Enable Trace Logging for Troubleshooting

If you need additional log information to identify the root cause of an issue, you can enable trace logging in TheHive.

Not for production servers

Enabling trace logging has a significant impact on performance. Don't enable it on production servers.

Maintenance window required

This procedure involves changing configuration files and restarting services. Schedule a maintenance window to prevent service disruption.

Docker deployment

Docker containers write logs to both stdout and application.log by default. To use custom logging settings, mount your logback configuration file to logback.xml.

Step 1: Stop TheHive service

Stop TheHive service.

Service commands

Stop and restart commands depend on your installation method and the specific service. Refer to the official documentation for the appropriate commands.

• Package installation: Depending on your distribution and the service, use systemctl or service. See the systemctl documentation and the service documentation for details.
• Docker Compose deployment: Refer to the official Docker Compose documentation.
• Kubernetes deployment: Refer to the kubectl scale documentation or the kubectl rollout restart documentation.

Step 2: Back up the application.log file

Move your existing application.log file to a backup location. This ensures the new log file created on restart contains only trace logs from your current session.

mv /var/log/thehive/application.log /var/log/thehive/application.log.bak

Step 3: Enable trace logging

Log levels reference

For a full description of available log levels and general log configuration, see Update Log Configuration.

1. Open the logback.xml file using a text editor and locate the following line:

   <logger name="org.thp" level="INFO"/>
   

2. Replace it with:

   <logger name="org.thp" level="TRACE"/>
   

3. Save the file.

Step 4: Restart TheHive service

Restart TheHive service.

TheHive creates a new /var/log/thehive/application.log file with extensive logging information.

Step 5: Reproduce the issue and save the log

Wait for the issue to occur or for the application to stop, then copy the log file to a safe location:

cp /var/log/thehive/application.log /root

Step 6: Revert trace logging

After collecting the logs, revert your log configuration:

1. Stop TheHive service.

2. Edit logback.xml and restore the original line:

   <logger name="org.thp" level="INFO"/>
   

3. Restart TheHive service.

(Optional) Step 7: Report the issue

If the logs reveal an issue you want to report:

• Gold or Platinum license: open a ticket with the StrangeBee Support team
• Community license: open an issue on the TheHive-feedback GitHub repository

In both cases, include the following information:

• Context: your instance type (single node/cluster, backend type, index engine), operating system, RAM, and CPU count per server and node
• Symptoms: the actions you took, how the issue occurred, and what happened
• Log file: attach your log file with trace information

Next steps

• Update Log Configuration
• Optimize Performance
• Set Up Monitoring for TheHive with Prometheus and Grafana