How to move Accelerator Enhanced Auditing to a new server

book

Article ID: 100070251

calendar_today

Updated On:

Description

There may be a business need to move Compliance Accelerator (CA) / Veritas Advanced Surveillance (VAS) or Discovery Accelerator (DA) Enhanced Auditing to a new server. Enhanced Auditing consists of two components: Enhanced Auditing and ElasticSearch. The following steps will move both components to a new server.

The log excerpts, information and/or screenshot(s) below were taken from a non-production test lab environment and are used for example purposes only. All PowerShell scripts may be run using PowerShell ISE and may be saved as .ps1 files if needed.

A - Prerequisites

1. Verify the username and password of the user that was specified during the Enhanced Auditing installation on the original Enhanced Auditing server is available. This user can be determined by editing the following URL to list the original Enhanced Auditing server's FQDN and browsing to the edited URL:

https://:9200/_security/user

The user should be listed in the first entry starting with {"elastic":.

If this password is not available, it will need to be reset as below, as the steps to move the existing Enhanced Auditing records require the original ElasticSearch password.

Notes
- The method below will not work to change the elastic user's password if Enhanced Auditing is to be Repaired on the same server. This is due to the original password being stored in the AuditUsersDatabase.sqlite database, which is not updated using the steps below, thus causing the Repair to fail.
- The method below will work to change the elastic user's password if Enhanced Auditing is to be moved to a new server. The new password will need to be specified when installing Enhanced Auditing on the new server and in all subsequent steps, as below.
- The method below will work to change the elastic user's password if Enhanced Auditing is upgraded to a newer version. The password will need to be changed before running the upgrade installer, then the new password will need to be listed when prompted for in the upgrade installer. The installer will then update the new password in the AuditUsersDatabase.sqlite database.

- Determine the name and password of a new user to be used as the ElasticSearch SuperUser. This user should not be a real user and does not need to exist in Active Directory.

- Open an administrative/elevated command prompt (click Start, right-click Command Prompt, and then click Run as administrator) and navigate to the ElasticSearch's \bin folder on the Enhanced Auditing server, typically at \Program Files\Elastic\elasticsearch-X-windows-x86_64\elasticsearch-X\bin\.

- Edit the username and password of the new ElasticSearch SuperUser in the following command and execute the command to create the new Superuser in ElasticSearch:

elasticsearch-users useradd -p -r superuser

For example, if the new local user is elastic2 with password P@ssword01:

elasticsearch-users useradd elastic2 -p P@ssword01 -r superuser

- Confirm the new local user can access the ElasticSearch server by editing and browsing to the following URL, then entering the new local user's credentials when prompted:

https://:9200/_security/user

If successful, the page should list the information for the elastic user, along with other vea_ users.

- Use the new local user's credentials to reset the existing elastic user's password. Edit and execute the following PowerShell script as indicated:

$password = ConvertTo-SecureString "" -AsPlainText -Force # Edit the new local user's password here
$cred = New-Object System.Management.Automation.PSCredential ("", $password) # Edit the new new local user's name here
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }
$PassPostParams = '{ "password":""}' # Edit the new password for the existing elastic user here
Invoke-WebRequest -Uri https://localhost:9200/_security/user/elastic/_password -Method Post -ContentType "application/json" -Body $PassPostParams -Credential $cred -UseBasicParsing

For example, if the new local user is elastic2 with password P@ssword01 and the new password for the elastic user is P@ssw0rd:

$password = ConvertTo-SecureString "P@ssword01" -AsPlainText -Force # Edit the new local user's password here
$cred = New-Object System.Management.Automation.PSCredential ("elastic2", $password) # Edit the new local user's name here
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }
$PassPostParams = '{ "password":"P@ssw0rd"}' # Edit the new password for the existing elastic user here
Invoke-WebRequest -Uri https://localhost:9200/_security/user/elastic/_password -Method Post -ContentType "application/json" -Body $PassPostParams -Credential $cred -UseBasicParsing

If the output lists StatusCode 200 with StatusDescription OK, the command completed successfully.

2. Verify the genelastic1 certificate on the original Enhanced Auditing server is present. This can be found in the ElasticSearch installation folder under \Program Files\Elastic\certs. This may be required for running the PowerShell commands below if any authentication errors are seen.

B - Create a Snapshot on the original Enhanced Auditing/ElasticSearch server

3. Edit the elasticsearch.yml file to allow Snapshot Repositories to be created:

3.1. Use File Explorer and navigate to the path \Program Files\Elastic\elasticsearch-X-windows-x86_64\elasticsearch-X\config.

