Install Active Directory Sensor

Install Arctic Wolf® Active Directory (AD) Sensor to provide additional visibility into your AD environments.

Only install AD Sensor on domain controllers (DCs). Do not install the AD Sensor on servers that do not function as DCs. If you need to forward all Windows Event Logs from other servers, or have another special use case, contact your Concierge Security® Team (CST) for assistance before proceeding.
Note:

AD Sensor does not automatically update. To update an existing AD Sensor installation, see Update AD Sensor.

To continue with Active Directory installation, see Active Directory Integrations.

Configure your environment

  1. Configure audit policies for each domain to generate events in the Windows Event Log. This allows Arctic Wolf to monitor security and operational events on your Windows server.

    See Configure an Arctic Wolf GPO Advanced Audit Policy for more information.

    Note:

    Enabling additional audit items, for example auditing of object access, can cause delays in observations.

  2. Install NXLog on all DCs. AD Sensor requires NXLog, which is a third-party tool that collects and processes logs.

    For more information, see Install NXLog.

  3. Install the Arctic Wolf Agent on all devices that you plan to install the AD Sensor on.
    Note:

    This task is optional but recommended.

    For more information, see Install Arctic Wolf Agent.

Download the AD Sensor installation files

  1. Sign in to the Arctic Wolf Unified Portal.
  2. In the navigation menu, click Resources > Downloads.
  3. In the Active Directory (AD) Sensor section, in the Receiving Sensor field, enter the IP address of the Arctic Wolf Sensor or Virtual Log Collector (vLC), or select the sensor or vLC from the list.
  4. Click Download Sensor.
    Tip:

    You can use the SHA-256 hash value to verify that the downloaded file is authentic.

Install AD Sensor on each DC

On each DC:

  1. Copy awn-ad-sensor.zip to the DC where you want to install it.
  2. Right-click the file, and then select Extract All.

    The ZIP file extracts the awn-ad-sensor folder, which contains the awn-ad-sensor.msi, nxlog.conf, and nxlog3.conf files. Do not move or delete these files.

  3. Run awn-ad-sensor.msi as an administrator.

    When you run the MSI file, these files are created in the specified default location, and then the NXLog service starts:

    | File | Description | Default location |
    |---|---|---|
    | nxlog.conf | The Arctic Wolf custom configuration file for NXLog. It contains the Sensor IP address for a particular deployment. Note: If an nxlog.conf file currently exists at that location, the file is overwritten. | For 32-bit — C:\Program Files (x86)\nxlog\conf; For 64-bit — C:\Program Files\nxlog\conf |
    | nxlog-client.exe | An NXLog executable that runs every two hours to retrieve AD information. This executable runs under the local system account. | C:\Program Files (x86)\Arctic Wolf Networks\nxlog-client |
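The download tip and the install steps above can be scripted per DC as follows. This is an added example, not Arctic Wolf code: it checks the SHA-256 value, backs up any nxlog.conf that the MSI would overwrite, installs, and confirms the result. The ZIP location, the hash placeholder, the extraction folder name, and the NXLog service name `nxlog` are assumptions.

```powershell
# Added example: pre-install checks and post-install verification on one DC.
#Requires -RunAsAdministrator
param(
    [string]$ZipPath        = 'C:\Temp\awn-ad-sensor.zip',           # assumed download location
    [string]$ExpectedSha256 = '<SHA-256 value shown in the portal>'  # placeholder, paste the real value
)
$ErrorActionPreference = 'Stop'

# 1. AD Sensor belongs on DCs only. Win32_OperatingSystem.ProductType 2 = domain controller.
if ((Get-CimInstance Win32_OperatingSystem).ProductType -ne 2) {
    throw 'This server is not a domain controller; do not install AD Sensor here.'
}

# 2. Compare the download against the published SHA-256 before extracting anything.
$actual = (Get-FileHash -Path $ZipPath -Algorithm SHA256).Hash
if ($actual -ne $ExpectedSha256.Trim()) {   # string -ne is case-insensitive
    throw "SHA-256 mismatch: got $actual. Delete the file and download it again."
}

# 3. The MSI overwrites an existing nxlog.conf, so keep a timestamped copy first.
$confDirs = 'C:\Program Files\nxlog\conf', 'C:\Program Files (x86)\nxlog\conf'
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
foreach ($dir in $confDirs) {
    $conf = Join-Path $dir 'nxlog.conf'
    if (Test-Path $conf) { Copy-Item $conf "$conf.$stamp.bak" }
}

# 4. Extract and install. The MSI and both .conf files stay together in the extracted folder.
$dest = Join-Path (Split-Path $ZipPath) 'awn-ad-sensor-extracted'   # assumed folder name
Expand-Archive -Path $ZipPath -DestinationPath $dest -Force
$msi = Get-ChildItem -Path $dest -Recurse -Filter 'awn-ad-sensor.msi' | Select-Object -First 1
if (-not $msi) { throw 'awn-ad-sensor.msi not found in the extracted archive.' }
$p = Start-Process msiexec.exe -ArgumentList '/i', "`"$($msi.FullName)`"" -Wait -PassThru
if ($p.ExitCode -notin 0, 3010) { throw "msiexec exited with code $($p.ExitCode)" }  # 3010 = reboot required

# 5. Confirm the documented outcome: nxlog.conf written and the NXLog service started.
$installed = $confDirs | ForEach-Object { Join-Path $_ 'nxlog.conf' } | Where-Object { Test-Path $_ }
if (-not $installed) { throw 'nxlog.conf not found in either default location.' }
$svc = Get-Service -Name 'nxlog'   # assumed service name
if ($svc.Status -ne 'Running') { throw "NXLog service status is $($svc.Status)." }
"AD Sensor installed; config at $($installed -join ', '); NXLog service is running."
```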

Contact Arctic Wolf

  1. After you install the AD Sensor on all DCs, do one of these actions:
    • New customers — Open the existing [Deploy] Site Config: <ticket_subject> ticket.
      Tip: To find this ticket in the Unified Portal, click Tickets & Alerts > All Tickets, and then, in the Ticket Type list, select Onboarding.
    • Existing customers — In the Unified Portal, click Open a New Ticket.
  2. On the Open a New Ticket page, include any relevant information, for example the results of auditpol.exe /get /category:* or gpresult /h auditsettings.html from the audit policy configuration.
  3. If you previously configured remote AD scanning from the sensor, notify your CST so they can disable it to avoid duplicate logging.