diff --git a/TheHive4/Administration/Backup_Restore.md b/TheHive4/Administration/Backup_Restore.md index 523c666..eaf6fd7 100644 --- a/TheHive4/Administration/Backup_Restore.md +++ b/TheHive4/Administration/Backup_Restore.md @@ -11,7 +11,7 @@ - Before taking snapshots ``` -nodetool cleanup cycling +nodetool cleanup thehive ``` - Take a snapshot @@ -24,4 +24,28 @@ nodetool -h localhost -p 7199 snapshot thehive nodetool -h localhost -p 7199 clearsnapshot -t ``` +- Restore snapshot +The default folder structure under thehive keyspace looks as follows: +``` +drwxr-xr-x 4 cassandra cassandra 4096 Mar 16 01:57 edgestore-UUID +drwxr-xr-x 4 cassandra cassandra 4096 Mar 16 01:57 edgestore_lock_-UUID +drwxr-xr-x 4 cassandra cassandra 4096 Mar 16 01:57 graphindex-UUID +drwxr-xr-x 4 cassandra cassandra 4096 Mar 16 01:57 graphindex_lock_-UUID +drwxr-xr-x 4 cassandra cassandra 4096 Mar 16 01:57 janusgraph_ids-UUID +drwxr-xr-x 4 cassandra cassandra 4096 Mar 16 01:57 system_properties-UUID +drwxr-xr-x 4 cassandra cassandra 4096 Mar 16 01:57 system_properties_lock_-UUID +drwxr-xr-x 4 cassandra cassandra 4096 Mar 16 01:57 systemlog-UUID +drwxr-xr-x 4 cassandra cassandra 4096 Mar 16 01:57 txlog-UUID +``` + +``` +cp /var/lib/cassandra/data/thehive//snapshots/ /var/lib/cassandra/data/thehive// # Copy all snapshot files into the individual folders; copy the directory as-is into the table_name-UUID folder. +nodetool -h localhost -p 7199 refresh -- thehive txlog +nodetool -h localhost -p 7199 refresh -- thehive systemlog +nodetool -h localhost -p 7199 refresh -- thehive system_properties +nodetool -h localhost -p 7199 refresh -- thehive edgestore +nodetool -h localhost -p 7199 refresh -- thehive graphindex +chown -R cassandra.root /var/lib/cassandra/ # Depending on where/how the backups are copied, chown helps fix any permissioning issues +``` + diff --git a/TheHive4/Administration/Migration.md b/TheHive4/Administration/Migration.md index 0a8add3..5b72cd8 100644 
--- a/TheHive4/Administration/Migration.md +++ b/TheHive4/Administration/Migration.md @@ -25,12 +25,45 @@ The default domain used to import existing users in, is configured in TheHive4 c auth.defaultUserDomain: "mydomain.com" ``` +In addition, update the authentication information as well. For instance, if a key is being used the authentication configuration block would be as follows: +```yaml +auth { + providers: [ +// {name: session} # required ! +// {name: basic, realm: thehive} +// {name: local} + {name: "bearer ***APIKEY***"} + ] +# The format of logins must be valid email address format. If the provided login doesn't contain `@` the following +# domain is automatically appended + defaultUserDomain: "example.com" +} +``` + This domain will be appended to user accounts from TheHive 3.4.x. +Prior to running the `migrate` tool, connectivity can be tested by using +```bash +$curl http://ELASTICSEARCH_IP_ADDRESS:9200 +{ + "name" : "R2-U361", + "cluster_name" : "elasticsearch", + "cluster_uuid" : "***UUID***", + "version" : { + "number" : "5.6.16", + "build_hash" : "3a740d1", + "build_date" : "2019-03-13T15:33:36.565Z", + "build_snapshot" : false, + "lucene_version" : "6.6.1" + }, + "tagline" : "You Know, for Search" +} +``` + Once TheHive4 configuration file (`/etc/thehive/application.conf`) is correctly filled you can run migration tool: ```bash -/opt/thehive/bin/migration \ +/opt/thehive/bin/migrate \ --output /etc/thehive/application.conf \ --main-organisation myOrganisation \ --es-uri http://ELASTICSEARCH_IP_ADDRESS:9200 
@@ -38,11 +71,11 @@ Once TheHive4 configuration file (`/etc/thehive/application.conf`) is correctly The *Organisation* named *myOrganisation* is created by the migration tool and Users, Cases and Alerts from TheHive3 are created under that organisation. -More parameters are available, run `/opt/thehive/bin/migration --help` for a summary. +More parameters are available, run `/opt/thehive/bin/migrate --help` for a summary. --- ⚠️ **Note** The migration process can be very long, from several hours to several days, depending on the volume of data to migrate. TheHive4 can be started and used during migration. More recent data are migrated first. ---- \ No newline at end of file +--- diff --git a/TheHive4/Installation/Install_deb.md b/TheHive4/Installation/Install_deb.md index 1b67742..92da04d 100644 --- a/TheHive4/Installation/Install_deb.md +++ b/TheHive4/Installation/Install_deb.md @@ -68,7 +68,7 @@ By default, data is stored in `/var/lib/cassandra`. ### Configuration -Start by changing the `cluster_name` with `thp`. Run the command `sqlsh`: +Start by changing the `cluster_name` with `thp`. Run the command `cqlsh`: ```bash UPDATE system.local SET cluster_name = 'thp' where key='local'; @@ -168,7 +168,7 @@ ln -s hadoop-3.1.3 hadoop - Create a user and update permissions ```bash -useradd hadoop +useradd -m -s /bin/bash hadoop chown hadoop:root -R /opt/hadoop* ``` diff --git a/api/README.md b/api/README.md index d8949b1..b96474a 100644 --- a/api/README.md +++ b/api/README.md @@ -12,3 +12,6 @@ TheHive exposes REST APIs through JSON over HTTP. - [Log](log.md) - [User](user.md) - [Connectors](connectors) + +Caveats: +- Not all information is output using the API. In order to get information about more cases/alerts, please use *?range=a-b* in the URL (e.g. curl -XGET -H 'Authorization: Bearer KEY' -H 'Content-Type: application/json' http://domain:9000/api/case?range=0-200), where a and b specify the range.
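Review bot: in Backup_Restore.md @@ -11,7 the keyspace fix (`nodetool cleanup thehive`) is right, but the step is introduced only as "Before taking snapshots" with no explanation; `nodetool cleanup` rewrites SSTables to drop data the node no longer owns after a topology change, so the text should say it is only needed after adding/removing nodes and that it is a long, I/O-heavy operation, otherwise readers will run it before every backup.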
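Review bot: the restore sequence in Backup_Restore.md @@ -24,4 refreshes only five tables (`txlog`, `systemlog`, `system_properties`, `edgestore`, `graphindex`) while the directory listing just above shows nine; `janusgraph_ids` and the three `_lock_` tables (`edgestore_lock_`, `graphindex_lock_`, `system_properties_lock_`) are never refreshed, so restored SSTables for them would not be picked up. Two smaller issues on the same block: the `cp` line has empty path segments (`/var/lib/cassandra/data/thehive//snapshots/`), so the table-directory and snapshot-name placeholders were lost and should be spelled out explicitly (the comment describes them, the command does not), and copying a snapshot directory needs `cp -r`; and `chown -R cassandra.root` uses the deprecated dot separator, prefer `chown -R cassandra:root`. The text should also state that the keyspace schema must already exist and the tables should be empty (or truncated) before `refresh`, otherwise old and restored data are merged.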
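Review bot: in the new `auth` block in Migration.md @@ -25,12 the line `// {name: session} # required !` is commented out while its own comment says the provider is required, which will confuse anyone copying the block; either uncomment it or drop the remark. The entry `{name: "bearer ***APIKEY***"}` reads like an `Authorization` header value placed where a provider name is expected, and the `***APIKEY***` placeholder is never explained; state which provider to enable and where the key itself is supplied. In the connectivity test, `$curl` fuses the shell prompt to the command and will fail if pasted; write `$ curl` or drop the prompt, and mention that this only proves Elasticsearch is reachable, not that the TheHive 3 index is present.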
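Review bot: in Install_deb.md @@ -68,7 the `sqlsh` -> `cqlsh` correction is right, but the following block is fenced as `bash` while it contains a CQL statement (`UPDATE system.local SET cluster_name = 'thp' where key='local';`); tag it `sql` or state that it is typed at the `cqlsh>` prompt so readers do not paste it into a shell. While touching the sentence, "changing the `cluster_name` with `thp`" should read "to `thp`".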
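Review bot: in Install_deb.md @@ -168,7 `useradd -m -s /bin/bash hadoop` gives the service account a home directory and an interactive login shell, which is broader than a service user normally needs; if Hadoop's start scripts require a shell for `su`/`ssh` into the account, say so in the text, otherwise suggest `-s /usr/sbin/nologin` (the Debian path) as the tighter default, and note that `-m` is what makes the later `chown hadoop:root -R /opt/hadoop*` sufficient without extra home-directory handling.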
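Review bot: the caveat added in api/README.md @@ -12,3 is vague ("Not all information is output using the API"); it should say plainly that list endpoints return a limited page of results by default and that `?range=a-b` selects which items to return. The inline `curl` command should be in backticks rather than wrapped in parentheses and `*...*` emphasis (the `*?range=a-b*` markup renders as italics), and the `-H 'Content-Type: application/json'` header is unnecessary on a GET with no body. Since the example shows `Authorization: Bearer KEY`, the text should call the key a placeholder so readers do not commit a real one into shell history or scripts.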