3.2. Make a copy of the elasticsearch.yml for safekeeping.

3.3. Open the file elasticsearch.yml using Notepad.

3.4. Edit the path in the following line to a location that will be used to store the ElasticSearch Repository that will be created in the following steps. The location does not need to exist and will be automatically created after the service restart below. This can be a local drive but can also be a network location that can be accessed from the new Enhanced Auditing server. Note the drive letter has a double back slash but all folder(s) after the drive letter have a single back slash. Then add the edited line after the last line in the elasticsearch.yml file.

path.repo: ["\\"]

For example:

path.repo: ["E:\\EA_Repository"]

3.5. Save and close the file.

3.6. Restart the ElasticSsearch Service.

4. Create a Snapshot Repository location:

4.1. Edit the following PowerShell script as follows:

$username: Set this to the ElasticSearch username.
$upassword: Set this to the ElasticSearch username's password.
$serverfqdn: Set this to the FQDN of the original Enhanced Auditing server.
$settings: Set this to a folder in the ElasticSearch Repository as listed in the elasticsearch.yml file above. The folder does not need to exist and will be created when the script below is executed. Note the drive letter has a double back slash but all folder(s) after the drive letter have a single back slash.

4.2. Execute the edited PowerShell script. This will call ElasticSearch's REST API to prepare the Repository location (can be saved as OrigEA_PrepareRepositoryLocation.ps1).

$username = "" # Set this to the ElasticSearch username
$upassword = "" # Set this to the ElasticSearch username's password
$serverfqdn = "" # Set this to the FQDN of the original Enhanced Auditing server
$Body =""
$settings = @{location = "\\\"} # Set this to a folder in the ElasticSearch Repository location as listed in the elasticsearch.yml file
$data = @{
type = "fs"
settings = $settings
readonly = "true"
}
$Body = $data | ConvertTo-Json
$auth = $username + ':' + $upassword
$Encoded = [System.Text.Encoding]::UTF8.GetBytes($auth)
$authorizationInfo = [System.Convert]::ToBase64String($Encoded)
$headers = @{"Authorization"="Basic $($authorizationInfo)"}
$Params = @{
Method = "PUT"
Uri = 'https://'+ $serverfqdn+':9200/_snapshot/enhancedaudit_repository'
Body = $Body
Headers = $headers
}
Invoke-RestMethod @Params -ContentType 'application/json'

Example script:

$username = "elastic" # Set this to the ElasticSearch username
$upassword = "rpsrps" # Set this to the ElasticSearch username's password
$serverfqdn = "CA.evrpslab.com" # Set this to the FQDN of the original Enhanced Auditing server
$Body =""
$settings = @{location = "E:\\EA_Repository\AuditRepository"} # Set this to a folder in the ElasticSearch Repository as listed in the elasticsearch.yml file
$data = @{
type = "fs"
settings = $settings
readonly = "true"
}
$Body = $data | ConvertTo-Json
$auth = $username + ':' + $upassword
$Encoded = [System.Text.Encoding]::UTF8.GetBytes($auth)
$authorizationInfo = [System.Convert]::ToBase64String($Encoded)
$headers = @{"Authorization"="Basic $($authorizationInfo)"}
$Params = @{
Method = "PUT"
Uri = 'https://'+ $serverfqdn+':9200/_snapshot/enhancedaudit_repository'
Body = $Body
Headers = $headers
}
Invoke-RestMethod @Params -ContentType 'application/json'

5. Create a Snapshot in the Repository location:

5.1. Edit the following PowerShell script as follows:

5.2. Execute the edited PowerShell script. This will call ElasticSearch's REST API to create a new Snapshot (can be saved as OrigEA_CreateRepositorySnapshot.ps1).

$username = "" # Set this to the ElasticSearch username
$upassword = "" # Set this to the ElasticSearch username's password
$serverfqdn = "" # Set this to the FQDN of the original Enhanced Auditing server
$securePwd = ConvertTo-SecureString "" -AsPlainText -Force # Set this to the ElasticSearch username's password
$credential = New-Object System.Management.Automation.PSCredential ($username, $securePwd)
$auth = $username + ':' + $upassword
$Encoded = [System.Text.Encoding]::UTF8.GetBytes($auth)
$authorizationInfo = [System.Convert]::ToBase64String($Encoded)
$headers = @{"Authorization"="Basic $($authorizationInfo)"}
# Send a GET request including Basic authentication.
$Params = @{
Method = "PUT"
Uri = 'https://'+ $serverfqdn+':9200/_snapshot/enhancedaudit_repository/auditsnapshot'
Headers = $headers
}
Invoke-RestMethod @Params

