How to uninstall and reinstall Enhanced Auditing on the same server

Article: 100071620
Last Published: 2025-02-10
Product(s): Enterprise Vault

Description

 

There may be a need to uninstall and reinstall Enhanced Auditing on a Compliance Accelerator (CA) / Veritas Advanced Surveillance (VAS) or Discovery Accelerator (DA) server if there was an issue or error with the initial installation. Enhanced Auditing consists of two components: Enhanced Auditing and ElasticSearch. The following steps will uninstall and reinstall both components.

Important Note: The steps below presume the ElasticSearch index information will NOT be retained. In other words, any existing Auditing information will no longer be available. If Enhanced Auditing was never fully configured or used, this should not be a concern.

The log excerpts, information and/or screenshot(s) below were taken from a non-production test lab environment and are used for example purposes only.


A - Prerequisites

1. Verify that the username and password of the user specified during the Enhanced Auditing installation on the original Enhanced Auditing server are available. To determine this user, edit the following URL to contain the original Enhanced Auditing server's FQDN and browse to the edited URL:

https://<Enhanced_Auditing_server_FQDN>:9200/_security/user

The user should be listed in the first entry starting with {"elastic":.

2. If Enhanced Auditing was configured in one or more Customers, disable it as follows:

2.1. Connect to the Customer with the Client and navigate to Configuration | Settings | Auditing.

2.2. Clear the Audit Server URL entry and disable the Enable Auditing option, then save the changes and acknowledge any prompts to restart Remoting and the Customer's Background Tasks.

2.3. Repeat to disable Enhanced Auditing for each Customer where Enhanced Auditing was configured.

2.4. From the Services management console:

2.4.1. Stop the Enterprise Vault Accelerator Manager Service.

2.4.2. Restart the IIS Admin Service.

2.4.3. Start the Enterprise Vault Accelerator Manager Service.

2.5. Restart the Customer's Background Tasks:

2.5.1. Open the EVBAAdmin administration website.

2.5.2. Expand the Accelerator server | Right-click the Accelerator Customer | Properties | De-select Enable Customer's tasks | OK. Click on the Customer and monitor the Current Status pane until Customers tasks shows Stopped.

2.5.3. Right-click the Accelerator Customer | Properties | Select Enable Customer's tasks | OK. Click on the Customer and monitor the Current Status pane until Customers tasks shows Running.

2.5.4. Repeat to restart the Customer's Background Tasks for each Customer where Enhanced Auditing was configured.


B - Uninstall Enhanced Auditing/ElasticSearch from the Enhanced Auditing server

3. Uninstall Enhanced Auditing and ElasticSearch:

3.1. Open Add/Remove Programs on the Enhanced Auditing server, or go to Start | Run | appwiz.cpl.

3.2. Select the Enhanced Auditing installation and then click Uninstall. Follow the prompts through completion.

3.3. Open IIS Manager and verify the AuditingServer website and AuditingServer Application Pool have been removed. If not, right-click the website and remove it, then right-click the Application Pool and remove it.

3.4. Open an administrative/elevated command prompt: click Start, right-click Command Prompt, and then click Run as administrator. Navigate to the ElasticSearch \bin folder, typically at <drive:>\Program Files\Elastic\elasticsearch-X-windows-x86_64\elasticsearch-X\bin. Then execute the following command:

elasticsearch-service.bat remove

3.5. Delete or rename any Enhanced Auditing installation folders (typically <drive:>\Program Files\Veritas Enhanced Auditing), ElasticSearch installation folders (typically <drive:>\Program Files\Elastic), and AuditHoldingFolder folders (typically <drive:>\AuditHoldingFolder).

3.6. Open the Registry editor (regedit.exe) while logged on with an account that has local administrator privileges. Rename or delete the Registry Key HKEY_LOCAL_MACHINE\SOFTWARE\Veritas\VEA. You can also rename or delete the Key HKEY_LOCAL_MACHINE\SOFTWARE\Veritas if the only entry in that Key is the VEA Key.

4. Remove the certificates:

4.1. Go to Start | Run | %windir%\system32\mmc.exe.

4.2. Go to File | Add/Remove Snap-in | Certificates | Add | Computer Account | Next | Finish | OK.

4.3. Expand Certificates (Local Computer) | Trusted Root Certification Authorities | Certificates.

4.4. Remove the genelastic1, Elastic Certificate Tool Autogenerated CA and VeritasAuditServer<servername> certificates from Trusted Root Certification Authorities/Certificates and from Personal/Certificates.

4.5. Go to Start | Run | %windir%\system32\inetsrv\InetMgr.exe.

4.6. Click on the server, then double-click on Server Certificates in the Features View.

4.7. Select and Remove the AuditAppCert.pfx certificate.

5. Reboot the server.
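
The following read-only PowerShell check is an added example, not part of the original article or of the product. Run after the reboot, it reports anything from steps 3.3 through 4.7 that is still present. It assumes the ElasticSearch service name contains "elasticsearch" and that the certificates carry the names from steps 4.4 and 4.7 in their Subject or FriendlyName.

```powershell
# Added example: report Enhanced Auditing / ElasticSearch remnants left after section B.
# Read-only; it changes nothing. Run from an elevated PowerShell prompt.
# Assumptions (not from the article): the ElasticSearch service name contains
# "elasticsearch", and the certificates carry the article's names in their
# Subject or FriendlyName.

$findings = New-Object System.Collections.Generic.List[string]

# Step 3.3: IIS website and application pool (skipped if the IIS module is absent)
if (Get-Module -ListAvailable -Name WebAdministration) {
    Import-Module WebAdministration
    foreach ($container in 'IIS:\Sites', 'IIS:\AppPools') {
        Get-ChildItem $container | Where-Object { $_.Name -eq 'AuditingServer' } |
            ForEach-Object { $findings.Add("IIS: $container\$($_.Name)") }
    }
}

# Step 3.4: ElasticSearch Windows service (wildcard match, see assumptions)
Get-Service -Name '*elasticsearch*' -ErrorAction SilentlyContinue |
    ForEach-Object { $findings.Add("Service: $($_.Name) ($($_.Status))") }

# Step 3.5: the typical folder locations, checked on every file-system drive
$folders = 'Program Files\Veritas Enhanced Auditing', 'Program Files\Elastic', 'AuditHoldingFolder'
foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    foreach ($folder in $folders) {
        $path = Join-Path $drive.Root $folder
        if (Test-Path -LiteralPath $path) { $findings.Add("Folder: $path") }
    }
}

# Step 3.6: registry key
if (Test-Path 'HKLM:\SOFTWARE\Veritas\VEA') { $findings.Add('Registry: HKLM:\SOFTWARE\Veritas\VEA') }

# Steps 4.4 and 4.7: certificates in Trusted Root and Personal
$patterns = '*genelastic1*', '*Elastic Certificate Tool Autogenerated CA*', '*VeritasAuditServer*', '*AuditAppCert*'
foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\My') {
    foreach ($cert in Get-ChildItem $store) {
        foreach ($p in $patterns) {
            if ($cert.Subject -like $p -or $cert.FriendlyName -like $p) {
                $findings.Add("Certificate: $store  $($cert.Subject)  $($cert.Thumbprint)")
                break   # one finding per certificate
            }
        }
    }
}

if ($findings.Count) { $findings } else { 'No Enhanced Auditing remnants found.' }
```

Folders that were renamed rather than deleted in step 3.5 are not reported, because the check looks only for the original names.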


C - Clear the tables of any existing Enhanced Auditing information if present

6. If Enhanced Auditing was previously configured, clear the configuration information from the Customer database as follows:

6.1. Connect to SQL Server Management Studio (SSMS) using an account with rights to run queries against the databases.

6.2. Execute the following query against the applicable Customer database:

DELETE FROM tblTenantAuditServerConfiguration;
DELETE FROM tblAuditServerConfiguration;

6.3. Repeat the query execution against each Customer database where Enhanced Auditing was configured.


D - Reinstall Enhanced Auditing

7. Reinstall Enhanced Auditing on the server:

7.1. Log in to the server as the Vault Service Account (VSA) to simplify the process. Verify that the VSA is a Local Administrator.

7.2. Verify the Enhanced Auditing Prerequisites are installed on the Enhanced Auditing server. Please see the Prerequisites for the Enhanced Auditing feature section in the applicable Accelerator Installation Guide for the specifics. Restart the new Enhanced Auditing server after all prerequisites have been installed, even if there are no prompts to restart.

7.3. Follow the Installing the Enhanced Auditing feature section in the applicable Accelerator Installation Guide for the steps to install Enhanced Auditing and configure Enhanced Auditing.

7.3.1. When prompted to set the ElasticSearch password, you can set the same password as used on the original Enhanced Auditing server or provide a new one. If providing a new one, be sure to note the new password for safekeeping.

7.3.2. Note the installation may take an extended amount of time. The progress bar will appear to pause at just over the halfway mark. This is normal.

7.3.3. When the installation completes, at the Complete screen, make a note of the Audit Server URL. This is in the format https://<Enhanced_Auditing_server_hostname>:448. This will be required in the steps below to reconfigure the Accelerator Enhanced Auditing. Then reboot the new Enhanced Auditing server.

8. Configure the Accelerator Customer:

8.1. Connect to the Accelerator Customer.

8.2. Go to Configuration | Settings | Auditing.

8.3. Edit the Audit Server URL to point to the Audit Server URL as provided in step 7.3.3 above. This is in the format https://<New_Enhanced_Auditing_server_hostname>:448.

8.4. Save the change and acknowledge the prompt:

The following must be restarted for the configuration change to take effect:
Remoting
Customer Background Tasks

8.5. Repeat steps 8.1 through 8.4 for all Accelerator Customers on the Accelerator server where Enhanced Auditing is configured.

8.6. Stop the Enterprise Vault Accelerator Manager Service (EVAMS).

8.7. Restart the IIS Admin Service.

8.8. Start the EVAMS.

8.9. Restart the Customer's Background Task (CBT) for each Accelerator Customer where Enhanced Auditing was configured in EVBAAdmin (http://localhost/evbaadmin) on the Accelerator server. If the CBTs are not restarted, the Configuration | Audit Settings page may display a blue banner with: The audit feature is not configured yet. Audit-specific settings will be available after the feature is configured. For each Customer where Enhanced Auditing was configured:

8.9.1. Right-click the Accelerator Customer | Properties | De-select Enable Customer's tasks | click OK.

8.9.2. Click on the Customer and monitor the Current Status pane until Customers tasks shows Stopped.

8.9.3. Then right-click the Accelerator Customer | Properties | Select Enable Customer's tasks | click OK.

8.9.4. Click on the Customer and monitor the Current Status pane until Customers tasks shows Running.

 
