Malcolm v24.03.1 #301
Merged
…o enable debugging
…o enable debugging
…into arkime_search_indices_423
…t isn't being used for capture. the issue was a missing `lb_custom.InterfacePrefix=af_packet::` line in zeekctl.cfg, which was being set in Hedgehog Linux but not in Malcolm's zeek Docker container. this fix makes sure that line is enabled in both Malcolm and Hedgehog for zeek live capture
…TTERN was not being applied correctly
…ount the search time frame
…index and artifact storage, NOT DONE YET
…index and artifact storage, NOT DONE YET
…index and artifact storage, NOT DONE YET
…index and artifact storage, NOT DONE YET
…index and artifact storage, NOT DONE YET
…index and artifact storage, NOT DONE YET
…index and artifact storage, NOT DONE YET
…index and artifact storage, NOT DONE YET
…index and artifact storage, NOT DONE YET
…index and artifact storage, NOT DONE YET
…ex and artifact storage
…ex and artifact storage
…ex and artifact storage
… pattern for Arkime to query in addition to arkime_sessions3-* (idaholab#423)
…ow that the PR has been pulled
…into v24.03.1_merge_cisagov
…ex and artifact storage; fix directory permissions
…into v24.03.1_merge_cisagov
Malcolm v24.03.1 contains new features, improvements, bug fixes and component version updates.

v24.03.0...v24.03.1

Because some of the environment variables used for configuring Malcolm have been reorganized in the `.env` files found in the `./config` directory, it is strongly recommended you re-run `./scripts/configure` for this release.

- `NETBOX_PRELOAD_PREFIXES` variable, which no longer has any effect) in which three giant buckets (one for each block in the RFC1918 private address definitions) could be created once at startup. (autocreation and assignment of NetBox subnets in Logstash idaholab/Malcolm#436). So, for example:
  - `10./16` (`255.255.0.0`): `10.9.0.215` would cause us to create and assign it to a `10.9.0.0/16` subnet
  - `192.168./24` (`255.255.255.0`): `192.168.100.123` would cause us to create and assign it to a `192.168.100.0/24` subnet
  - `172.16./20` (`255.255.240.0`): `172.16.29.10` would cause us to create and assign it to a `172.16.29.10/20` subnet
- `SURICATA_EVE_THREADED` - controls threaded file output (default `false`)
- `SURICATA_EVE_ROTATE_INTERVAL` - controls eve.json file rotation (default `1h`)
- `100` and `otherBucket: true` has been set for all of these table visualizations to ensure that the end user knows that `Other` rows may also exist outside of the rows shown. (unformly increase number of results for table visualizations in Dashboards idaholab/Malcolm#447)
- `bro_logs` were renamed to `zeek_logs` on Hedgehog Linux
- `notice.log`
- `install.py` instead of just failing
- `zeek-live` container. This did not affect Suricata, Arkime capture, or any of the Hedgehog Linux processes. (AF_PACKET isn't being enabled for zeek-live container capture idaholab/Malcolm#437)
- `MALCOLM_OTHER_INDEX_PATTERN` variable had been set to something other than the default.
- `./config/`)
- `ARKIME_DEBUG_LEVEL=0` has been added to `arkime.env` to control the `debug` level for Arkime's `config.ini`.
- `netbox-common.env` (also, see below for some existing variables that were moved from `logstash.env`):
  - `NETBOX_PRELOAD_PREFIXES` has been removed and replaced with `NETBOX_AUTO_CREATE_PREFIX` for autocreation and assignment of NetBox subnets in Logstash idaholab/Malcolm#436
  - `NETBOX_ENRICHMENT_LOOKUP_SERVICE=true` has been added to indicate whether or not services (i.e., destination IP/port) should be looked up during NetBox enrichment
- `opensearch.env` to give examples of how to set the time bucketing for OpenSearch/Elasticsearch indexes
- `LOG_CLEANUP_MINUTES` and `ZIP_CLEANUP_MINUTES` are now in `filebeat.env`, moved from `upload-common.env`
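The three RFC1918 examples above (`10./16`, `192.168./24`, `172.16./20`) describe how an observed address is mapped to the NetBox subnet that gets auto-created and assigned. The following is an added example written for this page, not Malcolm's Logstash code or its `NETBOX_AUTO_CREATE_PREFIX` implementation. It assumes the rules are matched as string prefixes on the dotted-quad address (so `172.16.` matches only `172.16.x.x`, exactly as the examples are written) and reports the result in canonical network form via `ipaddress.ip_network(..., strict=False)`, which gives `172.16.16.0/20` for `172.16.29.10`; the rule table, function names and sample addresses are all assumptions of the example.

```python
"""Added example (not Malcolm's code): derive the NetBox prefix that the
release notes say would be auto-created for a given IPv4 address."""
import ipaddress
from typing import Optional, Sequence, Tuple

# (address prefix as a string, prefix length) -- the three rules shown in
# the release notes: 10./16, 192.168./24, 172.16./20 (assumed semantics)
AUTO_CREATE_RULES: Sequence[Tuple[str, int]] = (
    ("10.", 16),
    ("192.168.", 24),
    ("172.16.", 20),
)


def auto_create_prefix(ip: str, rules: Sequence[Tuple[str, int]] = AUTO_CREATE_RULES) -> Optional[str]:
    """Return the CIDR prefix that would be created/assigned for `ip`,
    or None when no rule matches (e.g. a public or IPv6 address).

    The match is a plain string-prefix test on the dotted-quad form, so
    "10." cannot accidentally match 100.x.x.x (that string starts with "100",
    not "10."), and "172.16." does not match 172.17.x.x.
    """
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        return None
    text = str(addr)
    for prefix_str, length in rules:
        if text.startswith(prefix_str):
            # strict=False masks the host bits off, giving the network address
            net = ipaddress.ip_network(f"{text}/{length}", strict=False)
            return str(net)
    return None


def netmask_for(length: int) -> str:
    """Dotted-quad netmask for a prefix length, e.g. 20 -> 255.255.240.0
    (the parenthesised masks in the release notes)."""
    return str(ipaddress.ip_network(f"0.0.0.0/{length}").netmask)


if __name__ == "__main__":
    # Constructed sample addresses, including one that matches no rule
    for sample in ("10.9.0.215", "192.168.100.123", "172.16.29.10", "8.8.8.8"):
        print(f"{sample} -> {auto_create_prefix(sample)}")
```

Because the match is a literal string prefix taken from the examples, an address such as `172.20.1.1` (inside RFC1918's `172.16.0.0/12` but not starting with `172.16.`) yields `None`; whether Malcolm treats the whole `/12` block the same way is not something the notes above state, so the example does not assume it.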
- `logstash.env` to `netbox-common.env` and renamed:
  - `LOGSTASH_NETBOX_ENRICHMENT` is now `NETBOX_ENRICHMENT`
  - `LOGSTASH_NETBOX_AUTO_POPULATE` is now `NETBOX_AUTO_POPULATE`
  - `LOGSTASH_NETBOX_CACHE_SIZE` is now `NETBOX_CACHE_SIZE`
  - `LOGSTASH_NETBOX_CACHE_TTL` is now `LOGSTASH_NETBOX_CACHE_TTL`
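The notes recommend re-running `./scripts/configure` because of the variable moves and renames listed above. As an added example (not part of Malcolm or its `./scripts/configure`), the script below scans the contents of `.env` files for the names this release renamed, removed, or moved between files and reports what replaced them, which is a quick way to confirm nothing in a hand-edited `./config` directory is silently ignored after the upgrade. The mapping tables come from the notes above (the three renames with distinct new names, the `NETBOX_PRELOAD_PREFIXES` removal, and the `LOG_CLEANUP_MINUTES`/`ZIP_CLEANUP_MINUTES` move); the assumption that the files are plain `KEY=VALUE` lines, the function names, and the sample file contents are constructed for this example.

```python
"""Added example (not Malcolm's code): report v24.03.1 stale variable names
found in the contents of ./config/*.env files."""
import re
from typing import Dict, List

# Renames listed in the release notes: old name -> new name (all now live in netbox-common.env)
RENAMED = {
    "LOGSTASH_NETBOX_ENRICHMENT": "NETBOX_ENRICHMENT",
    "LOGSTASH_NETBOX_AUTO_POPULATE": "NETBOX_AUTO_POPULATE",
    "LOGSTASH_NETBOX_CACHE_SIZE": "NETBOX_CACHE_SIZE",
}
# Removed variable (no longer has any effect) -> the variable that replaced it
REMOVED = {"NETBOX_PRELOAD_PREFIXES": "NETBOX_AUTO_CREATE_PREFIX"}
# Variables that kept their name but changed file: name -> (old file, new file)
MOVED = {
    "LOG_CLEANUP_MINUTES": ("upload-common.env", "filebeat.env"),
    "ZIP_CLEANUP_MINUTES": ("upload-common.env", "filebeat.env"),
}

# Assumed file format: optional "export", KEY=VALUE, '#' comment lines ignored
ENV_LINE = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=(.*)$")


def parse_env(text: str) -> Dict[str, str]:
    """Parse KEY=VALUE lines into a dict; blank and comment lines are skipped."""
    result: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        match = ENV_LINE.match(line)
        if match:
            result[match.group(1)] = match.group(2).strip()
    return result


def find_stale_settings(env_files: Dict[str, str]) -> List[str]:
    """env_files maps a file name (e.g. 'logstash.env') to its contents.

    Returns one human-readable finding per stale variable, sorted so the
    output is stable. A variable is only flagged as 'moved' when it is still
    sitting in the file it moved out of."""
    findings: List[str] = []
    for fname, text in env_files.items():
        for key in parse_env(text):
            if key in RENAMED:
                findings.append(f"{fname}: {key} is now {RENAMED[key]} in netbox-common.env")
            elif key in REMOVED:
                findings.append(f"{fname}: {key} has been removed (no effect); see {REMOVED[key]}")
            elif key in MOVED and fname == MOVED[key][0]:
                findings.append(f"{fname}: {key} now belongs in {MOVED[key][1]}")
    return sorted(findings)


# Constructed sample modelled on a pre-24.03.1 layout; these are not real Malcolm files
SAMPLE_CONFIG = {
    "logstash.env": (
        "LOGSTASH_NETBOX_ENRICHMENT=true\n"
        "LOGSTASH_NETBOX_CACHE_SIZE=1000\n"
        "NETBOX_PRELOAD_PREFIXES=true\n"
    ),
    "upload-common.env": "# cleanup intervals\nLOG_CLEANUP_MINUTES=30\nZIP_CLEANUP_MINUTES=30\n",
    "filebeat.env": "LOG_CLEANUP_MINUTES=30\n",
}


if __name__ == "__main__":
    # In practice, build the dict by reading each file under ./config/
    for finding in find_stale_settings(SAMPLE_CONFIG):
        print(finding)
```

The check deliberately does not rewrite anything: it only names the stale keys so the operator can move them by hand or let `./scripts/configure` regenerate the files, and a variable that has already been placed in its new file (like `LOG_CLEANUP_MINUTES` in `filebeat.env` above) produces no finding.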