Prerequisites for the Nodinite Logging Service
Prepare your environment for a successful Nodinite Logging Service deployment. This page provides a comprehensive checklist, technical requirements, and best practices to ensure a secure, high-performing, and future-proof installation.
What you'll find on this page:
✅ Complete checklist for all technical prerequisites
✅ SQL, Windows, and firewall rights explained
✅ Best practices for distributed and secure environments
✅ Troubleshooting tips and links to further resources
This page describes the prerequisites for installing and running the Nodinite Logging Service. The Logging Service is a Windows Service installed as part of the Core Services package.
Nodinite Log Database Checklist
The Logging Databases sit at the end of the "spider web." On a single box machine, you may have virtually no administration at all to get everything working. In a locked-down distributed environment spanning multiple servers with network load balancing, firewalls, network zones (WLANs), domains, DNS, group policies, anti-virus/anti-malware, SQL Server clusters, SQL Server Always On, ... you may spend many hours getting every piece of the puzzle in place.
Rest assured, Nodinite is built on Microsoft standard products—the foundation for most enterprise business applications today. We are working hard on cloud-enabling Nodinite as the required services mature, ensuring a future-proof solution for your business.
| Verified | Topic |
|---|---|
| MSDTC | |
| Windows rights | |
| Trusted for delegation | |
| Database rights | |
| Firewall |
Use the checklist above to verify that you have performed all the steps required to get Nodinite flying (most probably already managed when you performed similar tasks for the Configuration Database).
Microsoft Distributed Transaction Coordinator (DTC)
The Nodinite Logging Service makes use of the Windows Service Microsoft Distributed Transaction Coordinator (DTC), which coordinates transactions that span multiple resource managers. We have written a dedicated tutorial for Nodinite with our best practices for how to install and configure the DTC Windows Service.
Important
You must configure the DTC as documented, otherwise, Nodinite will not be operational.
What Windows rights does the Logging Service require?
The Nodinite Logging Service is a Windows Service (not an IIS application) that runs under a configured service account. The v7 PowerShell installation scripts automatically configure the service during installation.
Service Account Requirements
- The service account must have
Logon as a Servicerights - see How to set Logon as a Service right - The service account must have appropriate SQL Server rights (see next section)
- This service should always be running
- This service should not be clustered - contact support if you need technical assistance
- The Logging Service may need to be restarted when changing System Parameters or Log Agent configuration settings
Kerberos Configuration
For distributed environments where the Logging Service accesses remote SQL Server instances (e.g., BizTalk databases via linked servers), Kerberos delegation must be configured. See the Trusted for delegation guide for step-by-step instructions.
Trusted for delegation - Complete guide to Kerberos configuration for distributed environments
What SQL Rights does the Logging Service require?
For security and performance reasons, the Logging Service accesses the databases using the Windows Service Account configured.
Diagram: The Logging Service communicates with the Configuration and Log Databases on SQL Server, supporting linked server scenarios.
The Logging Service, must have the following SQL rights assigned:
Instance specific settings
For all SQL Instance(s) where Configuration Database and Log Databases are located, you must add the account and grant the service account the rights detailed next.
Account
The service account used for the Logging Service, must be defined on each SQL server node with the Nodinite Configuration Databases and Log Databases.
- Shrink Rights – Nodinite can perform the shrink command on old Log* Databases (NOT the current online database), which requires membership in the sysadmin fixed server role and/or the db_owner fixed database role. This flag is controlled by the 'DatabaseMaintenance' System Parameter. For more information about shrink, read this
Important
db_ddladmin is required for the service account to have proper rights to read statistics. Without this permission, performance may be degraded, especially for remote servers (linked servers). Read more about linked server query performance considerations. Contact our support if you have any questions about this matter.
Account rights
| Scope | Permission / Role | Description | Microsoft Docs Link |
|---|---|---|---|
| Instance | public | Right to log on to SQL instances hosting the Nodinite Configuration and Log Databases | database-level roles |
| Instance | dbcreator | Allows creating new databases (used to create Log Databases) | dbcreator |
| Instance | diskadmin | Allows creating database files and managing disk for databases | diskadmin |
| Instance | securityadmin | Allows managing server logins and assigning rights on newly created databases | securityadmin |
Database specific settings
Apply settings on each and every SQL instance where Nodinite databases are hosted.
Info
You must repeat the security settings on all nodes if you are using SQL Server High Availability.
MSDB
| Database | Permission | Description | Microsoft Docs Link |
|---|---|---|---|
| MSDB | db_datareader | Grants read access to MSDB tables used for scheduling and jobs | db_datareader |
| MSDB | db_datawriter | Grants write access to MSDB tables used for scheduling and jobs | db_datawriter |
| MSDB | db_ddladmin | Allows running DDL statements in MSDB when maintenance tasks require it | db_ddladmin |
Grant Execute rights on all existing and future stored procedures in MSDB for the account used by the Logging Service:
GRANT EXECUTE TO [Domain\\user]
GRANT EXECUTE ON SCHEMA::dbo TO [Domain\\user]
Replace [Domain\user] with the Windows account being used for the Logging Service.
If applicable, repeat the grant on all nodes part of an AOAG environment.
USE MASTER
GO
GRANT VIEW SERVER STATE TO [DOMAIN\USER]
GRANT ALTER ANY AVAILABILITY GROUP TO [DOMAIN\USER];
GO
Replace [DOMAIN\USER] with the Windows account being used for the Logging Service. The Login must exist.
