A powerful, easily deployable network traffic analysis tool suite
Docker compose is used to coordinate running the Docker containers. To start Malcolm, navigate to the directory containing docker-compose.yml
and run:
$ ./scripts/start
This will create the containers’ virtual network and instantiate them, then leave them running in the background. The Malcolm containers may take several minutes to start up completely. To follow the debug output for an already-running Malcolm instance, run:
$ ./scripts/logs
You can also use docker stats
to monitor the resource utilization of running containers.
You can run ./scripts/stop
to stop the Docker containers and remove their virtual network. Alternatively, ./scripts/restart
will restart an instance of Malcolm. Because the data on disk is stored on the host in Docker volumes, performing these operations will not result in loss of data.
Malcolm can be configured to automatically restart when the Docker system daemon restarts (for example, on system reboot). This behavior depends on the value of the restart:
setting for each service in the docker-compose.yml
file. This value can be set by running ./scripts/configure
and answering “yes” to “Restart Malcolm upon system or Docker daemon restart?
.”
Run ./scripts/wipe
to stop the Malcolm instance and wipe its OpenSearch database (including index snapshots and management policies and alerting configuration).
To temporarily set the Malcolm user interfaces into read-only configuration, run the following commands from the Malcolm installation directory.
First, to configure Nginx to disable access to the upload and other interfaces for changing Malcolm settings, and to deny HTTP methods other than GET
and POST
:
docker compose exec nginx-proxy bash -c "cp /etc/nginx/nginx_readonly.conf /etc/nginx/nginx.conf && nginx -s reload"
Second, to set the existing OpenSearch data store to read-only:
docker compose exec dashboards-helper /data/opensearch_read_only.py -i _cluster
These commands must be re-run every time Malcolm is restarted.
Note: after running these commands there may be an increase of error messages in the Malcolm containers’ output as various background processes will fail due to the read-only nature of the indices. Additionally, some features such as Arkime’s Hunt and building your own visualizations and dashboards in OpenSearch Dashboards will not function correctly in read-only mode.