Prerequisites for the Nodinite Log API
Prepare your environment for a successful Nodinite Log API deployment. This page provides a comprehensive checklist, technical requirements, and best practices to ensure a secure, high-performing, and future-proof installation.
What you'll find on this page:
✅ Complete checklist for all technical prerequisites
✅ IIS, Windows, and firewall rights explained
✅ Best practices for distributed and secure environments
✅ SQL Server and MSDTC configuration guidance
✅ Troubleshooting tips and links to further resources
This page describes the prerequisites for installing and running the Nodinite Log API.
The Log API is a Web Application hosted within IIS. You will install and maintain it as part of the Nodinite Core Services package.
Illustration: Log API architecture and data flow between integration platforms, web server, and SQL databases.
| Verified | Topic |
|---|---|
| IIS | |
| MSDTC | |
| Windows rights | |
| Database rights | |
| Firewall |
Use the checklist above to verify that you have performed all steps required to get Nodinite a flying start.
IIS
The Log API is an IIS-hosted web application requiring specific Windows Features and configuration.
Important
The Default Web Site must exist within IIS, otherwise the installer will fail. There is no supported workaround. The Nodinite Core Services may be installed in other Web Sites (not recommended).
Key IIS Requirements:
- Windows Authentication - Required for integrated security
- .NET Extensibility 4.x / ASP.NET 4.x - Required for .NET Framework 4.8 WCF services
- ISAPI Extensions / ISAPI Filters - Required for ASP.NET runtime
- Content Compression - Dynamic and Static (performance)
- HTTP Redirection - Maintenance scenarios
IIS Windows Features - Complete feature list and installation guide
IIS Authentication settings - Configure Windows Authentication at runtime
Info
Your client browser must support HTML 5, review the Client Browser prerequisites for additional details.
Microsoft Distributed Transaction Coordinator (DTC)
The Log API is involved in SQL Server-related operations and Nodinite uses the Windows Service Microsoft Distributed Transaction Coordinator (DTC) that is responsible for coordinating transactions that span multiple resource managers. We have written a dedicated tutorial for Nodinite with our best practices for how to install and configure the DTC Windows Service.
You must configure the DTC as documented, otherwise, Nodinite will not be operational.
What Windows rights does the Log API require?
The Nodinite Log API runs as an IIS web application with a dedicated App Pool configured with a named service account. Unlike the Web Client and Web API, the Log API uses Anonymous Authentication (not Windows Authentication) because it accepts log events from various systems and applications. The v7 PowerShell installation scripts automatically configure these settings during installation.
Service Account Requirements:
- The App Pool service account must have
Logon as a Servicerights (configured automatically by PowerShell scripts) - If the service account is not a local administrator, it must be a member of the
IIS_IUSRSgroup - The service account must have Read rights on
%windows%\system32\inetsrv\configfolder (for redirection.config access)
Important
If the Windows User account for the Application Pool is not assigned the sysadmin role, then you must make sure the account is added to the list of logins to apply correct user rights for (as new databases are created). This setting is governed by the LogServiceUsers system parameter.
How It Works:
The v7 PowerShell installation scripts create a dedicated IIS App Pool for the Log API. This App Pool runs with a named Windows service account identity, and all calls to SQL Server are performed as this identity. This ensures secure, authenticated database access while allowing external systems to send log events without Windows credentials.
IIS Authentication settings - Complete guide to Log API authentication configuration
Tip
Troubleshooting permissions: If you encounter "Cannot read configuration file due to insufficient permissions" errors, ensure the App Pool account has Read rights on
%windows%\system32\inetsrv\config. See the IISConfigurationFile troubleshooting guide.
What SQL Rights does the Log API require?
For performance reasons, the Log API accesses the databases directly using the Windows Service Account configured for the Log API and must have the following SQL rights assigned:
Master
Grant VIEW SERVER STATE rights.
GRANT VIEW SERVER STATE TO [Domain\user]
Replace [Domain\user] with the Windows account being used for the Log API
If applicable, repeat the grant on all nodes part of an AOAG environment.