Example script:

$username = "elastic" # Set this to the ElasticSearch username
$upassword = "rpsrps" # Set this to the ElasticSearch username's password
$serverfqdn = "CA.evrpslab.com" # Set this to the FQDN of the original Enhanced Auditing server
$securePwd = ConvertTo-SecureString "rpsrps" -AsPlainText -Force # Set this to the ElasticSearch username's password
$credential = New-Object System.Management.Automation.PSCredential ($username, $securePwd)
$auth = $username + ':' + $upassword
$Encoded = [System.Text.Encoding]::UTF8.GetBytes($auth)
$authorizationInfo = [System.Convert]::ToBase64String($Encoded)
$headers = @{"Authorization"="Basic $($authorizationInfo)"}
# Send a GET request including Basic authentication.
$Params = @{
Method = "PUT"
Uri = 'https://'+ $serverfqdn+':9200/_snapshot/enhancedaudit_repository/auditsnapshot'
Headers = $headers
}
Invoke-RestMethod @Params

6. Verify the Snapshot was created in the Repository location:

6.1. Edit the following PowerShell script as follows:

6.2. Execute the edited PowerShell script on the new Enhanced Auditing server (can be saved as OrigEA_VerifyRepositorySnapshot.ps1).

$username = "" # Set this to the ElasticSearch username
$upassword = "" # Set this to the ElasticSearch username's password
$serverfqdn = "" # Set this to the FQDN of the original Enhanced Auditing server
$auth = $username + ':' + $upassword
$Encoded = [System.Text.Encoding]::UTF8.GetBytes($auth)
$authorizationInfo = [System.Convert]::ToBase64String($Encoded)
$headers = @{"Authorization"="Basic $($authorizationInfo)"}
# Send a GET request including Basic authentication.
$Params = @{
Method = "GET"
Uri = 'https://'+ $serverfqdn+':9200/_snapshot/enhancedaudit_repository/*'
Headers = $headers
}
Invoke-RestMethod @Params

Example script:

$username = "elastic" # Set this to the ElasticSearch username
$upassword = "rpsrps" # Set this to the ElasticSearch username's password
$serverfqdn = "CA.evrpslab.com" # Set this to the FQDN of the original Enhanced Auditing server
$auth = $username + ':' + $upassword
$Encoded = [System.Text.Encoding]::UTF8.GetBytes($auth)
$authorizationInfo = [System.Convert]::ToBase64String($Encoded)
$headers = @{"Authorization"="Basic $($authorizationInfo)"}
# Send a GET request including Basic authentication.
$Params = @{
Method = "GET"
Uri = 'https://'+ $serverfqdn+':9200/_snapshot/enhancedaudit_repository/*'
Headers = $headers
}
Invoke-RestMethod @Params

6.3. The script should return the Snapshot from the original Enhanced Auditing server. Example output:

snapshots --------- {@{snapshot=auditsnapshot; uuid=70aoFbddRnuP_04qztnmCQ; repository=enhancedaudit_repository; version_id=7150099; version=7.15.0; indices=System.Object[]; da...

C - Prepare the new Enhanced Auditing/ElasticSearch server

7. Install Enhanced Auditing on the new Enhanced Auditing server:

7.1. Log in to the new Enhanced Auditing server as the Vault Service Account (VSA) to simplify the process. Verify that the VSA is a Local Administrator.

7.2. Verify the Enhanced Auditing Prerequisites are installed on the new Enhanced Auditing server. Please see the Prerequisites for the Enhanced Auditing feature section in the applicable Accelerator Installation Guide for the specifics. Restart the new Enhanced Auditing server after all prerequisites have been installed, even if there are no prompts to restart.

7.3. Follow the Installing the Enhanced Auditing feature section in the applicable Accelerator Installation Guide for the steps to install Enhanced Auditing.

7.4. When prompted to set the ElasticSearch password, set the same password as used on the original Enhanced Auditing server.

7.5. Note the installation may take an extended amount of time. The progress bar will appear to pause at just over the halfway mark. This is normal.

7.6. When the installation completes, at the Complete screen, make a note of the Audit Server URL. This is in the format https://:448. This will be required in the steps below to reconfigure the Accelerator Enhanced Auditing. Then reboot the new Enhanced Auditing server.