If applicable, repeat the grant on all nodes part of an AOAG environment.
Nodinite databases
| Database | Permission | Description | Microsoft Docs Link |
|---|---|---|---|
| Configuration Database | db_ddladmin/db_owner | Allows running DDL statements or full ownership when maintenance is enabled | db_ddladmin, db_owner |
| Configuration Database | sysadmin/db_owner | Required for certain administrative tasks (e.g., shrinking databases) | sysadmin, db_owner |
| NodiniteLog_* | db_ddladmin/db_owner/sysadmin | Allows DDL operations or full ownership when DatabaseMaintenance is enabled | db_ddladmin, db_owner |
Grant Execute rights on all existing and future Nodinite stored procedures for the account used by the Logging Service:
GRANT EXECUTE TO [Domain\\user]
Replace [Domain\user] with the Windows account being used for the Logging Service.
Important
If you are reading this, you are probably also interested in the following System Parameters:
- LogAccessRoles – Access rights to assign.
- LogServiceUsers – Service Accounts to assign access rights on when creating new Log Databases.
What Firewall settings are required for the Logging Service
The Logging Service is a Windows Service that processes and stores log events, communicating with both the Web API and SQL Server. Proper firewall configuration is required for these internal Core Services interactions.
Three servers commonly participate in Logging Service communication:
| Server | Role |
|---|---|
| Application Server | Hosts the Logging Service (Windows Service) |
| Web Server | Hosts the Web API and Web Client (IIS) |
| SQL Server | Hosts the Configuration and Log Databases |
Plan firewall rules for communication between these servers (Application Server ↔ Web Server, Application Server ↔ SQL Server, Web Server ↔ SQL Server).
Required Firewall Ports
Understanding Port Configuration: v6 vs v7
Nodinite v6 (Legacy - Windows Services):
In Nodinite v6, the Logging Service, Monitoring Service, and Web API run as Windows Services communicating over TCP port 8000. This is the legacy architecture.
Nodinite v7 (Current - IIS Web Applications):
In Nodinite v7, these components are IIS Web Applications hosted in IIS. Port numbers are configured during installation in the Nodinite Portal and can be customized per environment:
| Component | Default Port | Configurable |
|---|---|---|
| Web Client | 40000 (or 443 with HTTPS) | ✅ |
| Web API | 40001 | ✅ |
| Log API | 40002 | ✅ |
| Logging Service | 40003 | ✅ |
| Monitoring Service | 40004 | ✅ |
The v7 PowerShell installation scripts automatically configure IIS bindings based on your Portal settings.
Important
Upgrading from v6 to v7: Firewall rules must be updated from port 8000 to the new IIS ports configured in the Portal. The installer does not automatically update firewall rules.
1. Internal Core Services Communication
For Nodinite v7 (IIS Web Applications):
The Logging Service communicates with the Web API using the ports configured in the Nodinite Portal (default: Logging Service port 40003, Web API port 40001):
| Version | Port | Name | Inbound | Outbound | TCP | UDP | Comment |
|---|---|---|---|---|---|---|---|
| v7 | 40001, 40003 | IIS Web Apps | ✅ | ✅ | ✅ | Ports configured in Portal during installation | |
| v6 (Legacy) | 8000 | Windows Services | ✅ | ✅ | ✅ | Legacy Windows Service architecture |
[!INFO] Nodinite v7: Ports are configured in the Nodinite Portal during Environment setup. See Install Nodinite v7 for complete port configuration guidance.
2. SQL Server Communication
The Logging Service communicates with SQL Server using Windows authentication, Kerberos, and distributed transactions. You must ensure that TCP ports used are allowed by your firewalls.
1. TCP Ports between Logging Service and Web API
Nodinite v7 (IIS Web Applications):
The Logging Service communicates with the Web API using IIS ports configured in the Portal. Nodinite shows the state of the Logging Service for Users within the Nodinite Web Client. The Web Client asks the Web API which in turn queries the Logging Service.
Diagram: In Nodinite v7, the Logging Service and Web API communicate using IIS ports configured in the Portal (default: 40003 and 40001), enabling real-time status updates in the Nodinite Web Client.
Nodinite v6 (Legacy - Windows Services):
Diagram: Legacy v6 architecture used Windows Services communicating over port 8000.
2. TCP Ports between Logging Service and SQL Server
The Logging Service communicates with SQL Server using Windows authentication, Kerberos, and distributed transactions (MSDTC). You must ensure that TCP ports used are allowed by your firewalls. For comprehensive SQL Server firewall configuration, including:
- DNS resolution (port 53)
- Kerberos authentication (port 88)
- MSDTC/RPC (port 135 and dynamic ports)
- SQL Server instances (port 1433 and custom ports)
- Linked Servers configuration
- Azure SQL Managed Instance connectivity
- Always On Availability Groups (AOAG) requirements
See the comprehensive SQL Server Firewall Configuration guide.
Diagram: The Logging Service communicates with SQL Server using multiple protocols and ports, supporting secure and distributed environments.
Frequently asked questions
Additional solutions to common problems and the Nodinite Logging Service FAQ exist in the Troubleshooting user guide.
Next Step
Install Logging Service
System Parameters
Search Fields
Related Topics
Configuration Database
Core Services
LogAccessRoles
Log Databases
Logging Service
LogServiceUsers
Message Types
MSDTC
Search Fields
SQL Server Firewall
System Parameters
Troubleshooting
Trusted for delegation
Uninstall Logging Service
Update Logging Service
Users
Web API