Cold vs. Hot Backup and Restore

TheHive supports two backup and restore approaches: cold backups, which require stopping services to ensure data consistency, and hot backups, which allow backups while services remain running.

Definitions

  • A cold backup involves shutting down TheHive and its architecture components to back up all data. This method ensures that the data is consistent and intact, but requires downtime. This option is available for standalone servers only, not for clusters.

  • A hot backup keeps TheHive running while it takes the backup. This reduces downtime but may not guarantee data integrity across all architecture components. This option is available for both standalone servers and clusters.

  • Both cold restore and hot restore require shutting down TheHive to complete the restoration process.

TheHive infrastructure challenges

Backup requirement

All three components—Apache Cassandra, Elasticsearch, and file storage—must be backed up to ensure proper recovery.

TheHive is built on an architecture that includes Apache Cassandra as the database, Elasticsearch as the indexing engine, and file storage managed either locally, via NFS, or using S3-compatible object storage. This architecture requires careful coordination to maintain consistency across the database, index, and file storage during backups. Any mismatch between these components can lead to restoration failures.

Cold vs. hot backup and restore comparison

| Type | Complexity | TheHive backup state | TheHive restore state | Data integrity | Tools | Supported environment | Use case |
|------|------------|----------------------|-----------------------|----------------|-------|-----------------------|----------|
| Cold | Medium | Application stopped | Application stopped | Guaranteed | Usual tools | Standalone servers only | Want to ensure data integrity |
| Hot | High | Application running | Application stopped | Not guaranteed | Service-specific tools | Standalone servers and clusters | Can't afford any downtime |

Available backup and restore procedures

Testing responsibilities

TheHive doesn't assume responsibility for data loss, downtime, or operational issues resulting from misconfiguration or restoration errors. It's the organization's responsibility to implement and test backup and restore procedures in a controlled environment before applying them in production.

Full backups only

These procedures focus exclusively on methods for creating full backups and don't cover incremental backup strategies.

System admin expertise required

Backup and restore operations for TheHive involve low-level actions on databases, indexes, and file storage. These procedures must be performed by experienced system administrators who fully understand the underlying infrastructure. Incorrect execution may result in data corruption and data loss.

Cold backup and restore procedures

How cold backup and restore is implemented depends on the infrastructure and orchestration environment in use. This may include physical or virtual servers, containerized deployments using Docker or Kubernetes, or cloud-based instances such as AWS EC2.

For example, with AWS EC2, data, indexes, and files can be stored on dedicated volumes. In such cases, taking daily snapshots of these volumes can be a simple and efficient backup strategy, typically completed within minutes—including the necessary service stop and restart operations.
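
A sketch of the EC2 snapshot approach described above, added here as an example and not taken from TheHive's own procedures. It assumes systemd units named thehive, elasticsearch and cassandra, the AWS CLI on the host, and placeholder volume IDs that must be replaced; the stop and start order is also an assumption of this example.

```shell
#!/usr/bin/env bash
# Added example: cold backup of a standalone TheHive host using EBS snapshots.
# Assumed: systemd units named thehive, elasticsearch, cassandra, and the
# placeholder volume IDs below (constructed, replace with your own).
set -u
VOLUMES="${VOLUMES:-vol-CASSANDRA-PLACEHOLDER vol-ELASTICSEARCH-PLACEHOLDER vol-FILES-PLACEHOLDER}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands only, 0 = execute them

run() {
  if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi
}

stop_services() {
  # Application first, so nothing writes to the database or index afterwards.
  run systemctl stop thehive &&
  run systemctl stop elasticsearch &&
  run systemctl stop cassandra
}

start_services() {
  # Backends first, application last.
  run systemctl start cassandra &&
  run systemctl start elasticsearch &&
  run systemctl start thehive
}

cold_backup() {
  rc=0
  # One shared label ties the three snapshots together as a single restore set.
  label="thehive-cold-$(date -u +%Y%m%dT%H%M%SZ)"
  if stop_services; then
    for vol in $VOLUMES; do
      run aws ec2 create-snapshot --volume-id "$vol" --description "$label" || rc=1
    done
  else
    rc=1   # a service is still running: a snapshot now would not be a cold backup
  fi
  # Always attempt the restart, even when a stop or a snapshot failed.
  start_services || rc=1
  return "$rc"
}

cold_backup
```

By default the script only prints the command sequence; set DRY_RUN=0 to execute it on the host.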

Hot backup and restore procedures

The approach to hot backup and restore varies depending on the deployment type, whether TheHive is running on a standalone server or in a clustered environment.
