This guide assumes that you will use Docker.
Starting from version 2.11 (Mellifera), TheHive Docker image doesn't come with ElasticSearch. As TheHive requires it to work, you can:
- use docker-compose
- manually install and configure ElasticSearch.
Docker-compose can start multiple dockers and link them together. It can be installed using the documentation. The following docker-compose.yml file starts ElasticSearch, Cortex and TheHive:
version: "2"
services:
elasticsearch:
image: docker.elastic.co/elasticsearch/elasticsearch:5.5.2
environment:
- http.host=0.0.0.0
- transport.host=0.0.0.0
- xpack.security.enabled=false
- cluster.name=hive
- script.inline=true
- thread_pool.index.queue_size=100000
- thread_pool.search.queue_size=100000
- thread_pool.bulk.queue_size=100000
ulimits:
nofile:
soft: 65536
hard: 65536
cortex:
image: certbdf/cortex:latest
ports:
- "0.0.0.0:9001:9000"
thehive:
image: certbdf/thehive:latest
depends_on:
- elasticsearch
- cortex
ports:
- "0.0.0.0:9000:9000"
Put this file in an empty folder and run docker-compose up. TheHive is exposed on 9000/tcp port and Cortex on
9001/tcp. These ports can be changed by modifying the docker-compose file.
You can specify a custom application.conf file by adding the lines, in thehive section:
volumes:
- /path/to/application.conf:/etc/thehive/application.conf
You should define where the data (i.e. the ElasticSearch database) will be stored in your server by adding the lines, in elasticsearch section:
volumes:
- /path/to/data:/usr/share/elasticsearch/data
Running ElasticSearch in production mode requires a minimum vm.max_map_count of 262144. ElasticSearch documentation provides instructions on how to query and change this value.
ElasticSearch can be installed on the same server as TheHive or on a different one. You can then configure TheHive according to the documentation and run TheHive docker as follow:
docker run --volume /path/to/thehive/application.conf:/etc/thehive/application.conf certbdf/thehive:latest --no-config
You can add the --publish docker option to expose TheHive HTTP service.
By default, TheHive docker image adds minimal configuration:
- choose a random secret (play.http.secret.key)
- search ElasticSearch instance (host named
elasticsearch) and add it to configuration - search Cortex instance (host named
cortex) and add it to configuration
This behavior can be disabled by adding --no-config to the docker command line:
docker run certbdf/thehive:latest --no-config or by adding the line command: --no-config in thehive section of
docker-compose file.
The image accepts more options:
- --no-config : do not try to configure TheHive (add secret and elasticsearch)
- --no-config-secret : do not add random secret to configuration
- --no-config-es : do not add elasticsearch hosts to configuration
- --es-hosts : use this string to configure elasticsearch hosts (format: ["host1:9300","host2:9300"])
- --es-hostname : resolve this hostname to find elasticseach instances
- --secret : secret to secure sessions
- --cortex-proto : define protocol to connect to Cortex (default: http)
- --cortex-port : define port to connect to Cortex (default: 9000)
- --cortex-url : add Cortex connection
- --cortex-hostname : resolve this hostname to find Cortex instances
Please remember that you must install and configure ElasticSearch.
Once you have installed and configured ElasticSearch as shown above, the easiest way to start Cortex is the following one:
docker run certbdf/thehive