Prerequisites for the Nodinite Logging Service
This page describes the prerequisites for installing and running the Nodinite Logging Service. The Logging Service is a Windows Service installed as part of the Core Services package.
Nodinite Log Database Checklist
The Logging Databases sits at the end of the "spider web" and on a single box machine, you may have virtually no administration at all to get everything working. On the other hand, in a locked-down distributed environment spanning multiple servers with network load balancing, firewalls, network zones (WLAN's), domains, DNS, group policies, anti-virus/anti malware, SQL Server clusters, SQL Server Always On, ... you may end up spending a lot of hours to get every piece of the puzzle in place.
Rest assure, Nodinite is built on Microsoft standard products and these form the very foundation for most enterprise business applications of today. We are working hard on cloud-enabling Nodinite as the required services mature one piece at a time to make sure you get a future proof solution for your business.
| Verified | Topic |
|---|---|
| MSDTC | |
| Windows rights | |
| Trusted for delegation | |
| Database rights | |
| Firewall |
Use the checklist above to verify that you have performed all the steps required to get Nodinite flying (most probably already managed when you performed similar tasks for the Configuration Database).
Microsoft Distributed Transaction Coordinator (DTC)
The Nodinite Logging Service make use of the Windows Service Microsoft Distributed Transaction Coordinator (DTC) that is responsible for coordinating transactions that span multiple resource managers. We have written a dedicated tutorial for Nodinite with our best practices for how to install and configure the DTC Windows Service.
Important
You must configure the DTC as documented, otherwise, Nodinite will not be operational.
What Windows rights does the Logging Service require?
The Logging Service is a Windows Service and requires privileges as described in the 'Windows Service Account' page.
- This service should always be running.
- This service should not be clustered, contact our support if you need technical assistance
- The Logging Service may have to be restarted when changing some of the System Parameters or Log Agent Configuration settings.
Trusted for delegation
This topic is detailed in the Trusted for delegation user guide.
What SQL Rights does the Logging Service require?
For security and performance reasons; the Logging Service accesses the databases using the Windows Service Account configured.
The Logging Service, must have the following SQL rights assigned:
Instance specific settings
For all SQL Instance(s), where Configuration Database and Log Databases are located, you must add the account and grant the service account the rights detailed next.
Account
The service account used for the Logging Service, must be defined on each SQL server node with the Nodinite Configuration Datbases and Log Databases.
- Shrink Rights - Nodinite can perform the shrink command on old Log* Databases (NOT the current online database) which requires membership in the sysadmin fixed server role and/or the db_owner fixed database role. This flag is controlled by the 'DatabaseMaintenance' System Parameter. For more information about shrink, read this
Important
db_ddladmin is required for the service account to have proper rights to read statistics. Without this permission, performance may be degraded, especially true for remote servers (linked servers). Read more here. Contact our support if you have any questions about this matter.
Account rights
- public - Right to logon to SQL instances with the Nodinite Configuration Datbases and Log Databases
- dbcreator - Right to create new Log Databases
- diskadmin - Right to create database files for the new Log Databases
- securityadmin - Right to assign new rights on the newly created Log Databases
Database specific settings
Apply settings on each and every SQL instance where Nodinite databases are hosted.
Info
You must repeat the security settings on all nodes if you are using SQL Server High Availabilty.
Master
The grants depend on the type of SQL Server instance:
| >= SQL Server 2016 | < SQL Server 2016 |
|---|---|
| db_owner | db_datareader |
Grant VIEW SERVER STATE rights.
GRANT VIEW SERVER STATE TO [Domain\user]
Replace [Domain\user] with the Windows account being used for the Logging Service.
If applicable, repeat the grant on all nodes part of an AOAG environment.
MSDB
- db_datareader
- db_datawriter
- db_ddladmin
- Grant Execute rights on all existing and future stored procedures:
GRANT EXECUTE TO [Domain\user]
GRANT EXECUTE ON SCHEMA::dbo TO [Domain\user]
Replace [Domain\user] with the Windows account being used for the Logging Service.
If applicable, repeat the grant on all nodes part of an AOAG environment.
Nodinite databases
-
- db_ddladmin or db_owner
Grant Execute rights on all existing and future Nodinite stored procedures:
GRANT EXECUTE TO [Domain\user]
Replace [Domain\user] with the Windows account being used for the Logging Service.
- NodiniteLog* (can be multiple)
- db_ddladmin or db_owner/sysadmin when DatabaseMaintenance is enabled.
Important
If you are reading this, you are probably also interested in the following System Parameters:
- LogAccessRoles - Access rights to assign.
- LogServiceUsers - Service Accounts to assign access rights on when creating new Log Databases.
What Firewall settings are required for the Logging Service
The Logging Service requires both inbound and outbound ports to be opened. Since Nodinite is highly configurable, the actual ports in use may differ from what's being exampled here.
You must ensure that TCP ports used are allowed by your firewalls, depending on location of the SQL database the actual ports used may differ. The following Windows Services are involved:
| Port | Name | Inbound | Outbound | TCP | UDP | Comment |
|---|---|---|---|---|---|---|
| 53 | DNS | The Agent needs to know where your other servers/services are (can sometimes optionally be solved with user-defined entries in the hosts file in each Windows server instance), review the following 'Microsoft' user guide |
||||
| 88 | Kerberos | Review 'Microsoft Kerberos' user guide | ||||
| 135 | DTC/RPC | This port is shared between many Windows Services | ||||
| 1433/... | SQL Server instance ports (multiple) | Depends on policies and settings on target environment. Please review the How to configure RPC dynamic port allocation to work with firewalls user guide |
1. TCP Ports between Logging Service and Web API
Nodinite shows the state of the Logging Service for Users within the Nodinite Web Client. The Web Client asks the Web API which in turns queries the Logging Service.
2. TCP Ports between Logging Service and SQL Server
You must ensure that TCP ports used are allowed by your firewalls, depending on location of the SQL database the actual ports used may differ. The following Windows Services are involved:
- RPC Ports, kerberos 88 TCP
- SQL Server ports, usually 1433, depends on your actual configuration
- DTC - Facilitates transactional support
- DNS - Windows needs to know where your servers are (can of course also be solved using hosts)
- 53 both TCP/UDP
Frequently asked questions
Additional solutions to common problems and the Nodinite Logging Service FAQ exist in the Troubleshooting user guide.
Next Step
Install Nodinite
System Parameters
Search Fields