A powerful, easily deployable network traffic analysis tool suite for network security monitoring
Quick start
Getting Malcolm
For a TL;DR example of downloading, configuring, and running Malcolm in Docker on a Linux platform, see Installation example using Ubuntu 24.04 LTS.
For a more in-depth guide convering installing both Malcolm and a Hedgehog Linux sensor using the Malcolm installer ISO and Hedgehog Linux installer ISO, see End-to-end Malcolm and Hedgehog Linux ISO Installation.
Source code
The files required to build and run Malcolm are available on its GitHub page. Malcolm’s source-code is released under the terms of the Apache License, Version 2.0 (see LICENSE.txt and NOTICE.txt for the terms of its release).
Building Malcolm from scratch
The build.sh script can build Malcolm’s images from scratch. See Building from source for more information.
Initial configuration
The scripts to control Malcolm require Python 3. The install.py script requires the dotenv, requests and ruamel.yaml modules for Python 3, and will make use of the pythondialog module for user interaction (on Linux) if it is available.
You must run auth_setup prior to pulling Malcolm’s images. You should also ensure your system configuration and Malcolm settings are tuned by running ./scripts/install.py and ./scripts/configure (see Malcolm Configuration).
Users may wish to read the documentation on platform-specific host configuration:
Pull Malcolm’s Container images
Malcolm’s images are periodically built and hosted on GitHub. If you already have Docker and Docker Compose, these prebuilt images can be pulled by navigating into the Malcolm directory (containing the docker-compose.yml file) and running docker compose --profile malcolm pull like this:
$ docker compose --profile malcolm pull
Pulling api ... done
Pulling arkime ... done
Pulling dashboards ... done
Pulling dashboards-helper ... done
Pulling file-monitor ... done
Pulling filebeat ... done
Pulling freq ... done
Pulling htadmin ... done
Pulling keycloak ... done
Pulling logstash ... done
Pulling netbox ... done
Pulling nginx-proxy ... done
Pulling opensearch ... done
Pulling pcap-capture ... done
Pulling pcap-monitor ... done
Pulling postgresql ... done
Pulling redis ... done
Pulling suricata ... done
Pulling upload ... done
Pulling zeek ... done
You can then observe the images have been retrieved by running docker images:
$ docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
ghcr.io/idaholab/malcolm/api 25.03.1 xxxxxxxxxxxx 3 days ago 158MB
ghcr.io/idaholab/malcolm/arkime 25.03.1 xxxxxxxxxxxx 3 days ago 816MB
ghcr.io/idaholab/malcolm/dashboards 25.03.1 xxxxxxxxxxxx 3 days ago 1.02GB
ghcr.io/idaholab/malcolm/dashboards-helper 25.03.1 xxxxxxxxxxxx 3 days ago 184MB
ghcr.io/idaholab/malcolm/file-monitor 25.03.1 xxxxxxxxxxxx 3 days ago 588MB
ghcr.io/idaholab/malcolm/file-upload 25.03.1 xxxxxxxxxxxx 3 days ago 259MB
ghcr.io/idaholab/malcolm/filebeat-oss 25.03.1 xxxxxxxxxxxx 3 days ago 624MB
ghcr.io/idaholab/malcolm/freq 25.03.1 xxxxxxxxxxxx 3 days ago 132MB
ghcr.io/idaholab/malcolm/htadmin 25.03.1 xxxxxxxxxxxx 3 days ago 242MB
ghcr.io/idaholab/malcolm/keycloak 25.03.1 xxxxxxxxxxxx 3 days ago 533MB
ghcr.io/idaholab/malcolm/logstash-oss 25.03.1 xxxxxxxxxxxx 3 days ago 1.35GB
ghcr.io/idaholab/malcolm/netbox 25.03.1 xxxxxxxxxxxx 3 days ago 1.01GB
ghcr.io/idaholab/malcolm/nginx-proxy 25.03.1 xxxxxxxxxxxx 3 days ago 121MB
ghcr.io/idaholab/malcolm/opensearch 25.03.1 xxxxxxxxxxxx 3 days ago 1.17GB
ghcr.io/idaholab/malcolm/pcap-capture 25.03.1 xxxxxxxxxxxx 3 days ago 121MB
ghcr.io/idaholab/malcolm/pcap-monitor 25.03.1 xxxxxxxxxxxx 3 days ago 213MB
ghcr.io/idaholab/malcolm/postgresql 25.03.1 xxxxxxxxxxxx 3 days ago 268MB
ghcr.io/idaholab/malcolm/redis 25.03.1 xxxxxxxxxxxx 3 days ago 34.2MB
ghcr.io/idaholab/malcolm/suricata 25.03.1 xxxxxxxxxxxx 3 days ago 278MB
ghcr.io/idaholab/malcolm/zeek 25.03.1 xxxxxxxxxxxx 3 days ago 1GB
Import from pre-packaged tarballs
Once built, the malcolm_appliance_packager.sh script can be used to create pre-packaged Malcolm tarballs for import on another machine. See Pre-Packaged Installation Files for more information.
Starting and stopping Malcolm
Use the scripts in the scripts/ directory to start and stop Malcolm, view debug logs of a currently running
instance, wipe the database and restore Malcolm to a fresh state, etc.
User interface
A few minutes after starting Malcolm (probably 5 or so for Logstash to be completely loaded, depending on the system), the Malcolm landing page and other services will be available via web browser by navigating to the hostname or IP address of the system.
Docker vs. Podman
Malcolm can run on Podman as a rootless alternative to Docker. When Running Malcolm with Podman, podman compose is used as a wrapper around an external compose provider (such as docker-compose or podman-compose), which in turn uses the Podman back end to run and orchestrate containers. The same Malcolm runtime scripts (e.g., ./scripts/start, ./scripts/stop, etc.) are used whether using Docker or Podman.
As it is a somewhat more advanced procedure, installation and configuration of Podman is not covered in this documentation. Please see the Podman documentation.
It should be noted that if rootless Podman is used, Malcolm itself cannot perform traffic capture on local network interfaces, although it can accept network traffic metadata forwarded from a a network sensor appliance.