
Prerequisites for the Nodinite Log API

This page describes the prerequisites for installing and running the Nodinite Log API.

The Log API is a Web Application hosted within the IIS. You will install and maintain it as part of the Nodinite Core Services package.

graph LR
  subgraph "Integration Platform"
    roLogSink[fal:fa-bolt Integration Flow Application]
  end
  subgraph "App Server"
    roLogSink2[fal:fa-bolt Custom Logging Solution ]
  end
  subgraph "Web Server"
    roLogAPI(fal:fa-cloud-download LogAPI)
  end
  subgraph "SQL Server"
    roSQL1(fal:fa-database Configuration Database) --- roSQL2(fal:fa-database Active Log Database)
    roLogSink -->|HTTP/HTTPS| roLogAPI
    roLogAPI -->|SQL, DTC, DNS, RPC|roSQL1
    roLogSink2 -->|HTTP/HTTPS|roLogAPI
  end

| Verified | Topic |
|---|---|
| | IIS |
| | MSDTC |
| | Windows rights |
| | Database rights |
| | Firewall |

Use the checklist above to verify that you have performed all steps required to get Nodinite off to a flying start.

IIS

Before the installation, you must pre-configure your IIS target environment for use with Nodinite. Some Windows Roles and Features must be in place.

Important

The Default Web Site must exist within your IIS; otherwise, the installer will fail. There is no supported workaround. The Nodinite Core Services may be installed in other Web Sites (this is not our recommendation).

Prerequisites for IIS Web Server

| Feature | Name | Comment |
|---|---|---|
| Common HTTP Features | HTTP Redirection | |
| | Static Content | |
| Performance Features | Dynamic Content Compression | |
| | Static Content Compression | |
| Security Features | Basic Authentication | |
| | Windows Authentication | |
| Application Development | .Net Extensibility 4.x | |
| | ASP.NET 4.x | |
| | ISAPI Extensions | |
| | ISAPI Filters | |
| WCF Features | .Net Framework 4.X WCF | Requirement for the Log API (Version 1-5). This feature has been deprecated. It was available in Nodinite version 1-5. |

Info

Your client browser must support HTML 5; review the Client Browser prerequisites for additional details.

Review the IIS Authentication settings user guide to verify your environment has the proper settings at run-time.

Microsoft Distributed Transaction Coordinator (DTC)

The Log API takes part in SQL Server operations, and Nodinite uses the Microsoft Distributed Transaction Coordinator (DTC) Windows Service, which coordinates transactions that span multiple resource managers. We have written a dedicated tutorial for Nodinite with our best practices for how to install and configure the DTC Windows Service.

You must configure the DTC as documented; otherwise, Nodinite will not be operational.

What Windows rights does the Log API require?

When you install Nodinite using the install and update tool, the Log API is assigned an IIS App Pool. This IIS App Pool is set to run with a dedicated Windows Service account. The Log API uses integrated security, a feature built into IIS, and further calls to SQL Server are performed as this identity.

1. Rights to run as IIS Application

If the configured service account for the IIS App Pool is not a local administrator, then the Windows Domain account must be added to the local 'IIS_IUSRS' group. The account used must also be assigned certain SQL Rights; see the next paragraph.

Important

If the Windows User account for the Application pool is not assigned the sysadmin role, then you must make sure the account is added to the list of logins that receive the correct user rights as new databases are created. This setting is governed by the ImLogServiceUsers system parameter.

2. Rights to read redirection.config file

Make sure the account for the App Pool has Read rights on the %windows%\system32\inetsrv\config folder.

Review the 'Cannot read configuration file due to insufficient permissions' user guide for additional information.
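
A preflight check covering the IIS prerequisites table and the two Windows rights above, as an added example that is not part of the Nodinite documentation or tooling. It assumes an elevated session on Windows Server with the ServerManager and WebAdministration modules, maps the table rows to their Windows feature names, resolves the config folder through $env:windir, and uses DOMAIN\svc-nodinite as a placeholder account.

```powershell
# Added example: host-side preflight for the Log API prerequisites on this page.
# Run in an elevated session on the IIS server.
param(
    [string]$AppPoolAccount = 'DOMAIN\svc-nodinite'   # placeholder account name
)
Import-Module ServerManager, WebAdministration

# Windows feature names for the rows of the IIS prerequisites table.
$required = @(
    'Web-Http-Redirect', 'Web-Static-Content',       # Common HTTP Features
    'Web-Dyn-Compression', 'Web-Stat-Compression',   # Performance Features
    'Web-Basic-Auth', 'Web-Windows-Auth',            # Security Features
    'Web-Net-Ext45', 'Web-Asp-Net45',                # Application Development
    'Web-ISAPI-Ext', 'Web-ISAPI-Filter'
)
$missing = @(Get-WindowsFeature -Name $required |
    Where-Object { -not $_.Installed } | Select-Object -ExpandProperty Name)

# The installer fails when the Default Web Site does not exist.
$hasDefaultSite = [bool](Get-Website | Where-Object { $_.Name -eq 'Default Web Site' })

# Direct local group membership only; nested domain groups are not expanded.
function Test-LocalMember([string]$Group) {
    [bool](Get-LocalGroupMember -Group $Group | Where-Object { $_.Name -eq $AppPoolAccount })
}
$isLocalAdmin = Test-LocalMember 'Administrators'
$inIisIusrs   = Test-LocalMember 'IIS_IUSRS'

# Allow ACEs granting Read on the IIS config folder to the account or to IIS_IUSRS.
$read      = [System.Security.AccessControl.FileSystemRights]::Read
$configDir = Join-Path $env:windir 'System32\inetsrv\config'
$aceFor    = @((Get-Acl -Path $configDir).Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    ($_.FileSystemRights -band $read) -eq $read -and
    $_.IdentityReference.Value -in @($AppPoolAccount, 'BUILTIN\IIS_IUSRS')
} | ForEach-Object { $_.IdentityReference.Value })

[pscustomobject]@{
    MissingFeatures   = $missing
    DefaultWebSite    = $hasDefaultSite
    GroupRequirement  = ($isLocalAdmin -or $inIisIusrs)
    ConfigReadGranted = (($aceFor -contains $AppPoolAccount) -or
                         ($inIisIusrs -and ($aceFor -contains 'BUILTIN\IIS_IUSRS')))
}
```

An empty MissingFeatures list with the three remaining fields set to True means the host-side items on the checklist are in place; a local administrator account that relies only on the Administrators ACE will show ConfigReadGranted as False because that ACE is not inspected here.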

What SQL Rights does the Log API require?

For performance reasons, the Log API accesses the databases directly using the Windows Service Account configured for the Log API. This account must have the following SQL rights assigned:

Master

Grant VIEW SERVER STATE rights.

GRANT VIEW SERVER STATE TO [Domain\user]

Replace [Domain\user] with the Windows account being used for the Log API.

If applicable, repeat the grant on all nodes that are part of an AOAG environment.

Nodinite Databases

  • Configuration Database
    • db_datareader
    • db_datawriter
    • db_ddladmin
    • Grant Execute rights on all existing and future stored procedures:
GRANT EXECUTE TO [Domain\user]

Replace [Domain\user] with the Windows account being used for the Log API.

  • NodiniteLog* (can be multiple)
    • db_datareader
    • db_datawriter
    • db_ddladmin

Important

db_ddladmin is required for the service account to have proper rights to read statistics. Without this permission, performance may be degraded, especially for remote servers (linked servers). Read more here. Contact our support if you have any questions about this.

Tip

Review the following system parameters: ImLogServiceUsers and ImLogAccessRoles
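
An audit of the SQL rights listed above, as an added example that is not part of the Nodinite documentation: it reports which required rights are missing and which database roles the account holds beyond the listed ones, so that over-granting (for instance db_owner or sysadmin) becomes visible. It assumes the SqlServer module (Invoke-Sqlcmd) and a database user mapped directly to the login; the server, account and Configuration Database names are placeholders.

```powershell
# Added example: compare the Log API account's SQL rights with the list on this page.
# Only rights held by a user mapped directly to the login are seen (no Windows groups).
param(
    [string]$SqlInstance = 'SQLSERVER01',           # placeholder
    [string]$Account     = 'DOMAIN\svc-nodinite',   # placeholder
    [string]$ConfigDb    = 'NodiniteConfig'         # placeholder database name
)
Import-Module SqlServer
$acct  = $Account.Replace("'", "''")                # escape for the T-SQL literal
$roles = 'db_datareader', 'db_datawriter', 'db_ddladmin'

# Server level: VIEW SERVER STATE is required, sysadmin is not.
$srv = Invoke-Sqlcmd -ServerInstance $SqlInstance -Database master -Query @"
SELECT ISNULL(IS_SRVROLEMEMBER('sysadmin', N'$acct'), 0) AS IsSysadmin,
       (SELECT COUNT(*) FROM sys.server_permissions p
          JOIN sys.server_principals l ON l.principal_id = p.grantee_principal_id
         WHERE l.name = N'$acct' AND p.permission_name = 'VIEW SERVER STATE'
           AND p.state IN ('G', 'W')) AS ViewServerState;
"@
[pscustomobject]@{ Scope = 'server'; Sysadmin = [bool]$srv.IsSysadmin; ViewServerState = [bool]$srv.ViewServerState }

# Database level: the Configuration Database plus every NodiniteLog* database.
$logDbs = @(Invoke-Sqlcmd -ServerInstance $SqlInstance -Database master -Query `
    "SELECT name FROM sys.databases WHERE name LIKE 'NodiniteLog%'" | Select-Object -ExpandProperty name)
foreach ($db in @($ConfigDb) + $logDbs) {
    $rows = Invoke-Sqlcmd -ServerInstance $SqlInstance -Database $db -Query @"
SELECT r.name AS Granted FROM sys.database_role_members m
  JOIN sys.database_principals r ON r.principal_id = m.role_principal_id
  JOIN sys.database_principals u ON u.principal_id = m.member_principal_id
 WHERE u.sid = SUSER_SID(N'$acct')
UNION ALL
SELECT 'EXECUTE' FROM sys.database_permissions p
  JOIN sys.database_principals u ON u.principal_id = p.grantee_principal_id
 WHERE u.sid = SUSER_SID(N'$acct') AND p.class = 0
   AND p.permission_name = 'EXECUTE' AND p.state IN ('G', 'W');
"@
    $granted  = @($rows | Select-Object -ExpandProperty Granted)
    $expected = if ($db -eq $ConfigDb) { $roles + 'EXECUTE' } else { $roles }
    [pscustomobject]@{
        Scope   = $db
        Missing = @($expected | Where-Object { $_ -notin $granted })
        Extra   = @($granted  | Where-Object { $_ -notin $expected })
    }
}
```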

What Firewall settings are required for the Log API?

The Log API requires both inbound and outbound ports to be open. Since Nodinite is highly configurable, the actual ports in use depend on your environment and may differ from the examples shown here. At a high level, the following services must be allowed:

  1. REST - Inbound communication, typically HTTP and HTTPS
  2. Configuration Database - ports used to communicate with SQL Server

1. TCP Ports for REST

Port Name Inbound Outbound TCP UDP Comment
80 HTTP default for HTTP
443 HTTPS default for HTTPS, please review the Hardening user guide
  • 1-65535 - It depends on what port you have assigned using 'Edit Bindings' for the Web Site hosting the Nodinite Log API.
    • If you're going to host Nodinite on non-default ports, please contact our support for guidance at support@nodinite.com
graph LR
  subgraph "Integration Platform"
    roLogSink[fal:fa-bolt Integration Flow Application]
  end
  subgraph "Web Server"
    roLogAPI(fal:fa-cloud-download LogAPI)
    roLogSink -->|80,443| roLogAPI
  end

2. TCP Ports between Log API and SQL Server

For performance reasons, the Log API accesses the databases directly using the configured Windows Service Account.
You must ensure that your firewalls allow the TCP ports used; the actual ports may differ depending on the location of the SQL database. The following Windows Services are involved:

Port Name Inbound Outbound TCP UDP Comment
53 DNS The Agent needs to know where your other servers/services are (can sometimes optionally be solved with user-defined entries in the hosts file in each Windows server instance), review the following 'Microsoft' user guide
88 Kerberos Review 'Microsoft Kerberos' user guide
135 DTC/RPC This port is shared between many Windows Services
1433/... SQL Server instance ports (multiple) Depends on policies and settings on target environment. Please review the How to configure RPC dynamic port allocation to work with firewalls user guide
graph LR
  subgraph "Web Server"
    roLogAPI(fal:fa-cloud-download Log API)
  end
  subgraph "SQL Server"
    roSQL1(fal:fa-database Configuration Database) --- roSQL2(fal:fa-database Active Log Database)
    roLogAPI -->| SQL, DTC, DNS, RPC |roSQL1
  end
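
A connectivity check for the services in the table above, run from the web server that hosts the Log API; this is an added example, not part of the Nodinite documentation. The host names are placeholders, the Kerberos target is assumed to be a domain controller, and DNS is verified by resolving the SQL Server name rather than by probing port 53.

```powershell
# Added example: outbound checks from the Log API web server.
# All host names are placeholders; replace them with your own servers.
param(
    [string]$SqlHost  = 'sql01.corp.example',   # SQL Server hosting the Nodinite databases
    [string]$KdcHost  = 'dc01.corp.example',    # domain controller answering Kerberos
    [int[]] $SqlPorts = @(1433)                 # add the ports of any named instances
)

# DNS: confirm the SQL Server name resolves through the configured resolver.
$dnsOk = [bool](Resolve-DnsName -Name $SqlHost -ErrorAction SilentlyContinue)

$targets = @(
    @{ Service = 'Kerberos'; Computer = $KdcHost; Port = 88 }
    @{ Service = 'DTC/RPC';  Computer = $SqlHost; Port = 135 }
) + @($SqlPorts | ForEach-Object {
    @{ Service = 'SQL Server'; Computer = $SqlHost; Port = $_ }
})

$report = @(foreach ($t in $targets) {
    # Test-NetConnection -Port performs a TCP connect only.
    $r = Test-NetConnection -ComputerName $t.Computer -Port $t.Port -WarningAction SilentlyContinue
    [pscustomobject]@{
        Service   = $t.Service
        Target    = '{0}:{1}' -f $t.Computer, $t.Port
        Reachable = $r.TcpTestSucceeded
    }
})
$report += [pscustomobject]@{ Service = 'DNS'; Target = $SqlHost; Reachable = $dnsOk }
$report | Format-Table -AutoSize

# Port 135 is only the RPC endpoint mapper: DTC continues on dynamically
# allocated RPC ports, which the firewall must allow as well.
if ($report.Reachable -contains $false) { exit 1 }
```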

Frequently asked questions

Additional solutions to common problems and the Nodinite Log API FAQ exist in the Troubleshooting user guide.

Can I secure the Log API?

Yes, the Log API supports the usage of SSL Certificates. Simply add your certificate to IIS and configure the Log API to only allow HTTPS using the steps outlined in the Hardening user guide.


Next Step

Install Nodinite