Exciting news! We are redesigning the Arctic Wolf Help Documentation site to provide a better user experience. Our new site will launch on May 1, 2024.

Active Directory Sensor Installation

Updated Mar 11, 2024

Install Active Directory Sensor

Install Arctic Wolf® Active Directory (AD) Sensor to provide additional visibility into your AD environments.

Note: AD Sensor does not automatically update. To update an existing AD Sensor installation, see Update AD Sensor.

Before you begin


Note: Only install AD Sensor on DCs. Do not install the AD Sensor on servers that do not function as DCs. If you need to forward all Windows Event Logs from other servers, or have another special use case, contact your Concierge Security® Team (CST) for assistance before proceeding.

  1. Download the AD Sensor installation files.
  2. Install AD Sensor on each domain controller.
  3. Contact Arctic Wolf to provide information about your AD Sensor installation.

Step 1: Download the AD Sensor installation files

  1. Sign in to the Arctic Wolf Unified Portal.

  2. Click > Downloads.

  3. In the Active Directory (AD) Sensor section, in the Receiving Sensor field, enter the IP address of the Arctic Wolf Sensor or Virtual Log Collector (vLC), or select the sensor or vLC from the list.

  4. Click Download Sensor.

    Tip: You can use the SHA-256 hash value to verify that the downloaded file is authentic.

Step 2: Install AD Sensor on each DC

On each DC:

  1. Copy awn-ad-sensor.zip to the DC where you want to install it.

  2. Right-click the file, and then select Extract All.

    The ZIP file extracts the awn-ad-sensor folder, which contains a awn-ad-sensor.msi, nxlog.conf , and nxlog3.conf file. Do not move or delete these files.

  3. Run awn-ad-sensor.msi as an administrator.

    When you run the MSI file, these files are created in the specified default location, and then the NXLog service starts:

    File Description Default location
    nxlog.conf The Arctic Wolf custom configuration file for NXLog. It contains the Sensor IP address for a particular deployment. Note: If an nxlog.conf file currently exists at that location, the file is overwritten. C:\Program Files (x86)\nxlog\conf
    nxlog-client.exe An NXLog executable that runs every two hours to retrieve AD information. This executable runs under the local system account. C:\Program Files (x86)\Arctic Wolf Networks\nxlog-client

Step 3: Contact Arctic Wolf

  1. After you install the AD Sensor on all DCs, do one of these actions:
    • New customers — In the Ticket Type list, select Onboarding. Then, click the existing [Deploy] Site Config: <ticket_subject> ticket.
    • Existing customers — Click Open a New Ticket.
  2. On the Open a New Ticket page, include any relevant information. For example, the results of auditpol.exe /get /category:* or gpresult /h auditsettings.html from the audit policy configuration.
  3. If you previously configured remote AD scanning from the sensor, notify your CST so they can disable it to avoid duplicate logging.

See also