On Prem AD Connector

On-Prem Active Directory (AD) Connector Setup Guide

This guide provides step-by-step instructions to set up the On-Prem AD Connector in the XDR platform using Docker and PowerShell.


1. Connector Configuration in XDR

  1. Go to the XDR platform.
  2. Navigate to Connectors → Ingestion.
  3. Select On-prem AD Connector and click Configure.
  4. Enter the following:

    • Collector ID
    • Password
    • Create Table: Set to Yes
    • Time Interval (in minutes)
    • Threshold (number of failed login attempts)
  5. Click Validate and Save.

🔍 What are Time Interval and Threshold?

If Time Interval = 5 minutes and Threshold = 3, then a user who makes 3 failed login attempts within any 5-minute window causes 1 alert to be generated.
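The Time Interval / Threshold rule above, reproduced as a small added example (not the XDR platform's own detection code) that runs a sliding window over constructed failed-login events shaped like Windows event 4625; it assumes one alert per window, after which the user's counter resets:

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of failed-login events (timestamp, account), not real data.
SAMPLE_EVENTS = [
    ("2024-05-01 09:00:10", "alice"),
    ("2024-05-01 09:01:30", "alice"),
    ("2024-05-01 09:03:45", "alice"),   # 3rd failure within 5 min -> alert
    ("2024-05-01 09:04:00", "alice"),   # window already alerted and reset
    ("2024-05-01 09:20:00", "alice"),   # new window, below threshold
    ("2024-05-01 09:00:00", "bob"),
    ("2024-05-01 09:10:00", "bob"),     # 10 min after the first: outside window
    ("2024-05-01 09:12:00", "bob"),
]


def detect_failed_login_bursts(events, time_interval_min=5, threshold=3):
    """Return [(account, alert_time)] for every account that reaches
    `threshold` failed logins inside a sliding `time_interval_min` window.

    Assumption: one alert per window; after alerting, the account's
    recent-failure queue is cleared so the same burst is not re-alerted.
    """
    window = timedelta(minutes=time_interval_min)
    recent = defaultdict(deque)          # account -> timestamps still in window
    alerts = []
    for ts_str, account in sorted(events):           # process in time order
        ts = datetime.strptime(ts_str, "%Y-%m-%d %H:%M:%S")
        q = recent[account]
        q.append(ts)
        while q and ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append((account, ts_str))
            q.clear()
    return alerts


if __name__ == "__main__":
    for account, when in detect_failed_login_bursts(SAMPLE_EVENTS):
        print(f"ALERT: {account} reached the failed-login threshold at {when}")
```

Lowering the threshold to 2 with the same sample fires for both accounts, which is a quick way to see how the two settings trade alert volume against sensitivity.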


2. System Requirements

Start Docker:

systemctl start docker

3. Firewall Port Configuration

For Linux/macOS:

firewall-cmd --permanent --add-port=514/udp
firewall-cmd --reload

For Windows (PowerShell as Administrator):

New-NetFirewallRule -DisplayName "Allow UDP Port 514" -Direction Inbound -Protocol UDP -LocalPort 514 -Action Allow
New-NetFirewallRule -DisplayName "Allow UDP Port 514" -Direction Outbound -Protocol UDP -LocalPort 514 -Action Allow

4. Docker Collector Setup

Download the collector image:

https://connectors-xdr.seqrite.com/connectors/collector/download?collectorId=<COLLECTOR_ID>&password=<PASSWORD>&tid=<TENANT_ID>

Load the Docker image:

docker load --input <path_to/hhcollector-1.0.0.tar>

Start the agent:

docker run -p 514:514/udp \
  --env COLLECTOR_ID=<COLLECTOR_ID> \
  --env TID=<TENANT_ID> \
  hhcollector

5. PowerShell Script Setup for Log Forwarding

✅ Prerequisites:

  • Admin privileges
  • PowerShell script downloaded
  • NSSM (Non-Sucking Service Manager) installed

Step 1: Download the PowerShell Script

Download the script:

https://connectors-xdr.seqrite.com/connectors/collector/scriptDownload?collectorId=<COLLECTOR_ID>&password=<PASSWORD>&tid=<TENANT_ID>

Save the script as:

C:\SyslogForwarder\SyslogForwarder.ps1

Step 2: Download & Install NSSM

Download NSSM from the official site and extract to:

C:\nssm\

Step 3: Install the PowerShell Script as a Windows Service

Open Command Prompt as Administrator and run:

C:\nssm\nssm.exe install SyslogForwarder

In the NSSM GUI:

  • Application:
    powershell.exe

  • Arguments:
    -ExecutionPolicy Bypass -File "C:\SyslogForwarder\SyslogForwarder.ps1"

  • Startup Directory:
    C:\SyslogForwarder

(Optional) Under Log on tab:
Use Local System or a user account with required permissions.

Click Install service.


Step 4: Set the Service to Start Automatically

Option 1: PowerShell

Set-Service -Name "SyslogForwarder" -StartupType Automatic

Option 2: Services Console

  • Open services.msc
  • Find SyslogForwarder
  • Right-click → Properties
  • Set Startup Type to Automatic
  • Click OK

Step 5: Start the Service

You can use any of the following:

nssm start SyslogForwarder

or

net start SyslogForwarder

or via services.msc → right-click → Start


Step 6: Verify Operation

Check log output at:

C:\SyslogForwarder\SyslogForwarder.log

Ensure the file is updating with the expected logs.
