NXLog Installation
NXLog for log collection
NXLog is a third-party tool that collects and processes logs. Arctic Wolf® uses NXLog to package the following log files into Snare files that are generated by the Windows Server domain controller directory service:
- Windows Event Logs
- DNS logs when configured
- DHCP logs if the DHCP service is installed on the same server
The Snare files are sent to the Arctic Wolf syslog listener, located on an Arctic Wolf Sensor or Virtual Log Collector (vLC), where they are preprocessed and then sent to the Arctic Wolf platform.
Install NXLog
This section provides instructions for installing NXLog Community Edition.
Note: NXLog does not automatically update. To update an existing NXLog installation, see Update NXLog and AD Sensor.
Before you begin
- Ensure that you meet the minimum system resources required for NXLog. See the NXLog User Guide for additional information.
- Contact your CST if you require a custom NXLog configuration, for example, to forward logs from sources such as Internet Information Services (IIS) or Sophos.
Steps
- Go to the NXLog Community Edition Downloads page of the NXLog website.
- In the Available Downloads section, set the version to NXLog Community Edition 2.11.2190.
  Note: Optimal performance, stability, and timely delivery of logs to the Arctic Wolf platform were observed with NXLog Community Edition version 2.11.2190.
- To download the .msi file, select Windows x86-64 and click Download.
- For each domain controller, complete the following steps:
  - Copy the NXLog Community Edition installer to the computer where you will install it.
  - Double-click the NXLog installer to run it.
  - On the first page of the Setup Wizard, click Next.
  - Select the I accept the terms in the License Agreement checkbox, and then click Next.
  - Leave the destination folder as the default, and then click Next.
  - Click Install.
  - When the "Completed the NXLog-CE Setup Wizard" message appears, click Finish.
Update NXLog and AD Sensor
NXLog is used in conjunction with AD Sensor to provide telemetry into the Arctic Wolf security triage pipeline. To update both applications:
- (Optional) Create a backup of your nxlog.conf file if you use NXLog for purposes other than AD Sensor. During the installation of NXLog, the existing nxlog.conf file is overwritten.
- Uninstall AD Sensor:
  - Click Start > Settings > Control Panel > Add/Remove Programs.
  - Locate AD Sensor, and then click Remove.
  - Click Yes.
  - Click Close.
- Delete any AD Sensor folders or files from these paths that were not removed during the uninstall:
  C:\Program Files (x86)\Arctic Wolf Networks\nxlog-client
  C:\Program Files (x86)\nxlog\conf
- Uninstall NXLog:
  - Click Start > Settings > Control Panel > Add/Remove Programs.
  - Locate NXLog, and then click Remove.
  - Click Yes.
  - Click Close.
- If you created a backup of your nxlog.conf file, restore your NXLog custom configuration.
- Restart the NXLog service.
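The backup, restore, and restart steps of the update procedure above, as an added PowerShell example (not Arctic Wolf's or NXLog's own script). The nxlog.conf location, the backup folder, and the `nxlog` service name are assumptions; adjust them to your installation.

```powershell
# Added example: not Arctic Wolf or NXLog code. Paths and service name are assumptions.
param(
    [Parameter(Mandatory)] [ValidateSet('Backup', 'Restore')] [string]$Action,
    # Assumed location, based on the conf folder named in the procedure.
    [string]$ConfPath  = 'C:\Program Files (x86)\nxlog\conf\nxlog.conf',
    [string]$BackupDir = 'C:\nxlog-backup',   # hypothetical backup folder
    [string]$Service   = 'nxlog'              # assumed Windows service name
)
$ErrorActionPreference = 'Stop'
$backupFile = Join-Path $BackupDir 'nxlog.conf.bak'
$hashFile   = "$backupFile.sha256"

if ($Action -eq 'Backup') {
    # Run before uninstalling: the NXLog installer overwrites nxlog.conf.
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    Copy-Item -LiteralPath $ConfPath -Destination $backupFile -Force
    # Record a SHA-256 so the restore can detect a changed or truncated backup.
    (Get-FileHash -LiteralPath $backupFile -Algorithm SHA256).Hash |
        Set-Content -LiteralPath $hashFile
    Write-Output "Backed up $ConfPath to $backupFile"
}
else {
    # Run after NXLog is installed again: verify the backup, then restore it.
    $expected = (Get-Content -LiteralPath $hashFile -TotalCount 1).Trim()
    $actual   = (Get-FileHash -LiteralPath $backupFile -Algorithm SHA256).Hash
    if ($actual -ne $expected) {
        throw "Backup hash mismatch for $backupFile; not restoring."
    }
    Copy-Item -LiteralPath $backupFile -Destination $ConfPath -Force

    # Restart so NXLog loads the restored configuration, then confirm it reaches Running.
    Restart-Service -Name $Service
    $svc = Get-Service -Name $Service
    $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(30))
    Write-Output "Restored $ConfPath; service '$Service' is $($svc.Status)"
}
```

Save the script as a .ps1 file and run it from an elevated PowerShell session with `-Action Backup` before the uninstall steps and `-Action Restore` once NXLog is installed again.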