Active Directory Sensor Installation

Updated Sep 27, 2023

Install Active Directory Sensor
- Before you begin
- Steps
See also

Install Active Directory Sensor

Install Arctic Wolf® Active Directory (AD) Sensor to provide additional visibility into your AD environments.

Note: AD Sensor does not automatically update. To update an existing AD Sensor installation, see Update AD Sensor.

Before you begin

Complete these steps:
1. Configure audit policies for each domain to generate events in the Windows Event Log. This allows Arctic Wolf to monitor security and operational events on your Windows server.
  
  See Arctic Wolf Group Policy Object Advanced Audit Policy for instructions.
  
  Note: Additional items can cause delays in observations, for example, enabling auditing of object access.
2. For each domain controller (DC), configure the Windows server to log DNS packets. This allows Arctic Wolf to monitor DNS logs on your Windows server.
  
  See Enabling DNS Logging for a Windows Server for instructions.
3. Install NXLog on all DCs. AD Sensor requires NXLog, which is a third-party tool that collects and processes logs.
  
  See NXLog installation and version updates for instructions.
4. Install the Arctic Wolf Agent on all devices that you plan to install the AD Sensor on.
  
  Note: This task is optional but recommended.
  
  See Arctic Wolf Agent Installation Guide for instructions.

Steps

Note: Only install AD Sensor on DCs. Do not install the AD Sensor on servers that do not function as DCs. If you need to forward all Windows Event Logs from other servers, or have another special use case, contact your Concierge Security® Team (CST) for assistance before proceeding.

Download the AD Sensor installation files.
Install AD Sensor on each domain controller.
Contact Arctic Wolf to provide information about your AD Sensor installation.

Step 1: Download the AD Sensor installation files

In the Arctic Wolf Portal, click Account > Downloads.
In the Active Directory (AD) Sensor section, in the Receiving Sensor field, enter the IP address of the Arctic Wolf Sensor or Virtual Log Collector (vLC). Alternatively, select the sensor or vLC from the list.
Click Download Sensor.

Tip: You can use the SHA-256 hash, which appears on the Downloads page of Arctic Wolf Portal, to verify that the downloaded file is authentic.

Step 2: Install AD Sensor on each DC

On each DC:

Copy awn-ad-sensor.zip to the DC where you want to install it.
Right-click the file, and then select Extract All.

The ZIP file extracts the awn-ad-sensor folder, which contains a awn-ad-sensor.msi, nxlog.conf , and nxlog3.conf file. Do not move or delete these files.

Run awn-ad-sensor.msi as an administrator.

When you run the MSI file, these files are created in the specified default location, and then the NXLog service starts:

File	Description	Default location
`nxlog.conf`	The Arctic Wolf custom configuration file for NXLog. It contains the Sensor IP address for a particular deployment. Note: If an `nxlog.conf` file currently exists at that location, the file is overwritten.	`C:\Program Files (x86)\nxlog\conf`
`nxlog-client.exe`	An NXLog executable that runs every two hours to retrieve AD information. This executable runs under the local system account.	`C:\Program Files (x86)\Arctic Wolf Networks\nxlog-client`

Step 3: Contact Arctic Wolf

After you install the AD Sensor on all DCs, submit a ticket or reply to your existing Site ticket if you are in the onboarding phase, to notify your CST:

Include any relevant information, such as the results of auditpol.exe /get /category:* or gpresult /h auditsettings.html from the audit policy configuration.
If you previously configured remote AD scanning from the sensor, notify your CST so they can disable it to avoid duplicate logging.