Malcolm v25.08.0 is a minor release fixing a regression bug inadvertently introduced in v25.07.0.
v25.07.0...v25.08.0
If you are updating from a version older than v25.06.0, please read those release notes prior to updating to this version.
clean-processed-folder.py script in the filebeat container responsible for pruning already-processed Zeek and Suricata log files (performance improvements for filebeat processed file cleanup #736)
Due to this commit, the order in which the Arkime fields database was initialized and the WISE service started was switched, which resulted in the initial run of capture (responsible for populating Malcolm's custom fields) failing. The order of these operations has been corrected.
📄 Configuration changes (in environment variables in ./config/) for Malcolm. The Malcolm control script (e.g., ./scripts/status, ./scripts/start, etc.) should take care of creating new variables and migrating existing ones as needed based on the rules in ./config/env-var-actions.yml.
FILEBEAT_CLEANUP_VERBOSITY and added to filebeat.env to control the verbosity of the clean-processed-folder.py script mentioned above in relation to performance improvements for filebeat processed file cleanup #736. For example, setting FILEBEAT_CLEANUP_VERBOSITY=-vvvv corresponds to the DEBUG log level, and will produce output like this once per minute:
filebeat-1 | 2025-08-07T20:23:00Z /usr/local/bin/clean-processed-folder.py: Found 2099 Zeek processed directory files to consider.
filebeat-1 | 2025-08-07T20:23:00Z /usr/local/bin/clean-processed-folder.py: Found 135 Zeek live directory files to consider.
filebeat-1 | 2025-08-07T20:23:00Z /usr/local/bin/clean-processed-folder.py: Checked 2099 Zeek processed directory files at a rate of 10804 files/second.
filebeat-1 | 2025-08-07T20:23:00Z /usr/local/bin/clean-processed-folder.py: Checked 135 Zeek live directory files at a rate of 1411 files/second.
filebeat-1 | 2025-08-07T20:23:00Z /usr/local/bin/clean-processed-folder.py: Found 161 Suricata files to consider.
filebeat-1 | 2025-08-07T20:23:00Z /usr/local/bin/clean-processed-folder.py: Checked 161 Suricata files at a rate of 18018 files/second.
filebeat-1 | 2025-08-07T20:23:00Z /usr/local/bin/clean-processed-folder.py: Finished pruning files.
Malcolm is a powerful, easily deployable network 🖧 traffic analysis tool suite for network security monitoring 🕵🏻♀️.
Malcolm operates as a cluster of containers 📦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker 🐋, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.
Alternatively, dedicated official ISO installer images 💿 for Malcolm and Hedgehog Linux 🦔 can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split 🪓 into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (release_cleaver.sh) and PowerShell 🪟 (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.
As always, join us on the Malcolm discussions board 💬 to engage with the community, or pop some corn 🍿 and watch a video 📼.
#Malcolm #HedgehogLinux #Zeek #Arkime #NetBox #OpenSearch #Elasticsearch #Suricata #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #OT #ICS #icssecurity #CyberSecurity #Cyber #Infosec #INL #DHS #CISA #CISAgov
This discussion was created from the release Malcolm v25.08.0.