
Docker Containers Are not Working #1208

Closed
Nadderley opened this issue Jan 19, 2020 · 26 comments

Comments

@Nadderley

I just downloaded the latest repo from GitHub (https://github.com/TheHive-Project/TheHiveDocs). I used the docker option for install.

  1. I cannot find application.conf at /etc/thehive/application.conf. Per the instructions, application.conf is at /etc/thehive/application.conf.

Just noticed that the Installation Guide at TheHive-Project/TheHiveDocs on GitHub lists elasticsearch 5.6.0 while the repo docker-compose yml file has 6.8.0. Then I found this (https://github.com/TheHive-Project/TheHiveDocs/blob/master/FAQ.md#do-you-support-elasticsearch-6x-or-later):

> Do you support Elasticsearch 6.x or later? No. Support for Elasticsearch 6.x or later is not currently planned as we are considering moving away from Elasticsearch in a future major release.

Is anyone running the current docker repo? I spent the last 24 hours trying to get this to work. Instead of listing all the errors I'm seeing I would like to start here, trying to figure out if the repo does work.

SPECS:

Current repo settings on ubuntu 18.04

  • elasticsearch:6.8.0
  • image: thehiveproject/cortex:3.0.0-RC4
  • image: thehiveproject/thehive:3.4.0-RC2

Also mentioned here #1203

@Trolldemorted

If you don't mind #1202, you can use this docker-compose.yml:

```yaml
version: "2"
services:
  elasticsearch:
    image: docker.elastic.co/elasticsearch/elasticsearch:6.8.0
    environment:
      - http.host=0.0.0.0
      - transport.host=0.0.0.0
      - xpack.security.enabled=false
      - cluster.name=hive
      - script.allowed_types=inline
      - thread_pool.index.queue_size=100000
      - thread_pool.search.queue_size=100000
      - thread_pool.bulk.queue_size=100000
    ulimits:
      nofile:
        soft: 65536
        hard: 65536
  thehive:
    image: thehiveproject/thehive:3.4.0
    ports:
      - "0.0.0.0:9000:9000"
```

However I cannot say what impact the failed migration might have.

@jstewart101

I noticed that there has been mention of moving off of elasticsearch in a future major release. Is that still the plan? Elasticsearch 5.6.x reached EOL last year in March.

@saadkadhi
Contributor

@jstewart101 with the release of TheHive 3.4.0 & Cortex 3.0.0, we added support for ES 6. We are currently working on TheHive 4.0, which will be the first version to introduce support for graph databases. If everything goes according to our plans, we should be able to release TheHive 4.0-RC1 by the end of February. We also plan to provide a smooth migration path from ES to graph databases with TheHive 4.

@Nadderley
Author

Now I'm getting AUTH_ERROR for cortex


@Nadderley
Author

The following error is after updating the database (initial setup):

```
[error] o.e.c.Authenticated - Authentication failure:
thehive_1 | session: AuthenticationError User session not found
thehive_1 | pki: AuthenticationError Certificate authentication is not configured
thehive_1 | key: AuthenticationError Authentication header not found
thehive_1 | init: AuthenticationError Use of initial user is forbidden because users exist in database
thehive_1 | [info] o.e.ErrorHandler - GET /api/list/ui_settings returned 401
thehive_1 | org.elastic4play.AuthenticationError: Authentication failure
```

@peasead

peasead commented Jan 23, 2020

> If you don't mind #1202, you can use this docker-compose.yml:
>
> ```yaml
> version: "2"
> services:
>   elasticsearch:
>     image: docker.elastic.co/elasticsearch/elasticsearch:6.8.0
>     environment:
>       - http.host=0.0.0.0
>       - transport.host=0.0.0.0
>       - xpack.security.enabled=false
>       - cluster.name=hive
>       - script.allowed_types=inline
>       - thread_pool.index.queue_size=100000
>       - thread_pool.search.queue_size=100000
>       - thread_pool.bulk.queue_size=100000
>     ulimits:
>       nofile:
>         soft: 65536
>         hard: 65536
>   thehive:
>     image: thehiveproject/thehive:3.4.0
>     ports:
>       - "0.0.0.0:9000:9000"
> ```
>
> However I cannot say what impact the failed migration might have.

This worked for me (finally after 2 days of searching through similar issues). That said, I have the same problem as @Nadderley in that I cannot find /etc/thehive/application.conf.

@nadouani
Contributor

> Now I'm getting AUTH_ERROR for cortex

This means the API key that you have specified in TheHive configuration when declaring the Cortex instance is wrong. The AUTH_ERROR here means: TheHive is not authenticated to call Cortex.


@peasead

peasead commented Jan 23, 2020

> This worked for me (finally after 2 days of searching through similar issues). That said, I have the same problem as @Nadderley in that I cannot find /etc/thehive/application.conf.

I think I figured it out. /etc/thehive/application.conf isn't present in the container at all, I needed to mount it. I think I was anticipating that it would be there and the Cortex section would be blank or commented out or something. I used the application.conf here as a template and mounted it into TheHive and it looks like the systems are connected.

In the event any other wayward Internet souls find this and need help:

```shell
docker run -d --network thehive --restart unless-stopped --name thehive-elasticsearch -e "http.host=0.0.0.0" -e "transport.host=0.0.0.0" -e "xpack.security.enabled=false" -e "cluster.name=hive" -e "script.allowed_types=inline" -e "thread_pool.index.queue_size=100000" -e "thread_pool.search.queue_size=100000" -e "thread_pool.bulk.queue_size=100000" --ulimit nofile=65536:65536 docker.elastic.co/elasticsearch/elasticsearch:6.8.0

docker run -d --network thehive --restart unless-stopped --name thehive -p 9000:9000 -v $(pwd)/application.conf:/etc/thehive/application.conf thehiveproject/thehive:3.4.0 --es-hostname thehive-elasticsearch

docker run -d --network thehive --restart unless-stopped --name cortex -p 9001:9001 thehiveproject/cortex:3.0.1 --es-hostname thehive-elasticsearch
```

@Trolldemorted

@peasead did you manage to get thehive and cortex to set themselves up automatically, or did you create a holy bespoke setup where you created the organizations and keys and restarted the containers to feed the cortex key to thehive?

@peasead

peasead commented Jan 24, 2020

I had to do it as a post-installation step.

I guess it could be possible if you could automate:

  • Migrating the database (this can be done)
  • Creating the Cortex administrator
  • Create the new organization and "TheHive" user and generate its API key
  • Populate that into /etc/thehive/application.conf
  • Start TheHive

I assume you could automate the creation of the Cortex admin, organization, and user directly in Elasticsearch or just the Cortex admin and then the Organization and users via the Cortex API, if it has the ability to do that?
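The five steps above, scripted as an added example of mine (not TheHive or Cortex project code); it also covers the check behind nadouani's AUTH_ERROR explanation earlier in the thread. Everything below that the thread does not state is an assumption and should be checked against your Cortex version: the Cortex 3 REST paths (/api/maintenance/migrate, /api/organization, /api/user, /api/user/<login>/key/renew, /api/user/current), the superadmin role name, that a fresh Cortex accepts the first user creation unauthenticated (mirroring the "init" authenticator visible in TheHive's log above), the container name cortex on the thehive network, and the placeholder names SOC, thehive and CORTEX-SERVER-ID.

```shell
#!/bin/sh
# Added example (not TheHive/Cortex project code): script the post-install
# steps listed above -- migrate the Cortex database, create the admin, the
# organization and the "thehive" user, fetch its API key, write it into the
# mounted application.conf and restart TheHive. The REST paths are how I
# remember the Cortex 3 API (assumption): check them against your version.
set -eu

CORTEX_URL=${CORTEX_URL:-http://localhost:9001}

# cortex_api METHOD PATH [JSON_BODY] [USER:PASS]: prints the response body,
# returns 1 on any HTTP status >= 300 so a failed step stops the script
cortex_api() {
  local method path body auth resp code
  method=$1; path=$2; body=${3:-}; auth=${4:-}
  resp=$(mktemp)
  set --
  if [ -n "$auth" ]; then set -- -u "$auth"; fi
  if [ -n "$body" ]; then set -- "$@" -H 'Content-Type: application/json' --data "$body"; fi
  code=$(curl -sS -o "$resp" -w '%{http_code}' -X "$method" "$@" "$CORTEX_URL$path")
  if [ "$code" -ge 300 ]; then
    echo "cortex_api: $method $path -> HTTP $code: $(cat "$resp")" >&2
    rm -f "$resp"
    return 1
  fi
  cat "$resp"
  rm -f "$resp"
}

# bootstrap_cortex ADMIN ADMIN_PASSWORD ORG HIVE_LOGIN: prints the API key of
# the new HIVE_LOGIN user, i.e. the value TheHive needs in its cortex {} block
bootstrap_cortex() {
  local admin pass org hive key
  admin=$1; pass=$2; org=$3; hive=$4
  cortex_api POST /api/maintenance/migrate >/dev/null
  # First user on a fresh database: the "init" authenticator lets this call
  # through once, before any user exists (assumption)
  cortex_api POST /api/user \
    "{\"login\":\"$admin\",\"name\":\"$admin\",\"roles\":[\"superadmin\"],\"password\":\"$pass\"}" >/dev/null
  cortex_api POST /api/organization \
    "{\"name\":\"$org\",\"description\":\"TheHive integration\",\"status\":\"Active\"}" "$admin:$pass" >/dev/null
  # read + analyze is all TheHive needs; no orgadmin on an integration account
  cortex_api POST /api/user \
    "{\"login\":\"$hive\",\"name\":\"$hive\",\"organization\":\"$org\",\"roles\":[\"read\",\"analyze\"]}" \
    "$admin:$pass" >/dev/null
  key=$(cortex_api POST "/api/user/$hive/key/renew" "" "$admin:$pass" | tr -d '[:space:]')
  if [ -z "$key" ]; then echo "bootstrap_cortex: Cortex returned an empty API key" >&2; return 1; fi
  printf '%s\n' "$key"
}

# check_cortex_key KEY: prints the HTTP status of an authenticated call made
# with the key. 200 means Cortex accepts it; 401 is what TheHive reports as
# AUTH_ERROR. (/api/user/current is an assumption.)
check_cortex_key() {
  curl -sS -o /dev/null -w '%{http_code}' -H "Authorization: Bearer $1" "$CORTEX_URL/api/user/current"
}

# render_cortex_block SERVER_ID URL KEY: the TheHive 3.x application.conf section
render_cortex_block() {
  printf 'play.modules.enabled += connectors.cortex.CortexConnector\ncortex {\n  "%s" {\n    url = "%s"\n    key = "%s"\n  }\n}\n' "$1" "$2" "$3"
}

# set_cortex_key CONF_FILE SERVER_ID URL KEY: replace the key inside an existing
# top-level cortex block, or append a new block when the file has none.
# Cortex keys are alphanumeric, so "$key" needs no sed escaping.
set_cortex_key() {
  local conf server_id url key
  conf=$1; server_id=$2; url=$3; key=$4
  if grep -q '^cortex {' "$conf"; then
    sed -i.bak "/^cortex {/,/^}/ s|key = \"[^\"]*\"|key = \"$key\"|" "$conf"
    rm -f "$conf.bak"
  else
    render_cortex_block "$server_id" "$url" "$key" >>"$conf"
  fi
  # the file now holds a credential: restrict it (keep it readable by the
  # uid TheHive runs as inside the container)
  chmod 600 "$conf"
}

# Usage, with the three containers from this thread running and
# application.conf in the current directory:
#   CORTEX_ADMIN_PASSWORD='...' sh bootstrap_cortex.sh run
if [ "${1:-}" = run ]; then
  key=$(bootstrap_cortex admin "$CORTEX_ADMIN_PASSWORD" SOC thehive)
  set_cortex_key ./application.conf CORTEX-SERVER-ID http://cortex:9001 "$key"
  docker restart thehive
fi
```

Run it once, after the docker run commands from this thread, from the directory that holds the mounted application.conf. The integration user deliberately gets only read and analyze, and the conf file ends up mode 600 because it now carries a credential that grants analyzer access for every observable TheHive sends; mount it read-only into the container as well.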

@Nadderley
Author

Nadderley commented Jan 26, 2020

> This worked for me (finally after 2 days of searching through similar issues). That said, I have the same problem as @Nadderley in that I cannot find /etc/thehive/application.conf.
>
> I think I figured it out. /etc/thehive/application.conf isn't present in the container at all, I needed to mount it. I think I was anticipating that it would be there and the Cortex section would be blank or commented out or something. I used the application.conf here as a template and mounted it into TheHive and it looks like the systems are connected.
>
> In the event any other wayward Internet souls find this and need help:
>
> ```shell
> docker run -d --network thehive --restart unless-stopped --name thehive-elasticsearch -e "http.host=0.0.0.0" -e "transport.host=0.0.0.0" -e "xpack.security.enabled=false" -e "cluster.name=hive" -e "script.allowed_types=inline" -e "thread_pool.index.queue_size=100000" -e "thread_pool.search.queue_size=100000" -e "thread_pool.bulk.queue_size=100000" --ulimit nofile=65536:65536 docker.elastic.co/elasticsearch/elasticsearch:6.8.0
>
> docker run -d --network thehive --restart unless-stopped --name thehive -p 9000:9000 -v $(pwd)/application.conf:/etc/thehive/application.conf thehiveproject/thehive:3.4.0 --es-hostname thehive-elasticsearch
>
> docker run -d --network thehive --restart unless-stopped --name cortex -p 9001:9001 thehiveproject/cortex:3.0.1 --es-hostname thehive-elasticsearch
> ```

@peasead I am using the docker-compose yml file. Here it looks like you are starting the containers individually. I will take your settings and try to apply them to the compose yml file and see what happens. It's just frustrating that all these problems exist out of the box.

@Nadderley
Author

> Now I'm getting AUTH_ERROR for cortex
>
> This means the API key that you have specified in TheHive configuration when declaring the Cortex instance is wrong: The AUTH_ERROR here means: TheHive is not authenticated to call Cortex.

@nadouani Why would it be doing this the first time i run 'docker-compose up' after downloading the latest repo? Is it defaulted to generate AUTH_ERROR the very first time you run it?

@peasead

peasead commented Jan 26, 2020 via email

@Nadderley
Author

> I got auth issues when I named the account and/or org “api”.

@peasead not sure what you mean by integration account.

@peasead

peasead commented Jan 26, 2020 via email

@Nadderley
Author

@peasead are you accessing the application.conf file from inside the container or from a volume?

@peasead

peasead commented Jan 27, 2020

I used this application.conf file and I mounted it with the -v syntax with Docker. I modified the conf file on my host and then restarted TheHive container. I never directly accessed the container to modify configuration files.

So if you download that application.conf file and run the below commands from the same directory that the file is in, create the new organization and user in Cortex, update the API key in the conf file, and restart TheHive container (docker restart thehive) - you should be able to get the green ring around the Cortex icon.

```shell
docker network create thehive
docker run -d --network thehive --restart unless-stopped --name thehive-elasticsearch -e "http.host=0.0.0.0" -e "transport.host=0.0.0.0" -e "xpack.security.enabled=false" -e "cluster.name=hive" -e "script.allowed_types=inline" -e "thread_pool.index.queue_size=100000" -e "thread_pool.search.queue_size=100000" -e "thread_pool.bulk.queue_size=100000" --ulimit nofile=65536:65536 docker.elastic.co/elasticsearch/elasticsearch:6.8.0
docker run -d --network thehive --restart unless-stopped --name thehive -p 9000:9000 -v $(pwd)/application.conf:/etc/thehive/application.conf thehiveproject/thehive:3.4.0 --es-hostname thehive-elasticsearch
docker run -d --network thehive --restart unless-stopped --name cortex -p 9001:9001 thehiveproject/cortex:3.0.1 --es-hostname thehive-elasticsearch
```

@To-om
Contributor

To-om commented Apr 7, 2020

I think this issue is no longer relevant

To-om closed this as completed Apr 7, 2020
@hermanmaleiane

Hi Team,
I found the same issue on thehive4 containers. /etc/thehive/application.conf is not present there.
Templates downloaded from
https://github.com/TheHive-Project/Docker-Templates

@itchybunion6235

itchybunion6235 commented Mar 16, 2021

I also find issue after running docker and registering for the first time in thehive. When logging in there is Authentication failure message.

This is my compose file:
```yaml
version: "2"
services:
  elasticsearch:
    image: elasticsearch:6.8.8
    environment:
      - http.host=0.0.0.0
      - discovery.type=single-node
      - xpack.security.enabled=false
    ports:
      - "0.0.0.0:9200:9200"
    ulimits:
      nofile:
        soft: 65536
        hard: 65536
  cortex:
    image: thehiveproject/cortex:latest
    depends_on:
      - elasticsearch
    ports:
      - "0.0.0.0:9001:9001"
  thehive:
    image: thehiveproject/thehive:latest
    depends_on:
      - elasticsearch
      - cortex
    ports:
      - "0.0.0.0:9000:9000"
    command: --cortex-port 9001
```

@pjuhas

pjuhas commented Mar 16, 2021

> I also find issue after running docker and registering for the first time in thehive. When logging in there is Authentication failure message.
>
> This is my compose file:
>
> ```yaml
> version: "2"
> services:
>   elasticsearch:
>     image: elasticsearch:6.8.8
>     environment:
>       - http.host=0.0.0.0
>       - discovery.type=single-node
>       - xpack.security.enabled=false
>     ports:
>       - "0.0.0.0:9200:9200"
>     ulimits:
>       nofile:
>         soft: 65536
>         hard: 65536
>   cortex:
>     image: thehiveproject/cortex:latest
>     depends_on:
>       - elasticsearch
>     ports:
>       - "0.0.0.0:9001:9001"
>   thehive:
>     image: thehiveproject/thehive:latest
>     depends_on:
>       - elasticsearch
>       - cortex
>     ports:
>       - "0.0.0.0:9000:9000"
>     command: --cortex-port 9001
> ```

You are using unsupported Elasticsearch database. Version 3.5.x supports only Elasticsearch 7.x.

@hermanmaleiane

Hi Guys!!
I have managed to overcome this issue.
This is simple. You just need to check your volumes declaration. If you don't have one, just put it in your compose file or docker run.
You can easily simulate it for testing: copy the application file into the specific container and you will see it working.

@itchybunion6235

> > I also find issue after running docker and registering for the first time in thehive. When logging in there is Authentication failure message.
> > This is my compose file:
> >
> > ```yaml
> > version: "2"
> > services:
> >   elasticsearch:
> >     image: elasticsearch:6.8.8
> >     environment:
> >       - http.host=0.0.0.0
> >       - discovery.type=single-node
> >       - xpack.security.enabled=false
> >     ports:
> >       - "0.0.0.0:9200:9200"
> >     ulimits:
> >       nofile:
> >         soft: 65536
> >         hard: 65536
> >   cortex:
> >     image: thehiveproject/cortex:latest
> >     depends_on:
> >       - elasticsearch
> >     ports:
> >       - "0.0.0.0:9001:9001"
> >   thehive:
> >     image: thehiveproject/thehive:latest
> >     depends_on:
> >       - elasticsearch
> >       - cortex
> >     ports:
> >       - "0.0.0.0:9000:9000"
> >     command: --cortex-port 9001
> > ```
>
> You are using unsupported Elasticsearch database. Version 3.5.x supports only Elasticsearch 7.x.

Thanks, but sorry, I am really new to docker and TheHive. Can you please show me what a correct docker compose file would look like? Or where is the above mentioned 3.5.x configured?

@pjuhas

pjuhas commented Mar 16, 2021

Here is compose file for 3.5.x.
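An added example of my own (not the file linked above and not project code) of what a 3.5.x compose file looks like once the two findings of this thread are applied: Elasticsearch 7 for TheHive 3.5 and Cortex 3.1, and application.conf mounted from the host because the image does not ship one. The image tags (thehiveproject/thehive:3.5.0, thehiveproject/cortex:3.1.0, docker.elastic.co/elasticsearch/elasticsearch:7.9.3) are assumptions; confirm them on Docker Hub before use. Two security points on top of the version fix: the compose files earlier in the thread publish Elasticsearch on 0.0.0.0:9200 with xpack.security.enabled=false, which hands an unauthenticated copy of every case and observable to any host that can reach the Docker host, so this file gives Elasticsearch no ports: entry at all; and the two UIs are bound to 127.0.0.1 so they are only reached through a TLS-terminating reverse proxy on the same host. The thread_pool.index and thread_pool.bulk settings from the ES 6 files are dropped because ES 7 removed them (bulk became write) and refuses to start on unknown settings.

```yaml
# Added example, not the compose file shipped by TheHive-Project.
# Image tags are assumptions: check Docker Hub for the 3.5.x / 3.1.x / 7.x tags you want.
version: "2"
services:
  elasticsearch:
    image: docker.elastic.co/elasticsearch/elasticsearch:7.9.3
    environment:
      - http.host=0.0.0.0
      - discovery.type=single-node      # required on ES 7 to pass the bootstrap checks
      - cluster.name=hive
      - script.allowed_types=inline
      - xpack.security.enabled=false    # no auth on 9200: therefore no "ports:" below
    ulimits:
      nofile:
        soft: 65536
        hard: 65536
    volumes:
      - esdata:/usr/share/elasticsearch/data   # keep the indices across container recreation

  cortex:
    image: thehiveproject/cortex:3.1.0
    depends_on:
      - elasticsearch
    ports:
      - "127.0.0.1:9001:9001"           # loopback only; put a TLS reverse proxy in front
    command: --es-hostname elasticsearch

  thehive:
    image: thehiveproject/thehive:3.5.0
    depends_on:
      - elasticsearch
      - cortex
    ports:
      - "127.0.0.1:9000:9000"
    volumes:
      # the image has no /etc/thehive/application.conf; supply it, read-only,
      # with the cortex {} block pointing at http://cortex:9001 and the API key
      - ./application.conf:/etc/thehive/application.conf:ro
    command: --es-hostname elasticsearch

volumes:
  esdata:
```

TheHive reaches Cortex over the compose network as http://cortex:9001, not through the published port, so binding 9001 to loopback does not break the integration; only the application.conf key has to be right, which is the AUTH_ERROR discussed earlier in the thread.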

@itchybunion6235

> Here is compose file for 3.5.x.

Oh, I got it now. I did not know what database you meant. Thanks :) Also thanks for your work; I am trying to build an automated SOC. TheHive is perfect.
