Installing Virtual Log Collector

Installation Guide

Overview of the Virtual Log Collector

The Virtual Log Collector (vLC) is a virtual appliance that collects security-relevant logs for Arctic Wolf® analysis. You can download the vLC as an OVA package and deploy it onto a VMware ESXi hypervisor.

Tip: If your browser downloads the OVA file in .ovf format, rename the file to change the file extension to .ova.

Supported hypervisor for installing the vLC

The supported hypervisor for the vLC is VMware ESXi 6.5 and newer. This hypervisor can run standalone or as part of a VMware vCenter Server.

Minimum VMware requirements to install the vLC

These resource requirements apply for the vLC:

Note: Reducing and/or limiting resource allocations below the specified requirements impacts vLC performance.

vLC deployment and activation

Complete these tasks to deploy a vLC:

  1. Deploy the vLC OVA using the vCenter Server.

  2. (Optional) Encrypt the vLC VM.

  3. Verify that the vLC deployed correctly.

  4. Connect the vLC to the Arctic Wolf Platform.

  5. Activate the vLC.

Note: Each vLC VM only supports a single network interface. If you need additional network interfaces, you must deploy additional vLC VMs. If deploying multiple vLC instances, we recommend reusing the OVA file. However, you must repeat the installation and activation process for each vLC. Cloning a vLC instance is not supported. Cloning a vLC introduces errors in the operation of both the original vLC and the cloned instance.

Deploying the vLC OVA using the vCenter Server

To deploy the Arctic Wolf virtual appliance OVA using the vCenter Server, also known as the vSphere Client:

  1. Open the Deploy OVF Template wizard.

  2. Under Select an OVF template, select the vLC OVA file, and then click Next.

  3. Under Select a name and folder, enter a name for the virtual machine (VM) of the virtual appliance, and the VM folder that it will deploy to, such as <site_name>_Arctic-Wolf, and then click Next.

  4. Under Select a compute resource, select the ESXi host or cluster that you want to deploy the virtual appliance to, and then click Next.

  5. Under Review details, verify the VM template details that you set, and then click Next.

  6. Under Select Storage:

    1. Choose the virtual disk format and the storage volume that you want to deploy the virtual appliance to.

    2. Click Next.

  7. Under Select networks:

    1. Choose the Destination Network to connect the vLC to. Log traffic is sent to the vLC over this network.

      Note: If your firewall performs SSL/TLS inspection, allowlist the sensor management IP address and verify that your firewall allows outbound access from that IP address over port 443 to the IP addresses listed under "If you are a Managed Detection and Response (MDR) customer" on the Arctic Wolf IP Addresses page in the Arctic Wolf Portal.

    2. Click Next.

  8. Under Additional settings:

    Tip: You may need to expand these fields to set the corresponding values.

    1. In the Identification field, enter a short name to identify the virtual appliance instance in the Arctic Wolf Portal.

    2. In the Network Configuration field, select DHCP or enter a static IP address for the virtual appliance network interface configuration.

      Note: If you select DHCP, you must use a DHCP reservation to prevent log collection and connection errors. Alternatively, assign a static IP address.

    3. Click Next.

  9. Under Ready to complete, review the summary of the virtual appliance deployment, and then click Finish to start the deployment.

  10. After the deployment is complete, power on the virtual appliance VM.

Encrypting the vLC

While optional, Arctic Wolf strongly recommends that you encrypt the virtual appliance to ensure that all data stored and flowing through the appliance has an additional layer of protection.

To encrypt the appliance, see the VMware vSphere product documentation for how to encrypt an existing virtual machine or virtual disk.

Verifying the vLC deployment

To verify that the Arctic Wolf virtual appliance was deployed correctly:

  1. If the virtual appliance is off, power on the virtual appliance VM.

  2. In the vCenter Server or vSphere Client, check if the virtual appliance VM is running.

  3. Verify that the VM IP address is reported in the VM summary.

Connecting a deployed vLC to the Arctic Wolf Platform

To connect a deployed Arctic Wolf virtual appliance to the Arctic Wolf Platform:

  1. Select one of these options to open the newly deployed virtual appliance VM console:

    • Launch Web Console — Opens the VM console in a web browser window.

    • Launch Remote Console — Launches the VMware Remote Console application.

  2. Look for a QR code:

    • If a QR code appears — Proceed to step 3.

    • If a QR code does not appear — The virtual appliance is unable to access the services required to connect, likely due to internet connectivity.

  3. Connect the virtual appliance to the Arctic Wolf Platform in one of these ways:

    • Using a mobile device — Scan the QR code displayed in the console window, and then follow the on-screen prompts.

      Tip: You may need to sign in to your Arctic Wolf account on your mobile device as part of this process.

    • In a web browser — Enter the URL that appears under the QR code. Alternatively, go to https://auth.arcticwolf.com/activate, and then enter the eight-character device activation code displayed in the console window in this hyphenated format: AAAA-AAAA.

    Note: QR codes expire after 15 minutes. A new code appears in the console if the QR code expires.

After the virtual appliance successfully connects to the Arctic Wolf Platform, the Arctic Wolf logo replaces the QR code in the virtual appliance VM console. The logo may take up to five minutes to appear.

Note: If the logo does not appear after five minutes, contact your Concierge Security Team® (CST).

Activating a deployed vLC

Activating a deployed vLC enables log collection.

Note: Only the user who performed the steps for Connecting a deployed vLC to the Arctic Wolf Platform can activate a deployed vLC.

To activate a deployed virtual appliance:

  1. Sign in to the Arctic Wolf Portal.

  2. Select Virtual Network Appliance Management from the menu under your organization name to open the Virtual Network Appliance Management page. A list of deployed virtual appliances appears on this page.

  3. Locate the short name or the serial number of the virtual appliance that you want to activate.

  4. Under Actions, select the Power icon, and then select Activate Virtual Network Appliance when prompted.

The activated vLC can now collect and forward security-relevant logs to your Concierge Security Team.

Reconfiguring a deployed vLC

You have the option to change these network settings for a deployed Arctic Wolf virtual appliance:

To reconfigure a deployed Arctic Wolf virtual appliance:

  1. Shut down the virtual appliance that you want to reconfigure.

  2. Wait for the VM to shut down.

  3. In vCenter Server or vSphere Client, select the Configure tab.

  4. Select vApp Options from the navigation pane.

    Note: Do not disable vApp Options for a deployed virtual appliance. Disabling this functionality removes all properties used to configure the network settings of the VM.

  5. Under Properties, select the virtual appliance item that you want to reconfigure.

    For example, select the option that lets you reconfigure the network interface.

  6. Above the table, click Set Value and enter the new value for the property.

    Note: Do not click Edit. The Edit option lets you edit the name of the property, not the value assigned to it.

  7. Repeat steps 5 to 6 to change the other network settings, as necessary.

  8. Restart the virtual appliance VM.

Removing the vLC

To remove the Arctic Wolf virtual appliance:

  1. Decommission the sensor:

    1. Sign in to the Arctic Wolf Portal.

    2. Select Virtual Network Appliance Management from the menu under your organization name to open the Virtual Network Appliance Management page. A list of deployed virtual appliances appears on this page.

    3. Locate the short name or serial number of the virtual appliance that you want to decommission.

    4. Under Actions, select the Trash icon, and then select Decommission Log Collector when prompted.

  2. Power down the virtual appliance VM.

  3. In the vCenter Server or vSphere Client, select the virtual appliance deployment, and then select Delete from Disk.