8. Using File Explorer, create a path and folder on the new Enhanced Auditing server for the ElasticSearch Snapshot Repository location, similar to the path and folder that was created on the original Enhanced Auditing server. Note, the path and folder structure does not have to be exactly the same as on the original Enhanced Auditing server. If a network location was used for the Repository location in step 3.4. above, this step can be skipped.

9. Edit the elasticsearch.yml file on the new Enhanced Auditing server to allow Snapshot Repositories to be created:

9.1. Use File Export and navigate to the path \Program Files\Elastic\elasticsearch-X-windows-x86_64\elasticsearch-X\config.

9.2. Make a copy of the elasticsearch.yml for safekeeping.

9.3. Open the file elasticsearch.yml using Notepad.

9.4. Edit the path in the following line to the location created in step 8 above. If a network location was used for the Repository location in step 3.4. above, use the network location. Note the drive letter has a double back slash but all folder(s) after the drive letter have a single back slash. Then add the edited line after the last line in the elasticsearch.yml file.

path.repo: ["\\Path"]

For example:

path.repo: ["E:\\EA_Repository"]

9.5. Save and close the file.

D - Restore the Snapshot from the original Enhanced Auditing/ElasticSearch server to the new Enhanced Auditing/ElasticSearch server

10. Copy the Snapshot Repository from the original Enhanced Auditing server to the new Enhanced Auditing server:

10.1. Copy the Snapshot Repository folders and files from the Snapshot Repository location on the original Enhanced Auditing server to the new Snapshot Repository location created on the new Enhanced Auditing server in step 8 above. If a network location was used for the Repository location in steps 3.4. and 9.4. above, skip this step.

10.2. Restart the Elasticsearch Service on the new Enhanced Auditing server.

11. Create a Snapshot Repository location on the new Enhanced Auditing server:

11.1. Edit the following PowerShell script as follows:

$username: Set this to the ElasticSearch username that was used on the new Enhanced Auditing server.
$upassword: Set this to the ElasticSearch username's password that was used on the new Enhanced Auditing server.
$serverfqdn: Set this to the FQDN of the new Enhanced Auditing server.
$settings: Set this to the Snapshot Repository folder in the ElasticSearch Repository as listed in the elasticsearch.yml file above. Note the drive letter has a double back slash but all folder(s) after the drive letter have a single back slash.

11.2. Execute the edited PowerShell script on the new Enhanced Auditing server. This will call ElasticSearch's REST API to prepare the Repository location (can be saved as NewEA_PrepareRepositoryLocation.ps1).

$username = "" # Set this to the ElasticSearch username that was used on the new Enhanced Auditing server
$upassword = "" # Set this to the ElasticSearch username's password that was used on the new Enhanced Auditing server
$serverfqdn = "" # Set this to the FQDN of the new Enhanced Auditing server
$Body =""
$settings = @{location = "\\\"} # Set this to the Snapshot Repository folder in the ElasticSearch Repository as listed in the elasticsearch.yml file
$data = @{
type = "fs"
settings = $settings
readonly = "true"
}
$Body = $data | ConvertTo-Json
$auth = $username + ':' + $upassword
$Encoded = [System.Text.Encoding]::UTF8.GetBytes($auth)
$authorizationInfo = [System.Convert]::ToBase64String($Encoded)
$headers = @{"Authorization"="Basic $($authorizationInfo)"}
$Params = @{
Method = "PUT"
Uri = 'https://'+ $serverfqdn+':9200/_snapshot/enhancedaudit_repository'
Body = $Body
Headers = $headers
}
Invoke-RestMethod @Params -ContentType 'application/json'

Example script:

$username = "elastic" # Set this to the ElasticSearch username that was used on the new Enhanced Auditing server
$upassword = "rpsrps" # Set this to the ElasticSearch username's password that was used on the new Enhanced Auditing server
$serverfqdn = "FLEX.evrpslab.com" # Set this to the FQDN of the new Enhanced Auditing server
$Body =""
$settings = @{location = "E:\\EA_Repository\AuditRepository"} # Set this to the Snapshot Repository folder in the ElasticSearch Repository as listed in the elasticsearch.yml file
$data = @{
type = "fs"
settings = $settings
readonly = "true"
}
$Body = $data | ConvertTo-Json
$auth = $username + ':' + $upassword
$Encoded = [System.Text.Encoding]::UTF8.GetBytes($auth)
$authorizationInfo = [System.Convert]::ToBase64String($Encoded)
$headers = @{"Authorization"="Basic $($authorizationInfo)"}
$Params = @{
Method = "PUT"
Uri = 'https://'+ $serverfqdn+':9200/_snapshot/enhancedaudit_repository'
Body = $Body
Headers = $headers
}
Invoke-RestMethod @Params -ContentType 'application/json'

11.3. A successful creation will list the following output:

acknowledged ------------ True

11.4. If the following errors are seen, please wait a few minutes and re-run the PowerShell script. The error indicates the Elasticsearch Service has not fully started.

