Prerequisites for the Nodinite Log API
Understanding the Log API Architecture
The Nodinite Log API is a web application that receives log events from integration platforms and writes them to SQL Server databases. Before installing, it's essential to understand how the components work together and what infrastructure you need.
Why these prerequisites matter:
- IIS hosting - The Log API runs as a web application in Internet Information Services (IIS), requiring specific Windows features and authentication settings
- MSDTC coordination - SQL Server distributed transactions require the Microsoft Distributed Transaction Coordinator (DTC) service to ensure data consistency across databases
- Service account security - Unlike the Web Client, the Log API uses Anonymous Authentication to accept logs from external systems, but database access requires a Windows service account with specific SQL permissions
- Firewall planning - Log events arrive over HTTP/HTTPS from integration platforms, and the API queries SQL Server using Windows authentication and DTC
- High availability support - The Log API supports Always On Availability Groups (AOAG) and linked servers for enterprise deployments
What you'll find on this page:
- Complete checklist for all technical prerequisites
- IIS Windows features and authentication configuration
- MSDTC setup for distributed transactions
- Windows service account requirements and SQL Server permissions
- Firewall port planning for REST, SQL, Kerberos, and MSDTC
- Troubleshooting tips and security hardening guidance
The Log API is a Web Application hosted within IIS. You will install and maintain it as part of the Nodinite Core Services package.
Diagram: Log API architecture showing data flow from integration platforms to web server and SQL databases. Integration systems send log events over HTTP/HTTPS to the Log API, which writes to Configuration and Log databases using SQL, DTC, DNS, and RPC protocols.
| Verified | Topic |
|---|---|
| | IIS |
| | MSDTC |
| | Windows rights |
| | Database rights |
| | Firewall |
Use the checklist above to verify that you have performed all the steps required to get Nodinite off to a flying start.
IIS
The Log API is an IIS-hosted web application requiring specific Windows Features and configuration.
Important
The Default Web Site must exist within IIS; otherwise, the installer will fail. There is no supported workaround. The Nodinite Core Services may be installed in other Web Sites (not recommended).
Key IIS Requirements:
- Windows Authentication - Required for integrated security
- .NET Extensibility 4.x / ASP.NET 4.x - Required for .NET Framework 4.8 WCF services
- ISAPI Extensions / ISAPI Filters - Required for ASP.NET runtime
- Content Compression - Dynamic and Static (performance)
- HTTP Redirection - Maintenance scenarios
- IIS Windows Features - Complete feature list and installation guide
- IIS Authentication settings - Configure Windows Authentication at runtime
Info
Your client browser must support HTML 5. Review the Client Browser prerequisites for additional details.
Microsoft Distributed Transaction Coordinator (DTC)
The Log API takes part in SQL Server operations, and Nodinite uses the Microsoft Distributed Transaction Coordinator (DTC) Windows service, which coordinates transactions that span multiple resource managers. We have written a dedicated tutorial for Nodinite with our best practices for installing and configuring the DTC Windows service.
You must configure the DTC as documented; otherwise, Nodinite will not be operational.
What Windows rights does the Log API require?
The Nodinite Log API runs as an IIS web application with a dedicated App Pool configured with a named service account. Unlike the Web Client and Web API, the Log API uses Anonymous Authentication (not Windows Authentication) because it accepts log events from various systems and applications. The v7 PowerShell installation scripts automatically configure these settings during installation.
Service Account Requirements:
- The App Pool service account must have Logon as a Service rights (configured automatically by PowerShell scripts)
- If the service account is not a local administrator, it must be a member of the IIS_IUSRS group
- The service account must have Read rights on the %windows%\system32\inetsrv\config folder (for redirection.config access)
Important
If the Windows user account for the Application Pool is not assigned the sysadmin role, you must add the account to the list of logins that receive the correct user rights as new databases are created. This setting is governed by the LogServiceUsers system parameter.
How It Works
The v7 PowerShell installation scripts create a dedicated IIS App Pool for the Log API. This App Pool runs with a named Windows service account identity, and all calls to SQL Server are performed as this identity. This ensures secure, authenticated database access while allowing external systems to send log events without Windows credentials.
IIS Authentication settings - Complete guide to Log API authentication configuration
Tip
Troubleshooting permissions: If you encounter "Cannot read configuration file due to insufficient permissions" errors, ensure the App Pool account has Read rights on %windows%\system32\inetsrv\config. See the IISConfigurationFile troubleshooting guide.
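The three service account requirements above can be verified on the web server before or after installation. This is an added example, not part of the Nodinite installation scripts; the account name is a placeholder, and the folder is resolved through the standard `%windir%` variable.

```powershell
# Added example, not Nodinite installer code. Run elevated on the web server.
param([string]$Account = 'CONTOSO\svc-logapi')   # hypothetical account; replace

# Resolve the account to its SID so comparisons do not depend on name format.
$nt  = [System.Security.Principal.NTAccount]$Account
$sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value

# 1. "Log on as a service" (SeServiceLogonRight) in the effective local policy.
$inf = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$line = Get-Content $inf | Where-Object { $_ -match '^SeServiceLogonRight\s*=' }
Remove-Item $inf -Force
$holders = ("$line" -split '=', 2)[1] -split ',' |
    ForEach-Object { $_.Trim().TrimStart('*') }
$logonAsService = $holders -contains $sid

# 2. Local administrator, or member of IIS_IUSRS (well-known SIDs, locale-proof).
function Test-InLocalGroup([string]$GroupSid) {
    $members = Get-LocalGroupMember -SID $GroupSid -ErrorAction SilentlyContinue
    [bool]($members | Where-Object { $_.SID.Value -eq $sid })
}
$isAdmin    = Test-InLocalGroup 'S-1-5-32-544'   # BUILTIN\Administrators
$inIisIusrs = Test-InLocalGroup 'S-1-5-32-568'   # BUILTIN\IIS_IUSRS

# 3. Read access on inetsrv\config, granted to the account or to those groups.
$configDir = Join-Path $env:windir 'System32\inetsrv\config'
$trustees  = @($sid)
if ($isAdmin)    { $trustees += 'S-1-5-32-544' }
if ($inIisIusrs) { $trustees += 'S-1-5-32-568' }
$read  = [System.Security.AccessControl.FileSystemRights]::Read
$rules = (Get-Acl $configDir).GetAccessRules(
    $true, $true, [System.Security.Principal.SecurityIdentifier])
$canRead = [bool]($rules | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    ($_.FileSystemRights -band $read) -eq $read -and
    $trustees -contains $_.IdentityReference.Value
})

# Only direct grants and direct memberships are seen; nested domain groups are not.
[pscustomobject]@{
    Account             = $Account
    LogOnAsService      = $logonAsService
    GroupRequirementMet = $isAdmin -or $inIisIusrs
    ReadOnInetsrvConfig = $canRead
}
```

A `False` in any column points at the matching bullet in the requirements list; a right held only through a domain group shows as `False` here and needs a manual check.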
What SQL Rights does the Log API require?
For performance reasons, the Log API accesses the databases directly using the Windows Service Account configured for the Log API. This account must have the following SQL rights assigned:
Master
Grant VIEW SERVER STATE rights.
GRANT VIEW SERVER STATE TO [Domain\user]
Replace [Domain\user] with the Windows account being used for the Log API
If applicable, repeat the grant on all nodes that are part of an AOAG environment.
Nodinite Databases
| Database | Permission | Description | Microsoft Docs Link |
|---|---|---|---|
| Configuration Database | db_datareader | Grants read access to all tables and views | db_datareader |
| Configuration Database | db_datawriter | Grants write access to all tables and views | db_datawriter |
| Configuration Database | db_ddladmin | Allows running DDL statements (e.g., create/alter/drop objects) | db_ddladmin |
| Configuration Database | sysadmin/db_owner | Required for certain administrative tasks (e.g., shrinking databases) | sysadmin, db_owner |
| NodiniteLog_* | db_datareader | Grants read access to all tables and views | db_datareader |
| NodiniteLog_* | db_datawriter | Grants write access to all tables and views | db_datawriter |
| NodiniteLog_* | db_ddladmin | Allows running DDL statements (e.g., create/alter/drop objects) | db_ddladmin |
| NodiniteLog_* | sysadmin/db_owner | Required for certain administrative tasks (e.g., shrinking databases) | sysadmin, db_owner |
This table lists the minimum SQL Server permissions required for the Nodinite Log API's Configuration Database and Log Databases. Ensure these grants are set for uninterrupted operation, maintenance, and automation.
Grant Execute rights on all existing and future stored procedures for the account used by the Log API:
GRANT EXECUTE TO [Domain\user]
Replace [Domain\user] with the Windows account being used for the Log API.
Important
db_ddladmin is required for the service account to have proper rights to read statistics. Without this permission, performance may be degraded, especially for remote servers (linked servers). Read more in this article about linked server performance. Contact our support if you have any questions about this.
Tip
Review the following system parameters: LogServiceUsers and LogAccessRoles
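The grants in this section can be audited per SQL Server instance. This is an added example, not Nodinite tooling; the instance, account and Configuration Database names are placeholders, and it reports only direct role memberships and grants, not rights inherited through Windows groups or the sysadmin role.

```powershell
# Added example, not Nodinite code. Run as a login that can view security metadata.
param(
    [string]$SqlInstance = 'SQL01',               # hypothetical instance name
    [string]$Account     = 'CONTOSO\svc-logapi',  # hypothetical service account
    [string]$ConfigDb    = 'NodiniteConfig'       # hypothetical Configuration Database name
)
Add-Type -AssemblyName System.Data

function Invoke-Query([string]$Database, [string]$Sql) {
    $cs   = "Server=$SqlInstance;Database=$Database;Integrated Security=SSPI"
    $conn = New-Object System.Data.SqlClient.SqlConnection $cs
    try {
        $cmd = $conn.CreateCommand(); $cmd.CommandText = $Sql
        [void]$cmd.Parameters.AddWithValue('@acct', $Account)
        [void]$cmd.Parameters.AddWithValue('@cfg',  $ConfigDb)
        $conn.Open()
        $reader = $cmd.ExecuteReader()
        while ($reader.Read()) { $reader.GetString(0) }   # first column of each row
    } finally { $conn.Dispose() }
}

$dbSql = "SELECT name FROM sys.databases WHERE name = @cfg OR name LIKE 'NodiniteLog[_]%'"
$serverSql = @'
SELECT p.permission_name FROM sys.server_permissions p
JOIN sys.server_principals l ON l.principal_id = p.grantee_principal_id
WHERE l.sid = SUSER_SID(@acct) AND p.state IN ('G','W')
  AND p.permission_name = 'VIEW SERVER STATE'
'@
$roleSql = @'
SELECT r.name FROM sys.database_role_members m
JOIN sys.database_principals r ON r.principal_id = m.role_principal_id
JOIN sys.database_principals u ON u.principal_id = m.member_principal_id
WHERE u.sid = SUSER_SID(@acct)
UNION ALL
SELECT 'EXECUTE' FROM sys.database_permissions p
JOIN sys.database_principals u ON u.principal_id = p.grantee_principal_id
WHERE u.sid = SUSER_SID(@acct) AND p.class = 0 AND p.state IN ('G','W')
  AND p.permission_name = 'EXECUTE'
'@

$required = 'db_datareader', 'db_datawriter', 'db_ddladmin', 'EXECUTE'
"VIEW SERVER STATE granted: {0}" -f [bool](Invoke-Query 'master' $serverSql)
foreach ($db in Invoke-Query 'master' $dbSql) {
    $have = @(Invoke-Query $db $roleSql)
    [pscustomobject]@{
        Database = $db
        Missing  = ($required | Where-Object { $have -notcontains $_ }) -join ', '
        DbOwner  = $have -contains 'db_owner'
    }
}
```

In an AOAG environment, run it once per node so the VIEW SERVER STATE grant is checked everywhere it was repeated.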
What Firewall settings are required for the Log API?
The Log API requires both inbound and outbound ports to be opened.
The Log API accepts log events from external systems (integration platforms, custom applications, message brokers) that send events over HTTP/HTTPS without Windows authentication.
Three servers commonly participate in Log API deployments:
| Server | Role |
|---|---|
| Web Server | Hosts the Log API (IIS) |
| SQL Server | Hosts Configuration and Log Databases (queried via service account) |
| Domain Controller | Provides Kerberos authentication and LDAP/DNS services |
Plan firewall rules for communication between these servers (Web Server ↔ SQL Server, Web Server ↔ Domain Controller, SQL Server ↔ Domain Controller). External systems send log events to the Log API over HTTP/HTTPS.
Note
Nodinite v7 Port Configuration: HTTP/HTTPS ports are configured during installation in the Nodinite Portal. The v7 PowerShell installation scripts automatically configure IIS bindings based on your Portal settings.
Required Firewall Ports
- TCP Ports for REST - Inbound communication from integration platforms
- TCP Ports between Log API and SQL Server - Configuration and Log Databases
1. TCP Ports for REST
| Port | Name | Inbound | Outbound | TCP | UDP | Comment |
|---|---|---|---|---|---|---|
| 80 | HTTP | | | | | default for HTTP |
| 443 | HTTPS | | | | | default for HTTPS, review the Hardening guide |
Custom ports (1-65535): Depends on IIS bindings configured in the Nodinite Portal during installation.
Important
If you intend to host Nodinite on non-default ports, contact support for guidance at support@nodinite.com.
Diagram: External systems send log events to the Log API over HTTP/HTTPS on ports 80 and 443.
2. TCP Ports between Log API and SQL Server
For performance reasons, the Log API accesses the databases directly using the configured Windows Service Account.
The Log API communicates with SQL Server using Windows authentication, Kerberos, and distributed transactions (MSDTC). The SQL Server Firewall Configuration guide covers the full SQL Server firewall configuration, including:
- DNS resolution (port 53)
- Kerberos authentication (port 88)
- MSDTC/RPC (port 135 and dynamic ports)
- SQL Server instances (port 1433 and custom ports)
- Linked Servers configuration
- Azure SQL Managed Instance connectivity
- Always On Availability Groups (AOAG) requirements
See the comprehensive SQL Server Firewall Configuration guide.
Diagram: Log API connects to SQL Server databases using SQL, DTC, DNS, and RPC protocols for distributed transactions and data access.
Frequently asked questions
Additional solutions to common problems and the Nodinite Log API FAQ exist in the Troubleshooting user guide.
Can I secure the Log API?
Yes, the Log API fully supports SSL certificates. Add your certificate to IIS and configure the Log API to allow only HTTPS using the steps outlined in the Hardening user guide.
Next Step
- Install Nodinite
- IIS Windows Features
- MSDTC
Related Topics
- Core Services Package
- Configuration Database
- Log Databases
- Hardening
- LogServiceUsers
- LogAccessRoles
- IIS Authentication settings
- SQL Server Firewall