TheHive Project

Project Information

TheHive Project describes itself as a "Scalable, Open Source Security Incident Response Solutions designed for SOCs & CERTs to collaborate, elaborate, analyze and get their job done." I'm not exactly positive about where I first heard about the project, however, I'm pretty sure it was from a Chris Sanders blog post. I'm finally getting around to looking into the project as an alternative to using Jira for tracking security events.

Installation:

OVA/VMware Image

A virtual machine image used to be my default method for testing projects like this out; however, I much prefer docker images these days. If you still prefer VMware or VirtualBox you can use the image provided by TheHive team. Note: Last time I looked at the VM image it was several versions out of date.

Docker Compose

What's better than a docker image? A docker-compose.yml file... and TheHive team has one ready for you. I made two modifications to the file, adding a volume for the elasticsearch data, and pointing to my own application.conf file.

# under the thehive service: mount your own configuration file
volumes:
    - /path/to/application.conf:/etc/thehive/application.conf
# under the elasticsearch service: persist the index data on the host
volumes:
    - /path/to/data:/usr/share/elasticsearch/data

I did, however, run into two issues when I executed the docker-compose up command.

Error #1

org.elasticsearch.bootstrap.StartupException: java.lang.IllegalStateException: Failed to create node environment

This error was due to the permissions of the volume I created for elasticsearch. A simple chown fixed the error.

Error #2

[1]: max virtual memory areas vm.max_map_count [65530] is too low, increase to at least [262144]

I fixed this error by following the installation documentation and running the following command:

sysctl -w vm.max_map_count=262144
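A pre-flight check for the two host-side problems above, added here as an example and not code from TheHive's repository; it assumes a Linux host with GNU stat and that the elasticsearch container runs as UID 1000 (the image default, so the bind-mounted data directory must be owned by that UID):

```shell
#!/bin/sh
# Added example: verify the host prerequisites behind Error #1 (data directory
# ownership) and Error #2 (vm.max_map_count) before running docker-compose up.
# Assumptions: Linux /proc, GNU stat, elasticsearch container user is UID 1000.

REQUIRED_MAP_COUNT=262144   # minimum stated in the Elasticsearch error message
ES_UID=1000                 # assumption: UID the elasticsearch image runs as

# Is the given vm.max_map_count value at least the required minimum?
check_map_count() {
    [ "$1" -ge "${2:-$REQUIRED_MAP_COUNT}" ]
}

# Is the directory present and owned by the expected UID? (Error #1 was a chown issue.)
check_data_dir_owner() {
    dir="$1"; expected_uid="${2:-$ES_UID}"
    [ -d "$dir" ] || return 1
    owner=$(stat -c '%u' "$dir") || return 1
    [ "$owner" -eq "$expected_uid" ]
}

# Read the live kernel value without relying on sysctl being in PATH.
read_map_count() {
    cat /proc/sys/vm/max_map_count 2>/dev/null || echo 0
}

# Run both checks for a data directory and print the fix for anything that fails.
preflight() {
    data_dir="$1"; status=0
    if check_map_count "$(read_map_count)"; then
        echo "ok: vm.max_map_count >= $REQUIRED_MAP_COUNT"
    else
        echo "fix: sysctl -w vm.max_map_count=$REQUIRED_MAP_COUNT"
        echo "     (sysctl -w is not persistent; also set it under /etc/sysctl.d/)"
        status=1
    fi
    if check_data_dir_owner "$data_dir"; then
        echo "ok: $data_dir is owned by UID $ES_UID"
    else
        echo "fix: chown -R $ES_UID:$ES_UID $data_dir"
        status=1
    fi
    return $status
}

# Usage: sh preflight.sh /path/to/data
if [ $# -gt 0 ]; then preflight "$1"; fi
```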