-
|
Hi, I am new here. I have installed Arkime (ver5.6) and ES (ver 8.16) on a server. I have installed Zeek and an File beat Agent on another server. The plan was to view Zeek logs in Arkime. How do I use Malcolm to acheieve this? What should I do? Can someone please help me? |
Beta Was this translation helpful? Give feedback.
Replies: 2 comments 2 replies
-
|
Malcolm is a tool suite that includes both Zeek and Arkime, and has some customizations to both that makes it possible to see Zeek logs in Arkime. But if you've just installed Zeek on one endpoint, and Arkime on another, and those aren't part of a Malcolm installation, then Malcolm isn't really going to be able to help you. If you're interested in installing Malcolm, here are some resources I can point you to (most of which are also gathered in the wiki):
Malcolm isn't just a plugin for your existing Arkime/Zeek installation, it is in and of itself a deployment of those tools. |
Beta Was this translation helpful? Give feedback.
-
|
Thank you very much for your clarification. So if i have to have Arkime display Zeek. I will have to uninstall the Arkime and Zeek Installations I have done and install Malcolm instead. What about Elasticsearch? Can I use that as the database for collecting the logs? |
Beta Was this translation helpful? Give feedback.
-
|
Yes, you can configure Malcolm to use a remote instance of Elasticsearch rather than its internal one. |
Beta Was this translation helpful? Give feedback.
-
|
Thank you !!
Appreciate your support. I am is discussions with my team on how to proceed
forward.
Regards
Satish
…On Wed, Apr 16, 2025 at 9:35 AM Seth Grover ***@***.***> wrote:
Yes, you can configure Malcolm to use a remote instance of Elasticsearch
<https://cisagov.github.io/Malcolm/docs/opensearch-instances.html#OpenSearchInstance>
rather than its internal one.
—
Reply to this email directly, view it on GitHub
<#648 (reply in thread)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/BRQZP7JOJCLLF4QIDLPOT7T2ZWJVPAVCNFSM6AAAAAB3FT4EISVHI2DSMVQWIX3LMV43URDJONRXK43TNFXW4Q3PNVWWK3TUHMYTEOBUG44DGNQ>
.
You are receiving this because you authored the thread.Message ID:
***@***.***>
|
Beta Was this translation helpful? Give feedback.
Malcolm is a tool suite that includes both Zeek and Arkime, and has some customizations to both that makes it possible to see Zeek logs in Arkime. But if you've just installed Zeek on one endpoint, and Arkime on another, and those aren't part of a Malcolm installation, then Malcolm isn't really going to be able to help you.
If you're interested in installing Malcolm, here are some resources I can point you to (most of which are also gathered in the wiki):
Malcolm isn't…