
ElasticSearch DB purge #299

Closed
Raf1ty opened this issue Aug 31, 2017 · 9 comments

@Raf1ty

Raf1ty commented Aug 31, 2017

Request Type

Information

Work Environment

Question              Answer
OS version (server)   RedHat
TheHive version       2.10.2
ES index              the_hive_8

Problem Description

Hello,

We need to purge our TheHive ES database because it takes too much space on our server due to the high number of file observables.
Do you have an easy way to remove all the file observable data related to cases opened before x days and which have been closed as false positive?

Thank you in advance for your help!
Raphael

@nadouani
Contributor

Hi @Raf1ty, I don't really think there is a way to do that except by cooking a script that plays with TheHive APIs and probably Elasticsearch APIs.

@fl0wc0ntr0l

Hi @Raf1ty,

If you can install the delete-by-query plugin, you can use this API call to delete all cases older than X days. I had to come up with this due to the case similarity bug described in #280.

# Requires the Elasticsearch delete-by-query plugin (ES 2.x "filtered" query syntax); replace X with the age in days.
curl -XDELETE 'http://localhost:9200/the_hive_10/case/_query?pretty=true' -H 'Content-Type: application/json' -d '
{
  "query": {
    "filtered": {
      "query": {
        "query_string": {
          "query": "*"
        }
      },
      "filter": {
        "range": {
          "createdAt": {
            "lte": "now-Xd"
          }
        }
      }
    }
  }
}'

@nadouani
Contributor

Well, this is a bit dangerous, because there are a lot of relations for a case. This could end up with inconsistent data, if for example, you delete the case but not the task, observables and audit log entries related to it etc...

@fl0wc0ntr0l

Yes, it's not the safest thing, but neither is having a bug where I can't preview any alerts due to how many similar cases there are :)

@nadouani
Contributor

I agree with that. Issue #280 is blocking in your case.

@Raf1ty
Author

Raf1ty commented Aug 31, 2017

Thank you Nadouani, Miles,
In my case, I need to remove the observables related to these old cases, because they are taking most of our ES size.

I will try to implement this functionality into a script based on ES searches and the TheHive API.

Thanks,
Best Regards,

@fl0wc0ntr0l

This may help - I used a query like this to remove case tasks without a parent; you might be able to do something slightly modified to get observables too, but I've never tried it. The audit log poses a trickier task though; I never had issues stemming from case deletion, but like @nadouani said, this could be dangerous. Always double-check destructive actions :)

# Deletes case_task documents that no longer have a parent case (requires the delete-by-query plugin).
curl -XDELETE 'http://localhost:9200/the_hive_9/case_task/_query' -H 'Content-Type: application/json' -d '
{
  "filter": {
    "not": {
      "filter": {
        "has_parent": {
          "query": {
            "match_all": {}
          },
          "parent_type": "case"
        }
      }
    }
  }
}'
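An added example, not code from this issue or from TheHive, that combines the two curl queries above with nadouani's consistency warning: it selects only cases resolved as false positive and older than N days, deletes their tasks and observables first and the cases last, and is a dry run by default. It assumes ES 2.x with the delete-by-query plugin, the issue's index name, and TheHive 2.x document types and fields (case_task, case_artifact, status, resolutionStatus); audit entries and attachment blobs are not handled.

```python
import json
import urllib.request

ES = "http://localhost:9200"        # assumption: the local ES endpoint used in the curl examples
INDEX = "the_hive_8"                # index name from the issue's environment table
CHILD_TYPES = ("case_task", "case_artifact")  # assumption: TheHive 2.x child types of "case"

def old_false_positive_cases(days):
    """ES 2.x body: cases resolved as false positive and created more than `days` days ago.
    Field names and values (status, resolutionStatus) are assumed from TheHive 2.x."""
    return {"query": {"filtered": {
        "query": {"bool": {"must": [{"term": {"status": "Resolved"}},
                                    {"term": {"resolutionStatus": "FalsePositive"}}]}},
        "filter": {"range": {"createdAt": {"lte": "now-%dd" % days}}}}}}

def children_of(case_ids):
    """Child documents whose parent case is one of the selected ids (has_parent, as in the issue)."""
    return {"query": {"has_parent": {"parent_type": "case",
                                      "query": {"ids": {"values": list(case_ids)}}}}}

def purge_plan(case_ids, index=INDEX):
    """Ordered delete-by-query calls: children first, the cases last, so no orphans are left."""
    steps = [("DELETE", "%s/%s/%s/_query" % (ES, index, t), children_of(case_ids))
             for t in CHILD_TYPES]
    steps.append(("DELETE", "%s/%s/case/_query" % (ES, index),
                  {"query": {"ids": {"values": list(case_ids)}}}))
    return steps

def http(method, url, body):
    """Minimal stdlib JSON client for the ES REST API (delete-by-query plugin required)."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(), method=method,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def purge(days, send=http, index=INDEX, dry_run=True):
    """Return (matching case ids, planned calls); deletes run only when dry_run is False.
    size=1000 caps one batch; a larger backlog needs the scroll API."""
    url = "%s/%s/case/_search?size=1000&_source=false" % (ES, index)
    hits = send("POST", url, old_false_positive_cases(days))["hits"]["hits"]
    ids = [h["_id"] for h in hits]
    steps = purge_plan(ids, index) if ids else []
    if not dry_run:
        for method, target, body in steps:
            send(method, target, body)
    return ids, steps

if __name__ == "__main__":
    found, plan = purge(30)   # dry run by default: only reports what would be deleted
    print(len(found), "cases;", [target for _, target, _ in plan])
```

Run it once with the default dry run and review the reported case ids before calling `purge(days, dry_run=False)`.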

@nadouani
Contributor

I'll close this issue, since TheHive doesn't provide this type of purge feature. We can discuss it on https://gitter.im/TheHive-Project/TheHive if needed.

@Tux-Panik

@Raf1ty Did you succeed in writing a script to do this job?
If yes, could you please share it?

Thanks,
Regards,
Julien
