Dell EMC Search Version 19.2 Security Configuration Guide Rev 01 November 2019



Copyright © 2018-2019 Dell Inc. or its subsidiaries. All rights reserved.

Dell believes the information in this publication is accurate as of its publication date. The information is subject to change without notice.

THE INFORMATION IN THIS PUBLICATION IS PROVIDED “AS-IS.” DELL MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. USE, COPYING, AND DISTRIBUTION OF ANY DELL SOFTWARE DESCRIBED IN THIS PUBLICATION REQUIRES AN APPLICABLE SOFTWARE LICENSE.

Dell Technologies, Dell, EMC, Dell EMC and other trademarks are trademarks of Dell Inc. or its subsidiaries. Other trademarks may be the property of their respective owners. Published in the USA.

Dell EMC, Hopkinton, Massachusetts 01748-9103; 1-508-435-1000; in North America 1-866-464-7381; www.DellEMC.com


CONTENTS

Preface 5

Chapter 1 Communication Security 9
  Port usage 10
  Network encryption 12
  Cryptographic modules 12
  Login, session, and password protection 12
  Firewall rules 13
  NFS share 13
  Elasticsearch REST API 13
  Data security 13

Chapter 2 Access control 15
  Default accounts 16
  Search application settings 16
  Avamar action service settings 17
  NetWorker action service settings 17
  Common Index Service settings 18
  Configure LDAP and AD users 18
  Maintaining the Search OpenLDAP server 20
  Authentication configuration 20
  About roles 21
    System Administrator role 21
    Application Administrator role 22
    Full Access Search (Global) role 24
    Index specific search roles 25
  Managing roles 29
    Assign roles to users or groups 29
    Remove users or groups 30
    Edit role assignments 31
  Log files 31
    Copy log files (WinSCP) 33
    Copy log files (PuTTy) 33
  Managing logs 34
    Managing logs for API-based services 34
    Managing logs for Worker and Action services 36
    Managing logs for Elasticsearch 38
    Managing logs for Nginx 40
    Manage logs for the Puppet agent 41


Preface

As part of an effort to improve product lines, periodic revisions of software and hardware are released. Therefore, all versions of the software or hardware currently in use might not support some functions that are described in this document. The product release notes provide the most up-to-date information on product features.

If a product does not function correctly or does not function as described in this document, contact a technical support professional.

Note: This document was accurate at publication time. To ensure that you are using the latest version of this document, go to the Support website https://www.dell.com/support.

Purpose

This document describes the security features and settings of Dell EMC Search.

Audience

This document is intended for the following administrators who will be involved in managing Search.

• Search administrator
• Index administrator

Revision history

The following table includes information about the revision history of this publication:

Table 1 Revision history

Revision | Date | Changes
01 | November 15, 2019 | GA release of the Search 19.2 Security Configuration Guide.

Related documentation

The following publications provide additional information:

• Search Deployment and Administration Guide
• Search Security Configuration Guide
• E-Lab Navigator at https://elabnavigator.emc.com/eln/elnhome
• Search Release Notes

Special notice conventions that are used in this document

The following conventions are used for special notices:

NOTICE Identifies content that warns of potential business or data loss.

Note: Contains information that is incidental, but not essential, to the topic.

Typographical conventions

The following type style conventions are used in this document:


Table 2 Style conventions

Bold: Used for interface elements that a user specifically selects or clicks, for example, names of buttons, fields, tab names, and menu paths. Also used for the name of a dialog box, page, pane, screen area with title, table label, and window.

Italic: Used for full titles of publications that are referenced in text.

Monospace: Used for:
• System code
• System output, such as an error message or script
• Pathnames, file names, file name extensions, prompts, and syntax
• Commands and options

Monospace italic: Used for variables.

Monospace bold: Used for user input.

[ ]: Square brackets enclose optional values.

|: Vertical line indicates alternate selections. The vertical line means or for the alternate selections.

{ }: Braces enclose content that the user must specify, such as x, y, or z.

...: Ellipses indicate non-essential information that is omitted from the example.

You can use the following resources to find more information about this product, obtain support,and provide feedback.

Where to find product documentation

• https://www.dell.com/support
• https://community.emc.com

Where to get support

The Support website https://www.dell.com/support provides access to product licensing, documentation, advisories, downloads, and how-to and troubleshooting information. The information can enable you to resolve a product issue before you contact Support.

To access a product-specific page:

1. Go to https://www.dell.com/support.

2. In the search box, type a product name, and then from the list that appears, select the product.

Knowledgebase

The Knowledgebase contains applicable solutions that you can search for either by solution number (for example, KB000xxxxxx) or by keyword.

To search the Knowledgebase:

1. Go to https://www.dell.com/support.

2. On the Support tab, click Knowledge Base.


3. In the search box, type either the solution number or keywords. Optionally, you can limit the search to specific products by typing a product name in the search box, and then selecting the product from the list that appears.

Live chat

To participate in a live interactive chat with a support agent:

1. Go to https://www.dell.com/support.

2. On the Support tab, click Contact Support.

3. On the Contact Information page, click the relevant support, and then proceed.

Service requests

To obtain in-depth help from Licensing, submit a service request. To submit a service request:

1. Go to https://www.dell.com/support.

2. On the Support tab, click Service Requests.

Note: To create a service request, you must have a valid support agreement. For details about either an account or obtaining a valid support agreement, contact a sales representative. To get the details of a service request, in the Service Request Number field, type the service request number, and then click the right arrow.

To review an open service request:

1. Go to https://www.dell.com/support.

2. On the Support tab, click Service Requests.

3. On the Service Requests page, under Manage Your Service Requests, click View All Dell Service Requests.

Online communities

For peer contacts, conversations, and content on product support and solutions, go to the Community Network https://community.emc.com. Interactively engage with customers, partners, and certified professionals online.

How to provide feedback

Feedback helps to improve the accuracy, organization, and overall quality of publications. You can send feedback to [email protected].


CHAPTER 1

Communication Security

Communication security settings establish secure communication channels between product components and external systems or components. This chapter contains the following topics:

• Port usage 10
• Network encryption 12
• Cryptographic modules 12
• Login, session, and password protection 12
• Firewall rules 13
• NFS share 13
• Elasticsearch REST API 13
• Data security 13


Port usage

The ports that are listed in the following table are the Search default ports for the various components that all use the TCP/HTTPS protocol. Some of these ports can be changed. Various configuration files must be manually edited.

The following table lists the required ports for Search.

Table 3 Default ports

Component | Service | Protocol | Port | Description
Common Indexing Service | NGINX | TCP/HTTPS | 442 | Secure access to Elasticsearch.
Search and Admin UIs and APIs | NGINX | TCP/HTTPS | 443 | Admin web application. Search web application. Admin REST API. Search REST API.
Common Indexing Service | NGINX | TCP/HTTPS | 445 | CIS REST API. The Common Indexing Service (CIS) provides a secure layer above Elasticsearch.
Elasticsearch cluster ports | NGINX | TCP/HTTPS | 9300–9400 | Ports for communicating with Elasticsearch (Index data nodes). Elasticsearch cluster ports are only opened internally, and are not for external access.
Puppet | Puppet | TCP | 8140, 61613 | Puppet master, agent, and console. Puppet ports must be open between Search nodes to allow for communication during an automatic upgrade.
Avamar Client | Avamar Client | TCP | 28000-29000, 30000-31000 | Ports for Avamar client communicating with Avamar server. Each client requires two ports from each port range.
NetWorker Client | NetWorker Client | TCP | 7937-8100 | Ports for NetWorker client communicating with NetWorker server.
OpenLDAP | slapd | TCP | 389 | Ports for the Search node communicating with OpenLDAP, and sync between OpenLDAP, are only opened internally.
SSH | sshd | TCP | 22 | Client connects to server through ssh.
NFS | nfs | TCP | 111, 2049 | Ports for communicating with NFS are only opened internally.

The following figure displays port data flow and access. Inbound ports that are allowed include:

• 443 (mandatory)
• 442
• 445
• 8140
• 61613
• 9300–9400
• 28000-29000
• 30000-31000
• 7937-8100
• 389
• 22
• 111
• 2049

Figure 1 Port data flow and access

The following figure displays communications between Search nodes.

Note: Ports are still open.

Figure 2 Communications between Search nodes


Network encryption

The following table outlines the encryption strategies that are employed.

Table 4 Encryption strategies

Communication | Encryption type
Web browser and Search web server (Admin/Search web applications) | TLS 1.2 with server authentication
Web browser and CIS web server (if going directly to CIS/Elasticsearch) | TLS 1.2 with mutual authentication
Search web server and CIS web server | TLS 1.2 with mutual authentication
Search web server and Search Action service APIs (Avamar/NetWorker) | TLS 1.2 with mutual authentication

Note: For Avamar, SSL between Search and the Avamar Web Service is used with a keystore to store the certificate for web service authentication. For NetWorker, backup and archive data on UNIX and Windows hosts are encrypted with the aes Application Specific Module (ASM). The aes ASM provides 256-bit data encryption. Backup data is encrypted based on a user-defined pass phrase. If no pass phrase is specified, data is encrypted with the default pass phrase.

Cryptographic modules

The following is a list of cryptographic modules that are used by Search:

• HS256 for signing JWT
• RSA1_5 2048 bit algorithms for encrypting the web tokens
• AES_256_GCM for lockbox encryption
• SHA256 2048 bit algorithms for NGINX SSL certificates

Disable the following ciphersuites:

• Null and low security ciphersuites
• Insecure algorithms: MD5, RC4, SHA1, and DES
• Little-used ciphers: kECDH, EXP, PSK, SRP, CAMELLIA, SEED, and DSS

Login, session, and password protection

The local system accounts allow users to log in to the virtual machine and access Elasticsearch directly through http://localhost:9200 (port 9200). This port is not accessible remotely. Local system access allows unrestricted access to Elasticsearch. Therefore, it is important that local system access is restricted.

Note: Elasticsearch is accessible remotely through port 442 and requires CIS credentials before login.

The Search login session expires after a 20-minute period of inactivity.


Firewall rules

Search requires access to the following external (world wide) ports:

• 442:445 (Web/Rest API)
• 28000-29000, 30000-31000 (Avamar Client)
• 7937-8100 (NetWorker client)
• 22 (SSH)

Search requires access to the following internal ports:

• 389 (openLDAP)
• 8140 (Puppet Master and Master node only)
• 61613 (Puppet)
• 9300:9400 (Elasticsearch)
• 111, 2049 (NFS)

To use ports 9300–9400, CIS provides access to IP addresses within a subnet. An example subnet is 128.222.162.

Elasticsearch nodes use ports 9300–9400 to form a cluster and to communicate with other Elasticsearch nodes.

NFS share

The Common Indexing Service (CIS) requires an NFS share to store backup files. You can only access this share internally, within a subnet.

For details, check the /etc/exports file.

Elasticsearch REST API

You can use the Elasticsearch REST API to implement custom applications or widgets. However, Dell does not support this API.

For more information, see the Elasticsearch documentation.

Data security

Search encrypts all in-flight data by using https.

Communication between Elasticsearch nodes is not encrypted.

Communication between Search node and local OpenLDAP is not encrypted.

Communication between Search node and NFS share is not encrypted.


CHAPTER 2

Access control

Access control settings provide protection of resources against unauthorized access.

This chapter contains the following topics:

• Default accounts 16
• Search application settings 16
• Avamar action service settings 17
• NetWorker action service settings 17
• Common Index Service settings 18
• Configure LDAP and AD users 18
• Maintaining the Search OpenLDAP server 20
• Authentication configuration 20
• About roles 21
• Managing roles 29
• Log files 31
• Managing logs 34


Default accounts

The following table lists the default Search accounts.

Table 5 Default account names

Account type | Username | Description
User account | admin | Default system, application, and search admin account; set at deployment time
Root user | root | Root account for the virtual machine terminal; set at deployment time

All other accounts are managed with an LDAP solution, such as Microsoft Active Directory. Any external LDAP accounts are specified by using the Search Administration application.

Search application settings

The /etc/nginx/nginx.conf file contains definitions for default ports and self-signed certificates for exposed UIs and REST APIs.

The /etc/nginx/nginx.search.conf file includes settings for the following components:

• Search UI
• Search REST API
• Admin UI
• Admin REST API

By default, in the /etc/nginx/nginx.search.conf file, the following settings are used:

• Port 443
• Self-signed certificate /usr/local/search/etc/cert/server.crt
• ssl_client_certificate /usr/local/search/action/search/etc/certs/ca.crt
• Key /usr/local/search/etc/cert/server.key

To make changes to the default port, self-signed certificate, ssl_client_certificate, or key, edit the following file:

/etc/nginx/nginx.search.conf

After changes are made to the file, restart nginx.

Note: If a port is changed, update the firewall settings.

The /etc/nginx/nginx.search.conf file also contains the following configurations:

• SSL protocols (ssl_protocols)
• SSL ciphers (ssl_prefer_server_ciphers, ssl_ciphers)
• Prevent clickjacking configuration (add_header X-Frame-Options)
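The cipher families listed under "Cryptographic modules" in Chapter 1 and the ssl_protocols, ssl_prefer_server_ciphers, ssl_ciphers, and add_header X-Frame-Options directives named above can be checked mechanically before nginx is restarted. The Python example below is an added illustration, not Dell's shipped nginx.search.conf: both config fragments are constructed, the mapping of the guide's "null and low security ciphersuites" to the OpenSSL cipher-list keywords aNULL, eNULL, and LOW is this example's assumption, and TLSv1.3 is treated as acceptable alongside the TLS 1.2 the guide specifies.

```python
"""Check the TLS directives of an nginx config such as /etc/nginx/nginx.search.conf
against the cipher and protocol guidance in this guide. The two fragments below
are constructed for the example; they are not Dell's shipped configuration."""
import re

# Cipher families the guide says to disable, as OpenSSL cipher-list keywords
# (null and low-security suites, insecure algorithms, little-used ciphers).
MUST_EXCLUDE = ["aNULL", "eNULL", "LOW", "MD5", "RC4", "SHA1", "DES",
                "kECDH", "EXP", "PSK", "SRP", "CAMELLIA", "SEED", "DSS"]
ALLOWED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}  # guide specifies TLS 1.2 throughout

# Constructed weak fragment: legacy protocols, no exclusions, no clickjacking header.
WEAK_CONF = """\
server {
    listen 443 ssl;
    ssl_certificate     /usr/local/search/etc/cert/server.crt;
    ssl_certificate_key /usr/local/search/etc/cert/server.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:MEDIUM:!aNULL;
}
"""

# Constructed hardened fragment following the guide's cipher and header guidance.
HARDENED_CONF = """\
server {
    listen 443 ssl;
    ssl_certificate     /usr/local/search/etc/cert/server.crt;
    ssl_certificate_key /usr/local/search/etc/cert/server.key;
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'HIGH:!aNULL:!eNULL:!LOW:!MD5:!RC4:!SHA1:!DES:!kECDH:!EXP:!PSK:!SRP:!CAMELLIA:!SEED:!DSS';
    add_header X-Frame-Options SAMEORIGIN always;
}
"""


def parse_directives(conf):
    """Map directive name -> list of values for every `name value;` line.
    Block nesting is ignored, which is enough for a single server block."""
    found = {}
    for m in re.finditer(r"^\s*([a-z_]+)\s+([^;#\n]*?)\s*;", conf, re.M):
        found.setdefault(m.group(1), []).append(m.group(2).strip("'\""))
    return found


def check_tls(conf):
    """Return a list of problems; an empty list means the fragment meets the guide."""
    d = parse_directives(conf)
    problems = []
    protocols = set(" ".join(d.get("ssl_protocols", [])).split())
    if not protocols:
        problems.append("ssl_protocols not set; nginx defaults include TLSv1 and TLSv1.1")
    elif protocols - ALLOWED_PROTOCOLS:
        problems.append("ssl_protocols allows " + ", ".join(sorted(protocols - ALLOWED_PROTOCOLS)))
    if d.get("ssl_prefer_server_ciphers", ["off"])[-1] != "on":
        problems.append("ssl_prefer_server_ciphers is not on")
    # A family counts as disabled only if the cipher list names it with a leading '!'.
    tokens = d.get("ssl_ciphers", [""])[-1].split(":")
    excluded = {t[1:] for t in tokens if t.startswith("!")}
    missing = [f for f in MUST_EXCLUDE if f not in excluded]
    if missing:
        problems.append("ssl_ciphers does not exclude " + ", ".join(missing))
    if not any(h.split()[:1] == ["X-Frame-Options"] for h in d.get("add_header", [])):
        problems.append("no add_header X-Frame-Options (clickjacking protection)")
    return problems


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, check_tls(conf) or "OK")
```

Run against a real file with `check_tls(open("/etc/nginx/nginx.search.conf").read())`; the same check applies to the nginx.avamar-action.conf, nginx.networker-action.conf, and nginx.cis.conf files described in this chapter, which carry the same ssl_protocols and ssl_ciphers directives.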


Avamar action service settings

When actions are triggered, the Search UI calls the Search action service. In the /etc/nginx/nginx.avamar-action.conf file, the Search action service is defined.

By default, in the /etc/nginx/nginx.avamar-action.conf file, the following settings are used:

• Port 450
• ssl_certificate_key /usr/local/search/etc/cert/server.key
• ssl_certificate /usr/local/search/etc/cert/server.crt
• ssl_client_certificate /usr/local/search/etc/cert/ca.crt

To make changes to the default port, ssl_certificate_key, ssl_certificate, or ssl_client_certificate, edit the following file:

/etc/nginx/nginx.avamar-action.conf

After changes are made to the file, restart Nginx.

Note: If a port is changed, update the firewall settings.

The /etc/nginx/nginx.avamar-action.conf file also contains the following configurations:

• SSL protocols (ssl_protocols)
• SSL ciphers (ssl_prefer_server_ciphers, ssl_ciphers)

NetWorker action service settings

When actions are triggered, the Search UI calls the Search action service. In the /etc/nginx/nginx.networker-action.conf file, the Search action service is defined.

By default, in the /etc/nginx/nginx.networker-action.conf file, the following settings are used:

• Port 449
• ssl_certificate_key /usr/local/search/etc/cert/server.key
• ssl_certificate /usr/local/search/etc/cert/server.crt
• ssl_client_certificate /usr/local/search/etc/cert/ca.crt

To make changes to the default port, ssl_certificate_key, ssl_certificate, or ssl_client_certificate, edit the following file:

/etc/nginx/nginx.networker-action.conf

After changes are made to the file, restart nginx.

Note: If a port is changed, update the firewall settings.

The /etc/nginx/nginx.networker-action.conf file also contains the following configurations:

• SSL protocols (ssl_protocols)
• SSL ciphers (ssl_prefer_server_ciphers, ssl_ciphers)


Common Index Service settings

In the /etc/nginx/nginx.cis.conf file, settings for the Common Index Service (CIS) are defined.

By default, the /etc/nginx/nginx.cis.conf file uses the following settings:

• Port 445
• Self-signed certificate /usr/local/search/etc/cert/server.crt
• Key /usr/local/search/etc/cert/server.key

Note: As an Elasticsearch passthrough, CIS opens a secondary port. The default port changes to 442.

To make changes to the default port, self-signed certificate, or key, edit the following file:

/etc/nginx/nginx.cis.conf

After changes are made to the file, restart nginx.

Note: If a port is changed, update the firewall settings.

Configure LDAP and AD users

Search is configured with a built-in OpenLDAP service that includes preconfigured user accounts and groups. The Admin user account is preconfigured to include the system, application, and search Admin roles, which provides access to all Search functionality. While this account is useful for initial configuration, it is best practice to add one or more external Active Directory (AD) or OpenLDAP servers, and assign users or groups from those servers to Search roles. After you add the external AD or OpenLDAP servers, you can disable or remove the built-in OpenLDAP server.

About this task

The built-in OpenLDAP service is configured with a password policy to protect against brute-force attacks, and also enables automatic account unlock to prevent an account lockout attack.

The default Admin user account is not configured with an email address, and therefore cannot receive email notifications by default.

To configure LDAP and AD users, perform the following actions:

Procedure

1. In the Manage drop-down list, select System.

The System Administration view appears.

2. Click Administration > Options > LDAP Options.

The LDAP Options window appears.

3. To add an LDAP server, click .

The Add LDAP Configuration window appears.

4. In the Name field, type the LDAP configuration name.

5. In the Server Type field, select either of the following authentication types:

• Active Directory
• OpenLDAP


6. In the LDAP Server field, type either of the following:

• Hostname of the LDAP or AD server
• IP address of the LDAP or AD server

7. In the LDAP port field, type the port number that the external authentication authority uses.

For LDAP, the default port number is 389.

For SSL, the default number for LDAPS changes to 636 when True is selected.

8. In the Base DN field, type the scope of the users and groups that are considered within the LDAP server.

For example:

DC=example, DC=com

The Base DN determines the structure of the LDAP server where the search filter is applied. This is usually similar to the domain name over which the LDAP server has authority.

9. In the Username field:

a. Type a user account that has full read access to the LDAP or AD directory, in the following format:

[email protected] (for example, [email protected])

• For Active Directory, ensure that the username is one of the following:
  - Common name
  - Email address
  - Display name
  - User principal name (UPN) in the following format: user@domain
  - SAM account name in the following format: domain/user
  - Distinguished name (DN)
• For OpenLDAP, ensure that the username is one of the following:
  - Common name
  - Email address
  - Entry distinguished name
  - User ID (UID)

b. Ensure that the user has read access to the directory.

c. To include email notifications, define the email address for the account.

Note: Only Admin accounts with defined email addresses can receive email notifications.

10. In the Password field, type the password of the user account that you specified in the Username field.

11. In the SSL field, select either of the following options:


• To connect to an external authentication server using LDAPS, select True. The default port number automatically changes to 636.
• To ignore secure connection settings, select False.

12. In the Default field, leave the option set to False.

The Default field refers to the Search built-in OpenLDAP server.

13. To test the connection, click Test Connection.

14. Click Save.
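The helpers below are an added example, not part of the Search product, for the values entered in steps 7 through 13: they derive the endpoint implied by the SSL and LDAP port fields (389, or 636 when SSL is True), split the Base DN from step 8 into its RDNs, classify a bind account name against the forms listed in step 9 (the server-type labels 'AD' and 'OpenLDAP' are this example's own), and verify an LDAPS server certificate the way a Test Connection would. check_ldaps_certificate needs network access and is the only function not exercised offline.

```python
"""Helpers for the "Configure LDAP and AD users" procedure: derive the endpoint the
SSL/port fields imply, sanity-check the Base DN, classify the bind account name,
and verify an LDAPS certificate before clicking Save. Added example; the function
and label names are this example's own, not the product's."""
import re
import socket
import ssl

LDAP_PORT, LDAPS_PORT = 389, 636  # defaults named in steps 7 and 11


def ldap_endpoint(server, use_ssl, port=None):
    """Return (scheme, host, port). Port defaults to 389, or 636 when SSL is True."""
    scheme = "ldaps" if use_ssl else "ldap"
    if port is None:
        port = LDAPS_PORT if use_ssl else LDAP_PORT
    return scheme, server, int(port)


def parse_base_dn(dn):
    """Split a Base DN such as 'DC=example, DC=com' into (attribute, value) pairs.
    Raises ValueError on an RDN that is not attr=value."""
    rdns = []
    for rdn in re.split(r"(?<!\\),", dn):  # commas escaped as '\,' stay inside a value
        rdn = rdn.strip()
        m = re.fullmatch(r"([A-Za-z][A-Za-z0-9-]*)=(.+)", rdn)
        if not m:
            raise ValueError(f"malformed RDN: {rdn!r}")
        rdns.append((m.group(1).upper(), m.group(2)))
    return rdns


def username_form(name, server_type):
    """Classify the bind account name against the forms step 9 accepts for
    Active Directory ('AD') or OpenLDAP. Labels are this example's own."""
    if re.fullmatch(r"[^=,/@\s]+@[^@\s]+", name):
        return "upn_or_email"  # user@domain; UPN and email share this shape
    if "=" in name:
        return "dn"  # CN=...,OU=...,DC=...
    if server_type == "AD" and re.fullmatch(r"[^/\s]+/[^/\s]+", name):
        return "sam_account"  # domain/user (Active Directory only)
    return "cn_or_uid"  # bare common name, display name, or uid


def check_ldaps_certificate(host, port=LDAPS_PORT, cafile=None, timeout=5.0):
    """Open a TLS connection to an LDAPS server and return the peer certificate's
    subject. Raises ssl.SSLCertVerificationError if the chain does not verify
    (pass cafile= for a private CA). Needs network access; not called at import."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return dict(rdn[0] for rdn in cert["subject"])


if __name__ == "__main__":
    print(ldap_endpoint("ad.example.com", True))
    print(parse_base_dn("DC=example, DC=com"))
    print(username_form("EXAMPLE/svc-search", "AD"))
```

A failed certificate check here means the LDAPS server presents a certificate that the node's trust store does not accept; the fix is to install the issuing CA on the Search node (or pass it as cafile) rather than to set SSL to False, which would send the bind password from step 10 in clear text.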

Maintaining the Search OpenLDAP server

You can change the following settings by editing the settings in the /etc/openldap/slapd.conf configuration file:

• Anti-brute force
• Account lockout
• Master-consumer deployment setting
• Database replicate
• Unlock admin account
• Password

Authentication configuration

This section describes user accounts and groups for LDAP.

Users can remotely log in to the Search admin and search web-based interfaces only by using appropriate accounts that are configured in LDAP. Roles within the software also determine a user's permissions when logged in.

The following table lists accounts and groups for LDAP.

Table 6 LDAP server

Accounts and Groups | Description
System Administrator | The System Administrator can:
  • Assign the System Administrator role to other users and groups
  • View the system health
  • Configure and view system notifications
  • Manage LDAP sources
Application Administrator | The Application Administrator can:
  • Assign the following roles to users and groups:
    - Application Administrator
    - Full Access Search (Global)
  • View the status of jobs on the source server
  • Manage search roles for an index including the following:
    - Full Access Search (Index)
    - Read Only Search (Index)
  • Add or edit a source
  • Configure and view source notifications
  • View the health of the source server
Search Administrator - All access | The Search Administrator - All access can:
  • Full content index a search result
  • Preview search results
  • Download files locally
  • Restore files to original or alternate location
Search Administrator - Read only | The Search Administrator - Read only can:
  • Perform keyword searches
  • Perform filter searches
  • View metadata for the search results
  • Restore files to the original location

About roles

A role defines the privileges and permissions for users to perform a group of tasks.

When you configure the Search virtual appliance, there are already predefined users from OpenLDAP.

Note: When you launch the Search virtual appliance within IDPA System Manager, the user has all admin access and full search access to all indexes. The IDPA single sign-on privileges override the roles that are allocated in Search.

System Administrator role

The System Administrator can perform the following tasks:

- Assign the System Administrator role to other users and groups
- View the system health
- Configure and view system notifications
- Manage LDAP sources

Assign the System Administrator role

About this task

To assign a System Administrator role, perform the following procedure. Only a System Administrator can add another System Administrator role.

Procedure

1. In the Manage drop-down list, select System.

The System Administration view appears.


2. Click Administration > Roles.

The Manage Roles window appears.

3. Click .

The Select User window appears.

4. In the Select User window, perform the following steps:

a. In the Name field, restrict the search to one of the following categories:

   - Users or Groups
   - Users
   - Groups

b. Type the name of the user or group.

c. In the Directory field, specify an authentication provider.

For example, the name of the Active Directory.

d. Click Find.

The list of users or user groups appears.

Note: If you click Find before specifying a substring, the entire directory is returned. This action might slow performance.

e. Select a user, group, or click Select all.

f. Click OK.

The Manage Roles window appears.

5. In the Manage Roles window, select System Administrator to assign the role to the user or group that you added.

Example 1 Search for all users

To search for all users that contain Admin:

1. Type Admin.

2. Click Find.

Application Administrator role

The Application Administrator can manage specific configurations within the Search virtual appliance.

The Application Administrator can perform the following tasks:

- Assign the following roles to users and groups:
  - Application Administrator
  - Full Access Search (Global)
- View the status of jobs on the source server
- Manage search roles for an index including the following:
  - Full Access Search (Index)
  - Read Only Search (Index)
- Add or edit a source
- Configure and view source notifications
- View the health of the source server

Assign the Application Administrator role

About this task

Only an Application Administrator can assign the Application Administrator role.

Procedure

1. In the Manage drop-down list, select one of the following options:

   - Avamar

     The Avamar Administration view appears.

   - NetWorker

     The NetWorker Administration view appears.

2. Select Administration > Roles.

The Manage Roles window appears.

3. To add a user or group, click .

The Select User window appears.

4. In the Select User window, perform the following steps:

a. In the Name field, restrict the search to one of the following categories:

   - Users or Groups
   - Users
   - Groups

b. Type the name of the user or group.

c. In the Directory field, specify an authentication provider.

For example, the name of the Active Directory.

d. Click Find.

The list of users or user groups appears.

Note: If you click Find before specifying a substring, the entire directory is returned. This action might slow performance.

e. Select a user, group, or click Select all.

f. Click OK.

The Manage Roles window appears.

5. In the Manage Roles window, select Application Administrator to assign the role to the user or group that you added.

Example 2 Search for all users

To search for all users that contain Admin:

1. Type Admin.

2. Click Find.

Full Access Search (Global) role

The Full Access Search (Global) role is a global search administrator that overrides any setting on indexes.

Only an Application Administrator can assign the Full Access Search (Global) role.

The Full Access Search (Global) role can perform the following actions:

- Full content index a search result
- Preview search results
- Download files locally
- Restore files to original or alternate location

Assigning the Full Access Search (Global) role

About this task

Only an Application Administrator can assign the Full Access Search (Global) role.

Procedure

1. In the Manage drop-down list, select one of the following options:

   - Avamar

     The Avamar Administration view appears.

   - NetWorker

     The NetWorker Administration view appears.

2. Click Administration > Roles.

The Manage Roles window appears.

3. To add a user or group, click .

The Select User window appears.

4. In the Select User window, perform the following steps:

a. In the Name field, restrict the search to one of the following categories:

   - Users or Groups
   - Users
   - Groups

b. Type the name of the user or group.

c. In the Directory field, specify an authentication provider.

For example, the name of the Active Directory.

d. Click Find.

The list of users or user groups appears.

Note: If you click Find before specifying a substring, the entire directory is returned. This action might slow performance.

e. Select a user, group, or click Select all.

f. Click OK.

The Manage Roles window appears.

5. In the Manage Roles window, select Full Access Search (Global) to assign the role to the user or group that has been added.

Example 3 Search for all users

To search for all users that contain Admin:

1. Type Admin.

2. Click Find.

Index specific search roles

The following roles can be applied to specific indexes.

Full Access Search (Index)

Only an Application Administrator can assign the Full Access Search (Index) role.

The Full Access Search (Index) role can perform the following actions inside a specified index:

- Full content index a search result
- Preview search results
- Download files locally
- Restore files to original or alternate location

The following figure illustrates how to assign the Full Access Search (Index) role.

Figure 3 Full Access Search (Index) role

Assign the Full Access Search (Index) role

Only an Application Administrator can assign the Full Access Search (Index) role for a specific index.

Before you begin

Ensure that the user or group has been added as an Active Directory or OpenLDAP source.

Procedure

1. In the Manage drop-down list, select one of the following options:

   - Avamar

     The Avamar Administration view appears.

   - NetWorker

     The NetWorker Administration view appears.

2. Click Administration > Indexes.

The list of indexes appears.

3. Select the Index that you want to give the user or group access to.

4. To manage search roles, click .

The Manage Search Roles window appears.

5. To add a user or group, click .

The Select User window appears.

6. In the Select User window, perform the following steps:

a. In the Name field, restrict the search to one of the following categories:

   - Users or Groups
   - Users
   - Groups

b. Type the name of the user or group.


c. In the Directory field, specify an authentication provider.

For example, the name of the Active Directory.

d. Click Find.

The list of users or user groups appears.

Note: If you click Find before specifying a substring, the entire directory is returned. This action might slow performance.

e. Select a user, group, or click Select all.

f. Click OK.

The Manage Roles window appears.

7. In the Manage Roles window, select Full Access Search (Index) to assign the role to the user or group that has been added.

Example 4 Search for all users

To search for all users that contain Admin:

1. Type Admin.

2. Click Find.

Read Only Search (Index) role

Only an Application Administrator can assign the Read Only Search (Index) role.

The Read Only Search (Index) role can perform the following actions inside a specific index:

- Perform keyword searches
- Perform filter searches
- View metadata for the search results
- Restore files to the original location

The following figure illustrates how to assign the Read Only Search (Index) role.

Figure 4 Read Only Search (Index) role

Assign the Read Only Search (Index) role

Only an Application Administrator can assign the Read Only Search (Index) role for a specific index.

Before you begin

Ensure that the user or group has been added as an Active Directory or OpenLDAP source.

Procedure

1. In the Manage drop-down list, select one of the following options:

   - Avamar

     The Avamar Administration view appears.

   - NetWorker

     The NetWorker Administration view appears.

2. Click Administration > Indexes.

The list of indexes appears.

3. Select the Index that you want to give the user or group access to.

4. To manage search roles, click .

The Manage Search Roles window appears.

5. To add a user or group, click .

The Select User window appears.

6. In the Select User window, perform the following steps:

a. In the Name field, restrict the search to one of the following categories:

   - Users or Groups
   - Users
   - Groups

b. Type the name of the user or group.


c. In the Directory field, specify an authentication provider.

For example, the name of the Active Directory.

d. Click Find.

The list of users or user groups appears.

Note: If you click Find before specifying a substring, the entire directory is returned. This action might slow performance.

For example, to search for all users that contain Admin, type Admin and click Find.

e. Select a user, group, or click Select all.

f. Click OK.

The Manage Roles window appears.

7. To assign the role to a user or group, select Read Only Search (Index).

The Read Only Search (Index) role cannot perform the following actions:

- See inline preview for hits
- View full preview for hits
- Download files locally
- Restore files to an alternate location

Managing roles

This section describes how to add and edit user roles and assign access privileges to administrators.

Assign roles to users or groups

About this task

With the System Administrator or Application Administrator role, you can assign roles to users or groups.

Procedure

1. In the Manage drop-down list, select one of the following options:

   - Avamar

     The Avamar Administration view appears.

   - NetWorker

     The NetWorker Administration view appears.

   - System

     The System Administration view appears.

2. Click Administration > Roles.

The Manage Roles window appears.

3. To add a user or group, click .

The Select User window appears.


4. In the Select User window, perform the following steps:

a. In the Name field, restrict the search to one of the following categories:

   - Users or Groups
   - Users
   - Groups

b. Type the name of the user or group.

c. In the Directory field, specify an authentication provider.

For example, the name of the Active Directory.

d. Click Find.

The list of users or user groups appears.

Note: If you click Find before specifying a substring, the entire directory is returned. This action might slow performance.

For example, to search for all users that contain Admin, type Admin and click Find.

e. Select a user, group, or click Select all.

f. Click OK.

The Manage Roles window appears.

5. To assign a role to a user or group, click one or more of the following options:

   - Application Administrator
   - Search Administrator

Remove users or groups

With the System Administrator or Application Administrator role, you can remove users or groups.

Procedure

1. In the Manage drop-down list, select one of the following options:

   - Avamar

     The Avamar Administration view appears.

   - NetWorker

     The NetWorker Administration view appears.

   - System

     The System Administration view appears.

2. Click Administration > Roles.

The Manage Roles window appears.

3. Click the name of the user or group you want to delete.

4. Click .

5. To remove the user or group, in the Confirm window, click Confirm.


Results

The users or groups are no longer listed.

Edit role assignments

With the System Administrator or Application Administrator role, you can assign or edit roles.

Procedure

1. In the Manage drop-down list, select one of the following options:

   - Avamar

     The Avamar Administration view appears.

   - NetWorker

     The NetWorker Administration view appears.

   - System

     The System Administration view appears.

2. Click Administration > Roles.

The Manage Roles window appears.

3. Choose the user or group whose role you want to edit.

4. Click one or more of the following options:

   - Application Administrator
   - Full Access Search (Global)

The following figure displays the Manage Roles window.

Figure 5 Manage Roles window

Log files

All log files are stored on disk 3, the separate disk. The /usr/local/search/log directory is mapped to /mnt/search/log. The logs are filed to a dedicated disk so they cannot fill the system disk.

The default log directory, /usr/local/search/log, contains the following logs.


Table 7 Log files (columns: Logs; Description)

search-adminapi-nodename
  Main log file for the Admin REST API
search-adminapi-stderr-nodename
  List of API calls made into the Admin REST API
search-adminapi-stdout-nodename
  Details about the debugging output for the Admin REST API
search-api-nodename
  Main log file for the Search REST API
search-api-stderr-nodename
  List of API calls made into the Search REST API
search-api-stdout-nodename
  Details about the debugging output for the Search REST API
search-avamar-action-nodename
  Main log file for the Avamar action service REST API
search-avamar-action-stderr-nodename
  A succinct list of API calls made into the Avamar action service REST API
search-avamar-action-stdout-nodename
  Details about the debugging output for the Avamar action service REST API
search-avamar-worker-nodename
  Main log file for the Avamar Java worker service
search-avamar-worker-stdout-nodename
  Details about the Avamar Java worker service settings
search-networker-action-nodename
  Main log file for the NetWorker action service REST API
search-networker-action-stderr-nodename
  A succinct list of API calls made into the NetWorker action service REST API
search-networker-action-stdout-nodename
  Details about the debugging output for the NetWorker action service REST API
search-networker-worker-nodename
  Main log file for the NetWorker Java worker service
search-networker-worker-stdout-nodename
  Details about the NetWorker Java worker service settings
search-worker-nodename
  Main log file for the Search platform Java worker service
search-worker-stdout-nodename
  Details about the Search platform Java worker service settings

Subdirectories contain the logs for the following services.

Table 8 Services and logs (columns: Logs; Description)

Elasticsearch
  Index engine logs
CIS
  Common Index Service logs
Nginx
  Web server logs
Puppet
  Puppet master and agent logs

Use a secure FTP client, such as WinSCP or PuTTy (psftp), to copy log files from the Search nodes to a Windows computer.

Note: The WinSCP tool provides a GUI, and retains the settings, including both local and remote directory locations.

Copy log files (WinSCP)

Before you begin

Install WinSCP by downloading WinSCP from winscp.net.

Procedure

1. From the WinSCP wizard, select Stored sessions, and click New.

2. Add a session by completing the following fields:

   - Hostname
   - Port number (default is 22)
   - Root username
   - Password

3. Click Directories and complete the following fields:

   - In the Remote directory field, type /usr/local/search/log
   - In the Local directory field, type the local directory

4. To save the session:

   a. Click Save.

   b. Click Login.

5. Drag the logs from the Remote Directory section of the window to the Local Directory section of the window.

Copy log files (PuTTy)

Use a secure FTP client, such as PuTTy (psftp), to copy log files from the Search nodes to a Microsoft Windows computer.

Before you begin

Download and install PuTTy from winscp.net.

Procedure

1. Log in with the Search Root user credentials that are created during deployment.

2. Change to the log directory:

   cd /usr/local/search/log


3. To download the log files, run the mget * command.

4. If required, unzip the log files.

Older versions of the logs are compressed based on size or date.

Managing logs

All log files are stored on disk 3, the separate disk. The logs are located in /usr/local/search/log. The logs are filed to a dedicated disk so they cannot fill the system disk.

The default log directory, /usr/local/search/log, is mapped to /mnt/search/log. Follow the procedures in this section to learn how to manage the following log properties:

- Log file location
- Log level
- Log size
- Log count

Managing logs for API-based services

To troubleshoot and diagnose problems, you can manage the log files of the following services and components:

- Admin API
- Search Admin API
- Common Indexing Service (CIS) Core
- CIS Scheduler

Log file location

The following table provides a summary of the log files available for the Admin/Search REST API.

Table 9 Admin/Search REST API log files (columns: Module; Configuration file; Log file location; Default log level)

Admin API
  Configuration file: /usr/local/search/etc/system.conf
  Log file location:
    {log_path}/search-adminapi-{host_name}.log
    {log_path}/search-adminapi-stdout-{host_name}.log
    {log_path}/search-adminapi-stderr-{host_name}.log
  Default log level: ERROR

Search API
  Configuration file: /usr/local/search/etc/system.conf
  Log file location:
    {log_path}/search-api-{host_name}.log
    {log_path}/search-api-stdout-{host_name}.log
    {log_path}/search-api-stderr-{host_name}.log
  Default log level: ERROR

Manage the log level

The system.conf file provides the ability to modify the log level for the Admin/Search REST API.

About this task

To modify the log level, complete the following steps:

Procedure

1. Open the system.conf file with a text editor.

2. In the system.conf file, locate the following section:

   "log": {
       "comments": "log.level VERBOSE = 0, INFO = 1, WARNING = 2, ERROR = 3",
       "admin_api": "/usr/local/search/log/search-adminapi-stevenzincdev.log",
       "search_api": "/usr/local/search/log/search-api-stevenzincdev.log",
       "level": 3
   }

3. Change the log level by editing the level attribute.

   Specify one of the following log levels:

   - 0 (VERBOSE)
   - 1 (INFO)
   - 2 (WARNING)
   - 3 (ERROR)

4. Restart the corresponding services.
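The procedure above is a hand edit of a JSON value; on a fleet of nodes it is worth scripting so that only the four documented levels can be written and a failed write cannot leave system.conf unparsable. The following is an added example, not Dell EMC's own tooling: it assumes system.conf is a plain JSON document whose top-level "log" object matches the fragment quoted in the guide, and the host name in the sample paths is constructed.

```python
"""Set the Admin/Search REST API log level in system.conf.

Added example, not Dell EMC's own tooling. It assumes system.conf is a JSON
document whose top-level "log" object matches the fragment quoted in the
guide; the host name in the sample paths is constructed.
"""
import json
import os
import tempfile

# Numeric levels as documented in the "comments" key of the log section.
LOG_LEVELS = {"VERBOSE": 0, "INFO": 1, "WARNING": 2, "ERROR": 3}

# Constructed sample of the relevant part of system.conf. Assumption: the
# file is plain JSON; any other top-level keys must survive the edit.
SAMPLE_SYSTEM_CONF = """{
  "other_section": {"keep": true},
  "log": {
    "comments": "log.level VERBOSE = 0, INFO = 1, WARNING = 2, ERROR = 3",
    "admin_api": "/usr/local/search/log/search-adminapi-examplehost.log",
    "search_api": "/usr/local/search/log/search-api-examplehost.log",
    "level": 3
  }
}
"""


def level_name(level: int) -> str:
    """Map a numeric level back to its documented name; unknown values raise."""
    for name, value in LOG_LEVELS.items():
        if value == level:
            return name
    raise ValueError(f"unknown log level {level!r}")


def current_log_level(conf_text: str) -> int:
    """Read log.level from the JSON text (KeyError if the entry is absent)."""
    return int(json.loads(conf_text)["log"]["level"])


def set_log_level(conf_text: str, level) -> str:
    """Return conf_text with log.level set to `level` (a name or 0-3).

    Everything else in the document is preserved. Out-of-range values are
    rejected so a typo cannot leave the API without ERROR lines or flip a
    production node into VERBOSE by accident.
    """
    if isinstance(level, str):
        try:
            level = LOG_LEVELS[level.upper()]
        except KeyError:
            raise ValueError(f"unknown log level name {level!r}") from None
    if level not in LOG_LEVELS.values():
        raise ValueError(f"log level must be 0-3, got {level!r}")
    conf = json.loads(conf_text)
    if "level" not in conf.get("log", {}):
        raise KeyError("system.conf has no log.level entry")
    conf["log"]["level"] = level
    return json.dumps(conf, indent=2) + "\n"


def write_atomically(path: str, text: str) -> None:
    """Write through a temp file plus rename, so an interrupted edit can never
    leave a half-written system.conf that the API fails to parse on restart."""
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".system.conf.")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(text)
        os.replace(tmp, path)
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise


if __name__ == "__main__":
    updated = set_log_level(SAMPLE_SYSTEM_CONF, "WARNING")
    print(level_name(current_log_level(SAMPLE_SYSTEM_CONF)), "->",
          level_name(current_log_level(updated)))
```

To use it on a node, read /usr/local/search/etc/system.conf, pass the text through set_log_level, write the result with write_atomically, and then restart the services as step 4 requires; the restart is still a manual step, the script only makes the edit safe.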

Manage log size and log count

The logrotate utility manages the size of log files, and determines the number of archived log files to maintain.

About this task

Note: A cron job runs daily to rotate the API log files.

The following table outlines the logrotate configuration files for the Admin/Search REST API, CIS core service, and CIS scheduler service.

Table 10 Configuration files (columns: Service; Configuration file)

Admin API              /etc/logrotate.d/search-adminapi.lr
Search API             /etc/logrotate.d/search-api.lr
CIS core service       /etc/logrotate.d/search-cis-core.lr
CIS scheduler service  /etc/logrotate.d/search-cis-schedule.lr

Procedure

1. Open the corresponding logrotate configuration file.

2. In the logrotate configuration file, locate the following section:

   /usr/local/search/log/search-adminapi*.log {
       su root root
       rotate 5
       size 100M
       missingok
       nodateext
       notifempty
       compress
       delaycompress
       lastaction
           pid=/var/run/search/search-adminapi.pid
           test -s $pid && kill -USR1 "$(cat $pid)"
       endscript
   }

3. Change the log size and the number of log files to maintain by editing the rotate and size parameters.

   where:

   - rotate defines the number of archived log files that the Search software maintains. The default value is 5.
   - size defines the maximum size of the log file. The default value is 100M.

Managing logs for Worker and Action services

To troubleshoot and diagnose problems, you can manage the log files for the following services and components:

- Avamar Action service
- Avamar Worker service
- NetWorker Action service
- NetWorker Worker service
- Search Worker service

Log file location

The following table provides a summary of the log files available for the action services, worker services, and system worker service.

Table 11 Worker Services log files (columns: Module; Configuration file; Log file location)

Search-Worker
  Configuration file: /usr/local/search/etc/log4j2-search-worker.xml
  Log file location: {log_path}/search-worker.log

Avamar-Worker
  Configuration file: /usr/local/search/etc/log4j2-search-avamar-worker.xml
  Log file location: {log_path}/search-avamar-worker-{host_name}.log

Networker-Worker
  Configuration file: /usr/local/search/etc/log4j2-search-networker-worker.xml
  Log file location: {log_path}/search-networker-worker-{host_name}.log

Avamar-Action-Service
  Configuration file: /usr/local/search/etc/log4j2-search-avamar-action.xml
  Log file location: {log_path}/search-avamar-action-{host_name}.log

Networker-Action-Service
  Configuration file: /usr/local/search/etc/log4j2-search-networker-action.xml
  Log file location: {log_path}/search-networker-action-{host_name}.log

Manage the log level

The log4j file provides the ability to modify the log level for the action services, worker services, and system worker service.

About this task

To modify the log level, complete the following steps:

Procedure

1. Open the corresponding log4j configuration file.

2. In the log4j configuration file, perform the following tasks:

   - To modify the log level for the Search Avamar Action service or the Search NetWorker Action service, locate the following section:

     <Logger name="com.emc.zinc" level="error" additivity="false">
         <AppenderRef ref="Routing"/>
     </Logger>

   - To modify the log level for the Search Avamar Worker service, Search NetWorker Worker service, or Search Worker service, locate the following section:

     <Root level="info">
         <AppenderRef ref="Routing"/>
     </Root>

3. Change the log level by editing the level attribute.

   Specify one of the following log levels:

   - trace
   - debug
   - info
   - warn
   - error

4. Restart the corresponding services.

Manage log size and log count

The log4j file manages the size of log files, and determines the number of archived log files to maintain for the action services, worker services, and system worker service.

About this task

The following table lists the log4j configuration files.

Table 12 Configuration files (columns: Service; Configuration file)

Avamar action service     log4j2-search-avamar-action.xml
Avamar worker service     log4j2-search-avamar-worker.xml
NetWorker action service  log4j2-search-networker-action.xml
NetWorker worker service  log4j2-search-networker-worker.xml
System worker service     log4j2-search-worker.xml

Procedure

1. Open the corresponding log4j configuration file.

2. In the log4j configuration file, locate the following section:

       <Policies>
           <!-- <OnStartupTriggeringPolicy /> -->
           <!-- <TimeBasedTriggeringPolicy /> -->
           <SizeBasedTriggeringPolicy size="100 MB"/>
       </Policies>
       <DefaultRolloverStrategy max="5"/>
   </RollingFile>

3. Change the log size and the number of log files to maintain by editing the SizeBasedTriggeringPolicy size and DefaultRolloverStrategy max attributes.

   where:

   - SizeBasedTriggeringPolicy size defines the maximum size of the log file. The default value is 100 MB.
   - DefaultRolloverStrategy max defines the number of archived log files that the Search software maintains. The default value is 5.
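The two log4j2 procedures above (the level on the com.emc.zinc Logger or the Root logger, and the SizeBasedTriggeringPolicy size and DefaultRolloverStrategy max on the RollingFile appender) are the same three attribute edits in one XML file. The following added example, which is not part of Dell EMC Search, makes those edits with the standard library XML parser and validates the values first. The XML is a constructed minimal document built around the fragments the guide quotes; the appender name "Routing" is taken from the AppenderRef in those fragments, the host name is an assumption, and the shipped files contain more appenders and loggers, which the code leaves alone.

```python
"""Adjust the three log4j2 settings the guide points at in the
log4j2-search-*.xml files: the level on <Logger name="com.emc.zinc"> or
<Root>, the SizeBasedTriggeringPolicy size and the DefaultRolloverStrategy max.

Added example, not part of Dell EMC Search. The XML is a constructed minimal
document built around the fragments the guide quotes.
"""
import re
import xml.etree.ElementTree as ET

# Levels the guide accepts for these files, least to most severe.
LOG4J_LEVELS = ("trace", "debug", "info", "warn", "error")
_SIZE_RE = re.compile(r"^\s*(\d+)\s*(KB|MB|GB)\s*$", re.IGNORECASE)

# Constructed sample (host name in the paths is an assumption).
SAMPLE_LOG4J2_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Configuration status="warn">
  <Appenders>
    <RollingFile name="Routing"
                 fileName="/usr/local/search/log/search-avamar-action-examplehost.log"
                 filePattern="/usr/local/search/log/search-avamar-action-examplehost-%i.log.gz">
      <PatternLayout pattern="%d %p %c{1.} [%t] %m%n"/>
      <Policies>
        <SizeBasedTriggeringPolicy size="100 MB"/>
      </Policies>
      <DefaultRolloverStrategy max="5"/>
    </RollingFile>
  </Appenders>
  <Loggers>
    <Logger name="com.emc.zinc" level="error" additivity="false">
      <AppenderRef ref="Routing"/>
    </Logger>
    <Root level="info">
      <AppenderRef ref="Routing"/>
    </Root>
  </Loggers>
</Configuration>
"""


def parse_size(text: str) -> int:
    """Convert a log4j2 size such as "100 MB" to bytes; anything else raises."""
    m = _SIZE_RE.match(text)
    if not m:
        raise ValueError(f"unsupported size {text!r}")
    return int(m.group(1)) * 1024 ** {"KB": 1, "MB": 2, "GB": 3}[m.group(2).upper()]


def _logger(root: ET.Element, logger_name):
    """<Logger name=...> for a name, <Root> for None; a missing node raises."""
    if logger_name is None:
        node = root.find("./Loggers/Root")
    else:
        node = root.find(f"./Loggers/Logger[@name='{logger_name}']")
    if node is None:
        raise KeyError(f"logger {logger_name!r} not found")
    return node


def set_logger_level(root: ET.Element, logger_name, level: str) -> None:
    """Step 3 of the level procedure: only the five documented levels are allowed."""
    if level not in LOG4J_LEVELS:
        raise ValueError(f"level must be one of {LOG4J_LEVELS}, got {level!r}")
    _logger(root, logger_name).set("level", level)


def set_rollover(root: ET.Element, appender: str, size: str, max_files: int) -> None:
    """Step 3 of the size/count procedure on one RollingFile; validate first."""
    rf = root.find(f"./Appenders/RollingFile[@name='{appender}']")
    if rf is None:
        raise KeyError(f"RollingFile {appender!r} not found")
    policy = rf.find("./Policies/SizeBasedTriggeringPolicy")
    strategy = rf.find("./DefaultRolloverStrategy")
    if policy is None or strategy is None:
        raise KeyError("size policy or rollover strategy missing")
    parse_size(size)
    if max_files < 1:
        raise ValueError("max must be at least 1")
    policy.set("size", size)
    strategy.set("max", str(max_files))


def reconfigure(xml_text: str, level: str, size: str, max_files: int) -> str:
    """Apply the guide's edits for an action service and return the new XML.
    Note: ElementTree's default parser drops XML comments, so the commented-out
    policies in the shipped file would not survive a rewrite done this way."""
    root = ET.fromstring(xml_text)
    set_logger_level(root, "com.emc.zinc", level)
    set_rollover(root, "Routing", size, max_files)
    return ET.tostring(root, encoding="unicode")


def current_settings(xml_text: str) -> dict:
    """Summarise the settings the guide cares about, for auditing a node."""
    root = ET.fromstring(xml_text)
    rf = root.find("./Appenders/RollingFile[@name='Routing']")
    return {
        "zinc_level": _logger(root, "com.emc.zinc").get("level"),
        "root_level": _logger(root, None).get("level"),
        "size_bytes": parse_size(rf.find("./Policies/SizeBasedTriggeringPolicy").get("size")),
        "max": int(rf.find("./DefaultRolloverStrategy").get("max")),
    }
```

The validation order matters: parse_size and the max check run before any attribute is touched, so a rejected value leaves the tree unchanged, and a caller that writes the result back never ships a file with a level log4j2 does not recognise.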

Managing logs for Elasticsearch

To troubleshoot and diagnose problems, you can manage the log files for the Elasticsearch service.

About the Elasticsearch logs

The Elasticsearch log files are located in /usr/local/search/log/elasticsearch. The default logging level is ERROR.

Elasticsearch uses log4j to manage the log file level, size, and count. The configuration file for log4j is located at /etc/elasticsearch/log4j2.properties.


Manage the log level

The log4j file provides the ability to modify the log level for Elasticsearch.

About this task

To modify the log level, complete the following steps:

Procedure

1. Open the corresponding log4j configuration file.

2. In the log4j configuration file, locate the following section:

   rootLogger.level = error

3. Change the log level by editing the rootLogger.level attribute.

   Specify one of the following log levels:

   - trace
   - debug
   - info
   - warn
   - error

4. Restart the corresponding services.

Manage log size and log count

The log4j utility manages the size of log files, and determines the number of archived log files to maintain for the Elasticsearch service.

Procedure

1. Open the log4j configuration file.

2. In the log4j configuration file, locate the sections that correspond to the following logs:

   - rolling
   - deprecation_rolling
   - index_search_slowlog_rolling
   - index_indexing_slowlog_rolling

   To adjust the size and number of retained logs, locate and modify the following parameters for the log you want to manage:

   Table 13 Elasticsearch log parameters (columns: Parameter name; Description; Default value)

   appender.rolling.policies.size.size
   appender.deprecation_rolling.policies.size.size
     The maximum allowed log size before rotation. Specify the value in KB, MB, or GB.
     Default value: 100 MB

   appender.rolling.strategy.max
   appender.deprecation_rolling.strategy.max
     The maximum number of rotated log files to retain.
     Default value: 5

   appender.index_search_slowlog_rolling.policies.time.interval
   appender.index_indexing_slowlog_rolling.policies.time.interval
     The duration of the logging period, in days.
     Default value: 1
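The Elasticsearch settings above (rootLogger.level and the Table 13 parameters) live in a Java properties file, where a key must be rewritten in place without disturbing the surrounding keys and comments. The following added example, which is neither Dell EMC nor Elastic code, reads such a file, checks the documented parameters against the values the guide allows, and rewrites them. The properties text is constructed from the keys and defaults the guide lists; a real /etc/elasticsearch/log4j2.properties contains many more keys, which the functions leave untouched.

```python
"""Check and edit the Elasticsearch log4j2.properties keys the guide lists:
rootLogger.level plus the Table 13 size, max and time.interval parameters.

Added example, not Dell EMC or Elastic code. The properties text is
constructed from the keys and defaults in the guide.
"""
import re

SAMPLE_PROPERTIES = """status = error

# root level as shipped with Search
rootLogger.level = error
rootLogger.appenderRef.rolling.ref = rolling

appender.rolling.type = RollingFile
appender.rolling.name = rolling
appender.rolling.policies.size.type = SizeBasedTriggeringPolicy
appender.rolling.policies.size.size = 100 MB
appender.rolling.strategy.type = DefaultRolloverStrategy
appender.rolling.strategy.max = 5

appender.deprecation_rolling.policies.size.size = 100 MB
appender.deprecation_rolling.strategy.max = 5

appender.index_search_slowlog_rolling.policies.time.interval = 1
appender.index_indexing_slowlog_rolling.policies.time.interval = 1
"""

LEVELS = ("trace", "debug", "info", "warn", "error")
SIZE_RE = re.compile(r"^\d+\s*(KB|MB|GB)$", re.IGNORECASE)
SIZE_APPENDERS = ("rolling", "deprecation_rolling")
TIME_APPENDERS = ("index_search_slowlog_rolling", "index_indexing_slowlog_rolling")


def parse_properties(text: str) -> dict:
    """Minimal .properties reader: 'key = value', '#'/'!' comments, blank lines."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        props[key.strip()] = value.strip()
    return props


def validate(props: dict) -> list:
    """Return findings against rootLogger.level and Table 13; empty means OK."""
    findings = []
    level = props.get("rootLogger.level")
    if level not in LEVELS:
        findings.append(f"rootLogger.level {level!r} is not one of {'/'.join(LEVELS)}")
    for app in SIZE_APPENDERS:
        size = props.get(f"appender.{app}.policies.size.size")
        if size is None or not SIZE_RE.match(size):
            findings.append(f"appender.{app}.policies.size.size must be N KB/MB/GB, got {size!r}")
        mx = props.get(f"appender.{app}.strategy.max")
        if mx is None or not mx.isdigit() or int(mx) < 1:
            findings.append(f"appender.{app}.strategy.max must be a positive integer, got {mx!r}")
    for app in TIME_APPENDERS:
        days = props.get(f"appender.{app}.policies.time.interval")
        if days is None or not days.isdigit() or int(days) < 1:
            findings.append(f"appender.{app}.policies.time.interval must be >= 1 day, got {days!r}")
    return findings


def set_property(text: str, key: str, value: str) -> str:
    """Rewrite one key in place, keeping comments and order; append if absent."""
    out, done = [], False
    for raw in text.splitlines():
        k, sep, _ = raw.partition("=")
        if sep and not raw.lstrip().startswith(("#", "!")) and k.strip() == key:
            out.append(f"{key} = {value}")
            done = True
        else:
            out.append(raw)
    if not done:
        out.append(f"{key} = {value}")
    return "\n".join(out) + "\n"


def apply_table13(text: str, level: str, size: str, max_files: int, interval_days: int) -> str:
    """Apply one set of values to every Table 13 parameter and validate the result."""
    text = set_property(text, "rootLogger.level", level)
    for app in SIZE_APPENDERS:
        text = set_property(text, f"appender.{app}.policies.size.size", size)
        text = set_property(text, f"appender.{app}.strategy.max", str(max_files))
    for app in TIME_APPENDERS:
        text = set_property(text, f"appender.{app}.policies.time.interval", str(interval_days))
    problems = validate(parse_properties(text))
    if problems:
        raise ValueError("; ".join(problems))
    return text
```

validate is also useful on its own as a drift check: run it over the file on each node after an upgrade to confirm the level is still error and the rotation parameters have not been reset, before a slowlog or deprecation log can grow past what the log disk was sized for.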

Managing logs for Nginx

To troubleshoot and diagnose problems, you can manage the log files for Nginx.

Configuration file location

The following table provides a summary of the configuration files available for Nginx. All the Nginx configuration files are located in /etc/nginx.

Table 14 Nginx log files (columns: Module; Configuration file)

Avamar action service     nginx.avamar-action.conf
CIS                       nginx.cis.conf
Nginx                     nginx.conf
NetWorker action service  nginx.networker-action.conf
Search service            nginx.search.conf

Modifying the log level

The Nginx logging options are highly configurable. The Nginx documentation provides more information.

Manage log size and log count

About this task

The logrotate utility manages the size of log files, and determines the number of archived log files to maintain. The Nginx logrotate configuration file is located at /etc/logrotate.d/nginx.lr.

Procedure

1. Open the Nginx logrotate configuration file.

2. In the logrotate configuration file, locate the following section:

/usr/local/search/log/nginx/nginx*.log {
    su root root
    rotate 5
    size 100M
    missingok
    nodateext
    notifempty
    compress
    delaycompress
    missingok
    lastaction
        pid=/var/run/nginx.pid
        test -s $pid && kill -USR1 "$(cat $pid)"
    endscript
}

3. Change the log size and the number of log files to maintain, by editing the rotate and size parameters.

where:

• rotate defines the number of archived log files that Nginx maintains. The default value is 5.

• size defines the maximum size of the log file. The default value is 100M.

Manage logs for the Puppet agent

To troubleshoot and diagnose problems, you can manage the log files for the Puppet agent.

Manage the log level

The upgrade.conf file provides the ability to modify the log level for the Puppet agent.

About this task

The Puppet agent log files are located in /etc/puppet/log/puppet_agent.log. The default logging level is WARN.

The configuration file for the Puppet agent log is located at /etc/puppet/upgrade.conf.

Procedure

1. Open the corresponding configuration file.

2. In the upgrade.conf configuration file, locate the following section:

loglevel="WARN"

3. Change the log level by editing the loglevel attribute.

Specify one of the following log levels:

• DEBUG
• INFO
• WARN
• ERROR

4. Restart the corresponding services.

Manage log size and log count

About this task

The logrotate utility manages the size of log files, and determines the number of archived log files to maintain. The Puppet agent logrotate configuration file is located at /etc/logrotate.d/puppet.lr.

Procedure

1. Open the Puppet agent logrotate configuration file.

2. In the logrotate configuration file, locate the following section:

/usr/local/search/log/puppet/puppet_*.log {
    su root root
    rotate 5
    size 100M
    missingok
    nodateext
    notifempty
    compress
    delaycompress
    missingok
}

3. Change the log size and the number of log files to maintain, by editing the rotate and size parameters.

where:

• rotate defines the number of archived log files that the Puppet agent maintains. The default value is 5.

• size defines the maximum size of the log file. The default value is 100M.
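The Nginx and Puppet agent procedures above edit the same two logrotate directives, rotate and size, which together bound how much disk a log can consume. The following added example, which is not part of this guide or of Dell EMC Search, parses a logrotate stanza of the shape shown above, skips the lastaction ... endscript shell block so its lines are not mistaken for directives, and computes the worst-case disk footprint the stanza allows; the sample stanza is constructed to match the Nginx one on this page.

```python
import re
# Constructed sample (not the page's file) matching the guide's nginx.lr stanza.
SAMPLE_LR = """
/usr/local/search/log/nginx/nginx*.log {
    su root root
    rotate 5
    size 100M
    missingok
    nodateext
    notifempty
    compress
    delaycompress
    lastaction
        pid=/var/run/nginx.pid
        test -s $pid && kill -USR1 "$(cat $pid)"
    endscript
}
"""
SCRIPT_KEYWORDS = {"prerotate", "postrotate", "firstaction", "lastaction", "preremove"}
UNITS = {"": 1, "k": 1024, "M": 1024 ** 2, "G": 1024 ** 3}

def parse_size(value):
    """Convert a logrotate size such as 100M or 512k to bytes."""
    m = re.fullmatch(r"(\d+)([kMG]?)", value)
    if not m:
        raise ValueError(f"bad size value: {value}")
    return int(m.group(1)) * UNITS[m.group(2)]

def parse_logrotate(text):
    """Return {log_glob: {directive: value}} for every stanza in the file."""
    stanzas, current, in_script = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"): continue
        if in_script:              # lastaction ... endscript is shell, not directives
            in_script = line != "endscript"
        elif line.endswith("{"):   # stanza header carries the log path glob
            current = stanzas.setdefault(line[:-1].strip(), {})
        elif line == "}":
            current = None
        elif current is not None:
            key, _, value = line.partition(" ")
            if key in SCRIPT_KEYWORDS:
                in_script = True
            else:
                current[key] = value.strip()
    return stanzas

def max_disk_bytes(stanza):
    # Upper bound: the live log plus 'rotate' archives, each up to 'size' (compression ignored).
    return parse_size(stanza["size"]) * (int(stanza["rotate"]) + 1)
```

With the page's defaults (rotate 5, size 100M) the bound is 600 MiB per log set, which is the figure to check against the partition that holds /usr/local/search/log when you raise either value.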
