A powerful, easily deployable network traffic analysis tool suite

Quick start

Getting Malcolm

For a TL;DR example of downloading, configuring, and running Malcolm on a Linux platform, see Installation example using Ubuntu 22.04 LTS.

The scripts that control Malcolm require Python 3. The install.py script requires the requests module for Python 3 and, on Linux, will use the pythondialog module for its interactive prompts if that module is installed.

Source code

The files required to build and run Malcolm are available on its GitHub page. Malcolm’s source code is released under the terms of a permissive open source software license (see License.txt for the terms of its release).

Building Malcolm from scratch

The build.sh script can build Malcolm’s Docker images from scratch. See Building from source for more information.

Initial configuration

You must run auth_setup prior to pulling Malcolm’s Docker images; this is the step that sets the administrator credentials and generates the self-signed certificates Malcolm uses for HTTPS access. You should also ensure your system configuration and docker-compose.yml settings are tuned by running ./scripts/install.py or ./scripts/install.py --configure (see System configuration and tuning).

Pull Malcolm’s Docker images

Malcolm’s Docker images are periodically built and hosted on Docker Hub. If you already have Docker and Docker Compose, these prebuilt images can be pulled by navigating into the Malcolm directory (containing the docker-compose.yml file) and running docker-compose pull, which fetches each image at the tag referenced in docker-compose.yml, like this:

$ docker-compose pull
Pulling api               ... done
Pulling arkime            ... done
Pulling dashboards        ... done
Pulling dashboards-helper ... done
Pulling file-monitor      ... done
Pulling filebeat          ... done
Pulling freq              ... done
Pulling htadmin           ... done
Pulling logstash          ... done
Pulling name-map-ui       ... done
Pulling netbox            ... done
Pulling netbox-postgresql ... done
Pulling netbox-redis      ... done
Pulling nginx-proxy       ... done
Pulling opensearch        ... done
Pulling pcap-capture      ... done
Pulling pcap-monitor      ... done
Pulling suricata          ... done
Pulling upload            ... done
Pulling zeek              ... done

You can then confirm that the images have been retrieved, and that they all carry the same version tag, by running docker images:

$ docker images
REPOSITORY                                                     TAG               IMAGE ID       CREATED      SIZE
malcolmnetsec/api                                              23.03.0           xxxxxxxxxxxx   3 days ago   158MB
malcolmnetsec/arkime                                           23.03.0           xxxxxxxxxxxx   3 days ago   816MB
malcolmnetsec/dashboards                                       23.03.0           xxxxxxxxxxxx   3 days ago   1.02GB
malcolmnetsec/dashboards-helper                                23.03.0           xxxxxxxxxxxx   3 days ago   184MB
malcolmnetsec/file-monitor                                     23.03.0           xxxxxxxxxxxx   3 days ago   588MB
malcolmnetsec/file-upload                                      23.03.0           xxxxxxxxxxxx   3 days ago   259MB
malcolmnetsec/filebeat-oss                                     23.03.0           xxxxxxxxxxxx   3 days ago   624MB
malcolmnetsec/freq                                             23.03.0           xxxxxxxxxxxx   3 days ago   132MB
malcolmnetsec/htadmin                                          23.03.0           xxxxxxxxxxxx   3 days ago   242MB
malcolmnetsec/logstash-oss                                     23.03.0           xxxxxxxxxxxx   3 days ago   1.35GB
malcolmnetsec/name-map-ui                                      23.03.0           xxxxxxxxxxxx   3 days ago   143MB
malcolmnetsec/netbox                                           23.03.0           xxxxxxxxxxxx   3 days ago   1.01GB
malcolmnetsec/nginx-proxy                                      23.03.0           xxxxxxxxxxxx   3 days ago   121MB
malcolmnetsec/opensearch                                       23.03.0           xxxxxxxxxxxx   3 days ago   1.17GB
malcolmnetsec/pcap-capture                                     23.03.0           xxxxxxxxxxxx   3 days ago   121MB
malcolmnetsec/pcap-monitor                                     23.03.0           xxxxxxxxxxxx   3 days ago   213MB
malcolmnetsec/postgresql                                       23.03.0           xxxxxxxxxxxx   3 days ago   268MB
malcolmnetsec/redis                                            23.03.0           xxxxxxxxxxxx   3 days ago   34.2MB
malcolmnetsec/suricata                                         23.03.0           xxxxxxxxxxxx   3 days ago   278MB
malcolmnetsec/zeek                                             23.03.0           xxxxxxxxxxxx   3 days ago   1GB
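Because docker-compose pull fetches whatever a tag currently points to, it is worth cross-checking the image references in docker-compose.yml against the docker images listing above before starting Malcolm: every reference should carry an explicit version tag (or an @sha256 digest), all of Malcolm’s images should share one version, and each should now exist locally at exactly that tag. The following script does that check. It is an added example and not one of Malcolm’s own scripts; the compose excerpt and the docker images output embedded in it are constructed for illustration (the example/helper and example/unpinned services do not exist in Malcolm), and it assumes images are listed on image: lines as repo:tag, as Malcolm’s docker-compose.yml does.

```python
"""Cross-check image references in a Malcolm docker-compose.yml against
the local `docker images` listing. Added example, not a Malcolm script."""
import re
import subprocess
import sys
from collections import Counter

# Constructed excerpt shaped like Malcolm's docker-compose.yml; the last
# two services are invented to show what the checks catch.
SAMPLE_COMPOSE = """\
services:
  opensearch:
    image: malcolmnetsec/opensearch:23.03.0
  logstash:
    image: malcolmnetsec/logstash-oss:23.03.0
  nginx-proxy:
    image: malcolmnetsec/nginx-proxy:23.03.0
  helper:
    image: example/helper:latest
  unpinned:
    image: example/unpinned
"""

# Constructed output of: docker images --format '{{.Repository}}:{{.Tag}}'
# (logstash-oss is deliberately one release behind the compose file).
SAMPLE_DOCKER_IMAGES = """\
malcolmnetsec/opensearch:23.03.0
malcolmnetsec/logstash-oss:23.02.0
malcolmnetsec/nginx-proxy:23.03.0
example/helper:latest
"""

IMAGE_LINE = re.compile(r"""^\s*image:\s*['"]?([^'"\s]+)['"]?\s*$""")


def parse_compose_images(compose_text):
    """Return the image references from every `image:` line, in file order."""
    refs = []
    for line in compose_text.splitlines():
        m = IMAGE_LINE.match(line)
        if m:
            refs.append(m.group(1))
    return refs


def split_ref(ref):
    """Split 'repo[:tag][@sha256:hex]' into (repo, tag, digest)."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    repo, tag = ref, None
    # A ':' names a tag only if it comes after the last '/'; otherwise it is
    # a registry port, as in registry.local:5000/malcolmnetsec/zeek.
    if ref.rfind(":") > ref.rfind("/"):
        repo, tag = ref.rsplit(":", 1)
    return repo, tag, digest


def unpinned_images(refs):
    """References that float: no digest and either no tag or the 'latest' tag."""
    return [r for r in refs
            if split_ref(r)[2] is None and split_ref(r)[1] in (None, "latest")]


def version_tags(refs, prefix="malcolmnetsec/"):
    """Count the tags used by Malcolm's images; a healthy file has exactly one."""
    return Counter(split_ref(r)[1] for r in refs if split_ref(r)[0].startswith(prefix))


def missing_images(refs, docker_images_text):
    """Compose references with no local image at exactly that repo:tag."""
    local = {l.strip() for l in docker_images_text.splitlines() if l.strip()}
    missing = []
    for ref in refs:
        repo, tag, _ = split_ref(ref)
        if f"{repo}:{tag or 'latest'}" not in local:  # untagged means :latest
            missing.append(ref)
    return missing


def report(refs, docker_images_text):
    """Return (ok, findings); ok is False if anything needs attention."""
    findings = [f"floating tag, pin by version or @sha256 digest: {r}"
                for r in unpinned_images(refs)]
    tags = version_tags(refs)
    if len(tags) > 1:
        findings.append(f"Malcolm images span several versions: {dict(tags)}")
    findings += [f"not pulled at this tag: {r}"
                 for r in missing_images(refs, docker_images_text)]
    return (not findings), findings


if __name__ == "__main__":
    # Usage: python3 check_images.py [path/to/docker-compose.yml]
    # Without an argument the constructed samples above are checked.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            refs = parse_compose_images(fh.read())
        local = subprocess.run(
            ["docker", "images", "--format", "{{.Repository}}:{{.Tag}}"],
            check=True, capture_output=True, text=True).stdout
    else:
        refs, local = parse_compose_images(SAMPLE_COMPOSE), SAMPLE_DOCKER_IMAGES
    ok, findings = report(refs, local)
    print("OK" if ok else "\n".join(findings))
```

Run against the samples it reports the two floating references and the two images that are not present at the expected tag. A matching repo:tag is still only a tag comparison; since tags are mutable on the registry, the stronger guarantee is to reference the images in docker-compose.yml by @sha256 digest once a known-good set has been pulled, which the unpinned_images check accepts as pinned.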

Import from pre-packaged tarballs

Once built, the malcolm_appliance_packager.sh script can be used to create pre-packaged Malcolm tarballs for import on another machine. See Pre-Packaged Installation Files for more information.

Starting and stopping Malcolm

Use the scripts in the scripts/ directory to start and stop Malcolm, view debug logs of a currently running instance, wipe the database and restore Malcolm to a fresh state, etc.

User interface

A few minutes after starting Malcolm (probably 5 to 10 minutes for Logstash to be completely up, depending on the system), the following services will be accessible: