Logo

A powerful, easily deployable network traffic analysis tool suite

Quick Start

Documentation

Components

Supported Protocols

Configuring

Arkime

Dashboards

Hedgehog Linux

Contribution Guide

OpenSearch Dashboards

OpenSearch Dashboards is an open-source fork of Kibana, which is no longer open-source software.

Adding new visualizations and dashboards

Visualizations and dashboards can be easily created in OpenSearch Dashboards using its drag-and-drop WYSIWIG tools. Assuming you’ve created a new dashboard you wish to package with Malcolm, the dashboard and its visualization components can be exported using the following steps:

  1. Identify the ID of the dashboard (found in the URL: e.g., for /dashboards/app/dashboards#/view/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx the ID would be xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx)
  2. Export the dashboard with that ID and save it in the ./dashboards./dashboards/ directory with the following command: 
     export DASHID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx && \
   docker-compose exec dashboards curl -XGET \
   "http://localhost:5601/dashboards/api/opensearch-dashboards/dashboards/export?dashboard=$DASHID" > \
   ./dashboards/dashboards/$DASHID.json
  3. It’s preferrable for Malcolm to dynamically create the arkime_sessions3-* index template rather than including it in imported dashboards, so edit the xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.json that was generated, and carefully locate and remove the section with the id of arkime_sessions3-* and the type of index-pattern (including the comma preceding it): 
         ,
     {
       "id": "arkime_sessions3-*",
       "type": "index-pattern",
       "namespaces": [
         "default"
       ],
       "updated_at": "2021-12-13T18:21:42.973Z",
       "version": "Wzk3MSwxXQ==",
       …
       "references": [],
       "migrationVersion": {
         "index-pattern": "7.6.0"
       }
     }
  4. Include the new dashboard either by using a bind mount for the ./dashboards./dashboards/ directory or by rebuilding the dashboards-helper Docker image. Dashboards are imported the first time Malcolm starts up.

OpenSearch Dashboards plugins

The dashboards.Dockerfile installs the OpenSearch Dashboards plugins used by Malcolm (search for opensearch-dashboards-plugin install in that file). Additional Dashboards plugins could be installed by modifying this Dockerfile and rebuilding the dashboards Docker image.

Third-party or community plugisn developed for Kibana will not install into OpenSearch dashboards without source code modification. Depending on the plugin, this could range from very smiple to very complex. As an illustrative example, the changes that were required to port the Sankey diagram visualization plugin from Kibana to OpenSearch Dashboards compatibility can be viewed on GitHub.