and configuration reloading disabled. What files do you want me to watch?\n'	58999fc7ff264a3698274e40043ea829	A1786452WIN1001	Oct 24th 2025 19:15:44
XDRC	A1786452WIN1001	Error	winlogbeat is not running , error code: 1, b"Exiting: error reading configuration file: 1 error: at least one event log must be configured as part of event_logs accessing 'winlogbeat' (source:'command line flag')\n"	58999fc7ff264a3698274e40043ea829	A1786452WIN1001	Oct 24th 2025 11:57:38
XDRC	A1786452WIN1001	Informational	Connected	58999fc7ff264a3698274e40043ea829	A1786452WIN1001	Oct 18th 2025 08:23:07

You can create correlation rules that are based on the fields in the collection_auditing dataset, so you are notified whenever the status of XDR Collectors changes to an error and warning.

Example 117. Example: Trigger collection issues for error statuses on XDR Collectors

In this example, a correlation rule triggers an issue if the collector changes to an error status.

Example XQL:

dataset = collection_auditing 
|filter classification = "Error" and instance = "A1786452WIN1001"

Additional fields to specify in the correlation rule:

Field	Value
Time Schedule	Hourly
Query time frame	1 Hour
Issue Suppression	Select Enable issue suppression.
Action	Select Generate issue.
Issue Domain	Health
Severity	For errors, select High, and for warnings, select Medium.
Type	Collection

To help you troubleshoot your XDR Collectors, the table below lists some of the main possible warning and error event types, including the applicable error or warning that is displayed as a tooltip in the Status column on the XDR Collectors Administration page, which is the same description displayed in the collection_auditing dataset, the root cause of the problem, and the recommended action to resolve the problem. We recommend that you use this table as a first resource to troubleshoot your application, connectivity, and processing errors.

XDRC Log Collector Type	Event Type	Message in the XDR Collectors Administration Page and Description in the collection_auditing dataset	Root Cause	Recommended Action
Filebeat	Error	ERROR [reader] reader/reader.go:<line number> Line is larger than max_bytes (10485760): <...log line content...>write error: data size (<number of bytes> bytes) is greater than the max file size (10485760 bytes)	The line in the monitored file is too long	You can set a new maximum size limit on the profile. Example 118. This increases the maximum line size to 20 MB so `message_max_bytes` is 20971520. filebeat.inputs: - type: filestream id: my-app-logs enabled: true paths: - /var/log/my-app/*.log #
Filebeat	Error	Filebeat is not running , error code: 1, b'Exiting: error loading config file: yaml: line <line number>: found unknown escape character\n'	The filebeat YAML file contains a path that is wrapped with double quotes, but only contains single backslashes, such as: `“C:\windows\somefile.log”`	Use double backslashes after windows when using double quotes: “C:\windows\\somefile.log” OR Put path in single quotes: ‘C:\windows\\somefile.log’
Filebeat / Winlogbeat	Warning	Filebeat / Winlogbeat not installed	The Filebeat / Winlogbeat file is missing at the content folder:"C:\ProgramData\XDR Collector\Data\content\filebeat-windows-x86_64\filebeat.exe""C:\ProgramData\XDR Collector\Data\content\winlogbeat-windows-x86_64\winlogbeat.exe"	Stop the collector. Delete the Data folder. Start the collector.
Filebeat / Winlogbeat	Error	Error: Filebeat.Winlogbeat is not running , error code: 1, b' Exiting: no modules or inputs enabled and configuration reloading disabled. What files do you want me to watch?\n'	The Filebeat / Winlogbeat profile does not contain a valid YAML it can process.	Check that the policy has a valid profile with a valid YAML configuration.
XDRC	Warning	No incoming data for more than 24 hours	The Filebeat / Winlogbeat didn't upload new data in the last 24 hours since the last upload.	Check why the configured files no longer receive log files to upload.
XDRC	Warning	No incoming data for more than 7 days	The Filebeat / Winlogbeat didn't upload new data for the last 7 days since the last upload.	Check why the configured files no longer receive log files to upload.
XDRC	Error	file filebeat.yml . winlogbeat.yml couldn’t be found	The configuration file `filebeat.yml` / `winlogbeat.yml` is missing.	Stop the collector. Delete the Data folder. Start the collector.
XDRC	Error	Winlogbeat: The config file winlogbeat.yml is missing read or write permissions Filebeat: The config file filebeat.yml is missing read or write permissions	The configuration file `filebeat.yml` / `winlogbeat.yml` is missing is missing read or write permissions.	Stop the collector. Add Read / Write Permissions. Start the collector.
XDRC	Error	Error: HTTP POST request failed, through proxy:{'http': '<IP number>', 'https': '	The collector is configured to use a proxy that returned a 503 HTTP error. This usually indicates a server error.	If you own the proxy, check it. If the error appears to be from a Cortex XSIAM tenant, open a support ticket for the server team.