Setting up the XDR Collector for Windows

Last updated on 2024-11-19 13:33:03

This setup is for the XDR Collector only. If you are using a physical or virtual sensor, please contact the XDR Enablement team for assistance.

The XDR Collector runs as a service in your environment. While the minimum specifications are listed below, the required resources depend on the number of active integrations and the amount of data being processed.

Network Monitoring vs Server Monitoring

When setting up Network Monitoring, always set up the XDR Collector on a dedicated host server. Don't use an existing server because the amount of data produced by Windows event logs can impact critical infrastructure.

You can install the XDR Collector on an existing server if you are monitoring only Windows event logs from that server.

If you're collecting logs from one or more data sources, install the XDR Collector on a dedicated host.

The table below shows the difference between the XDR Collector installed on a dedicated host and installed on an existing server.

	Dedicated Host	Existing Server
Can collect	Logs from all data sources on the network	Windows event logs from the Windows Server only
Supports collecting logs from multiple sources	Yes	No
Requires a private static IP address	Yes	No

The steps for installing the XDR Collector on a dedicated host or an existing server are the same, except that a dedicated host requires a private static IP address and an existing server doesn't.

Minimum Requirements

To set up the XDR Collector, the minimum requirements are the following:

Minimum requirements
CPU	2vCPU
Disk Size	10GB SSD
Memory	1GB

When monitoring Barracuda IDS/Suricata, the host must have 2 Network Interface Cards. One to monitor span traffic and one for host traffic. For more information, see Setting up the Barracuda XDR Elastic Collector for Barracuda IDS for Windows .

Operating System

Windows Server 2016 and higher
Windows 10 and higher

Windows Server 2022 is recommended.

IP Address requirements

A private static IP address is required, except when installing on a standalone instance.

Required Endpoint/Port Communication

The XDR Collector must be able to communicate to the following endpoints/ports:

Logstash	a96190b49bd294a5fbb3725ff20aab78-c7f64fe7557a87d2.elb.us-east-1.amazonaws.com:5044
Management Server	b5e9a5096e0a4f7782cc444c8edbbd5e.fleet.us-east-1.aws.found.io:443
Update Server	artifacts.elastic.co:443

Setting Up the XDR Collector

If you have already installed the XDR Collector on a dedicated host, you don't need to reinstall it, even if you enable multiple integrations.

To set up the XDR Collector, you must do the following procedures:

To configure a private static IP address (Not required when installing on a standalone instance)
To install the XDR Collector

To configure a private static IP address

A private static IP address is required when installing on a dedicated host. If you're setting up a standalone instance to only monitor Windows events, a private static IP address is not required.

See the documentation for your specific version of Windows.

To install the XDR Collector

The install command is unique for each account and should only be run on systems within that account's network.

In Barracuda XDR Dashboard, click Infrastructure > Collectors.
In the Policies table, next to On-Prem, click Action > Install.
Click Windows.
Copy the install command at the bottom of the dialog box.
On the appropriate system, run Powershell as an administrator, paste the install command, and run it.

It may take up to 30 minutes for the install to complete.

Whenever possible, follow the procedure to install the agent.

If downloading the agent package from the Dashboard fails, you can download the package from a browser. Save the package to a temp folder. If you save it to your desktop, the install fails.