11.4.1. Error 1:

Invoke-RestMethod : Unable to connect to the remote server At line:22 char:1 + Invoke-RestMethod @Params -ContentType 'application/json' + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : NotSpecified: (:) [Invoke-RestMethod], WebException + FullyQualifiedErrorId : System.Net.WebException,Microsoft.PowerShell.Commands.InvokeRestMethodCommand

11.4.2. Error 2:

Invoke-RestMethod : {"error":{"root_cause":[{"type":"security_exception","reason":"unable to authenticate user [elastic] for REST request [/_snapshot/enhancedaudit_repository]","header":{"WWW-Authenticate":["Basic realm=\"security\" charset=\"UTF-8\"","Bearer realm=\"security\"","ApiKey"]}}],"type":"security_exception","reason":"unable to authenticate user [elastic] for REST request [/_snapshot/enhancedaudit_repository]","header":{"WWW-Authenticate":["Basic realm=\"security\" charset=\"UTF-8\"","Bearer realm=\"security\"","ApiKey"]}},"status":401} At line:22 char:1 + Invoke-RestMethod @Params -ContentType 'application/json' + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-RestMethod], WebException + FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeRestMethodCommand

12. Verify the new Enhanced Auditing server can see the Snapshot in the ElasticSearch Repository folder:

12.1. Edit the following PowerShell script as follows:

12.2. Execute the edited PowerShell script on the new Enhanced Auditing server (can be saved as NewEA_VerifyRepositorySnapshot.ps1).

$username = "" # Set this to the ElasticSearch username that was used on the new Enhanced Auditing server
$upassword = "" # Set this to the ElasticSearch username's password that was used on the new Enhanced Auditing server
$serverfqdn = "" # Set this to the FQDN of the new Enhanced Auditing server
$auth = $username + ':' + $upassword
$Encoded = [System.Text.Encoding]::UTF8.GetBytes($auth)
$authorizationInfo = [System.Convert]::ToBase64String($Encoded)
$headers = @{"Authorization"="Basic $($authorizationInfo)"}
# Send a GET request including Basic authentication.
$Params = @{
Method = "GET"
Uri = 'https://'+ $serverfqdn+':9200/_snapshot/enhancedaudit_repository/*'
Headers = $headers
}
Invoke-RestMethod @Params

Example script:

$username = "elastic" # Set this to the ElasticSearch username that was used on the new Enhanced Auditing server
$upassword = "rpsrps" # Set this to the ElasticSearch username's password that was used on the new Enhanced Auditing server
$serverfqdn = "FLEX.evrpslab.com" # Set this to the FQDN of the new Enhanced Auditing server
$auth = $username + ':' + $upassword
$Encoded = [System.Text.Encoding]::UTF8.GetBytes($auth)
$authorizationInfo = [System.Convert]::ToBase64String($Encoded)
$headers = @{"Authorization"="Basic $($authorizationInfo)"}
# Send a GET request including Basic authentication.
$Params = @{
Method = "GET"
Uri = 'https://'+ $serverfqdn+':9200/_snapshot/enhancedaudit_repository/*'
Headers = $headers
}
Invoke-RestMethod @Params

12.3. It should return the Snapshot from the original Enhanced Auditing server. Compare the uuid value with that obtained in step 6.3 above to verify. Example output:

snapshots --------- {@{snapshot=auditsnapshot; uuid=70aoFbddRnuP_04qztnmCQ; repository=enhancedaudit_repository; version_id=7150099; version=7.15.0; indices=System.Object[]; da...

13. Restore the Snapshot on the new Enhanced Auditing server:

13.1. Edit the following PowerShell script as follows:

$username: Set this to the ElasticSearch username that was used on the new Enhanced Auditing server
$upassword: Set this to the ElasticSearch username's password that was used on the new Enhanced Auditing server.
$serverfqdn: Set this to the FQDN of the new Enhanced Auditing server.

13.2. Execute the edited PowerShell script on the new Enhanced Auditing server (can be saved as NewEA_RestoreRepositorySnapshot.ps1).

