Logo

A powerful, easily deployable network traffic analysis tool suite for network security monitoring

Quick Start

Documentation

Components

Supported Protocols

Configuring

Arkime

Dashboards

Hedgehog Linux

Contribution Guide

Running Malcolm

Starting Malcolm

Docker compose is used to coordinate running the containers. To start Malcolm, navigate to the directory containing docker-compose.yml and run:

$ ./scripts/start

This will create the containers’ virtual network and instantiate them, then leave them running in the background. The Malcolm containers may take several minutes to start up completely. To follow the debug output for an already-running Malcolm instance, run:

$ ./scripts/logs

You can also use docker stats to monitor the resource utilization of running containers.

Stopping and restarting Malcolm

You can run ./scripts/stop to stop the containers and remove their virtual network. Alternatively, ./scripts/restart will restart an instance of Malcolm. Because the data on disk is stored on the host in bind-mounted volumes, performing these operations will not result in loss of data.

Malcolm can be configured to automatically restart when the Docker system daemon restarts (for example, on system reboot). This behavior depends on the value of the restart: setting for each service in the docker-compose.yml file. This value can be set by running ./scripts/configure and answering “yes” to “Restart Malcolm upon system or container daemon restart?.”

Clearing Malcolm’s data

Run ./scripts/wipe to stop the Malcolm instance and wipe its OpenSearch database (including index snapshots and management policies and alerting configuration).

Temporary read-only interface

To temporarily set the Malcolm user interfaces into read-only configuration, run the following commands from the Malcolm installation directory.

First, to configure Nginx to disable access to the upload and other interfaces for changing Malcolm settings, and to deny HTTP methods other than GET and POST:

docker compose exec nginx-proxy bash -c "cp /etc/nginx/nginx_readonly.conf /etc/nginx/nginx.conf && nginx -s reload"

Second, to set the existing OpenSearch data store to read-only:

docker compose exec dashboards-helper /data/opensearch_read_only.py -i _cluster

These commands must be re-run every time Malcolm is restarted.

Note: after running these commands there may be an increase of error messages in the Malcolm containers’ output as various background processes will fail due to the read-only nature of the indices. Additionally, some features such as Arkime’s Hunt and building your own visualizations and dashboards in OpenSearch Dashboards will not function correctly in read-only mode.