Coding History: User Audit Log service
Coding History uses the User Audit Log service and stores the information in Elasticsearch. You must run the new installer for the User Audit Log service.
Note: Prior to installing the User Audit Log service, ensure that the Elasticsearch cluster and User Audit Log service server are set up and network ports are configured. For more information, see the Nuix Discover 10.17 - Hardware and System Requirements.
Update Elasticsearch
To update Elasticsearch, you must modify the Elasticsearch.yml and the Elasticsearch Service.
Modify the Elasticsearch.yml
If you are using Coding History, all Elasticsearch nodes must be updated to have the following parameters in the Elasticsearch.yml configuration file.
Add or update the settings in the following table in the Elasticsearch.yml file.

| Setting | Value | Purpose |
| --- | --- | --- |
| indices.query.bool.max_clause_count | 100000 | Performance improvement in Nuix Discover reports. |
| search.max_buckets | 1000000 | Performance improvement in Nuix Discover reports (Elasticsearch 7.x). |
| path.repo | UNC path to the snapshot repository (see the example below) | Location of the Elasticsearch snapshot used during the Case Decommission process. |
| xpack.ml.enabled | false | Disables machine learning to improve performance. |
Example of updates to the Elasticsearch.yml:

```yaml
indices.query.bool.max_clause_count: 100000
search.max_buckets: 1000000
path.repo: "\\\\servername\\NDarchive\\esBackups"
xpack.ml.enabled: false
```
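Because the table applies to every node, a cluster where one node was skipped will still report or snapshot incorrectly. The following Python check, added here as an illustration and not part of Nuix Discover or Elasticsearch, parses the flat `key: value` form of Elasticsearch.yml shown above and reports what is missing or wrong on each node. The node names and file contents are constructed samples; the check assumes path.repo holds a UNC path as the installation notes require, and it does not handle nested YAML.

```python
import re

# Values every Elasticsearch node must carry for Coding History (from the table above).
REQUIRED_SETTINGS = {
    "indices.query.bool.max_clause_count": 100000,
    "search.max_buckets": 1000000,
    "xpack.ml.enabled": False,
}
# path.repo has no fixed value; it must name the snapshot repository as a UNC path
# (\\server\share\...). Assumption taken from the installation notes on this page.
UNC_PATH = re.compile(r"^\\\\[^\\]+\\[^\\]+")


def parse_flat_yaml(text):
    """Parse top-level `key: value` lines into a dict.

    Handles only the flat form used in the example above (no nesting or lists).
    A double-quoted value has each doubled backslash collapsed to one, as YAML
    does; bare true/false and integers are coerced to bool and int.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line or ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if len(value) >= 2 and value[0] == '"' == value[-1]:
            value = value[1:-1].replace("\\\\", "\\")
        elif len(value) >= 2 and value[0] == "'" == value[-1]:
            value = value[1:-1]
        elif value.lower() in ("true", "false"):
            value = value.lower() == "true"
        elif value.lstrip("-").isdigit():
            value = int(value)
        settings[key] = value
    return settings


def check_node_config(text):
    """Return the problems found in one node's Elasticsearch.yml; an empty list means it is ready."""
    settings = parse_flat_yaml(text)
    problems = []
    for key, expected in REQUIRED_SETTINGS.items():
        actual = settings.get(key)
        if key not in settings:
            problems.append(f"{key} is missing")
        # type check keeps an integer 0 from passing as the boolean False
        elif actual != expected or type(actual) is not type(expected):
            problems.append(f"{key} is {actual!r}, expected {expected!r}")
    repo = settings.get("path.repo")
    if repo is None:
        problems.append("path.repo is missing")
    elif not isinstance(repo, str) or not UNC_PATH.match(repo):
        problems.append(f"path.repo {repo!r} is not a UNC path to the snapshot repository")
    return problems


def check_cluster(node_configs):
    """Map node name -> problems for every node, since the table applies to all nodes."""
    return {name: check_node_config(text) for name, text in node_configs.items()}


# Constructed sample files: node-1 matches the example above, node-2 was never updated.
NODE1_YML = r"""
cluster.name: nuix-discover
node.name: node-1
indices.query.bool.max_clause_count: 100000
search.max_buckets: 1000000
path.repo: "\\\\servername\\NDarchive\\esBackups"
xpack.ml.enabled: false
"""

NODE2_YML = r"""
cluster.name: nuix-discover
node.name: node-2
indices.query.bool.max_clause_count: 1024  # left at a low value
path.repo: "C:\\esBackups"
xpack.ml.enabled: true
"""

if __name__ == "__main__":
    for node, problems in check_cluster({"node-1": NODE1_YML, "node-2": NODE2_YML}).items():
        print(node, "OK" if not problems else "; ".join(problems))
```

Run it against a copy of each node's Elasticsearch.yml before starting the User Audit Log service; node-2 in the sample reports four problems (wrong clause count, missing max_buckets, a local rather than UNC path.repo, and machine learning still enabled).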
Modify the Elasticsearch Service
You must set the Elasticsearch Windows service on each node or virtual machine running Elasticsearch to run as the Nuix Discover AD Service Account.
Install the User Audit Log service
The User Audit Log service is installed on a single server.
Use the following procedure to install the User Audit Log service.

Note: The following updates have been made to the User Audit Log Service:

- The User Audit Log Service is now version 1.4.11.
- This version of the service now also supports Elasticsearch version 7.17.x.
- The service now supports connecting to a secured Elasticsearch cluster.
- The service now dynamically detects the Elasticsearch version and no longer requires the ES_VERSION environment variable setting.
- An upgrade to this version of the service is optional.
Step 1: Install the User Audit Log service

1. On the User Audit Log service server, open a PowerShell command prompt in Administrator mode.
2. Copy the zip file Ringtail-User-Audit-Log_<latest version>.zip to the server.
3. Extract the zip file with your choice of tools to the target install location. For example, using PowerShell:

```powershell
Expand-Archive C:\Users\Administrator\Downloads\Ringtail-User-Audit-Log_<latest version>.zip -DestinationPath "C:\Ringtail\Ringtail-User-Audit-Log_<latest version>"
```

Note: The destination path name cannot have spaces.

4. In the installer directory, make a copy of sample.config.json and use the copy to create the config.json file. The sample.config.json is preconfigured with default settings:

```json
{
  "ES_HOST": "http://yourhostname:9200",
  "ES_FS_REPOSITORY_LOCATION": "",
  "ES_SSL_CERT": "",
  "USER_AUDIT_LOG_SERVICE_PORT": 10003,
  "USER_AUDIT_LOG_SSL_CERT": "",
  "USER_AUDIT_LOG_SSL_KEY": "",
  "USER_AUDIT_LOG_SERVER_TIMEOUT": 600000
}
```

5. Open the config.json file in Notepad and modify the settings to values that are appropriate for your environment, then save your changes and close the file.

Note: At a minimum, you must modify the ES_HOST value to point to your Elasticsearch cluster. You may also want to change other settings, depending on your environment.

The settings are:

- ES_HOST: The URL (including HTTP or HTTPS) and port number for your Elasticsearch cluster. For example: http://<address>:9200
- ES_FS_REPOSITORY_LOCATION: The UNC path to the "esBackups" folder in the Archive File Repository used by Case Decommission to temporarily store the Elasticsearch snapshot when archiving a case. This location is referred to as the Elasticsearch Snapshot Repository. The path must be in UNC format with the backslashes escaped, for example: "\\\\servername\\NDarchive\\esBackups". Note: For more information, see the Update Elasticsearch section.
- ES_SSL_CERT: If you are using SSL for secure communications between the User Audit Log service and Elasticsearch, enter the absolute path to the Elasticsearch cluster's CA certificate. The certificate file must be present on the machine before running the install script in the following step. Backslashes must be double escaped in the entered path, for example: "C:\\Ringtail\\Ringtail-User-Audit-Log_<latest version>\\certs\\ca.crt".
- USER_AUDIT_LOG_SERVICE_PORT: The port number that the User Audit Log service listens on.
- USER_AUDIT_LOG_SSL_CERT: If you are using SSL for secure communications between the User Audit Log service and Nuix Discover, enter the full path and file name of the SSL certificate file. The certificate file must be present on the machine before running the install script in the following step. Backslashes must be double escaped in the entered path, for example: "C:\\Ringtail\\Ringtail-User-Audit-Log_<latest version>\\certs\\server.crt". Note: A self-signed certificate is not supported.
- USER_AUDIT_LOG_SSL_KEY: If you are using SSL for secure communications between the User Audit Log service and Nuix Discover, enter the full path and file name of the SSL key file. The key file must be present on the machine before running the install script in the following step. Backslashes must be double escaped in the entered path, for example: "C:\\Ringtail\\Ringtail-User-Audit-Log_<latest version>\\certs\\server.key". Note: A self-signed certificate is not supported.
- USER_AUDIT_LOG_SERVER_TIMEOUT: The timeout in milliseconds.

Step 2: Run the installer

In the installer directory, run the install.ps1 command:

```powershell
.\install.ps1 -ConfigFile .\config.json -DependenciesInstallPath C:\Ringtail\Dependencies
```

Parameters:

- DependenciesInstallPath: Location to install dependencies. This parameter is required.
- ConfigFile: Location of the config.json file. This parameter is required.

Note: The new installer stops the existing version of the service and then starts the new version. The old version can later be removed by deleting the folder named for the previous version.

Step 3: Verify the installation

To verify the installation:

- Use the following URL to validate that the service is responding:
- Use the following URL to verify the health of the Elasticsearch cluster and that the service can connect to it:

Note: We recommend that you monitor the following health check endpoint with your monitoring system: http://hostname:10003/health

Note: We do not recommend putting port 10003/health behind a load balancer. If you do use a load balancer, increase the load balancer delay and timeout so that you do not spam requests to these service endpoints.
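Because install.ps1 in step 2 consumes config.json as written, it helps to catch configuration mistakes before the service is started. The Python script below is an added example, not part of the Nuix installer: it checks a config.json against the rules in the step 1 setting descriptions (an ES_HOST URL with scheme and port, double-escaped absolute Windows paths for the certificate and key files and their presence on disk, the service certificate and key set together, a UNC ES_FS_REPOSITORY_LOCATION, and a sane port and timeout) and flags a plaintext http ES_HOST so that running without SSL is a deliberate choice. The sample configurations, host names and paths are constructed; the file_exists hook is an assumption of this example so that the demo runs without the certificate files on disk.

```python
import json
import ntpath
import os
from urllib.parse import urlsplit

# Keys from sample.config.json in step 1.
REQUIRED_KEYS = {
    "ES_HOST", "ES_FS_REPOSITORY_LOCATION", "ES_SSL_CERT",
    "USER_AUDIT_LOG_SERVICE_PORT", "USER_AUDIT_LOG_SSL_CERT",
    "USER_AUDIT_LOG_SSL_KEY", "USER_AUDIT_LOG_SERVER_TIMEOUT",
}
# Settings that must hold an absolute path to a file present on the service server.
FILE_KEYS = ("ES_SSL_CERT", "USER_AUDIT_LOG_SSL_CERT", "USER_AUDIT_LOG_SSL_KEY")


def validate_config(config, file_exists=os.path.isfile):
    """Return a list of (severity, message); no 'error' entries means the installer can run."""
    findings = []
    for key in sorted(REQUIRED_KEYS - config.keys()):
        findings.append(("error", f"missing setting {key}"))

    # ES_HOST: scheme, host and port are all required (http://<address>:9200 form).
    host = str(config.get("ES_HOST", ""))
    parts = urlsplit(host)
    try:
        port = parts.port
    except ValueError:  # non-numeric port
        port = None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        findings.append(("error", f"ES_HOST {host!r} must be an http or https URL"))
    elif port is None:
        findings.append(("error", f"ES_HOST {host!r} has no valid port"))
    elif parts.hostname == "yourhostname":
        findings.append(("error", "ES_HOST still points at the sample placeholder"))

    # Cross-check the transport choice against the CA certificate setting.
    ca_cert = config.get("ES_SSL_CERT", "")
    if parts.scheme == "http":
        findings.append(("warning", "ES_HOST is plain http; audit traffic to Elasticsearch is unencrypted"))
        if ca_cert:
            findings.append(("warning", "ES_SSL_CERT is set but ES_HOST is http, so it is unused"))
    elif parts.scheme == "https" and not ca_cert:
        findings.append(("warning", "ES_HOST is https but ES_SSL_CERT is empty; confirm how the cluster certificate is verified"))

    # Certificate and key paths: absolute Windows paths (ntpath works on any OS) that exist.
    for key in FILE_KEYS:
        value = config.get(key, "")
        if not value:
            continue
        if not ntpath.isabs(value):
            findings.append(("error", f"{key} must be an absolute Windows path, got {value!r}"))
        elif not file_exists(value):
            findings.append(("error", f"{key} file {value!r} is not present on this machine"))

    cert = config.get("USER_AUDIT_LOG_SSL_CERT", "")
    key = config.get("USER_AUDIT_LOG_SSL_KEY", "")
    if bool(cert) != bool(key):
        findings.append(("error", "USER_AUDIT_LOG_SSL_CERT and USER_AUDIT_LOG_SSL_KEY must be set together"))

    repo = config.get("ES_FS_REPOSITORY_LOCATION", "")
    if repo and not repo.startswith("\\\\"):
        findings.append(("error", f"ES_FS_REPOSITORY_LOCATION {repo!r} is not a UNC path"))

    svc_port = config.get("USER_AUDIT_LOG_SERVICE_PORT")
    if not isinstance(svc_port, int) or isinstance(svc_port, bool) or not 1 <= svc_port <= 65535:
        findings.append(("error", f"USER_AUDIT_LOG_SERVICE_PORT {svc_port!r} is not a valid TCP port"))
    timeout = config.get("USER_AUDIT_LOG_SERVER_TIMEOUT")
    if not isinstance(timeout, int) or timeout <= 0:
        findings.append(("error", "USER_AUDIT_LOG_SERVER_TIMEOUT must be a positive number of milliseconds"))
    return findings


def validate_config_text(text, file_exists=os.path.isfile):
    """Parse config.json text and validate it; a JSON syntax error is itself a finding."""
    try:
        config = json.loads(text)
    except json.JSONDecodeError as exc:
        return [("error", f"config.json is not valid JSON: {exc}")]
    return validate_config(config, file_exists)


# Constructed sample: the shipped defaults from sample.config.json (placeholder host, no TLS).
SAMPLE_CONFIG = r'''{ "ES_HOST": "http://yourhostname:9200",
"ES_FS_REPOSITORY_LOCATION": "", "ES_SSL_CERT": "", "USER_AUDIT_LOG_SERVICE_PORT": 10003,
"USER_AUDIT_LOG_SSL_CERT": "", "USER_AUDIT_LOG_SSL_KEY": "", "USER_AUDIT_LOG_SERVER_TIMEOUT": 600000 }'''

# Constructed sample: a TLS-enabled config with double-escaped Windows paths, as the page requires.
HARDENED_CONFIG = r'''{
  "ES_HOST": "https://es.example.internal:9200",
  "ES_FS_REPOSITORY_LOCATION": "\\\\servername\\NDarchive\\esBackups",
  "ES_SSL_CERT": "C:\\Ringtail\\Ringtail-User-Audit-Log\\certs\\ca.crt",
  "USER_AUDIT_LOG_SERVICE_PORT": 10003,
  "USER_AUDIT_LOG_SSL_CERT": "C:\\Ringtail\\Ringtail-User-Audit-Log\\certs\\server.crt",
  "USER_AUDIT_LOG_SSL_KEY": "C:\\Ringtail\\Ringtail-User-Audit-Log\\certs\\server.key",
  "USER_AUDIT_LOG_SERVER_TIMEOUT": 600000
}'''

if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        # file_exists is stubbed so the demo runs without the certificate files present
        for severity, message in validate_config_text(text, file_exists=lambda p: True) or [("ok", "no findings")]:
            print(f"{name}: {severity}: {message}")
```

On the real server, call validate_config_text with the file contents and the default file_exists so that a certificate path that was typed with single backslashes (which JSON would reject or mangle) or that points at a file not yet copied over is caught before install.ps1 runs; the untouched sample config is rejected because ES_HOST still names the placeholder host.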