$username = "" # Set this to the ElasticSearch username that was used on the new Enhanced Auditing server
$upassword = "" # Set this to the ElasticSearch username's password that was used on the new Enhanced Auditing server
$serverfqdn = "" # Set this to the FQDN of the new Enhanced Auditing server
$data1 = @{
indices = "*"
include_global_state = "true"
}
$Body1 = $data1 | ConvertTo-Json
$auth = $username + ':' + $upassword
$Encoded = [System.Text.Encoding]::UTF8.GetBytes($auth)
$authorizationInfo = [System.Convert]::ToBase64String($Encoded)
$headers = @{"Authorization"="Basic $($authorizationInfo)"}
# Send a GET request including Basic authentication.
$Params = @{
Method = "POST"
Uri = 'https://'+ $serverfqdn+':9200/_snapshot/enhancedaudit_repository/auditsnapshot/_restore'
Body = $Body1
Headers = $headers
}
Invoke-RestMethod @Params -ContentType 'application/json'

Example script:

$username = "elastic" # Set this to the ElasticSearch username that was used on the new Enhanced Auditing server
$upassword = "rpsrps" # Set this to the ElasticSearch username's password that was used on the new Enhanced Auditing server
$serverfqdn = "FLEX.evrpslab.com" # Set this to the FQDN of the new Enhanced Auditing server
$data1 = @{
indices = "*"
include_global_state = "true"
}
$Body1 = $data1 | ConvertTo-Json
$auth = $username + ':' + $upassword
$Encoded = [System.Text.Encoding]::UTF8.GetBytes($auth)
$authorizationInfo = [System.Convert]::ToBase64String($Encoded)
$headers = @{"Authorization"="Basic $($authorizationInfo)"}
# Send a GET request including Basic authentication.
$Params = @{
Method = "POST"
Uri = 'https://'+ $serverfqdn+':9200/_snapshot/enhancedaudit_repository/auditsnapshot/_restore'
Body = $Body1
Headers = $headers
}
Invoke-RestMethod @Params -ContentType 'application/json'

13.3. A successful restore will list the following output:

accepted -------- True

14. Update the ElasticSearch admin on the new Enhanced Auditing server:

14.1. Determine the original Enhanced Auditing ElasticSearch admin user's username. This user can be determined by editing the following URL to list the Enhanced Auditing server's FQDN and browsing to the edited URL on the original Enhanced Auditing server:

https://:9200/_security/user

If prompted for credentials, enter the ElasticSearch's Elastic user's credentials. The ElasticSearch admin username should be in the format AuditServerConfigureAdminX where X will be an alphanumeric string. For example: AuditServerConfigureAdmin73f7569bc95b42f38d225630eaffb7f6

14.2. Repeat the above step on the new Enhanced Auditing server using the new Enhanced Auditing server's FQDN. If prompted for credentials, enter the ElasticSearch's Elastic user's credentials as entered in step 7 above. Compare the usernames to verify they are the same.

14.3. Edit the following PowerShell script as follows:

$username: Set this to the ElasticSearch username that was used on the new Enhanced Auditing server.
$upassword: Set this to the ElasticSearch username's password that was used on the new Enhanced Auditing server.
$auditusername: Set this to the ElasticSearch admin's username in the format AuditServerConfigureAdminX where X will be an alphanumeric string.
$serverfqdn: Set this to the FQDN of the new Enhanced Auditing server.

14.4. Execute the edited PowerShell script on the new Enhanced Auditing server (can be saved as NewEA_RemoveOldESAdmin.ps1).

$username = "" # Set this to the ElasticSearch username that was used on the new Enhanced Auditing server
$upassword = "" # Set this to the ElasticSearch username's password that was used on the new Enhanced Auditing server
$auditusername = "" # Set this to the ElasticSearch admin's username in the format AuditServerConfigureAdminX where X will be an alphanumeric string
$serverfqdn = "" # Set this to the FQDN of the new Enhanced Auditing server
$data2 = @{
indices = "*"
include_global_state = "true"
}
$Body2 = $data2 | ConvertTo-Json
echo "This is the body ---- $Body2 --------"
$auth = $username + ':' + $upassword
$Encoded = [System.Text.Encoding]::UTF8.GetBytes($auth)
$authorizationInfo = [System.Convert]::ToBase64String($Encoded)
$headers = @{"Authorization"="Basic $($authorizationInfo)"}
# Send a GET request including Basic authentication.
$Params = @{
Method = "DELETE"
Uri = 'https://'+ $serverfqdn+':9200/_security/user/' + $auditusername
# Body = $Body2
Headers = $headers
}
Invoke-RestMethod @Params -ContentType 'application/json'

Example script:

