You can only migrate to TheHive 4.0.x. After that, an update to TheHive 4.1.x will be possible.
20
-
21
-
Technically, many reasons explain this limitation:
22
-
23
-
- A new database format has been introduced with TheHive 3.4.0,
24
-
- Elasticsearch 6.x came with changes in data structure (mostly related to the definition of document relations)
25
-
26
-
So, if you want to migrate your data from TheHive 3 to TheHive 4.0, you are invited to update your current instance to TheHive 3.4.0+ before.
27
-
28
-
=== "Using TheHive 3.5.x"
29
-
You can only process to the migration to TheHive 4.1.x.
30
-
31
-
32
-
=== "Using older versions"
33
-
You need to update your database at least to TheHive 3.4.0.
34
14
35
15
## How it works
36
16
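Review bot: the lines removed at old 20-33 carry the only statement in this hunk of the minimum source version ("update your current instance to TheHive 3.4.0+ before", "You need to update your database at least to TheHive 3.4.0"), and nothing is added in their place. If that prerequisite still applies, keep it as a single sentence above `## How it works` so a reader on an older TheHive 3 release learns about it before starting the tool, rather than dropping it together with the 4.0.x-specific tabs.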
@@ -42,8 +22,8 @@ In order to migrate the data:
42
22
43
23
- TheHive 4 **must** be installed on the system running the migration tool;
44
24
45
-
- TheHive4 **must** be configured ; in particular **database** and **file storage** ;
46
-
- The service `thehive`**must be stopped** (`service thehive stop`) .
25
+
- TheHive4 **must** be configured ; in particular **database**, **index**, and **file storage** ;
26
+
- The service `thehive`**must be stopped** (`service thehive stop`) on the target server.
47
27
48
28
This tools **must** also have access to Elasticsearch database (http://ES:9200) used by TheHive 3, and the configuration file of TheHive 3.x instance.
49
29
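Review bot: new line 26 still has no space between `thehive` and `**must be stopped**`, so the inline code and the bold text run together when rendered; new line 25 also keeps the space before each `;` and writes `TheHive4` where the context line above uses `TheHive 4`. Since both lines are being rewritten, clean these up here. The context line at 28 ("This tools **must** also have access") has the same kind of slip and could be fixed in the same pass ("This tool").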
@@ -52,7 +32,7 @@ This tools **must** also have access to Elasticsearch database (http://ES:9200)
52
32
!!! Warning
53
33
In TheHive4, users are identified by their email addresses. Thus, a domain will be appended to usernames in order to migrate users from TheHive 3.
54
34
55
-
TheHive 4.0 comes with a default domain named `thehive.local`. Starting the migration without explicitely specifying a domain name will result in migrating all users with a username formatted like `[email protected]`.
35
+
TheHive 4.x comes with a default domain named `thehive.local`. Starting the migration without explicitely specifying a domain name will result in migrating all users with a username formatted like `[email protected]`.
56
36
57
37
Change the default domain name used to import existing users in the configuration file of TheHive4 (`/etc/thehive/application.conf`) ; add or update the setting named `auth.defaultUserDomain`:
58
38
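Review bot: new line 35 only changes `4.0` to `4.x` and carries over the misspelling "explicitely"; correct it to "explicitly" while the line is touched. The warning also describes a silent fallback: every migrated account receives a login under `thehive.local` unless `auth.defaultUserDomain` is set first. Consider wording the paragraph at line 37 as a required step before running the migration rather than as an optional change.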
@@ -67,29 +47,44 @@ This tools **must** also have access to Elasticsearch database (http://ES:9200)
67
47
68
48
Prepare, install and configure your new instance of TheHive 4.x by following [the associated guides](../installation-and-configuration/index.md).
69
49
70
-
Once TheHive4 configuration file (`/etc/thehive/application.conf`) is correctly filled you can run migration tool.
50
+
Once TheHive4 configuration file (`/etc/thehive/application.conf`) is correctly filled the `migrate` command ca be executed.
51
+
52
+
!!! Info
53
+
This recommended to run this program as the user in charge of running TheHive service ( `thehive` if you are installing the application with DEB or RPM package)
54
+
71
55
72
56
The program comes with a large set of options:
73
57
74
58
```
75
59
# /opt/thehive/bin/migrate --help
76
-
TheHive migration tool 4.0.4-1
60
+
TheHive migration tool 4.1.17-1
77
61
Usage: migrate [options]
78
62
79
63
-v, --version
80
64
-h, --help
65
+
-l, --logger-config <file>
66
+
logback configuration file
81
67
-c, --config <file> global configuration file
82
68
-i, --input <file> TheHive3 configuration file
83
69
-o, --output <file> TheHive4 configuration file
84
70
-d, --drop-database Drop TheHive4 database before migration
71
+
-r, --resume Resume migration (or migrate on existing database)
85
72
-m, --main-organisation <organisation>
86
73
-u, --es-uri http://ip1:port,ip2:port
87
74
TheHive3 ElasticSearch URI
88
-
-i, --es-index <index> TheHive3 ElasticSearch index name
75
+
-e, --es-index <index> TheHive3 ElasticSearch index name
76
+
-x, --es-index-version <index>
77
+
TheHive3 ElasticSearch index name version number (default: autodetect)
89
78
-a, --es-keepalive <duration>
90
79
TheHive3 ElasticSearch keepalive
91
80
-p, --es-pagesize <value>
92
81
TheHive3 ElasticSearch page size
82
+
-s, --es-single-type <bool>
83
+
Elasticsearch single type
84
+
-y, --transaction-pagesize <value>
85
+
page size for each transaction
86
+
-t, --thread-count <value>
87
+
number of threads
93
88
--max-case-age <duration>
94
89
migrate only cases whose age is less than <duration>
95
90
--min-case-age <duration>
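Review bot: the prose added at new lines 50 and 53 has two typos, "the `migrate` command ca be executed" and "This recommended to run this program", which should read "can be executed" and "It is recommended to run". The Info block would also be more useful if it said in one clause why the service user is preferred. In the help output, new line 76 shows `--es-index-version <index>` although its description is a version number; if that is what the tool prints, keep the docs verbatim and fix the placeholder in the tool instead. Replacing the second `-i` with `-e` for `--es-index` removes the clash with `-i, --input`, which is a good fix.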
@@ -133,6 +128,8 @@ Usage: migrate [options]
133
128
migration only audits with this objectType (case, case_artifact, case_task, ...)
134
129
--exclude-audit-objectTypes <value>
135
130
don't migration audits with this objectType (case, case_artifact, case_task, ...)
131
+
--case-number-shift <value>
132
+
transpose case number by adding this value
136
133
Accepted date formats are "yyyyMMdd[HH[mm[ss]]]" and "MMdd"
137
134
The Format for duration is: <length> <unit>.
138
135
Accepted units are:
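Review bot: `--case-number-shift` at new lines 131-132 is documented only by the help string "transpose case number by adding this value", and no added prose in this patch says when it is needed. Add a row for it to the options table that already describes `--es-index`, stating the intended use and how it interacts with `--resume` on a database that already contains cases. The neighbouring context line "don't migration audits" is a typo in the quoted help text and should be corrected at its source if the tool really prints it.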
@@ -170,8 +167,40 @@ with:
170
167
|`--es-index`| specifies the index used in Elasticsearch. |
171
168
172
169
170
+
!!! Example
173
171
174
-
!!! Warning
172
+
=== "TheHive 3.4.x + Elasticsearch 6.x "
173
+
174
+
When migrating, start a new database, create an organisation named `StrangeBee`, add all users in this organisation, and **do not keep** audit trails older than 90d.
175
+
176
+
!!! Warning "Requirements"
177
+
The option `--es-single-type true` is **mandatory** to migrate data from Elasticsearch 6.x
178
+
179
+
```bash
180
+
/opt/thehive/bin/migrate \
181
+
--drop-database \
182
+
--input /etc/thehive/thehive3.conf \
183
+
--output /etc/thehive/application.conf \
184
+
--main-organisation StrangeBee \
185
+
--max-audit-age 90d \
186
+
--es-single-type true
187
+
```
188
+
189
+
=== "TheHive 3.5.x + Elasticsearch 7.x"
190
+
191
+
When migrating, start a new database, create an organisation named `StrangeBee`, add all users in this organisation, and **do not keep** alert trails created before the March, 25th of 2019.
192
+
193
+
```bash
194
+
/opt/thehive/bin/migrate \
195
+
--drop-database \
196
+
--input /etc/thehive/thehive3.conf \
197
+
--output /etc/thehive/application.conf \
198
+
--main-organisation StrangeBee \
199
+
--alert-from-date 20190325
200
+
```
201
+
202
+
203
+
!!! Info
175
204
The migration process can be very long, from several hours to several days, depending on the volume of data to migrate. We **highly** recommand to not start the application during the migration.
176
205
177
206
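Review bot: both new examples (lines 180-186 and 194-199) pass `--drop-database`, which the help text above describes as "Drop TheHive4 database before migration", yet the surrounding prose only says "start a new database". Add a sentence or a Warning admonition stating that this erases any existing TheHive 4 data on the target, and point readers with an existing database to `--resume`. In the 3.5.x tab the text says "alert trails" while the command uses `--alert-from-date 20190325`; "alerts created before March 25th, 2019" would match the option. The block changed from Warning to Info at line 203 still reads "recommand".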
@@ -188,14 +217,11 @@ GRANT CREATE on ALL KEYSPACES to username;
188
217
189
218
The migration tool generates some logs during the process. By default, every 10 sec. a log is generated with information regarding the situation of the migration:
Numbers of Observables, Cases and others are estimations and not a definite value as computing these number can be very tedious.
197
-
198
-
224
+
Numbers of Observables, Cases and others are estimations and not a definite value as computing these number can be very tedious.
199
225
200
226
!!! Info "Files from MISP imported with TheHive 2.13 and earlier"
201
227
It is important to notice that migrating Cases/Alerts containing MISP event that were imported with TheHive 2.13 (_Sept 2017_) or older, will cause observable files not being imported in TheHive 4.
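Review bot: new line 224 re-adds the sentence unchanged, including "computing these number"; since the line is touched, correct it to "these numbers" and consider "estimates, not definitive values". The context line at 227 could also be tightened to "will cause observable files not to be imported".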