Description
Starting with Compliance Accelerator (CA) 14.1.1 and Discovery Accelerator (DA) 14.4.0, a new feature named Enhanced Auditing has been introduced. When the Enhanced Auditing feature is configured and enabled for a Customer, the audit records for that Customer are sent to the audit server whenever certain operations and modifications are made to modules as selected in the Audit Settings tab in the Audit Server URL, typically https://<DA server name>:81 for DA and https://<CA server name>:81 (VAS) for CA. Changes to these modules made in the Accelerator Client (and CA VAS) are logged. The Audit Viewer tab in the Audit Server URL lets you search and export audit records for various modules and operations at the Application, Case/Department and Folder levels.
Installing and configuring Enhanced Auditing is detailed in the Installation Guide under Installing and configuring the Enhanced Auditing feature. The following is a cheat sheet that outlines the steps and sequence of steps involved. Note these steps and sequence are intended as a general guide only and may change from version to version. Please see the Enterprise Vault Product Documentation under Related Articles below for the latest steps.
1. Prerequisites:
1.1. Install the required minimum version of the .NET Core Hosting Bundle as specified in the Installation Guide (because of varying environmental restrictions, it is recommended to install using administrative rights by right-clicking the installer and using the 'Run as Administrator' option):
1.1.1. .NET Core Hosting Bundle 2.2.8
Main page: https://dotnet.microsoft.com/en-us/download/dotnet/thank-you/runtime-aspnetcore-6.0.1-windows-hosting-bundle-installer
Direct link: https://download.visualstudio.microsoft.com/download/pr/ba001109-03c6-45ef-832c-c4dbfdb36e00/e3413f9e47e13f1e4b1b9cf2998bc613/dotnet-hosting-2.2.8-win.exe
1.1.2. .NET Core Hosting Bundle 5.0.4
Main page: https://dotnet.microsoft.com/en-us/download/dotnet/thank-you/runtime-aspnetcore-5.0.4-windows-hosting-bundle-installer
Direct link: https://download.visualstudio.microsoft.com/download/pr/2281cc70-3851-4dec-b418-4f5be60d8f2e/0163e524e63c2bb07d9da642ca1468d5/dotnet-hosting-5.0.4-win.exe
1.1.3. .NET Core Hosting Bundle 6.0.1
Main page: https://dotnet.microsoft.com/en-us/download/dotnet/thank-you/runtime-aspnetcore-6.0.1-windows-hosting-bundle-installer
Direct link: https://download.visualstudio.microsoft.com/download/pr/b69fc347-c3c8-49bc-b452-dc89a1efdf7b/ebac64c8271dab3b9b1e87c72ef47374/dotnet-hosting-6.0.1-win.exe
1.1.4. .NET Core Hosting Bundle 6.0.12
Main page: https://dotnet.microsoft.com/en-us/download/dotnet/6.0
Direct link: https://dotnet.microsoft.com/en-us/download/dotnet/thank-you/runtime-aspnetcore-6.0.12-windows-hosting-bundle-installer
1.2. Install NodeJS (depending on the environmental restrictions, it may be required to install using administrative rights by running the msi from an administrative (elevated) command prompt or shift-right-clicking the installer, using the Run as a different user option and providing the administrator's credentials):
1.2.1. NodeJS v14.17.3 or greater
Main page: https://nodejs.org/en/blog/release/v14.17.3/
Direct link: https://nodejs.org/dist/v14.17.3/node-v14.17.3-x64.msi
1.3. Install the IIS Security IP and Domain Restrictions feature using the Roles and Features option of the Server Manager application.
It is a good idea to verify all the Web Server (IIS) prerequisites, as below:
- Roles:
-- Web Server | Common HTTP Features: Default Document, Directory Browsing, HTTP Errors, Static Content, HTTP Redirection.
-- Web Server | Health and Diagnostics: HTTP Logging, Logging Tools, Request Monitor, Tracing.
-- Web Server | Performance: Static Content Compression.
-- Web Server | Security: Request Filtering, Basic Authentication, IP and Domain Restrictions, URL Authorization, Windows Authentication.
-- Web Server | Application Development: .NET Extensibility 3.X, .NET Extensibility 4.X, ASP, ASP.NET 3.X, ASP.NET 4.X, CGI, ISAPI Extensions, ISAPI Filters.
-- Management Tools | IIS Management Console: all.
-- Management Tools | IIS 6 Management Compatibility: all.
-- Management Tools | IIS Management Scripts and Tools: all.
-- Management Tools | Management Service: all.
- Features:
-- .NET Framework 3.X Features: all, including HTTP Activation and Non-HTTP Activation.
-- .NET Framework 4.X Features: .NET Framework 4.X, ASP.NET 4.X, WCF Services HTTP Activation, WCF Services Named Pipe Activation, WCF Services TCP Activation, WCF Services TCP Port Sharing.
-- IIS Hostable Web Core.
1.4. Verify CA VAS or the DA web UI (14.4 and higher) are accessible via Chrome or Firefox. Access the web UI at https://<Accelerator server name>:81.
If the port is not known, run the PowerShell command Get-IISSite on the Accelerator server and review the entry for SupervisionWeb (CA VAS) or AuditingWeb (DA).
Here is an example from CA VAS:
Name             ID   State      Physical Path                  Bindings
----             --   -----      -------------                  --------
Default Web Site 1    Started    %SystemDrive%\inetpub\wwwroot  http *:80:
                                                                net.msmq localhost
                                                                msmq.formatname localhost
                                                                net.tcp 808:*
                                                                net.pipe *
                                                                https *:443: sslFlags=None
SupervisionApi   2    Started    E:\Program Files               http *:82:
                                 (x86)\Enterprise Vault
                                 Business
                                 Accelerator\SupervisionApi
SupervisionWeb   3    Started    E:\Program Files               https *:81: sslFlags=None
                                 (x86)\Enterprise Vault
                                 Business
                                 Accelerator\SupervisionWeb
IRApiEndpoint    4    Started    E:\Program Files               https *:449: sslFlags=None
                                 (x86)\Enterprise Vault
                                 Business Accelerator\Veritas
                                 Intelligent
                                 Review\IR.APIEndPoint
Here is an example from DA:
Name             ID   State      Physical Path                  Bindings
----             --   -----      -------------                  --------
Default Web Site 1    Started    %SystemDrive%\inetpub\wwwroot  http *:80:
                                                                net.tcp 808:*
                                                                net.msmq localhost
                                                                msmq.formatname localhost
                                                                net.pipe *
AuditingApi      2    Started    E:\Program Files               http *:82:
                                 (x86)\Enterprise Vault
                                 Business
                                 Accelerator\AuditingApi
AuditingWeb      3    Started    E:\Program Files               https *:81: sslFlags=None
                                 (x86)\Enterprise Vault
                                 Business
                                 Accelerator\AuditingWeb
In these examples, https *:81 indicates the server name can be used in place of the *.
If the Web/API components are not listed, continue to step 1.5. If the Web/API components are listed, continue to step 2.
1.5. If the base version of the Accelerator software is installed, e.g. 14.5.0 or 15.2.0, then the Enhanced Auditing Accelerator components can be installed by modifying the existing Accelerator Server installation. However, if a Release Update is installed, then it will be required to uninstall/reinstall the Accelerator Server software. Please follow the steps in 1.5.1 if only the base version is installed, or 1.5.2 if the base version plus a Release Update is installed.
1.5.1. Base Version
1.5.1.0. Prerequisites.
1.5.1.0.1. Verify the installation media is available on the Accelerator server.
1.5.1.1. To prevent any Storage Tagging issues, stop all EV Archiving Tasks and the Storage services on all EV Archiving servers. The EV Archiving Tasks and Storage services must remain stopped until instructed to start below. Stop the Enterprise Vault Accelerator Manager Service (EVAMS) and wait at least 10-15 minutes to allow all background processing to complete.
1.5.1.2. Open Add Or Remove Programs (appwiz.cpl). Select the Accelerator Server installation, then click on Change or Modify.
1.5.1.3. Click through and complete the installation, providing the requested information as prompted:
1.5.1.3.1. Settings | Modify, repair, or remove installation: Select the Modify option.
1.5.1.3.2. Settings | Custom Setup: Click the top Accelerator Server level, then select Entire feature will be installed on local hard drive.
1.5.1.3.3. Settings | Enhanced Auditing Configuration (DA)/Surveillance Configuration (CA/VAS/Surveillance): This page should not need to be edited and should list the Server Alias as the Accelerator Server hostname, the Website Port as 81 and the Internal Port as 82. Note the Server Alias and Website Port.
1.5.1.3.4. (DA) Settings | Ready to Install: Note the Enhanced Auditing URL. This will be in the form https://<Server Alias>:<Website Port>. This is the URL that will be used to access Enhanced Auditing.
(CA/VAS/Surveillance) Complete: Note the Supervision/Surveillance URL. This will be in the form https://<Server Alias>:<Website Port>. This is the URL that will be used to access Enhanced Auditing.
1.5.1.3.5. Reboot as prompted.
1.5.1.4. Start all EV Archiving Tasks and the Storage services on all EV Archiving servers.
1.5.1.5. Test Accelerator Client and web UI functionality.
1.5.2. Release Update
1.5.2.0. Prerequisites.
1.5.2.0.1. If using CA/VAS/Surveillance, verify the CA Configuration database master key is available. This will be needed when reinstalling CA. If this is not available, do NOT proceed.
1.5.2.0.2. Verify the Accelerator license file is available.
1.5.2.0.3. Capture the information on the current Accelerator server per the steps in Step 1 in the How to uninstall and reinstall Compliance Accelerator, EV Binaries and IIS section of Article How to uninstall and reinstall the Accelerators.
1.5.2.0.4. Verify the installation media for both the base version and Release Update are available on the Accelerator server.
1.5.2.1. Uninstall the Accelerator Server software.
1.5.2.1.1. To prevent any Storage Tagging issues, stop all EV Archiving Tasks and the Storage services on all EV Archiving servers. The EV Archiving Tasks and Storage services must remain stopped until instructed to start below. Stop the Enterprise Vault Accelerator Manager Service (EVAMS) and wait at least 10-15 minutes to allow all background processing to complete.
1.5.2.1.2. Uninstall the Accelerator Server software (reboot as prompted). Note - Do NOT uninstall Enhanced Auditing, if installed.
1.5.2.1.3. Open IIS Manager (Start | Windows Administrative Tools | Internet Information Services (IIS) Manager). Remove any Accelerator websites under the Default Web Site, such as EVBAAdmin, any Customer websites, CAReporting/DAReporting. Remove any VAS websites under Sites, such as SupervisionApi and SupervisionWeb. Then remove any CA/DA Application Pools, such as EVAcceleratorAppPool, SupervisionApi, SupervisionWeb. If an AppPool cannot be deleted because there are associated applications (under View Applications), Stop the AppPool first, then delete it.
1.5.2.1.4. If the Accelerator installation folder is still present, rename the Accelerator installation folder to append _OLD. Then reboot the Accelerator server.
1.5.2.2. Reinstall the base version of the Accelerator Server. Click through and complete the installation, providing the requested information as prompted:
1.5.2.2.1. Settings | Choose Setup Type: Select the Custom option.
1.5.2.2.2. Settings | Custom Setup: Click the top Accelerator Server level, then select Entire feature will be installed on local hard drive.
1.5.2.2.3. Settings | Enhanced Auditing Configuration (DA)/Surveillance Configuration (CA/VAS/Surveillance): This page should not need to be edited and should list the Server Alias as the Accelerator Server hostname, the Website Port as 81 and the Internal Port as 82. Note the Server Alias and Website Port.
1.5.2.2.4. (DA) Settings | Ready to Install: Note the Enhanced Auditing URL. This will be in the form https://<Server Alias>:<Website Port>. This is the URL that will be used to access Enhanced Auditing.
(CA/VAS/Surveillance) Complete: Note the Supervision/Surveillance URL. This will be in the form https://<Server Alias>:<Website Port>. This is the URL that will be used to access Enhanced Auditing.
1.5.2.2.5. Reboot as prompted.
1.5.2.2.6. Do NOT connect to EVBAAdmin.
1.5.2.3. Reinstall the Accelerator Server Release Update version that was previously installed:
1.5.2.3.1. Select the Install Surveillance option when prompted for CA/VAS/Surveillance.
1.5.2.3.2. Reboot as prompted.
1.5.2.4. Connect to the existing Configuration database.
1.5.2.4.1. Connect to http://localhost/EVBAAdmin.
If the Configuration Database Details page is not displayed and an upgrade page appears instead with the message "The ... Configuration Database needs to be updated to version ... . Click 'Update' to start.", this is usually due to installing the base version and then immediately installing a release update. This is not a cause for concern and is expected behaviour. To remedy this, search for all .config files with the following line: <add key="State" value="Upgraded" />. The number of files will vary from version to version. Here is an example list at the time of writing:
AcceleratorManager.exe.config
AcceleratorManagerConsole.exe.config
AcceleratorService.exe.config
AcceleratorService64.exe.config
ADSynchroniser.exe.config
ImportExport.exe.config
Edit the <add key="State" value="Upgraded" /> line in each of these .config files to change the word Upgraded to Uninstalled, as follows: <add key="State" value="Uninstalled" />. Restart the EVAMS and then connect to the EVBAAdmin website.
1.5.2.4.2. Select the Use Existing Database option.
1.5.2.4.3. Enter the remaining information to point to the existing Accelerator Configuration database. If installing CA/VAS/Surveillance and if the database master key section is present, enter the database master key. Then browse to the license file.
1.5.2.4.4. Restart the Enterprise Vault Accelerator Manager Service (and Enterprise Vault IR Classifier Service, Enterprise Vault IR Model Builder Service and IIS for CA/VAS/Surveillance).
1.5.2.4.5. At this point, the EVBAAdmin website should show the previously existing Accelerator Customers. Right-click each Customer and click on the Check Virtual Directory option to create the required IIS virtual directories.
1.5.2.5. Start all EV Archiving Tasks and the Storage services on all EV Archiving servers.
1.5.2.6. Test Accelerator Client and web UI functionality.
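The .config edit in step 1.5.2.4.1 can be scripted. The following PowerShell is an added example, not vendor-supplied code: it reports the matching files by default and only edits them, after taking a backup copy of each, when run with -Apply. The parameter names and the $InstallPath default (taken from the Physical Path column of the sample Get-IISSite output in step 1.4) are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example, not vendor-supplied code.
# Finds .config files that contain <add key="State" value="Upgraded" /> and,
# with -Apply, changes the value to Uninstalled as described in step 1.5.2.4.1.
param(
    # Assumption: set this to the actual Accelerator installation folder.
    [string]$InstallPath = 'E:\Program Files (x86)\Enterprise Vault Business Accelerator',
    [switch]$Apply   # without -Apply nothing is written
)

$xpath = "//add[@key='State' and @value='Upgraded']"
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'

$results = foreach ($file in Get-ChildItem -LiteralPath $InstallPath -Filter '*.config' -Recurse -File) {
    $doc = New-Object System.Xml.XmlDocument
    $doc.PreserveWhitespace = $true   # keep the file's existing layout when saving
    try {
        $doc.Load($file.FullName)
    } catch {
        Write-Warning "Skipping $($file.FullName): not well-formed XML"
        continue
    }

    $nodes = $doc.SelectNodes($xpath)
    if ($nodes.Count -eq 0) { continue }

    $action = 'WouldChange'
    if ($Apply) {
        # Timestamped copy next to the original so each edit can be reverted.
        Copy-Item -LiteralPath $file.FullName -Destination "$($file.FullName).$stamp.bak"
        foreach ($node in $nodes) { $node.SetAttribute('value', 'Uninstalled') }
        $doc.Save($file.FullName)
        $action = 'Changed'
    }

    [pscustomobject]@{ File = $file.FullName; Matches = $nodes.Count; Action = $action }
}

if ($results) { $results | Format-Table -AutoSize }
else { Write-Host "No .config file under '$InstallPath' has State set to Upgraded." }
```

Compare the reported files with the list in step 1.5.2.4.1 before running with -Apply, then restart the EVAMS as that step describes.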
2. Enhanced Auditing Prerequisites:
2.1. See the Prerequisites for the Enhanced Auditing feature section in the Installing and configuring the Enhanced Auditing feature Chapter/Appendix in the Installation Guide for the version-specific prerequisites.
The guidance is to install Enhanced Auditing on a server that is not the Accelerator server. This is to allow the Enhanced Auditing server to be segregated from the active Accelerator servers. Enhanced Auditing can be installed on an active Accelerator server as long as the server's hardware can accommodate both products and as long as it is understood there may be a performance difference when compared to installing Enhanced Auditing on a non-Accelerator server. Here is a short list:
2.1.1. See the Hardware Requirements section for the minimum specifications. Note these are minimum specifications only. It is recommended to have more than the minimum specifications for optimum performance.
2.1.2. .NET 4.7.2.
2.1.3. .NET 5.0 Runtime.
2.1.4. IIS 8.5 or later with the same prerequisites as listed above. Of note is the Web Server | Security: IP and Domain Restrictions requirement.
2.1.5. ASP.NET Core Runtime. This is the same as the .NET Core Hosting Bundle above.
2.1.6. Microsoft Visual C++ 2013 Redistributable (x86) or Microsoft Visual C++ 2015-2019 Redistributable (x86).
2.1.7. PowerShell 4.0 or later version.
2.1.8. The user performing the installation must be a domain user and must have Local Administrator rights on the Enhanced Auditing server.
2.1.9. Copy the Enhanced Auditing installation folder from the installation media to the server where Enhanced Auditing will be installed.
2.2. Follow the steps in the Installing the Enhanced Auditing feature section of the Installation Guide. The Auditing Server installation can take an extended amount of time - this is normal. On the final installer screen, make a note of the Audit Server URL.
3. Enable Auditing on the Accelerator server.
3.1. This requires the user to be Assigned to an Application Role with the Modify System Configuration and View System Configuration Permissions.
3.2. If Auditing is installed on another server that is not the Accelerator server, install the AuditAppCert.pfx certificate from the Auditing server on the Accelerator server (skip this step if Auditing is installed on the Accelerator server):
3.2.1. Open IIS Manager on the Auditing server and open the Server Certificates option from the Features View.
3.2.2. Export the AuditAppCert.pfx (provide an export location and password).
3.2.3. Copy the AuditAppCert.pfx certificate to the Accelerator server.
3.2.4. On the Accelerator server, right-click the AuditAppCert.pfx certificate | Install PFX | Import to Local Machine | Select the option to Mark this key as exportable | Place all certificates in the following store | Trusted Root Certification Authorities | Complete the import.
3.3. Open the Client | Configuration | Settings | Auditing.
3.4. Enable Auditing: enable.
3.5. Audit Server URL: set to the Audit Server URL as listed on the final Auditing installation screen. This is typically https://<Server name>:448.
The PowerShell command Get-IISSite can be run to confirm, as above.
3.6. Acknowledge any prompts to restart Remoting, Background Tasks or the service. When enabling Auditing under Configuration Settings and acknowledging the prompt to restart services, rebooting the Accelerator server does not accomplish the same thing. It is required to stop the Enterprise Vault Accelerator Manager Service (EVAMS), run IISRESET, then start the EVAMS before configuring Auditing. Restart as follows:
3.6.1. Stop the EVAMS.
3.6.2. Restart IIS via the command prompt command IISRESET.
3.6.3. Start the EVAMS.
3.6.4. Restart the Customer's Background Task (CBT) for the Customer where Auditing was enabled in EVBAAdmin (http://localhost/evbaadmin) on the Accelerator server. If the CBTs are not restarted, the Configuration | Audit Settings page may display a blue banner with: The audit feature is not configured yet. Audit-specific settings will be available after the feature is configured.
3.6.4.1. Expand the Accelerator server.
3.6.4.2. Right-click the Accelerator Customer | Properties | De-select Enable Customer's tasks | click OK.
3.6.4.3. Click on the Customer and monitor the Current Status pane until Customers tasks shows Stopped.
3.6.4.4. Then right-click the Accelerator Customer | Properties | Select Enable Customer's tasks | click OK.
3.6.4.5. Click on the Customer and monitor the Current Status pane until Customers tasks shows Running.
4. Enable the Audit Settings in the Auditing website for DA at https://<DA server name>:81 or in VAS for CA at https://<CA server name>:81 under Configuration | Audit Settings. This requires the user to be Assigned to an Application Role with the Modify Audit Settings, Modify System Configuration, View Audit Information, View Audit Settings and View System Configuration Permissions.
5. Once captured and logged, Audit events may then be reviewed and exported in the Audit Viewer. This requires the user to be Assigned to an Application Role with the View Audit Information Permission (to see Audit events relating to the Application) and/or to a Case/Department Role with the View Audit Information Permission (to see Audit events relating to the Case/Department).
Notes
1. Audit Logs
Installation logs: C:\Users\<user account>\Appdata\Local\Temp\. Installation logs are also located at \Program Files\Veritas Enhanced Auditing\InstallUtil\Installation.zip in the InstallLog file (open with any text editor). They may also be found in \Program Files\Veritas Enhanced Auditing\Install\ in the InstallLog file (open with any text editor).
Auditing logs: \Program Files\Veritas Enhanced Auditing\Logs\AuditServer.X.log
ElasticSearch logs: \Program Files\Elastic\elasticsearch-X-windows-x86_64\elasticsearch-X\logs
2. Managing Accelerator Server Access
While installing the Enhanced Auditing feature, a comma-separated list of IP addresses of the servers from which the Audit Server will be accessed is provided. These are the IP addresses for each protocol (IPv4 and IPv6) that are enabled on the Accelerator server. These IP addresses get listed under Allowed Sites in IIS Manager. If an IP address of the Accelerator server is changed, it will need to be updated in IIS Manager on the Audit Server so that the Audit Server can be accessed. To update the allowed IP addresses to access the Audit Server:
- On the Audit Server, open the IIS Manager.
- Expand Sites, and then click the Auditing Server site.
- In the right pane, double-click IP Address and Domain Restrictions.
- On the IP Address and Domain Restrictions screen, right-click the entry containing the old address for the Accelerator server, and then click Remove.
- Under Actions, click Add Allow Entry.
- On the Add Allow Restriction Rule dialog, add the new IP address in the Specific IP address field, and then click OK.
Note that a specific IP address can be added or a range can be added. For a range, specify the starting IP and subnet mask (https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831785(v=ws.11)).
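The allow list described above can also be checked from PowerShell on the Audit Server. The following is an added example, not vendor-supplied code: it compares the site's allow entries with the Accelerator server's current addresses, warns if unlisted addresses are accepted, and with -Fix removes stale single-address entries and adds missing ones. The parameter names are hypothetical, and the site name 'Auditing Server' is an assumption to confirm with Get-IISSite.

```powershell
#Requires -RunAsAdministrator
# Added example, not vendor-supplied code. Run on the Audit Server.
param(
    [string]$SiteName = 'Auditing Server',       # assumption: name shown under Sites in IIS Manager
    [Parameter(Mandatory)][string[]]$Expected,   # current Accelerator server IPs (IPv4 and IPv6)
    [switch]$Fix                                 # report only unless -Fix is given
)
Import-Module WebAdministration

$filter = 'system.webServer/security/ipSecurity'
$common = @{ PSPath = 'IIS:\'; Location = $SiteName }

# Canonical text form, so that equivalent IPv6 spellings compare equal.
function ConvertTo-CanonicalIp([string]$Address) { ([ipaddress]$Address).ToString() }

$want = @($Expected | ForEach-Object { ConvertTo-CanonicalIp $_ })

# Allow entries for the site, split into single addresses and ranges.
$entries = @(Get-WebConfiguration @common -Filter "$filter/add" | Where-Object { $_.allowed })
$single  = @($entries | Where-Object { -not $_.subnetMask -or $_.subnetMask -eq '255.255.255.255' })
$ranges  = @($entries | Where-Object { $_.subnetMask -and $_.subnetMask -ne '255.255.255.255' })

$have    = @($single | ForEach-Object { ConvertTo-CanonicalIp $_.ipAddress })
$stale   = @($single | Where-Object { $want -notcontains (ConvertTo-CanonicalIp $_.ipAddress) })
$missing = @($want | Where-Object { $have -notcontains $_ })

# If unlisted addresses are allowed, the allow entries restrict nothing.
$allowUnlisted = (Get-WebConfigurationProperty @common -Filter $filter -Name 'allowUnlisted').Value
if ($allowUnlisted) {
    Write-Warning "allowUnlisted is true on '$SiteName': addresses not in the list are accepted."
}

$ranges  | ForEach-Object { Write-Host "Range entry (review manually): $($_.ipAddress) / $($_.subnetMask)" }
$stale   | ForEach-Object { Write-Host "Stale allow entry: $($_.ipAddress)" }
$missing | ForEach-Object { Write-Host "Missing allow entry: $_" }

if ($Fix) {
    # Same order as the manual steps: remove the old address, then add the new one.
    foreach ($entry in $stale) {
        Remove-WebConfigurationProperty @common -Filter $filter -Name '.' `
            -AtElement @{ ipAddress = $entry.ipAddress }
    }
    foreach ($ip in $missing) {
        Add-WebConfigurationProperty @common -Filter $filter -Name '.' `
            -Value @{ ipAddress = $ip; allowed = 'true' }
    }
}
```

Range entries are only reported, never changed, because a range may legitimately cover the Accelerator server's address.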