Logo

A powerful, easily deployable network traffic analysis tool suite

Quick Start

Documentation

Components

Supported Protocols

Configuring

Arkime

Dashboards

Hedgehog Linux

Contribution Guide

OpenSearch Dashboards

OpenSearch Dashboards is an open-source fork of Kibana, which is no longer open-source software.

Adding new visualizations and dashboards

Visualizations and dashboards can be easily created in OpenSearch Dashboards using its drag-and-drop WYSIWIG tools. Assuming users have created a new dashboard to package with Malcolm, the dashboard and its visualization components can be exported using the following steps:

  1. Identify the ID of the dashboard (found in the URL: e.g., for /dashboards/app/dashboards#/view/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx the ID would be xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx)
  2. Export the dashboard with that ID and save it in the ./dashboards./dashboards/ directory with the following command: 
     export DASHID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx && \
   docker compose exec dashboards curl -XGET \
   "http://localhost:5601/dashboards/api/opensearch-dashboards/dashboards/export?dashboard=$DASHID" > \
   ./dashboards/dashboards/$DASHID.json
  3. It is preferrable for Malcolm to dynamically create the arkime_sessions3-* index template rather than including it in imported dashboards, so edit the xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.json that was generated, carefully locating and removing the section with the id of arkime_sessions3-* and the type of index-pattern (including the comma preceding it): 
         ,
     {
       "id": "arkime_sessions3-*",
       "type": "index-pattern",
       "namespaces": [
         "default"
       ],
       "updated_at": "2021-12-13T18:21:42.973Z",
       "version": "Wzk3MSwxXQ==",
       …
       "references": [],
       "migrationVersion": {
         "index-pattern": "7.6.0"
       }
     }
  4. In your text editor, perform a global-search and replace, replacing the string arkime_sessions3-* with MALCOLM_NETWORK_INDEX_PATTERN_REPLACER and malcolm_beats_* with MALCOLM_OTHER_INDEX_PATTERN_REPLACER. These replacers are used to allow customizing indexes for logs written to OpenSearch or Elasticsearch.
  5. Include the new dashboard either by using a bind mount for the ./dashboards/dashboards/ directory or by rebuilding the dashboards-helper Docker image. Dashboards are imported the first time Malcolm starts up.

OpenSearch Dashboards plugins

The dashboards.Dockerfile installs the OpenSearch Dashboards plugins used by Malcolm (search for opensearch-dashboards-plugin install in that file). Additional Dashboards plugins could be installed by modifying this Dockerfile and rebuilding the dashboards Docker image.