Virtual Log Collector Installation in an AWS Environment

Updated Sep 13, 2023

Install a vLC using the AWS Management Console

The Arctic Wolf® Virtual Log Collector (vLC) is a virtualized log collector for syslog. Arctic Wolf Managed Detection and Response (MDR) uses one or more vLC deployments to monitor events in your network and identify potential threats. You can use a vLC independently or with Arctic Wolf network sensors.


  • vLCs do not support all AWS service logs, including AWS Directory Service logs. Generally, if the structure of a log is not a single line of text, it is not supported.
  • vLCs do not support auto-scaling in AWS.

Before you begin


  1. Provide AWS account IDs to Arctic Wolf
  2. Create a vLC instance.
  3. Configure the vLC instance.
    1. Configure network settings.
    2. Configure security group rules.
    3. Launch and verify the EC2 instance.
  4. Configure the vLC.
  5. Activate the vLC.

Step 1: Provide AWS account IDs to Arctic Wolf

For the vLC Amazon Machine Image (AMI) to appear in AWS, you must first provide your AWS account IDs to Arctic Wolf.

  1. Sign in to the Arctic Wolf Unified Portal.

  2. In the menu bar, click Telemetry Management > Connected Accounts.

  3. Click Add Account +.

  4. On the Add Account page, from the Account Type list, select Cloud Detection and Response.

  5. In the Search Services field, type appliance.

  6. Click vSensor AMI.

  7. On the Add Account page, configure these settings:

    1. Account Name — Enter a unique and descriptive name for the account.
    2. Account ID — Enter the AWS account number.
  8. Click Test and Submit Credentials.

Step 2: Create a vLC instance

  1. In the Amazon Machine Images (AMI) section, in the AWS console, select the vLC AMI to use to create the instance

    Note: The name of the AMI is Arctic Wolf Appliance-<version>.

  2. Click Launch Instance from AMI.

  3. In the Name and tags section, enter the name for your vLC.

  4. In the Application and OS Images (Amazon Machine Image) section, keep the default settings.

  5. In the Key pair (login) section, select Proceed without a key pair.

  6. In the Configure storage section, keep the default settings unless you require more storage.

  7. In the Advanced details section, for Termination Protection, select the Enable checkbox.

  8. Click Save.

  9. In the Instance Type section, select t3.large.

Step 3a: Configure network settings

  1. In the AWS console, in the Network settings section, click Edit, and then select one of these options:
    • VPC — The VPC to deploy the vLC on.
    • Subnet — The subnet to deploy the vLC on.


      • Whether you use a private or public subnet depends on your network. Arctic Wolf recommend using a private subnet.
      • Do not select No preference.
    • Auto-assign public IP — Select one of these options:
      • Enable
      • Disable — If you are using a private subnet, or if your environment requires you to enter a specific IP address.

Step 3b: Configure security group rules

Depending on your environment, you may need to configure new security group rules to allow outgoing and incoming traffic for the vLC.

Tip: Arctic Wolf recommends that you create a new security group to avoid having more permissions than necessary. However, you can use an existing security group if it has the required rules configured.

  1. Find the Firewall (security groups) section.

  2. Do one of these actions:

    • Using an existing security group — Click Select an existing security group, and then choose the appropriate security group and proceed to Launch and verify the EC2 instance.
    • Creating a new security group — Click Create a new security group.
  3. Remove any default security rules.

  4. In the Security group name section, enter a name for the security group.

  5. In the Description section, enter a description for the security group.

  6. Add rules to allow the following:

    • All outgoing traffic

      Note: There may be a rule allowing all outgoing traffic by default.

    • Incoming traffic from the addresses or subnets of the log sources to be ingested by the vLC the on following network ports, as applicable for the environment:

      • UDP port 514 for plaintext syslog over UDP
      • TCP port 514 for plaintext syslog over TCP
      • TCP port 6514 for TLS-encrypted syslog
      • TCP port 9081 for logs in the Bluecoat SG format

Step 3c: Launch and verify the EC2 instance

  1. Click Launch Instance.
  2. Click the instance ID, where the ID value is i-<hexadecimals>.
  3. Click the instance ID to view details.

    Note: If the instance ID does not appear, refresh the page.

  4. Verify that the Instance state is Running.

Step 4: Configure the vLC

Note: See the Serial Console User Guide for more information on using the Arctic Wolf serial console.

  1. If you have not used the serial console before, you may need to configure access. To configure serial console access:

    1. Click Actions > Account Attributes.
    2. In the Account Attributes section, select EC2 Serial Console.
    3. In the EC2 Serial Console section, select the Allow checkbox.
    4. Click Update.
  2. Locate the EC2 management console, select Instances, and then enter the vLC instance ID.

  3. Click Actions > Monitor and Troubleshoot > EC2 Serial Console > Connect.

  4. When prompted, or if the screen is blank, press the Enter key three times.

    Note: If you selected an unsupported EC2 instance type, an error message displays after this step. To proceed, terminate the vSensor and create a new one using a supported EC2 instance type.

  5. Click Next.

    A series of connectivity checks begin.

  6. If any of the connectivity checks fail, modify the VPC, subnet, or security group as required, and then reattempt the connectivity checks.

  7. When the connectivity check passes, click Next.

  8. In the Shorthand section, enter a name for the vLC in the Arctic Wolf Portal.

  9. Select the VLC deployment type.

  10. Click Next.

  11. When prompted, do one of these actions to connect the vLC to the Arctic Wolf Platform:

    • Using a mobile device — Scan the QR code displayed in the console window, and then follow the on-screen prompts.
    • Using a web browser — Enter the displayed URL into a web browser, and then follow the on-screen prompts.

    Note: QR codes expire after 15 minutes. A new code appears in the console if the QR code expires.

    After the vLC successfully connects to the Arctic Wolf Platform, a prompt replaces the QR code, asking you to go to the Arctic Wolf Appliance Management.

Step 5: Activate the vLC

Note: Only the user who performed the steps to configure the vLC can activate the vLC.

  1. In the Arctic Wolf Portal, click Account > Arctic Wolf Appliance Management.

  2. Locate the name or the serial number of the vLC you want to activate.

  3. In the Actions column, click Activate virtual appliance, and then click Activate Virtual Network Appliance when prompted.

    The console displays Appliance activation in progress, please wait.

  4. When prompted, press Enter three times to activate the console.

Reconfigure a vLC using the AWS Management Console

You cannot reconfigure a vLC that was deployed using AWS. If you want a different configuration, delete the old vLC and configure a new vLC. See Uninstall a vLC using the AWS Management Console for more information.

Uninstall a vLC using the AWS Management Console

  1. Decommission the vLC:
    1. Sign in to the Arctic Wolf Portal.

    2. Click Account > Arctic Wolf Appliance Management.

    3. Find the short name or serial number of the vLC you want to decommission.

    4. Under Actions, click Decomission virtual appliance, and then select Decommission Virtual Appliance when prompted.

  2. Turn off termination protection:
    1. In the AWS web console, click to Instances.
    2. Click Actions > Instance Settings > Change termination protection.
    3. Clear the Enable checkbox.
    4. Click Save.
  3. Delete the EC2 instance:
    1. In the AWS web console, click Instance state.

    2. Click Terminate Instance.

      The EC2 instance shuts down and the associated disk resources are removed.