Dell EMC Search Version 19.1 Security Configuration Guide 302-005-799 REV 01


Copyright © 2018-2019 Dell Inc. or its subsidiaries. All rights reserved.

Published May 2019

Dell believes the information in this publication is accurate as of its publication date. The information is subject to change without notice.

THE INFORMATION IN THIS PUBLICATION IS PROVIDED “AS-IS.” DELL MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. USE, COPYING, AND DISTRIBUTION OF ANY DELL SOFTWARE DESCRIBED IN THIS PUBLICATION REQUIRES AN APPLICABLE SOFTWARE LICENSE.

Dell, EMC, and other trademarks are trademarks of Dell Inc. or its subsidiaries. Other trademarks may be the property of their respective owners.

Published in the USA.

Dell EMC
Hopkinton, Massachusetts 01748-9103
1-508-435-1000 In North America 1-866-464-7381
www.DellEMC.com


CONTENTS

Preface

Chapter 1: Communication Security
    Port usage
    Network encryption
    Cryptographic modules
    Login, session, and password protection
    Firewall rules
    NFS share
    Elasticsearch REST API
    Data security

Chapter 2: Access control
    Default accounts
    Search application settings
    Avamar action service settings
    NetWorker action service settings
    Common Index Service settings
    Configure LDAP and AD users
    Maintaining the Search OpenLDAP server
    Authentication configuration
    About roles
        System Administrator role
        Application Administrator role
        Full Access Search (Global) role
        Index specific search roles
    Managing roles
        Assign roles to users or groups
        Remove users or groups
        Edit role assignments
    Log files
        Copy log files (WinSCP)
        Copy log files (PuTTy)
    Managing logs
        Managing logs for API-based services
        Managing logs for Worker and Action services
        Managing logs for Elasticsearch
        Managing logs for Nginx
        Manage logs for the Puppet agent

Preface

As part of an effort to improve product lines, periodic revisions of software and hardware are released. Therefore, all versions of the software or hardware currently in use might not support some functions that are described in this document. The product release notes provide the most up-to-date information on product features.

If a product does not function correctly or does not function as described in this document, contact a technical support professional.

Note

This document was accurate at publication time. To ensure that you are using the latest version of this document, go to the Support website https://www.dell.com/support.

Purpose
This document describes the security features and settings of Dell EMC Search.

Audience
This document is intended for the following administrators who will be involved in managing Search.

• Search administrator
• Index administrator

Revision history
The following table includes information about the revision history of this publication:

Table 1 Revision history

| Revision | Date | Changes |
|---|---|---|
| 01 | May 20, 2019 | GA release of the Search 19.1 Security Configuration Guide. |

Related documentation
The following publications provide additional information:

• Search Deployment and Administration Guide
• Search Security Configuration Guide
• E-Lab Navigator at https://elabnavigator.emc.com/eln/elnhome
• Search Release Notes

Special notice conventions that are used in this document
The following conventions are used for special notices:

NOTICE

Identifies content that warns of potential business or data loss.


Note

Contains information that is incidental, but not essential, to the topic.

Typographical conventions
The following type style conventions are used in this document:

Table 2 Style conventions

Bold: Used for interface elements that a user specifically selects or clicks, for example, names of buttons, fields, tab names, and menu paths. Also used for the name of a dialog box, page, pane, screen area with title, table label, and window.

Italic: Used for full titles of publications that are referenced in text.

Monospace: Used for:
• System code
• System output, such as an error message or script
• Pathnames, file names, file name extensions, prompts, and syntax
• Commands and options

Monospace italic: Used for variables.

Monospace bold: Used for user input.

[ ]: Square brackets enclose optional values.

|: Vertical line indicates alternate selections. The vertical line means or for the alternate selections.

{ }: Braces enclose content that the user must specify, such as x, y, or z.

...: Ellipses indicate non-essential information that is omitted from the example.

You can use the following resources to find more information about this product, obtain support, and provide feedback.

Where to find product documentation

• https://www.dell.com/support
• https://community.emc.com

Where to get support
The Support website https://www.dell.com/support provides access to product licensing, documentation, advisories, downloads, and how-to and troubleshooting information. The information can enable you to resolve a product issue before you contact Support.

To access a product-specific page:

1. Go to https://www.dell.com/support.

2. In the search box, type a product name, and then from the list that appears, select the product.

Knowledgebase
The Knowledgebase contains applicable solutions that you can search for either by solution number (for example, KB000xxxxxx) or by keyword.


To search the Knowledgebase:

1. Go to https://www.dell.com/support.

2. On the Support tab, click Knowledge Base.

3. In the search box, type either the solution number or keywords. Optionally, you can limit the search to specific products by typing a product name in the search box, and then selecting the product from the list that appears.

Live chat
To participate in a live interactive chat with a support agent:

1. Go to https://www.dell.com/support.

2. On the Support tab, click Contact Support.

3. On the Contact Information page, click the relevant support, and then proceed.

Service requests
To obtain in-depth help from Licensing, submit a service request. To submit a service request:

1. Go to https://www.dell.com/support.

2. On the Support tab, click Service Requests.

Note

To create a service request, you must have a valid support agreement. For details about either an account or obtaining a valid support agreement, contact a sales representative. To get the details of a service request, in the Service Request Number field, type the service request number, and then click the right arrow.

To review an open service request:

1. Go to https://www.dell.com/support.

2. On the Support tab, click Service Requests.

3. On the Service Requests page, under Manage Your Service Requests, click View All Dell Service Requests.

Online communities
For peer contacts, conversations, and content on product support and solutions, go to the Community Network https://community.emc.com. Interactively engage with customers, partners, and certified professionals online.

How to provide feedback
Feedback helps to improve the accuracy, organization, and overall quality of publications. You can send feedback to [email protected].


CHAPTER 1

Communication Security

Communication security settings establish secure communication channels between product components and external systems or components. This chapter contains the following topics:

• Port usage
• Network encryption
• Cryptographic modules
• Login, session, and password protection
• Firewall rules
• NFS share
• Elasticsearch REST API
• Data security


Port usage
The ports that are listed in the following table are the Search default ports for the various components that all use the TCP/HTTPS protocol. Some of these ports can be changed. Various configuration files must be manually edited.

The following table lists the required ports for Search.

Table 3 Default ports

| Component | Service | Protocol | Port | Description |
|---|---|---|---|---|
| Common Indexing Service | NGINX | TCP/HTTPS | 442 | Secure access to Elasticsearch. |
| Search and Admin UIs and APIs | NGINX | TCP/HTTPS | 443 | Admin web application. Search web application. Admin REST API. Search REST API. |
| Common Indexing Service | NGINX | TCP/HTTPS | 445 | CIS REST API. The Common Indexing Service (CIS) provides a secure layer above Elasticsearch. |
| Elasticsearch cluster ports | NGINX | TCP/HTTPS | 9300–9400 | Ports for communicating with Elasticsearch (Index data nodes). Elasticsearch cluster ports are only opened internally, and are not for external access. |
| Puppet | Puppet | TCP | 8140, 61613 | Puppet master, agent, and console. Puppet ports must be open between Search nodes to allow for communication during an automatic upgrade. |
| Avamar Client | Avamar Client | TCP | 28000-29000, 30000-31000 | Ports for Avamar client communicating with Avamar server. Each client requires two ports from each port range. |
| NetWorker Client | NetWorker Client | TCP | 7937-8100 | Ports for NetWorker client communicating with NetWorker server. |
| OpenLDAP | slapd | TCP | 389 | Ports for the Search node communicating with OpenLDAP, and sync between OpenLDAP, are only opened internally. |
| SSH | sshd | TCP | 22 | Client connects to server through ssh. |
| NFS | nfs | TCP | 111, 2049 | Ports for communicating with NFS are only opened internally. |

The following figure displays port data flow and access. Inbound ports that are allowedinclude:


• 443 (mandatory)
• 442
• 445
• 8140
• 61613
• 9300–9400
• 28000-29000
• 30000-31000
• 7937-8100
• 389
• 22
• 111
• 2049

Figure 1 Port data flow and access

The following figure displays communications between Search nodes.

Note

Ports are still open.

Figure 2 Communications between Search nodes


Network encryption
The following table outlines the encryption strategies that are employed.

Table 4 Encryption strategies

| Communication | Encryption type |
|---|---|
| Web browser and Search web server (Admin/Search web applications) | TLS 1.2 with server authentication |
| Web browser and CIS web server (if going directly to CIS/Elasticsearch) | TLS 1.2 with mutual authentication |
| Search web server and CIS web server | TLS 1.2 with mutual authentication |
| Search web server and Search Action service APIs (Avamar/NetWorker) | TLS 1.2 with mutual authentication |

Note

For Avamar, SSL between Search and the Avamar Web Service is used with keystore to store the certificate for web service authentication. For NetWorker, backup and archive data on UNIX and Windows hosts are encrypted with the aes Application Specific Module (ASM). The aes ASM provides 256-bit data encryption. Backup data is encrypted based on a user-defined pass phrase. If no pass phrase is specified, data is encrypted with the default pass phrase.

Cryptographic modules
The following is a list of cryptographic modules that are used by Search:

• HS256 for signing JWT
• RSA1_5 2048 bit algorithms for encrypting the web tokens
• AES_256_GCM for lockbox encryption
• SHA256 2048 bit algorithms for NGINX SSL certificates

Disable the following ciphersuites:

• Null and low security ciphersuites
• Insecure algorithms: MD5, RC4, SHA1, and DES
• Little-used ciphers: kECDH, EXP, PSK, SRP, CAMELLIA, SEED, and DSS

Login, session, and password protection
The local system accounts allow users to log in to the virtual machine and access Elasticsearch directly by using port http://localhost:9200. This port is not accessible remotely. Local system access allows unrestricted access to Elasticsearch. Therefore, it is important that local system access is restricted.

Note

Elasticsearch is accessible remotely through port 442 and requires CIS credentials before login.

The Search login session expires after a 20 minute period of inactivity.

Firewall rules
Search requires access to the following external (world wide) ports:

• 442:445 (Web/Rest API)
• 28000-29000, 30000-31000 (Avamar Client)
• 7937-8100 (NetWorker client)
• 22 (SSH)

Search requires access to the following internal ports:

• 389 (openLDAP)
• 8140 (Puppet Master and Master node only)
• 61613 (Puppet)
• 9300:9400 (Elasticsearch)
• 111, 2049 (NFS)

To use ports 9300–9400, CIS provides access to IP addresses within a subnet. An example subnet is 128.222.162.

Elasticsearch nodes use ports 9300–9400 to form a cluster and to communicate with other Elasticsearch nodes.

NFS share
The Common Indexing Service (CIS) requires an NFS share to store backup files. You can only access this share internally, within a subnet.

For details, check the /etc/exports file.

Elasticsearch REST API
You can use the Elasticsearch REST API to implement custom applications or widgets. However, Dell does not support this API.

For more information, see the Elasticsearch documentation.

Data security
Search encrypts all in-flight data by using https.

Communication between Elasticsearch nodes is not encrypted.

Communication between Search node and local OpenLDAP is not encrypted.

Communication between Search node and NFS share is not encrypted.


CHAPTER 2

Access control

Access control settings provide protection of resources against unauthorized access.

This chapter contains the following topics:

• Default accounts
• Search application settings
• Avamar action service settings
• NetWorker action service settings
• Common Index Service settings
• Configure LDAP and AD users
• Maintaining the Search OpenLDAP server
• Authentication configuration
• About roles
• Managing roles
• Log files
• Managing logs


Default accounts
The following table lists the default Search accounts.

Table 5 Default account names

| Account type | Username | Description |
|---|---|---|
| User account | admin | Default system, application, and search admin account. Set at deployment time. |
| Root user | root | Root account for the virtual machine terminal. Set at deployment time. |

All other accounts are managed with an LDAP solution, such as Microsoft Active Directory. Any external LDAP accounts are specified by using the Search Administration application.

Search application settings
The /etc/nginx/nginx.conf file contains definitions for default ports and self-signed certificates for exposed UIs and REST APIs.

The /etc/nginx/nginx.search.conf file includes settings for the following components:

• Search UI
• Search REST API
• Admin UI
• Admin REST API

By default, in the /etc/nginx/nginx.search.conf file, the following settings are used:

• Port 443
• Self-signed certificate /usr/local/search/etc/cert/server.crt
• ssl_client_certificate /usr/local/search/action/search/etc/certs/ca.crt
• Key /usr/local/search/etc/cert/server.key

To make changes to the default port, self-signed certificate, ssl_client_certificate, or key, edit the following file:

/etc/nginx/nginx.search.conf

After changes are made to the file, restart nginx.

Note

If a port is changed, update the firewall settings.

The /etc/nginx/nginx.search.conf file also contains the following configurations:

• SSL protocols (ssl_protocols)
• SSL ciphers (ssl_prefer_server_ciphers, ssl_ciphers)
• Prevent clickjacking configuration (add_header X-Frame-Options)
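
One way to check a file such as /etc/nginx/nginx.search.conf against the settings this guide names: TLS 1.2, the ciphersuites listed for disabling under Cryptographic modules, and the X-Frame-Options header. This is an added example, not Dell EMC code; the OpenSSL keyword spellings, the function names and both sample configurations are constructed assumptions, and the cipher check is a text heuristic rather than an expansion of the cipher string.

```python
import re

# The guide's "Disable the following ciphersuites" list written as OpenSSL
# cipher-string keywords. Keyword spellings and aliases are assumptions of
# this example; the guide names the algorithms, not the exact keywords.
GUIDE_DISABLED = {
    "aNULL": {"aNULL"}, "eNULL": {"eNULL", "NULL"}, "LOW": {"LOW"},
    "MD5": {"MD5"}, "RC4": {"RC4"}, "SHA1": {"SHA1", "SHA"}, "DES": {"DES"},
    "kECDH": {"kECDH"}, "EXP": {"EXP", "EXPORT"}, "PSK": {"PSK"},
    "SRP": {"SRP"}, "CAMELLIA": {"CAMELLIA"}, "SEED": {"SEED"},
    "DSS": {"DSS", "aDSS"},
}
# Name parts that mark an explicitly included token as one the guide disables.
WEAK_PART = re.compile(
    r"^(A?NULL|ENULL|LOW|MD5|RC4|SHA1?|DES|EXP(ORT)?|PSK|SRP|CAMELLIA\d*|SEED|DSS|KECDH)$",
    re.IGNORECASE,
)
OLD_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def parse_directives(conf_text):
    """Return {name: [value, ...]} for simple 'name value;' nginx directives."""
    directives = {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        match = re.match(r"(\w+)\s+(.+?);\s*$", line)
        if match:
            value = match.group(2).strip("'\" ")
            directives.setdefault(match.group(1), []).append(value)
    return directives


def check_ciphers(cipher_string):
    """Return (weak tokens that are included, guide keywords not excluded)."""
    tokens = [t for t in re.split(r"[:, ]+", cipher_string) if t]
    excluded = {t[1:] for t in tokens if t.startswith("!")}
    # '-', '+' and '@' tokens remove, reorder or tune; they do not add suites.
    included = [t for t in tokens if t[0] not in "!-+@"]
    weak = [t for t in included
            if any(WEAK_PART.match(part) for part in re.split(r"[+-]", t))]
    # Explicit TLS 1.2 suite names contain '-'; anything else is a class
    # keyword (HIGH, ECDH+AESGCM, ...) that needs the '!' exclusions.
    uses_class_keyword = any("-" not in t for t in included)
    missing = [name for name, aliases in GUIDE_DISABLED.items()
               if uses_class_keyword and not (aliases & excluded)]
    return weak, missing


def audit_nginx_tls(conf_text):
    """Return a list of findings for one nginx configuration text."""
    directives = parse_directives(conf_text)
    findings = []
    protocols = " ".join(directives.get("ssl_protocols", [])).split()
    if not protocols:
        findings.append("ssl_protocols is not set")
    for proto in protocols:
        if proto in OLD_PROTOCOLS:
            findings.append(f"ssl_protocols enables {proto}; the guide specifies TLS 1.2")
    if not directives.get("ssl_ciphers"):
        findings.append("ssl_ciphers is not set")
    for value in directives.get("ssl_ciphers", []):
        weak, missing = check_ciphers(value)
        findings += [f"ssl_ciphers includes {token}" for token in weak]
        findings += [f"ssl_ciphers does not exclude {name}" for name in missing]
    headers = directives.get("add_header", [])
    if not any(re.match(r'X-Frame-Options\s+"?(DENY|SAMEORIGIN)', h, re.I) for h in headers):
        findings.append("X-Frame-Options header is missing")
    return findings


# Constructed sample configurations (not the appliance's shipped files).
WEAK_CONF = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:RC4-SHA:!aNULL:!MD5;
}
"""
HARDENED_CONF = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:!aNULL:!eNULL:!LOW:!MD5:!RC4:!SHA1:!DES:!kECDH:!EXP:!PSK:!SRP:!CAMELLIA:!SEED:!DSS';
    add_header X-Frame-Options SAMEORIGIN;  # clickjacking protection
}
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_nginx_tls(conf) or "no findings")
```

The same function can be run over the action-service and CIS files named in the following sections, which carry no X-Frame-Options setting in this guide, so that finding is expected there.
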

Avamar action service settings
When actions are triggered, the Search UI calls the Search action service. In the /etc/nginx/nginx.avamar-action.conf file, the Search action service is defined.

By default, in the /etc/nginx/nginx.avamar-action.conf file, the following settings are used:

• Port 450
• ssl_certificate_key /usr/local/search/etc/cert/server.key
• ssl_certificate /usr/local/search/etc/cert/server.crt
• ssl_client_certificate /usr/local/search/etc/cert/ca.crt

To make changes to the default port, ssl_certificate_key, ssl_certificate, or ssl_client_certificate, edit the following file:

/etc/nginx/nginx.avamar-action.conf

After changes are made to the file, restart Nginx.

Note

If a port is changed, update the firewall settings.

The /etc/nginx/nginx.avamar-action.conf file also contains the following configurations:

• SSL protocols (ssl_protocols)
• SSL ciphers (ssl_prefer_server_ciphers, ssl_ciphers)

NetWorker action service settings
When actions are triggered, the Search UI calls the Search action service. In the /etc/nginx/nginx.networker-action.conf file, the Search action service is defined.

By default, in the /etc/nginx/nginx.networker-action.conf file, the following settings are used:

• Port 449
• ssl_certificate_key /usr/local/search/etc/cert/server.key
• ssl_certificate /usr/local/search/etc/cert/server.crt
• ssl_client_certificate /usr/local/search/etc/cert/ca.crt

To make changes to the default port, ssl_certificate_key, ssl_certificate, or ssl_client_certificate, edit the following file:

/etc/nginx/nginx.networker-action.conf

After changes are made to the file, restart nginx.

Note

If a port is changed, update the firewall settings.

The /etc/nginx/nginx.networker-action.conf file also contains the following configurations:

• SSL protocols (ssl_protocols)
• SSL ciphers (ssl_prefer_server_ciphers, ssl_ciphers)

Common Index Service settings
In the /etc/nginx/nginx.cis.conf file, settings for the Common Index Service (CIS) are defined.

By default, the /etc/nginx/nginx.cis.conf file uses the following settings:

• Port 445
• Self-signed certificate /usr/local/search/etc/cert/server.crt
• Key /usr/local/search/etc/cert/server.key

Note

As an Elasticsearch passthrough, CIS opens a secondary port. The default port changes to 442.

To make changes to the default port, self-signed certificate, or key, edit the following file:

/etc/nginx/nginx.cis.conf

After changes are made to the file, restart nginx.

Note

If a port is changed, update the firewall settings.

Configure LDAP and AD users
Search is configured with a built-in OpenLDAP service that includes preconfigured user accounts and groups. The Admin user account is preconfigured to include the system, application, and search Admin roles, which provides access to all Search functionality. While this account is useful for initial configuration, it is best practice to add one or more external Active Directory (AD) or OpenLDAP servers, and assign users or groups from those servers to Search roles. After you add the external AD or OpenLDAP servers, you can disable or remove the built-in OpenLDAP server.

The built-in OpenLDAP service is configured with a password policy to protect from brute-force attacks, and also enables automatic account unlock to prevent an account lockout attack.

The default Admin user account is not configured with an email address, and therefore cannot receive email notifications by default.

To configure LDAP and AD users, perform the following actions:


Procedure

1. In the Manage drop-down list, select System.

The System Administration view appears.

2. Click Administration > Options > LDAP Options.

The LDAP Options window appears.

3. To add an LDAP server, click .

The Add LDAP Configuration window appears.

4. In the Name field, type the LDAP configuration name.

5. In the Server Type field, select either of the following authentication types:

• Active Directory
• OpenLDAP

6. In the LDAP Server field, type either of the following:

• Hostname of the LDAP or AD server
• IP address of the LDAP or AD server

7. In the LDAP port field, type the port number that the external authentication authority uses.

For LDAP, the default port number is 389.

For SSL, the default number for LDAPS changes to 636 when True is selected.

8. In the Base DN field, type the scope of the users and groups that are considered within the LDAP server.

For example:

DC=example, DC=com

The Base DN determines the structure of the LDAP server where the search filter is applied. This is usually similar to the domain name over which the LDAP server has authority.

9. In the Username field:

a. Type a user account that has full read access to the LDAP or AD directory, in the following format:

[email protected]

For example, [email protected]

• For Active Directory, ensure that the username is one of the following:
    ▪ Common name
    ▪ Email address
    ▪ Display name
    ▪ User principal name (UPN) in the following format: user@domain
    ▪ SAM account name in the following format: domain/user
    ▪ Distinguished name (DN)

• For OpenLDAP, ensure that the username is one of the following:
    ▪ Common name
    ▪ Email address
    ▪ Entry distinguished name

b. Ensure that the user has read access to the directory.

c. To include email notifications, define the email address for the account.

Note

Only Admin accounts with defined email addresses can receive email notifications.

10. In the Password field, type the password of the user account that you specified in the Username field.

11. In the SSL field, select either of the following options:

• To connect to an external authentication server using LDAPS, select True.

The default port number automatically changes to 636.

• To ignore secure connection settings, select False.

12. In the Default field, leave the option set to False.

The Default field refers to the Search built-in OpenLDAP server.

13. To test the connection, click Test Connection.

14. Click Save.

Maintaining the Search OpenLDAP server
You can change the following settings by editing the settings in the /etc/openldap/slapd.conf configuration file:

• Anti-brute force
• Account lockout
• Master-consumer deployment setting
• Database replicate
• Unlock admin account
• Password

Authentication configuration
This section describes user accounts and groups for LDAP.

Users can remotely log in to the Search admin and search web-based interfaces only by using appropriate accounts that are configured in LDAP. Roles within the software also determine a user's permissions when logged in.

The following table lists accounts and groups for LDAP.


Table 6 LDAP server

Accounts and Groups: Description

System Administrator: The System Administrator can:
• Assign the System Administrator role to other users and groups
• View the system health
• Configure and view system notifications
• Manage LDAP sources

Application Administrator: The Application Administrator can:
• Assign the following roles to users and groups:
    ▪ Application Administrator
    ▪ Full Access Search (Global)
• View the status of jobs on the source server
• Manage search roles for an index including the following:
    ▪ Full Access Search (Index)
    ▪ Read Only Search (Index)
• Add or edit a source
• Configure and view source notifications
• View the health of the source server

Search Administrator - All access: The Search Administrator - All access can:
• Full content index a search result
• Preview search results
• Download files locally
• Restore files to original or alternate location

Search Administrator - Read only: The Search Administrator - Read only can:
• Perform keyword searches
• Perform filter searches
• View metadata for the search results
• Restore files to the original location

About rolesA role defines the privileges and permissions for users to perform a group of tasks.

When you configure the Search virtual appliance, there are already predefined usersfrom OpenLDAP.

Access control

About roles 21

Page 22: Search Security Configuration Guide › ... › products › data-protection › docu9404… · Dell EMC Search Version 19.1 Security Configuration Guide 302-005-799 REV 01

Note

When you launch the Search virtual appliance within IDPA System Manager, the user has all admin access and full search access to all indexes. The IDPA single sign-on privileges override the roles that are allocated in Search.

System Administrator role

The System Administrator can perform the following tasks:

• Assign the System Administrator role to other users and groups
• View the system health
• Configure and view system notifications
• Manage LDAP sources

Assign the System Administrator role

To assign a System Administrator role, perform the following procedure. Only a System Administrator can add another System Administrator role.

Procedure

1. In the Manage drop-down list, select System.

The System Administration view appears.

2. Click Administration > Roles.

The Manage Roles window appears.

3. Click .

The Select User window appears.

4. In the Select User window, perform the following steps:

a. In the Name field, restrict the search to one of the following categories:

• Users or Groups
• Users
• Groups

b. Type the name of the user or group.

c. In the Directory field, specify an authentication provider.

For example, the name of the Active Directory.

d. Click Find.

The list of users or user groups appears.

Note

If you click Find before specifying a substring, the entire directory is returned. This action might slow performance.

e. Select a user, group, or click Select all.

f. Click OK.

The Manage Roles window appears.


5. In the Manage Roles window, select System Administrator to assign the role to the user or group that you added.

Example 1 Search for all users

To search for all users that contain Admin:

1. Type Admin.

2. Click Find.

Application Administrator role

The Application Administrator can manage specific configurations within the Search virtual appliance.

The Application Administrator can perform the following tasks:

• Assign the following roles to users and groups:
  ◦ Application Administrator
  ◦ Full Access Search (Global)
• View the status of jobs on the source server
• Manage search roles for an index including the following:
  ◦ Full Access Search (Index)
  ◦ Read Only Search (Index)
• Add or edit a source
• Configure and view source notifications
• View the health of the source server

Assign the Application Administrator role

Only an Application Administrator can assign the Application Administrator role.

Procedure

1. In the Manage drop-down list, select one of the following options:

• Avamar
  The Avamar Administration view appears.
• NetWorker
  The NetWorker Administration view appears.

2. Select Administration > Roles.

The Manage Roles window appears.

3. To add a user or group, click .

The Select User window appears.

4. In the Select User window, perform the following steps:

a. In the Name field, restrict the search to one of the following categories:

• Users or Groups
• Users
• Groups

b. Type the name of the user or group.

c. In the Directory field, specify an authentication provider.

For example, the name of the Active Directory.

d. Click Find.

The list of users or user groups appears.

Note

If you click Find before specifying a substring, the entire directory is returned. This action might slow performance.

e. Select a user, group, or click Select all.

f. Click OK.

The Manage Roles window appears.

5. In the Manage Roles window, select Application Administrator to assign the role to the user or group that you added.

Example 2 Search for all users

To search for all users that contain Admin:

1. Type Admin.

2. Click Find.

Full Access Search (Global) role

The Full Access Search (Global) role is a global search administrator that overrides any setting on indexes.

Only an Application Administrator can assign the Full Access Search (Global) role.

The Full Access Search (Global) role can perform the following actions:

• Full content index a search result
• Preview search results
• Download files locally
• Restore files to original or alternate location

Assigning the Full Access Search (Global) role

Only an Application Administrator can assign the Full Access Search (Global) role.

Procedure

1. In the Manage drop-down list, select one of the following options:

• Avamar
  The Avamar Administration view appears.
• NetWorker
  The NetWorker Administration view appears.

2. Click Administration > Roles.

The Manage Roles window appears.

3. To add a user or group, click .

The Select User window appears.

4. In the Select User window, perform the following steps:

a. In the Name field, restrict the search to one of the following categories:

• Users or Groups
• Users
• Groups

b. Type the name of the user or group.

c. In the Directory field, specify an authentication provider.

For example, the name of the Active Directory.

d. Click Find.

The list of users or user groups appears.

Note

If you click Find before specifying a substring, the entire directory is returned. This action might slow performance.

e. Select a user, group, or click Select all.

f. Click OK.

The Manage Roles window appears.

5. In the Manage Roles window, select Full Access Search (Global) to assign the role to the user or group that has been added.

Example 3 Search for all users

To search for all users that contain Admin:

1. Type Admin.

2. Click Find.

Index specific search roles

The following roles can be applied to specific indexes.

Full Access Search (Index)

Only an Application Administrator can assign the Full Access Search (Index) role.

The Full Access Search (Index) role can perform the following actions inside a specified index:

• Full content index a search result
• Preview search results
• Download files locally
• Restore files to original or alternate location

The following figure illustrates how to assign the Full Access Search (Index) role.

Figure 3 Full Access Search (Index) role

Assign the Full Access Search (Index) role

Only an Application Administrator can assign the Full Access Search (Index) role for a specific index.

Before you begin

Ensure that the user or group has been added as an Active Directory or OpenLDAP source.

Procedure

1. In the Manage drop-down list, select one of the following options:

• Avamar
  The Avamar Administration view appears.
• NetWorker
  The NetWorker Administration view appears.

2. Click Administration > Indexes.

The list of indexes appears.

3. Select the Index that you want to give the user or group access to.

4. To manage search roles, click .

The Manage Search Roles window appears.

5. To add a user or group, click .

The Select User window appears.

6. In the Select User window, perform the following steps:


a. In the Name field, restrict the search to one of the following categories:

• Users or Groups
• Users
• Groups

b. Type the name of the user or group.

c. In the Directory field, specify an authentication provider.

For example, the name of the Active Directory.

d. Click Find.

The list of users or user groups appears.

Note

If you click Find before specifying a substring, the entire directory is returned. This action might slow performance.

e. Select a user, group, or click Select all.

f. Click OK.

The Manage Roles window appears.

7. In the Manage Roles window, select Full Access Search (Index) to assign the role to the user or group that has been added.

Example 4 Search for all users

To search for all users that contain Admin:

1. Type Admin.

2. Click Find.

Read Only Search (Index) role

Only an Application Administrator can assign the Read Only Search (Index) role.

The Read Only Search (Index) role can perform the following actions inside a specific index:

• Perform keyword searches
• Perform filter searches
• View metadata for the search results
• Restore files to the original location

The following figure illustrates how to assign the Read Only Search (Index) role.


Figure 4 Read Only Search (Index) role

Assign the Read Only Search (Index) role

Only an Application Administrator can assign the Read Only Search (Index) role for a specific index.

Before you begin

Ensure that the user or group has been added as an Active Directory or OpenLDAP source.

Procedure

1. In the Manage drop-down list, select one of the following options:

• Avamar
  The Avamar Administration view appears.
• NetWorker
  The NetWorker Administration view appears.

2. Click Administration > Indexes.

The list of indexes appears.

3. Select the Index that you want to give the user or group access to.

4. To manage search roles, click .

The Manage Search Roles window appears.

5. To add a user or group, click .

The Select User window appears.

6. In the Select User window, perform the following steps:

a. In the Name field, restrict the search to one of the following categories:

• Users or Groups
• Users
• Groups


b. Type the name of the user or group.

c. In the Directory field, specify an authentication provider.

For example, the name of the Active Directory.

d. Click Find.

The list of users or user groups appears.

Note

If you click Find before specifying a substring, the entire directory is returned. This action might slow performance.

To search for all users that contain Admin:

a. Type Admin.

b. Click Find.

e. Select a user, group, or click Select all.

f. Click OK.

The Manage Roles window appears.

7. To assign the role to a user or group, select Read Only Search (Index).

The Read Only Search (Index) role cannot perform the following actions:

• See inline preview for hits
• View full preview for hits
• Download files locally
• Restore files to an alternate location

Managing roles

This section describes how to add and edit user roles and assign access privileges to administrators.

Assign roles to users or groups

With the System Administrator or Application Administrator role, you can assign roles to users or groups.

Procedure

1. In the Manage drop-down list, select one of the following options:

• Avamar
  The Avamar Administration view appears.
• NetWorker
  The NetWorker Administration view appears.
• System
  The System Administration view appears.

2. Click Administration > Roles.

The Manage Roles window appears.


3. To add a user or group, click .

The Select User window appears.

4. In the Select User window, perform the following steps:

a. In the Name field, restrict the search to one of the following categories:

• Users or Groups
• Users
• Groups

b. Type the name of the user or group.

c. In the Directory field, specify an authentication provider.

For example, the name of the Active Directory.

d. Click Find.

The list of users or user groups appears.

Note

If you click Find before specifying a substring, the entire directory is returned. This action might slow performance.

To search for all users that contain Admin:

a. Type Admin.

b. Click Find.

e. Select a user, group, or click Select all.

f. Click OK.

The Manage Roles window appears.

5. To assign a role to a user or group, click one or more of the following options:

• Application Administrator
• Search Administrator

Remove users or groups

With the System Administrator or Application Administrator role, you can remove users or groups.

Procedure

1. In the Manage drop-down list, select one of the following options:

• Avamar
  The Avamar Administration view appears.
• NetWorker
  The NetWorker Administration view appears.
• System
  The System Administration view appears.


2. Click Administration > Roles.

The Manage Roles window appears.

3. Click the name of the user or group you want to delete.

4. Click .

5. To remove the user or group, in the Confirm window, click Confirm.

Results

The users or groups are no longer listed.

Edit role assignments

With the System Administrator or Application Administrator role, you can assign or edit roles.

Procedure

1. In the Manage drop-down list, select one of the following options:

• Avamar
  The Avamar Administration view appears.
• NetWorker
  The NetWorker Administration view appears.
• System
  The System Administration view appears.

2. Click Administration > Roles.

The Manage Roles window appears.

3. Choose the user or group whose role you want to edit.

4. Click one or more of the following options:

• Application Administrator
• Full Access Search (Global)

The following figure displays the Manage Roles window.

Figure 5 Manage Roles window


Log files

All log files are stored on disk 3, the separate disk. The /usr/local/search/log directory is mapped to /mnt/search/log. The logs are written to a dedicated disk so they cannot fill the system disk.

The default log directory, /usr/local/search/log, contains the following logs.

Table 7 Log files

| Logs | Description |
| --- | --- |
| search-adminapi-nodename | Main log file for the Admin REST API |
| search-adminapi-stderr-nodename | List of API calls made into the Admin REST API |
| search-adminapi-stdout-nodename | Details about the debugging output for the Admin REST API |
| search-api-nodename | Main log file for the Search REST API |
| search-api-stderr-nodename | List of API calls made into the Search REST API |
| search-api-stdout-nodename | Details about the debugging output for Search REST API |
| search-avamar-action-nodename | Main log file for the Avamar action service REST API |
| search-avamar-action-stderr-nodename | A succinct list of API calls made into the Avamar action service REST API |
| search-avamar-action-stdout-nodename | Details about the debugging output for the Avamar action service REST API |
| search-avamar-worker-nodename | Main log file for the Avamar Java worker service |
| search-avamar-worker-stdout-nodename | Details about the Avamar Java worker service settings |
| search-networker-action-nodename | Main log file for the NetWorker action service REST API |
| search-networker-action-stderr-nodename | A succinct list of API calls made into the NetWorker action service REST API |
| search-networker-action-stdout-nodename | Details about the debugging output for the NetWorker action service REST API |
| search-networker-worker-nodename | Main log file for the NetWorker Java worker service |
| search-networker-worker-stdout-nodename | Details about the NetWorker Java worker service settings |
| search-worker-nodename | Main log file for the Search platform Java worker service |
| search-worker-stdout-nodename | Details about the Search platform Java worker service settings |

Subdirectories contain the logs for the following services.

Table 8 Services and logs

| Logs | Description |
| --- | --- |
| Elasticsearch | Index engine logs |
| CIS | Common Index Service logs |
| Nginx | Web server logs |
| Puppet | Puppet master and agent logs |

Use a secure FTP client, such as WinSCP or PuTTY (psftp), to copy log files from the Search nodes to a Windows computer.

Note

The WinSCP tool provides a GUI, and retains the settings, including both local and remote directory locations.

Copy log files (WinSCP)

Before you begin

Install WinSCP by downloading WinSCP from winscp.net.

Procedure

1. From the WinSCP wizard, select Stored sessions, and click New.

2. Add a session by completing the following fields:

• Hostname
• Port number (default is 22)
• Root username
• Password

3. Click Directories and complete the following fields:

• In the Remote directory field, type cd /usr/local/search/log
• In the Local directory field, type local directory

4. To save the session:

a. Click Save.

b. Click Login.

5. Drag the logs from the Remote Directory section of the window to the Local Directory section of the window.


Copy log files (PuTTY)

Use a secure FTP client, such as PuTTY (psftp), to copy log files from the Search nodes to a Microsoft Windows computer.

Before you begin

Download and install PuTTY from winscp.net.

Procedure

1. Log in with the Search Root user credentials that are created during deployment.

2. Change to the log directory:

    cd /usr/local/search/log

3. To download the log files, run the mget * command.

4. If required, unzip the log files.

Older versions of the logs are compressed based on size or date.

Managing logs

All log files are stored on disk 3, the separate disk. The logs are located in /usr/local/search/log. The logs are written to a dedicated disk so they cannot fill the system disk.

The default log directory, /usr/local/search/log, is mapped to /mnt/search/log. Follow the procedures in this section to learn how to manage the following log properties:

• Log file location
• Log level
• Log size
• Log count

Managing logs for API-based services

To troubleshoot and diagnose problems, you can manage the log files of the following services and components:

• Admin API
• Search Admin API
• Common Indexing Service (CIS) Core
• CIS Scheduler

Log file location

The following table provides a summary of the log files available for the Admin/Search REST API.


Table 9 Admin/Search REST API log files

| Module | Configuration file | Log file location | Default log level |
| --- | --- | --- | --- |
| Admin API | /usr/local/search/etc/system.conf | {log_path}/search-adminapi-{host_name}.log | ERROR |
| | | {log_path}/search-adminapi-stdout-{host_name}.log | |
| | | {log_path}/search-adminapi-stderr-{host_name}.log | |
| Search API | /usr/local/search/etc/system.conf | {log_path}/search-api-{host_name}.log | ERROR |
| | | {log_path}/search-api-stdout-{host_name}.log | |
| | | {log_path}/search-api-stderr-{host_name}.log | |

Manage the log level

The system.conf file provides the ability to modify the log level for the Admin/Search REST API.

To modify the log level, complete the following steps:

Procedure

1. Open the system.conf file with a text editor.

2. In the system.conf file, locate the following section:

    "log": {
        "comments": "log.level VERBOSE = 0, INFO = 1, WARNING = 2, ERROR = 3",
        "admin_api": "/usr/local/search/log/search-adminapi-stevenzincdev.log",
        "search_api": "/usr/local/search/log/search-api-stevenzincdev.log",
        "level": 3
    }

3. Change the log level by editing the level attribute:

Specify one of the following log levels:

• 0 (VERBOSE)
• 1 (INFO)
• 2 (WARNING)
• 3 (ERROR)

4. Restart the corresponding services.


Manage log size and log count

The logrotate utility manages the size of log files, and determines the number of archived log files to maintain.

Note

A cron job runs daily to rotate the API log files.

The following table outlines the logrotate configuration files for the Admin/Search REST API, CIS core service, and CIS scheduler service.

Table 10 Configuration files

| Service | Configuration file |
| --- | --- |
| Admin API | /etc/logrotate.d/search-adminapi.lr |
| Search API | /etc/logrotate.d/search-api.lr |
| CIS core service | /etc/logrotate.d/search-cis-core.lr |
| CIS scheduler service | /etc/logrotate.d/search-cis-schedule.lr |

Procedure

1. Open the corresponding logrotate configuration file.

2. In the logrotate configuration file, locate the following section:

    /usr/local/search/log/search-adminapi*.log {
        su root root
        rotate 5
        size 100M
        missingok
        nodateext
        notifempty
        compress
        delaycompress
        lastaction
            pid=/var/run/search/search-adminapi.pid
            test -s $pid && kill -USR1 "$(cat $pid)"
        endscript
    }

3. Change the log size and the number of log files to maintain, by editing the rotate and size parameters.

where:

• rotate defines the number of archived log files that the Search software maintains. The default value is 5.
• size defines the maximum size of the log file. The default value is 100M.


Managing logs for Worker and Action services

To troubleshoot and diagnose problems, you can manage the log files for the following services and components:

• Avamar Action service
• Avamar Worker service
• NetWorker Action service
• NetWorker Worker service
• Search Worker service

Log file location

The following table provides a summary of the log files available for the action services, worker services, and system worker service.

Table 11 Worker Services log files

| Module | Configuration file | Log file location |
| --- | --- | --- |
| Search-Worker | /usr/local/search/etc/log4j2-search-worker.xml | {log_path}/search-worker.log |
| Avamar-Worker | /usr/local/search/etc/log4j2-search-avamar-worker.xml | {log_path}/search-avamar-worker-{host_name}.log |
| Networker-Worker | /usr/local/search/etc/log4j2-search-networker-worker.xml | {log_path}/search-networker-worker-{host_name}.log |
| Avamar-Action-Service | /usr/local/search/etc/log4j2-search-avamar-action.xml | {log_path}/search-avamar-action-{host_name}.log |
| Networker-Action-Service | /usr/local/search/etc/log4j2-search-networker-action.xml | {log_path}/search-networker-action-{host_name}.log |

Manage the log level

The log4j file provides the ability to modify the log level for the action services, worker services, and system worker service.

To modify the log level, complete the following steps:

Procedure

1. Open the corresponding log4j configuration file.

2. In the log4j configuration file, perform the following tasks:

• To modify the log level for the Search Avamar Action service or the Search NetWorker Action service, locate the following section:

    <Logger name="com.emc.zinc" level="error" additivity="false">
        <AppenderRef ref="Routing"/>
    </Logger>

• To modify the log level for the Search Avamar Worker service, Search NetWorker Worker service, or Search Worker service, locate the following section:

    <Root level="info">
        <AppenderRef ref="Routing" />
    </Root>

3. Change the log level by editing the level attribute.

Specify one of the following log levels:

• trace
• debug
• info
• warn
• error

4. Restart the corresponding services.

Manage log size and log count

The log4j file manages the size of log files, and determines the number of archived log files to maintain for the action services, worker services, and system worker service.

The following table lists the log4j configuration files.

Table 12 Configuration files

| Service | Configuration file |
| --- | --- |
| Avamar action service | log4j2-search-avamar-action.xml |
| Avamar worker service | log4j2-search-avamar-worker.xml |
| NetWorker action service | log4j2-search-networker-action.xml |
| NetWorker worker service | log4j2-search-networker-worker.xml |
| System worker service | log4j2-search-worker.xml |

Procedure

1. Open the corresponding log4j configuration file.

2. In the log4j configuration file, locate the following section:

        <Policies>
            <!-- <OnStartupTriggeringPolicy /> -->
            <!-- <TimeBasedTriggeringPolicy /> -->
            <SizeBasedTriggeringPolicy size="100 MB"/>
        </Policies>
        <DefaultRolloverStrategy max="5"/>
    </RollingFile>

3. Change the log size and the number of log files to maintain, by editing the SizeBasedTriggeringPolicy size and DefaultRolloverStrategy max attributes.

where:

• SizeBasedTriggeringPolicy size defines the maximum size of the log file. The default value is 100 MB.
• DefaultRolloverStrategy max defines the number of archived log files that the Search software maintains. The default value is 5.

Managing logs for Elasticsearch

To troubleshoot and diagnose problems, you can manage the log files for the Elasticsearch service.

About the Elasticsearch logs

The Elasticsearch log files are located in /usr/local/search/log/elasticsearch. The default logging level is ERROR.

Elasticsearch uses log4j to manage the log file level, size, and count. The configuration file for log4j is located at /etc/elasticsearch/log4j2.properties.

Manage the log level

The log4j file provides the ability to modify the log level for Elasticsearch.

To modify the log level, complete the following steps:

Procedure

1. Open the corresponding log4j configuration file.

2. In the log4j configuration file, locate the following section:

rootLogger.level = error

3. Change the log level by editing the rootLogger.level attribute.

Specify one of the following log levels:

• trace
• debug
• info
• warn
• error

4. Restart the corresponding services.

Manage log size and log count

The log4j utility manages the size of log files, and determines the number of archived log files to maintain for the Elasticsearch service.

Procedure

1. Open the log4j configuration file.

2. In the log4j configuration file, locate the sections that correspond to the following logs:

• rolling
• deprecation_rolling
• index_search_slowlog_rolling
• index_indexing_slowlog_rolling

To adjust the size and number of retained logs, locate and modify the following parameters for the log you want to manage:

Table 13 Elasticsearch log parameters

| Parameter name | Description | Default value |
| --- | --- | --- |
| appender.rolling.policies.size.size, appender.deprecation_rolling.policies.size.size | The maximum allowed log size before rotation. Specify the value in KB, MB, or GB. | 100 MB |
| appender.rolling.strategy.max, appender.deprecation_rolling.strategy.max | The maximum number of rotated log files to retain. | 5 |
| appender.index_search_slowlog_rolling.policies.time.interval, appender.index_indexing_slowlog_rolling.policies.time.interval | The duration of the logging period, in days. | 1 |

Managing logs for Nginx

To troubleshoot and diagnose problems, you can manage the log files for Nginx.

Configuration file location

The following table provides a summary of the configuration files available for Nginx. All the Nginx configuration files are located in /etc/nginx.

Table 14 Nginx log files

| Module | Configuration file |
| --- | --- |
| Avamar action service | nginx.avamar-action.conf |
| CIS | nginx.cis.conf |
| Nginx | nginx.conf |
| NetWorker action service | nginx.networker-action.conf |
| Search service | nginx.search.conf |

Modifying the log level

The Nginx logging options are highly configurable. The Nginx documentation provides more information.

Manage log size and log count

The logrotate utility manages the size of log files, and determines the number of archived log files to maintain. The Nginx logrotate configuration file is located at /etc/logrotate.d/nginx.lr.


Procedure

1. Open the Nginx logrotate configuration file.

2. In the logrotate configuration file, locate the following section:

    /usr/local/search/log/nginx/nginx*.log {
        su root root
        rotate 5
        size 100M
        missingok
        nodateext
        notifempty
        compress
        delaycompress
        missingok
        lastaction
            pid=/var/run/nginx.pid
            test -s $pid && kill -USR1 "$(cat $pid)"
        endscript
    }

3. Change the log size and the number of log files to maintain, by editing the rotate and size parameters.

where:

• rotate defines the number of archived log files that Nginx maintains. The default value is 5.
• size defines the maximum size of the log file. The default value is 100M.

Manage logs for the Puppet agent

To troubleshoot and diagnose problems, you can manage the log files for the Puppet agent.

Manage the log level

The upgrade.conf file provides the ability to modify the log level for the Puppet agent.

The Puppet agent log files are located in /etc/puppet/log/puppet_agent.log. The default logging level is WARN.

The configuration file for the Puppet agent log is located at /etc/puppet/upgrade.conf.

Procedure

1. Open the corresponding configuration file.

2. In the upgrade.conf configuration file, locate the following section:

loglevel="WARN"

3. Change the log level by editing the loglevel attribute.

Specify one of the following log levels:

• DEBUG
• INFO
• WARN
• ERROR

4. Restart the corresponding services.
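The log-level procedures above use four different syntaxes (system.conf, the log4j2 XML files, Elasticsearch's log4j2.properties, and upgrade.conf). The following Python script is an added example, not Dell EMC code: it reads the level from each format and lists any that is more verbose than the value this guide states or shows. Assumptions: the sample file contents are constructed, and system.conf is treated as a JSON document with a top-level "log" object.

```python
import json
import re
import xml.etree.ElementTree as ET

# Numeric levels, taken from the "comments" field of the system.conf section.
SYSTEM_CONF_LEVELS = {0: "VERBOSE", 1: "INFO", 2: "WARNING", 3: "ERROR"}

# Shared rank (lower = more verbose) so levels from all files can be compared.
RANK = {"TRACE": 0, "VERBOSE": 0, "DEBUG": 1, "INFO": 2,
        "WARN": 3, "WARNING": 3, "ERROR": 4}

# Levels the guide states as defaults or shows in its excerpts.
BASELINE = {"system.conf": "ERROR", "action com.emc.zinc": "ERROR",
            "worker Root": "INFO", "elasticsearch": "ERROR",
            "puppet-agent": "WARN"}

# Constructed sample contents; two of them have been switched to debug output.
SYSTEM_CONF = '{"log": {"comments": "constructed sample", "level": 0}}'
ACTION_XML = ('<Configuration><Loggers>'
              '<Logger name="com.emc.zinc" level="error" additivity="false">'
              '<AppenderRef ref="Routing"/></Logger>'
              '</Loggers></Configuration>')
WORKER_XML = ('<Configuration><Loggers><Root level="info">'
              '<AppenderRef ref="Routing"/></Root></Loggers></Configuration>')
ES_PROPERTIES = "status = error\nrootLogger.level = debug\n"
UPGRADE_CONF = 'loglevel="WARN"\n'


def system_conf_level(text):
    """Level name from the "log" object (assumes system.conf parses as JSON)."""
    level = json.loads(text)["log"]["level"]
    valid = isinstance(level, int) and not isinstance(level, bool)
    if not valid or level not in SYSTEM_CONF_LEVELS:
        raise ValueError(f"unsupported system.conf log level: {level!r}")
    return SYSTEM_CONF_LEVELS[level]


def log4j2_xml_levels(text):
    """Map logger name (or "Root") to level for each <Logger>/<Root> element."""
    levels = {}
    for element in ET.fromstring(text).iter():
        if element.tag in ("Logger", "Root"):
            levels[element.get("name", "Root")] = element.get("level", "").upper()
    return levels


def key_value_level(text, key):
    """Level from a `key = value` or `key="VALUE"` line."""
    match = re.search(rf'^\s*{re.escape(key)}\s*=\s*"?(\w+)"?\s*$', text, re.M)
    if match is None:
        raise ValueError(f"{key} not found")
    return match.group(1).upper()


def collect():
    """Read the configured level from every sample file."""
    return {
        "system.conf": system_conf_level(SYSTEM_CONF),
        "action com.emc.zinc": log4j2_xml_levels(ACTION_XML)["com.emc.zinc"],
        "worker Root": log4j2_xml_levels(WORKER_XML)["Root"],
        "elasticsearch": key_value_level(ES_PROPERTIES, "rootLogger.level"),
        "puppet-agent": key_value_level(UPGRADE_CONF, "loglevel"),
    }


def too_verbose(found, baseline):
    """Names whose configured level is more verbose than the baseline level."""
    flagged = []
    for name, level in found.items():
        if level not in RANK:
            raise ValueError(f"{name}: unknown level {level!r}")
        if RANK[level] < RANK[baseline[name]]:
            flagged.append(name)
    return sorted(flagged)


if __name__ == "__main__":
    for name in too_verbose(collect(), BASELINE):
        print(f"{name}: more verbose than {BASELINE[name]}")
```
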

Manage log size and log count

The logrotate utility manages the size of log files, and determines the number of archived log files to maintain. The Puppet agent logrotate configuration file is located at /etc/logrotate.d/puppet.lr.

Procedure

1. Open the Puppet agent logrotate configuration file.

2. In the logrotate configuration file, locate the following section:

    /usr/local/search/log/puppet/puppet_*.log {
        su root root
        rotate 5
        size 100M
        missingok
        nodateext
        notifempty
        compress
        delaycompress
        missingok
    }

3. Change the log size and the number of log files to maintain, by editing the rotate and size parameters.

where:

• rotate defines the number of archived log files that Nginx maintains. The default value is 5.
• size defines the maximum size of the log file. The default value is 100M.
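The size and count settings in this guide are spread across logrotate files, log4j2 XML files, and Elasticsearch's log4j2.properties. The following Python script is an added example, not Dell EMC code: it reads the size and count from each format and computes the nominal uncompressed volume kept per log file, so that a shortened retention is noticed before the logs are needed. Assumptions: the sample file contents and the 500 MiB threshold are constructed.

```python
import re
import xml.etree.ElementTree as ET

UNITS = {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}
MIB = 1024 ** 2

# Constructed samples. The first stanza uses the guide's defaults; the second
# has a reduced retention that the check below should report.
LOGROTATE = """\
/usr/local/search/log/search-adminapi*.log {
    su root root
    rotate 5
    size 100M
    missingok
    compress
    delaycompress
    lastaction
        pid=/var/run/search/search-adminapi.pid
        test -s $pid && kill -USR1 "$(cat $pid)"
    endscript
}
/usr/local/search/log/nginx/nginx*.log {
    su root root
    rotate 2
    size 10M
    missingok
}
"""
WORKER_XML = """\
<Configuration><Appenders><RollingFile name="constructed">
  <Policies>
    <!-- <TimeBasedTriggeringPolicy /> -->
    <SizeBasedTriggeringPolicy size="100 MB"/>
  </Policies>
  <DefaultRolloverStrategy max="5"/>
</RollingFile></Appenders></Configuration>
"""
ES_PROPERTIES = """\
appender.rolling.policies.size.size = 100MB
appender.rolling.strategy.max = 5
"""


def parse_size(value):
    """Bytes for '100M' (logrotate), '100 MB' (log4j2 XML) or '100MB'."""
    match = re.fullmatch(r"\s*(\d+)\s*([KMG]?)B?\s*", value, re.IGNORECASE)
    if match is None:
        raise ValueError(f"unrecognised size: {value!r}")
    return int(match.group(1)) * UNITS[match.group(2).upper()]


def logrotate_policies(text):
    """Map each log pattern in a logrotate file to (size_bytes, rotate)."""
    policies = {}
    for stanza in re.finditer(r"^(\S[^{\n]*?)\s*\{(.*?)^\s*\}", text, re.M | re.S):
        body = stanza.group(2)
        size = re.search(r"^\s*size\s+(\S+)", body, re.M)
        rotate = re.search(r"^\s*rotate\s+(\d+)", body, re.M)
        if size is None or rotate is None:
            raise ValueError(f"{stanza.group(1)}: size or rotate missing")
        policies[stanza.group(1)] = (parse_size(size.group(1)), int(rotate.group(1)))
    return policies


def log4j2_xml_policy(text):
    """(size_bytes, max) from SizeBasedTriggeringPolicy/DefaultRolloverStrategy."""
    root = ET.fromstring(text)
    trigger = root.find(".//SizeBasedTriggeringPolicy")
    strategy = root.find(".//DefaultRolloverStrategy")
    if trigger is None or strategy is None:
        raise ValueError("size-based rollover is not configured")
    return parse_size(trigger.get("size", "")), int(strategy.get("max", ""))


def properties_policy(text, appender):
    """(size_bytes, max) for one appender in Elasticsearch's log4j2.properties."""
    props = {}
    for line in text.splitlines():
        key, _, value = line.partition("=")
        if key.strip() and not key.lstrip().startswith("#"):
            props[key.strip()] = value.strip()
    return (parse_size(props[f"appender.{appender}.policies.size.size"]),
            int(props[f"appender.{appender}.strategy.max"]))


def nominal_footprint(size_bytes, keep):
    """Live file plus `keep` archives, before compression, per matching file."""
    return size_bytes * (keep + 1)


def collect():
    """Gather (size_bytes, count) from every sample file."""
    policies = logrotate_policies(LOGROTATE)
    policies["log4j2-search-worker.xml"] = log4j2_xml_policy(WORKER_XML)
    policies["elasticsearch rolling"] = properties_policy(ES_PROPERTIES, "rolling")
    return policies


def below_minimum(policies, minimum_bytes):
    """Names whose nominal footprint is smaller than the required history."""
    return sorted(name for name, (size, keep) in policies.items()
                  if nominal_footprint(size, keep) < minimum_bytes)


if __name__ == "__main__":
    for name, (size, keep) in collect().items():
        print(f"{name}: {nominal_footprint(size, keep) // MIB} MiB nominal")
    print("below 500 MiB:", below_minimum(collect(), 500 * MIB))
```

Because the logrotate cron job runs daily, a live log file can grow past the size value between runs, so the logrotate figures are nominal rather than a hard cap.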
