Active Directory Sensor
Arctic Wolf® Active Directory (AD) Sensor deployments provide additional visibility into AD environments.
AD Sensor installation
This section provides instructions for installing the AD Sensor.
Note: AD Sensor does not automatically update. To update an existing AD Sensor installation, see Update AD Sensor.
Before you begin
- To allow Arctic Wolf to monitor security and operational events on your Windows server, configure audit policies for each domain to generate events in the Windows Event Log. Note that auditing additional items, for example enabling auditing of object access, can cause delays in observations. See Arctic Wolf Group Policy Object Advanced Audit Policy for instructions.
- To allow Arctic Wolf to monitor DNS logs on your Windows server, configure each domain controller to log DNS packets. See Enabling DNS Logging for a Windows Server for instructions.
- Install NXLog on all domain controllers. AD Sensor requires NXLog, a third-party tool that collects and processes logs. See NXLog installation and version updates for instructions.
- Install the Arctic Wolf Agent on all devices on which you plan to install the AD Sensor. Note: This task is optional but recommended. See Arctic Wolf Agent Installation Guide for instructions.
Steps
Note: Only install AD Sensor on domain controllers. Do not install the AD Sensor on servers that do not function as domain controllers. If you need to forward all Windows Event Logs from other servers, or have another special use case, contact your Concierge Security® Team (CST) for assistance before proceeding.
- Download the AD Sensor installation files.
- Install AD Sensor on each domain controller.
- Contact Arctic Wolf to provide information about your AD Sensor installation.
Step 1: Download the AD Sensor installation files
- In the Arctic Wolf Portal, click My Account > Downloads.
- In the Active Directory (AD) Sensor section, in the Receiving Sensor field, enter the IP address of the Arctic Wolf Sensor or Virtual Log Collector (vLC). Alternatively, select the sensor or vLC from the list.
- Click Download Sensor.
Tip: You can use the SHA-256 hash, which appears on the Downloads page of the Arctic Wolf Portal, to verify that the downloaded file is authentic.
Step 2: Install AD Sensor on each domain controller
On each domain controller:
- Copy awn-ad-sensor.zip to the domain controller where you want to install it.
- Right-click the file and select Extract All. The ZIP file extracts the awn-ad-sensor folder, which contains the awn-ad-sensor.msi, nxlog.conf, and nxlog3.conf files. Do not move or delete these files.
- Run awn-ad-sensor.msi as an administrator. When you run the MSI file, the following files are created in their default locations, and then the NXLog service starts:

File: nxlog.conf
  Description: The Arctic Wolf custom configuration file for NXLog. It contains the Sensor IP address for a particular deployment. Note: If an nxlog.conf file already exists at that location, the file is overwritten.
  Default location: C:\Program Files (x86)\nxlog\conf

File: nxlog-client.exe
  Description: An NXLog executable that runs every two hours to retrieve AD information. This executable runs under the local system account.
  Default location: C:\Program Files (x86)\Arctic Wolf Networks\nxlog-client
Step 3: Contact Arctic Wolf
After you have installed the AD Sensor on all domain controllers, submit a ticket, or reply to your existing Site ticket if you are in the onboarding phase, to notify your CST:
- Include any relevant information, such as the results of auditpol.exe /get /category:* or gpresult /h auditsettings.html from the audit policy configuration.
- If you previously configured remote AD scanning from the sensor, notify your CST so they can disable it to avoid duplicate logging.
Update AD Sensor
- Identify your AD Sensor version:
  Note: Arctic Wolf only supports the latest version of AD Sensor.
  - Right-click the awn-ad-sensor.msi file, and then select Properties.
  - In the Description section, view the Subject to identify the AD Sensor version.
- Verify the installed version of NXLog. See NXLog installation and version updates for details.
- Uninstall AD Sensor:
  - Click Start > Settings > Control Panel > Add/Remove Programs.
  - Locate AD Sensor, and then click Remove.
  - Click Yes.
  - Click Close.
- Delete any AD Sensor folders or files from these paths that were not removed during the uninstall:
  C:\Program Files (x86)\Arctic Wolf Networks\nxlog-client
  C:\Program Files (x86)\nxlog\conf
- Contact Arctic Wolf to provide information about your AD Sensor installation.
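The following PowerShell is an added example, not Arctic Wolf's own tooling. It verifies the downloaded ZIP against the SHA-256 from the Downloads page (Step 1 tip), reads the Subject field of awn-ad-sensor.msi, which this guide says identifies the AD Sensor version, and lists what Add/Remove Programs currently reports so the two can be compared before updating. The file paths, the placeholder hash, and the assumption that the installed product's DisplayName contains "AD Sensor" are the example's own.

```powershell
# Added example, not Arctic Wolf's own tooling: verify the downloaded ZIP against
# the SHA-256 shown on the Downloads page, then read the Subject field of
# awn-ad-sensor.msi (the AD Sensor version per this guide) and show the
# installed product as Add/Remove Programs sees it.
# Assumptions: the paths below, the placeholder hash, and that the installed
# product's DisplayName in the Uninstall registry keys contains "AD Sensor".
$ZipPath      = 'C:\Temp\awn-ad-sensor.zip'                 # assumed download path
$MsiPath      = 'C:\Temp\awn-ad-sensor\awn-ad-sensor.msi'   # assumed extraction path
$ExpectedHash = '<SHA-256 from the Arctic Wolf Portal Downloads page>'   # placeholder

function Test-DownloadHash {
    param([string]$Path, [string]$Expected)
    $actual = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    # Case-insensitive compare; the portal may show the hash in either case
    return $actual -ieq $Expected
}

function Get-MsiSummaryProperty {
    param([string]$Path, [int]$PropertyId)
    # Windows Installer COM automation. Summary Information property IDs are
    # fixed by Microsoft: 2 = Title, 3 = Subject, 4 = Author, 9 = Revision.
    $installer = New-Object -ComObject WindowsInstaller.Installer
    $summary   = $installer.GetType().InvokeMember(
        'SummaryInformation', 'GetProperty', $null, $installer, @($Path, 0))
    return $summary.GetType().InvokeMember(
        'Property', 'GetProperty', $null, $summary, @($PropertyId))
}

function Get-InstalledAdSensor {
    # Same data Add/Remove Programs displays; both 64-bit and 32-bit hives are read
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*AD Sensor*' } |   # assumed name
        Select-Object DisplayName, DisplayVersion, InstallDate
}

if (Test-Path $ZipPath) {
    if (-not (Test-DownloadHash -Path $ZipPath -Expected $ExpectedHash)) {
        Write-Warning 'ZIP hash does not match the portal value; do not install it.'
    }
}
'Downloaded MSI Subject : ' + (Get-MsiSummaryProperty -Path $MsiPath -PropertyId 3)
'Downloaded MSI Title   : ' + (Get-MsiSummaryProperty -Path $MsiPath -PropertyId 2)
'Installed AD Sensor    :'
Get-InstalledAdSensor | Format-Table -AutoSize
```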
Troubleshooting AD Sensor
Contact your CST for assistance if any of the following is true:
- DNS logs are not stored at C:\Windows\<sysnative>\DNS\*.log, where <sysnative> is the System32 directory.
- DHCP logs are not stored at C:\Windows\<sysnative>\dhcp\DhcpSrvLog-*.log, where <sysnative> is the System32 directory.
- The IP address of the Arctic Wolf Sensor or vLC has changed.
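The following PowerShell is an added example, not Arctic Wolf's own tooling: a health check for one domain controller that covers the files and service created in Step 2 and the log locations listed under Troubleshooting, producing output you can attach when contacting your CST. It assumes the NXLog Windows service is named nxlog and that $SensorIp is the Receiving Sensor or vLC address entered on the Downloads page.

```powershell
# Added example, not Arctic Wolf's own tooling: post-install health check for one
# domain controller, covering the files and service created in Step 2 and the
# log locations listed under Troubleshooting. Run it in an elevated PowerShell.
# Assumptions: the NXLog Windows service is named 'nxlog', and $SensorIp is the
# Receiving Sensor / vLC address that was entered on the Downloads page.
param([string]$SensorIp = '10.0.0.1')   # placeholder; pass your sensor or vLC IP

$results = New-Object System.Collections.Generic.List[object]
function Add-Check([string]$Name, [bool]$Pass, [string]$Detail) {
    $results.Add([pscustomobject]@{ Check = $Name; Pass = $Pass; Detail = $Detail })
}

# Only domain controllers should carry the AD Sensor (DomainRole 4 or 5 = DC)
$role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
Add-Check 'host is a domain controller' ($role -ge 4) "DomainRole=$role"

# Step 2 artifacts at their default locations
$conf   = 'C:\Program Files (x86)\nxlog\conf\nxlog.conf'
$client = 'C:\Program Files (x86)\Arctic Wolf Networks\nxlog-client\nxlog-client.exe'
Add-Check 'nxlog.conf present'       (Test-Path $conf)   $conf
Add-Check 'nxlog-client.exe present' (Test-Path $client) $client

# nxlog.conf is deployment-specific and carries the sensor IP; a mismatch usually
# means the wrong download was used or the sensor/vLC address has changed.
$ipFound = (Test-Path $conf) -and
           (Select-String -Path $conf -Pattern ([regex]::Escape($SensorIp)) -Quiet)
Add-Check 'nxlog.conf references sensor IP' ([bool]$ipFound) $SensorIp

# The MSI starts the NXLog service; it must stay running for logs to ship
$svc = Get-Service -Name 'nxlog' -ErrorAction SilentlyContinue
$svcState = if ($svc) { [string]$svc.Status } else { 'not installed' }
Add-Check 'nxlog service running' ($svcState -eq 'Running') "status=$svcState"

# Troubleshooting log paths. A 64-bit PowerShell sees System32 directly; only a
# 32-bit process on 64-bit Windows must go through the Sysnative alias.
$sysDir = if ([Environment]::Is64BitProcess) { "$env:windir\System32" } else { "$env:windir\Sysnative" }
$dns  = @(Get-ChildItem -Path (Join-Path $sysDir 'DNS')  -Filter '*.log' -ErrorAction SilentlyContinue)
$dhcp = @(Get-ChildItem -Path (Join-Path $sysDir 'dhcp') -Filter 'DhcpSrvLog-*.log' -ErrorAction SilentlyContinue)
Add-Check 'DNS logs present'  ($dns.Count  -gt 0) "count=$($dns.Count)"
Add-Check 'DHCP logs present' ($dhcp.Count -gt 0) "count=$($dhcp.Count) (0 is expected if this DC is not a DHCP server)"

$results | Format-Table -AutoSize
if ($results.Pass -contains $false) {
    Write-Warning 'One or more checks failed; include this output when you contact your CST.'
}
```

A failed "nxlog.conf references sensor IP" check after a sensor or vLC address change matches the last Troubleshooting condition above and is a reason to contact your CST rather than to edit the file by hand.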