$username = "elastic" # Set this to the ElasticSearch username that was used on the new Enhanced Auditing server
$upassword = "rpsrps" # Set this to the ElasticSearch username's password that was used on the new Enhanced Auditing server
$auditusername = "AuditServerConfigureAdmin73f7569bc95b42f38d225630eaffb7f6" # Set this to the ElasticSearch admin's username in the format AuditServerConfigureAdminX where X will be an alphanumeric string
$serverfqdn = "FLEX.evrpslab.com" # Set this to the FQDN of the new Enhanced Auditing server
$data2 = @{
indices = "*"
include_global_state = "true"
}
$Body2 = $data2 | ConvertTo-Json
echo "This is the body ---- $Body2 --------"
$auth = $username + ':' + $upassword
$Encoded = [System.Text.Encoding]::UTF8.GetBytes($auth)
$authorizationInfo = [System.Convert]::ToBase64String($Encoded)
$headers = @{"Authorization"="Basic $($authorizationInfo)"}
# Send a GET request including Basic authentication.
$Params = @{
Method = "DELETE"
Uri = 'https://'+ $serverfqdn+':9200/_security/user/' + $auditusername
# Body = $Body2
Headers = $headers
}
Invoke-RestMethod @Params -ContentType 'application/json'

14.5. A successful update will list the following output:

found ----- True

15. Run the Enhanced Auditing installer in Repair mode:

15.1. Open Add/Remove Programs, or go to Start | Run | appwiz.cpl. Do NOT right-click on the Enhanced Auditing installer (.msi) and select the Repair option.

15.2. Select the Enhanced Auditing installation and then click Change.

15.2.1. Welcome window: Click Next.

15.2.2. Modify, Repair or Remove Installation: Click Repair.

15.2.3. Auditing Service Account Login: Enter the credentials and click Next.

15.2.4. Enter the ElasticSearch password and click Next.

15.2.5: Repair Veritas Enhanced Auditing: Click Repair.

15.2.6. Click Finish when done and reboot the new Enhanced Auditing server.

15.3. Verify a new Enhanced Auditing ElasticSearch admin user was created on the new Enhanced Auditing server. Edit the following URL to list the Enhanced Auditing server's FQDN and browse to the edited URL on the new Enhanced Auditing server:

https://:9200/_security/user

If prompted for credentials, enter the ElasticSearch's Elastic user's credentials as entered in step 7 above. The ElasticSearch admin username should be in the format AuditServerConfigureAdminX where X will be an alphanumeric string and should be different from the previous admin username. For example: AuditServerConfigureAdmind665e783d1404e74a78cf9f067c7a52b.

E - Point the Accelerator server to the new Enhanced Auditing server

16. Export the new Auditing server's certificate:

16.1. On the new Auditing server, go to Start | Run | C:\Windows\System32\mmc.exe.

16.3. Expand Certificates (Local Computer) | Trusted Root Certification Authorities | Certificates.

16.4. Find the certificate named VeritasAuditServer or AuditServer. Right-click the certificate | All Tasks | Export:

16.4.1. Click Next at the welcome window.

16.4.2. Export Private Key: Select the option to export the private key, then click Next.

16.4.3. File Format Export: Select the option to Export all extended properties. Do NOT select the option to Delete the primary key if the export is successful, then click Next.

16.4.4. Security: Select the Password option and specify a password (it does not have to be the same as the ElasticSearch password). Click the Encryption drop-down and select AES256-SHA256, then click Next.

16.4.5. File to Export: Browse to a location and specify the filename as listed for the certificate name. Can use the same name as the current certificate (VeritasAuditServer or AuditServer).
Specify the Save as type as Personal Information Exchange (*.pfx). Then click Save and Next.

16.4.6. Review the information and click Finish. Then click OK at the The export was successful prompt.

17. Install the new Auditing server's certificate on the Accelerator server:

17.1. Copy the exported certificate from the new Enhanced Auditing server to a location on the Accelerator server:

17.2. On the Accelerator server, go to Start | Run | C:\Windows\System32\mmc.exe.

17.4. Expand Certificates (Local Computer) | Trusted Root Certification Authorities | Certificates.

17.5. Right-click Certificates | All Tasks | Import:

17.5.1. Click Next at the welcome window.

17.5.2. File to Import: Browse to the location on the Accelerator server to where the new Enhanced Auditing server's exported certificate was copied. Change the type drop-down to Personal Information Exchange (*.pfx, *.p12) or to All Files (*.*). Select the certificate, then click Open and Next.

