Active Directory Sensor Installation
Updated Sep 27, 2023
Install Arctic Wolf® Active Directory (AD) Sensor to provide additional visibility into your AD environments.
Note: AD Sensor does not automatically update. To update an existing AD Sensor installation, see Update AD Sensor.
- Complete these steps:
  - Configure audit policies for each domain to generate events in the Windows Event Log. This allows Arctic Wolf to monitor security and operational events on your Windows server. See Arctic Wolf Group Policy Object Advanced Audit Policy for instructions.
    Note: Enabling additional audit items, for example auditing of object access, can cause delays in observations.
  - For each domain controller (DC), configure the Windows server to log DNS packets. This allows Arctic Wolf to monitor DNS logs on your Windows server. See Enabling DNS Logging for a Windows Server for instructions.
  - Install NXLog on all DCs. AD Sensor requires NXLog, which is a third-party tool that collects and processes logs. See NXLog installation and version updates for instructions.
  - Install the Arctic Wolf Agent on all devices that you plan to install the AD Sensor on. See Arctic Wolf Agent Installation Guide for instructions.
    Note: This task is optional but recommended.
Note: Only install AD Sensor on DCs. Do not install the AD Sensor on servers that do not function as DCs. If you need to forward all Windows Event Logs from other servers, or have another special use case, contact your Concierge Security® Team (CST) for assistance before proceeding.
- Download the AD Sensor installation files.
- Install AD Sensor on each domain controller.
- Contact Arctic Wolf to provide information about your AD Sensor installation.
In the Arctic Wolf Portal, click Account > Downloads.
In the Active Directory (AD) Sensor section, in the Receiving Sensor field, enter the IP address of the Arctic Wolf Sensor or Virtual Log Collector (vLC). Alternatively, select the sensor or vLC from the list.
Click Download Sensor.
Tip: You can use the SHA-256 hash, which appears on the Downloads page of Arctic Wolf Portal, to verify that the downloaded file is authentic.
On each DC:
awn-ad-sensor.zip to the DC where you want to install it.
Right-click the file, and then select Extract All.
The ZIP file extracts the awn-ad-sensor folder, which contains a nxlog3.conf file. Do not move or delete these files.
Run awn-ad-sensor.msi as an administrator.
When you run the MSI file, these files are created in the specified default location, and then the NXLog service starts:
- The Arctic Wolf custom configuration file for NXLog. It contains the Sensor IP address for a particular deployment.
  Default location: C:\Program Files (x86)\nxlog\conf
  Note: If an nxlog.conf file currently exists at that location, the file is overwritten.
- An NXLog executable that runs every two hours to retrieve AD information. This executable runs under the local system account.
  Default location: C:\Program Files (x86)\Arctic Wolf Networks\nxlog-client
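The download check and install preparation described above, as an added PowerShell example that is not Arctic Wolf's own tooling: it verifies awn-ad-sensor.zip against the SHA-256 value from the Downloads page before extracting, confirms the extracted files, and backs up any existing nxlog.conf that the MSI would overwrite. The parameter names, the backup file name, and the assumption that awn-ad-sensor.msi sits somewhere in the extracted tree are illustrative.

```powershell
# Added example (not Arctic Wolf code). Run in an elevated PowerShell 5.0+ session.
param(
    [Parameter(Mandatory)] [string] $ZipPath,        # path to awn-ad-sensor.zip on this DC
    [Parameter(Mandatory)] [string] $ExpectedSha256  # value copied from the portal Downloads page
)
$ErrorActionPreference = 'Stop'

# Normalize the pasted value and reject anything that is not a SHA-256 digest.
$expected = ($ExpectedSha256 -replace '\s', '').ToUpperInvariant()
if ($expected -notmatch '^[0-9A-F]{64}$') {
    throw 'Expected hash is not 64 hex characters; copy it again from the portal.'
}

# Hash the archive before anything is extracted or executed.
$zip    = (Resolve-Path -LiteralPath $ZipPath).Path
$actual = (Get-FileHash -LiteralPath $zip -Algorithm SHA256).Hash
if ($actual -ne $expected) {
    throw "SHA-256 mismatch for $zip (computed $actual). Do not extract or install."
}
Write-Output "SHA-256 verified: $actual"

# Extract into a folder named after the ZIP, as Extract All does by default.
$dest = Join-Path (Split-Path -Parent $zip) ([IO.Path]::GetFileNameWithoutExtension($zip))
Expand-Archive -LiteralPath $zip -DestinationPath $dest -Force

# Confirm the files the procedure refers to are present (their location inside
# the archive is an assumption, so search the extracted tree).
foreach ($name in 'awn-ad-sensor.msi', 'nxlog3.conf') {
    if (-not (Get-ChildItem -LiteralPath $dest -Recurse -File -Filter $name)) {
        throw "$name not found under $dest after extraction."
    }
}

# The MSI overwrites an existing nxlog.conf in the default location; keep a copy.
$conf = 'C:\Program Files (x86)\nxlog\conf\nxlog.conf'
if (Test-Path -LiteralPath $conf) {
    $backup = "$conf.$(Get-Date -Format 'yyyyMMdd-HHmmss').bak"
    Copy-Item -LiteralPath $conf -Destination $backup
    Write-Warning "Existing nxlog.conf saved as $backup; the installer will overwrite the original."
}
Write-Output "Ready to run awn-ad-sensor.msi as an administrator from $dest."
```

A mismatch stops the script before extraction, so nothing from an unverified archive is unpacked or run on the DC.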
After you install the AD Sensor on all DCs, submit a ticket, or reply to your existing Site ticket if you are in the onboarding phase, to notify your CST:
- Include any relevant information, such as the results of auditpol.exe /get /category:* or gpresult /h auditsettings.html from the audit policy configuration.
- If you previously configured remote AD scanning from the sensor, notify your CST so they can disable it to avoid duplicate logging.