Active Directory Sensor Installation

Updated Sep 27, 2023

Install Active Directory Sensor

Install Arctic Wolf® Active Directory (AD) Sensor to provide additional visibility into your AD environments.

Note: AD Sensor does not automatically update. To update an existing AD Sensor installation, see Update AD Sensor.

Before you begin


Note: Only install AD Sensor on DCs. Do not install the AD Sensor on servers that do not function as DCs. If you need to forward all Windows Event Logs from other servers, or have another special use case, contact your Concierge Security® Team (CST) for assistance before proceeding.

  1. Download the AD Sensor installation files.
  2. Install AD Sensor on each domain controller.
  3. Contact Arctic Wolf to provide information about your AD Sensor installation.

Step 1: Download the AD Sensor installation files

  1. In the Arctic Wolf Portal, click Account > Downloads.

  2. In the Active Directory (AD) Sensor section, in the Receiving Sensor field, enter the IP address of the Arctic Wolf Sensor or Virtual Log Collector (vLC). Alternatively, select the sensor or vLC from the list.

  3. Click Download Sensor.

    Tip: You can use the SHA-256 hash, which appears on the Downloads page of Arctic Wolf Portal, to verify that the downloaded file is authentic.

Step 2: Install AD Sensor on each DC

On each DC:

  1. Copy to the DC where you want to install it.

  2. Right-click the file, and then select Extract All.

    The ZIP file extracts the awn-ad-sensor folder, which contains a awn-ad-sensor.msi, nxlog.conf , and nxlog3.conf file. Do not move or delete these files.

  3. Run awn-ad-sensor.msi as an administrator.

    When you run the MSI file, these files are created in the specified default location, and then the NXLog service starts:

    Description Default location
    nxlog.conf The Arctic Wolf custom configuration file for NXLog. It contains the Sensor IP address for a particular deployment.

    Note: If an nxlog.conf file currently exists at that location, the file is overwritten.

    C:\Program Files (x86)\nxlog\conf
    nxlog-client.exe An NXLog executable that runs every two hours to retrieve AD information. This executable runs under the local system account. C:\Program Files (x86)\Arctic Wolf Networks\nxlog-client

Step 3: Contact Arctic Wolf

After you install the AD Sensor on all DCs, submit a ticket or reply to your existing Site ticket if you are in the onboarding phase, to notify your CST:

See also