By Adrian | August 16, 2020
Well its been a few months since I have written anything on my blog. Its not that I’ve been lazy, well OK its because I’ve been a little lazy and that I have been chasing squirrels and playing around with Home-Assistant and other various pieces since being in lockdown. I have also lacked the motivation to get something down in writing. Anyway, on with what I wanted to write about….TheHive migrations!
Now the TheHive4 has left the initial RC’s behind and is now in a much better position to be used in Production environments, now is a good time to write a guide on performing a data migration from my existing version of TheHive3 based off the migration notes.
I begin this data migration with 2 servers.
- My existing installation of TheHive3 on version 3.4.0-1. There are 60 odd cases of no importance, but treat production data with the attention it deserves.
- A new installation of TheHive4 running the current stable version 4.0.0-1
Its critical to note that you MUST be on TheHive 3.4.0-1 or higher to perform this data migration.
I have installed a clean version of TheHive4 for this and have only logged into it to initialise the database, I have not created any new users or organisations or performed any customisation to the environment at all.
I will be using the Migration guide posted on TheHive Github page. I highly recommend reading and referencing that official guide.
Check Prerequsites
Migration
The migration process is as easy as issuing the following 1 liner command from the v4 instance. This will read the data from the v3 server and migrate a copy over to the v4 instance. If it all fails and goes pear shaped, then at least you can continue on using the v3 instance and try again once you have any issues sorted out.
/opt/thehive/bin/migrate \
--output /etc/thehive/application.conf \
--main-organisation myOrganisation \
--es-uri http://TH3_ELASTICSEARCH_IP:9200
--es-index the_hive_15
This is where I encountered my first error. Connection refused when attempting to access Elasticsearch on original TheHive V3 server.
I was able to correct this issue by modifying /etc/elasticsearch/elasticsearch.conf and updating the network.host entry as follows
network.host: 127.0.0.1,_site_
Reference: Network Interface Values
After correcting the error and retrying, this is the final outcome
Post Checks
While I was performing the migration I came across a couple of errors and warnings, but they were related to objects and cases that I had deleted and I guess had somehow become orphaned or invalid on the old system. The details obviously were still in Elasticsearch. I would recommend grabbing a copy of the /var/log/thehive/application.log file and examine the migration process and seeing what errors if any happened.
After you have performed the data migration, test that you can login to the target v4 environment OK. Use an admin user and check that you can see the new organisation and the users contained therein.
One thing I did notice is that dashboards don’t migrate automatically, but you can use the export/import feature to get them across.
As TheHive4 now requests that an email address is used, any user on TheHive3 that was not configured as such will now be known as user@thehive.local, but should still be able to login without using @thehive.local.
Now would be a good opportunity to create new users that conform to the new email requirement, Enable MFA and use the role based access controls (RBAC) for least privilege access.
As far as other checks go
- Poke at a few cases in the old and new system to see if the content and observables match. Check that tasks have come across.
- Check that any custom fields/case templates have come across
- Check any other custom integrations for alerting are still working
- Check any scripts that interface to TheHive still work as expected
Conclusion
All going well, at this point you should now have TheHive4 stood up and with all your current data ready for you to continue your journey on the new platform.