Nodinite Databases
| Database | Permission | Description | Microsoft Docs Link |
|---|---|---|---|
| Configuration Database | db_datareader | Grants read access to all tables and views | db_datareader |
| Configuration Database | db_datawriter | Grants write access to all tables and views | db_datawriter |
| Configuration Database | db_ddladmin | Allows running DDL statements (e.g., create/alter/drop objects) | db_ddladmin |
| Configuration Database | sysadmin/db_owner | Required for certain administrative tasks (e.g., shrinking databases) | sysadmin, db_owner |
| NodiniteLog_* | db_datareader | Grants read access to all tables and views | db_datareader |
| NodiniteLog_* | db_datawriter | Grants write access to all tables and views | db_datawriter |
| NodiniteLog_* | db_ddladmin | Allows running DDL statements (e.g., create/alter/drop objects) | db_ddladmin |
| NodiniteLog_* | sysadmin/db_owner | Required for certain administrative tasks (e.g., shrinking databases) | sysadmin, db_owner |
This table lists the minimum SQL Server permissions required for the Nodinite Log API's Configuration Database and Log Databases. Ensure these grants are set for uninterrupted operation, maintenance, and automation.
Grant Execute rights on all existing and future stored procedures for the account used by the Log API:
GRANT EXECUTE TO [Domain\\user]
Replace [Domain\user] with the Windows account being used for the Log API.
Important
db_ddladmin is required for the service account to have proper rights to read statistics. Without this permission, performance may be degraded, especially true for remote servers (linked servers). Read more here. Contact our support if you have any questions about this.
Tip
Review the following system parameters: LogServiceUsers and LogAccessRoles
What Firewall settings are required for the Log API
The Log API requires both inbound and outbound ports to be opened.
The Log API accepts log events from external systems (integration platforms, custom applications, message brokers) that send events over HTTP/HTTPS without Windows authentication.
Three servers commonly participate in Log API deployments:
| Server | Role |
|---|---|
| Web Server | Hosts the Log API (IIS) |
| SQL Server | Hosts Configuration and Log Databases (queried via service account) |
| Domain Controller | Provides Kerberos authentication and LDAP/DNS services |
Plan firewall rules for communication between these servers (Web Server ↔ SQL Server, Web Server ↔ Domain Controller, SQL Server ↔ Domain Controller). External systems send log events to the Log API over HTTP/HTTPS.
Note
Nodinite v7 Port Configuration: HTTP/HTTPS ports are configured during installation in the Nodinite Portal. The v7 PowerShell installation scripts automatically configure IIS bindings based on your Portal settings.
Required Firewall Ports
- TCP Ports for REST - Inbound communication from integration platforms
- TCP Ports between Log API and SQL Server - Configuration and Log Databases
1. TCP Ports for REST
| Port | Name | Inbound | Outbound | TCP | UDP | Comment |
|---|---|---|---|---|---|---|
| 80 | HTTP | default for HTTP | ||||
| 443 | HTTPS | default for HTTPS, review the Hardening guide |
Custom ports (1-65535): Depends on IIS bindings configured in the Nodinite Portal during installation.
Important
If you intend to host Nodinite on non-default ports, contact support for guidance at support@nodinite.com.
Diagram: External systems send log events to the Log API over HTTP/HTTPS.
2. TCP Ports between Log API and SQL Server
For performance reasons, the Log API accesses the databases directly using the Windows Service Account configured.
The Log API communicates with SQL Server using Windows authentication, Kerberos, and distributed transactions (MSDTC). For comprehensive SQL Server firewall configuration, including:
- DNS resolution (port 53)
- Kerberos authentication (port 88)
- MSDTC/RPC (port 135 and dynamic ports)
- SQL Server instances (port 1433 and custom ports)
- Linked Servers configuration
- Azure SQL Managed Instance connectivity
- Always On Availability Groups (AOAG) requirements
See the comprehensive SQL Server Firewall Configuration guide.
Frequently asked questions
Additional solutions to common problems and the Nodinite Log API FAQ exist in the Troubleshooting user guide.
Can I secure the Log API?
Yes, the Log API fully supports SSL certificates. Add your certificate to IIS and configure the Log API to allow only HTTPS using the steps outlined in the Hardening user guide.
Next Step
Install Nodinite
IIS Windows Features
MSDTC
Related Topics
Core Services Package
Configuration Database
Log Databases
Hardening
LogServiceUsers
LogAccessRoles
IIS Authentication settings
SQL Server Firewall