NXLog for log collection Direct link to this section

NXLog is a third-party tool that collects and processes logs. Arctic Wolf® uses NXLog to package the following log files into Snare files that are generated by the Windows Server domain controller directory service:

Windows Event Logs
DNS logs when configured
DHCP logs if the DHCP service is installed on the same server

The Snare files are sent to the Arctic Wolf syslog listener, located on an Arctic Wolf Sensor or Virtual Log Collector (vLC), where they are preprocessed and then sent to the Arctic Wolf platform.

Install NXLog Direct link to this section

This section provides instructions for installing NXLog Community Edition.

Note: NXLog does not automatically update. To update an existing NXLog installation, see Update NXLog and AD Sensor.

Before you begin Direct link to this section

Ensure that you meet the minimum system resources required for NXLog. See the NXLog User Guide for additional information.
Contact your CST if you require a custom NXLog configuration. For example, to forward logs from sources such as Internet Information Services (IIS) or Sophos.

Steps Direct link to this section

Go to the NXLog Community Edition Downloads page of the NXLog website.
In the Available Downloads section, set the version to NXLog Community Edition 2.11.2190.

Note: Optimal performance, stability, and timely delivery of logs to the Arctic Wolf platform was observed with NXLog Community Edition version 2.11.2190.
To download the .msi file, select Windows x86-64 and click Download.
For each domain controller, complete the following steps:
1. Copy the NXLog Community Edition installer to the computer where you will install it.
2. Double-click the NXLog installer to run it.
3. On the first page of the Setup Wizard, click Next.
4. Select the I accept the terms in the License Agreement checkbox, and then click Next.
5. Leave the destination folder as the default, and then click Next.
6. Click Install.
7. When the Completed the NXLog-CE Setup Wizard message appears, click Finish.

Update NXLog and AD Sensor Direct link to this section

NXLog is used in conjunction with AD Sensor to provide telemetry into the Arctic Wolf security triage pipeline. To update both applications:

(Optional) Create a backup of your nxlog.conf file if you use NXLog for purposes other than AD Sensor.

During the installation of NXLog, the existing nxlog.conf file is overwritten.
Uninstall AD Sensor:
1. Click Start > Settings > Control Panel > Add/Remove Programs.
2. Locate AD Sensor, and then click Remove.
3. Click Yes.
4. Click Close.
Delete any AD Sensor folders or files from these paths that were not removed during the uninstall:
- C:\Program Files (x86)\Arctic Wolf Networks\nxlog-client
- C:\Program Files (x86)\nxlog\conf
Uninstall NXLog:
1. Click Start > Settings > Control Panel > Add/Remove Programs.
2. Locate NXLog, and then click Remove.
3. Click Yes.
4. Click Close.
Install NXLog.
If you created a backup of your nxlog.conf file, restore your NXLog custom configuration.
Download the AD Sensor installation files.
Install AD Sensor on each domain controller.
Restart the NXLog service.

NXLog Installation

Installation Guide