17.5.3. Private Key Protection: Enter the password that was added in step 16.4.4 above, then click Next.

17.5.4. Certificate Store: Select the option to Place all certificates in the following store, select the Trusted Root Certification Authorities, then click Next.

17.5.5. Review the information and click Finish. Then click OK at the The import was successful prompt.

18. Update Auditing on the Accelerator server to point to the new Enhanced Auditing server:

18.1. Connect to the Accelerator Customer.

18.2. Go to Configuration | Settings | Auditing.

18.3. Edit the Audit Server URL to point to the Audit Server URL as provided in step 7.6 above. This is in the format https://:448.

18.4. Save the change and acknowledge the prompt:

The following must be restarted for the configuration change to take effect: Remoting Customer Background Tasks

18.5. Repeat steps 18.1 through 18.4 for all Accelerator Customers on the Accelerator server where Enhanced Auditing is configured.

18.6. Stop the Enterprise Vault Accelerator Manager Service (EVAMS).

18.7. Restart the IIS Admin Service.

18.8. Start the EVAMS.

18.9. Restart the Customer's Background Task (CBT) for each Accelerator Customer where Enhanced Auditing was configured in EVBAAdmin (http://localhost/evbaadmin) on the Accelerator server. If the CBTs are not restarted, the Configuration | Audit Settings page may display a blue banner with: The audit feature is not configured yet. Audit-specific settings will be available after the feature is configured. For each Customer where Enhanced Auditing was configured:

18.9.1. Right-click the Accelerator Customer | Properties | De-select Enable Customer's tasks | click OK.

18.9.2. Click on the Customer and monitor the Current Status pane until Customers tasks shows Stopped.

18.9.3. Then right-click the Accelerator Customer | Properties | Select Enable Customer's tasks | click OK.

18.9.4. Click on the Customer and monitor the Current Status pane until Customers tasks shows Running.

19. Login to the Auditing Web UI at https://:81 and verify the previous Auditing records are available.

F - Uninstall Enhanced Auditing/ElasticSearch from the original Enhanced Auditing server if needed

20. If needed, Enhanced Auditing and ElasticSearch can be removed from the original Enhanced Auditing server via these steps:

20.1. Open Add/Remove Programs on the original Enhanced Auditing server , or go to Start | Run | appwiz.cpl.

20.2. Select the Enhanced Auditing installation and then click Uninstall. Follow the prompts through completion.

20.3. Open IIS Manager on the original Enhanced Auditing server and verify the AuditingServer website and AuditingServer Application Pool have been removed. If not, right-click the website and remove it, then right-click the Application Pool and remove it.

20.4. Open an administrative/elevated command prompt on the original Enhanced Auditing server: click Start, right-click Command Prompt, and then click Run as administrator. Navigate to the ElasticSearch's \bin folder, typically at \Program Files\Elastic\elasticsearch-X-windows-x86_64\elasticsearch-X\bin. Then execute the following command: elasticsearch-service.bat remove

20.5. On the original Enhanced Auditing server, delete or rename any Enhanced Auditing installation folders (typically \Program Files\Veritas Enhanced Auditing), ElasticSearch installation folders (typically \Program Files\Elastic), AuditHoldingFolder folders (typically \AuditHoldingFolder).

20.6. Open the Registry editor (regedit.exe) on the original Enhanced Auditing server while logged on with an account that has local administrator privileges. Rename or delete the Registry Key HKEY_LOCAL_MACHINE\SOFTWARE\Veritas\VEA. Can also rename or delete the Key HKEY_LOCAL_MACHINE\SOFTWARE\Veritas if the only entry in the Key is the VEA Key.

20.7. Remove the certificates:

20.7.1. On the original Enhanced Auditing server, go to Start | Run | %windir%\system32\mmc.exe.

20.7.3. Expand Certificates (Local Computer) | Trusted Root Certification Authorities | Certificates.

20.7.4. Remove the genelastic1, Elastic Certificate Tool Autogenerated CA and VeritasAuditServer certificates from Trusted Root Certification Authorities/Certificates.

20.7.5. On the original Enhanced Auditing server, go to Start | Run | %windir%\system32\inetsrv\InetMgr.exe.

20.7.6. Click on the server, then double-click on Server Certificates in the Features View.

20.7.7. Select and Remove the AuditAppCert.pfx certificate.

20.8. Reboot the original Enhanced Auditing server.

Issue/Introduction

How to move Accelerator Enhanced Auditing to a new server

Was this article helpful?

thumb_up Yes

thumb_down No

Welcome to "KB Articles"