Malcolm v25.01.0 contains quite a few UI/UX improvements; new parsers; a bevy of component version updates including to Arkime, Zeek, NetBox; and several bug fixes.
- ✨ Features and enhancements
- integrate Omron FINS parser and added corresponding dashboard (cisagov#554)
- integrate PostgreSQL parser (added in Zeek v7.1.0) and added corresponding dashboard (cisagov#553)
- normalize Winlogbeat with Fluent Bit's `winlog`/`winevtlog` event and `evtx` event schemas (cisagov#356)
  - Winlogbeat seems to parse more fields from Windows events than Fluent Bit's `winevtlog` or `winlog` do, so users forwarding Windows event logs to Malcolm using Fluent Bit may want to evaluate Winlogbeat as an alternative.
- support syslog ingestion over UDP and/or TCP (cisagov#354)
- clicking field values in Dashboards tables will now pivot to Arkime or NetBox (cisagov#551)
- add navigation pane to all non-network dashboards (cisagov#543)
- ✅ Component version updates
- 🐛 Bug fixes
- Extracted File Downloads interface not working with some filenames (cisagov#524)
- user-defined custom field formats for index patterns are overwritten (cisagov#542)
- port numbers should not be shown with commas in Dashboards (cisagov#540)
- pivoting between Arkime and Dashboards doesn't work when Malcolm is behind a reverse proxy (e.g., traefik) (cisagov#552)
- `opensearch.keystore` not created when running in Hedgehog run profile (cisagov#533)
- ensure all conn.log entries are tagged `ics` for OT protocols (cisagov#541)
- 📄 Configuration changes (in environment variables in `./config/` for Malcolm and in `control_vars.conf` for Hedgehog Linux)
- The following variables in `./config/filebeat.env` configure Malcolm's ability to accept syslog messages:
  - `FILEBEAT_SYSLOG_TCP_LISTEN` and `FILEBEAT_SYSLOG_UDP_LISTEN` - if set to `true`, Malcolm will accept syslog messages over TCP and/or UDP, respectively
  - `FILEBEAT_SYSLOG_TCP_PORT` and `FILEBEAT_SYSLOG_UDP_PORT` - the port on which Malcolm will accept syslog messages over TCP and/or UDP, respectively
  - `FILEBEAT_SYSLOG_TCP_FORMAT` and `FILEBEAT_SYSLOG_UDP_FORMAT` - one of `auto`, `rfc3164`, or `rfc5424`, to specify the allowed format for syslog messages over TCP and/or UDP, respectively (default `auto`)
  - `FILEBEAT_SYSLOG_TCP_MAX_MESSAGE_SIZE` and `FILEBEAT_SYSLOG_UDP_MAX_MESSAGE_SIZE` - defines the maximum size of a message received over TCP and/or UDP, respectively (default: `10KiB` for UDP, `20MiB` for TCP)
  - `FILEBEAT_SYSLOG_TCP_MAX_CONNECTIONS` - specifies the maximum number of concurrent TCP connections for syslog messages
  - `FILEBEAT_SYSLOG_TCP_SSL` - if set to `true`, syslog messages over TCP will require the use of TLS. When `./scripts/auth_setup` is run, self-signed certificates are generated which may be used by remote log forwarders. Located in Malcolm's `./filebeat/certs/` directory, the certificate authority and client certificate and key files should be copied to the host on which the forwarder is running and used when defining its settings for connecting to Malcolm.
- The following variables in `./config/zeek.env` for Malcolm and `control_vars.conf` for Hedgehog Linux pertain to the new Omron FINS protocol parser:
  - `ZEEK_DISABLE_ICS_OMRON_FINS` - if set to `true`, the Omron FINS parser will be disabled
  - `ZEEK_OMRON_FINS_DETAILED` - if set to `true`, a verbose Omron FINS details log (`omron_fins_detail.log`) will be created
- The following variables in
- 🧹 Code and project maintenance
- Changed ⓒ year to 2025
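As an added example (not Malcolm project code), a small Python sender that exercises the syslog-over-TCP listener described above when `FILEBEAT_SYSLOG_TCP_SSL` is `true`: it builds an RFC 5424 line, checks it against the documented size limit, and connects using the CA and client certificate copied from `./filebeat/certs/`. The certificate file names `ca.crt`, `client.crt` and `client.key`, the Malcolm host name and the port are assumptions.

```python
"""Send a test RFC 5424 syslog message to Malcolm's Filebeat TCP listener over TLS."""
import socket
import ssl
from datetime import datetime, timezone

# Documented defaults for FILEBEAT_SYSLOG_*_MAX_MESSAGE_SIZE (Filebeat counts bytes on the wire).
MAX_TCP_MESSAGE_BYTES = 20 * 1024 * 1024
MAX_UDP_MESSAGE_BYTES = 10 * 1024


def rfc5424_message(host, app, msg, facility=1, severity=6, timestamp=None):
    """Build one RFC 5424 line: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG.

    facility 1 = user, severity 6 = informational, so PRI = 1*8 + 6 = 14.
    PROCID, MSGID and structured data are sent as NILVALUE ("-").
    """
    pri = facility * 8 + severity
    ts = timestamp or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"<{pri}>1 {ts} {host} {app} - - - {msg}\n"


def fits_limit(line, limit=MAX_TCP_MESSAGE_BYTES):
    """True if the UTF-8 encoded line is within the listener's configured maximum message size."""
    return len(line.encode("utf-8")) <= limit


def send_over_tls(line, server, port, ca="ca.crt", cert="client.crt", key="client.key"):
    """Deliver one line to the TCP listener, verifying Malcolm's certificate against the CA
    and presenting the client certificate. File names are assumptions; use the files that
    ./scripts/auth_setup produced."""
    if not fits_limit(line):
        raise ValueError("message exceeds FILEBEAT_SYSLOG_TCP_MAX_MESSAGE_SIZE")
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca)
    ctx.load_cert_chain(certfile=cert, keyfile=key)  # client certificate + private key
    with socket.create_connection((server, port), timeout=5) as raw:
        # server_hostname must match the CN/SAN in Malcolm's self-signed server certificate
        with ctx.wrap_socket(raw, server_hostname=server) as tls:
            tls.sendall(line.encode("utf-8"))
    return len(line)


if __name__ == "__main__":
    # Constructed values: replace with your Malcolm host and FILEBEAT_SYSLOG_TCP_PORT
    send_over_tls(rfc5424_message("sensor01", "malcolm-syslog-test", "listener check"),
                  "malcolm.example.internal", 514)
```

After sending, the message should appear in Malcolm's Dashboards; if the TLS handshake fails, compare the CA file and the server name against the certificates `auth_setup` generated rather than relaxing verification.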
Malcolm is a powerful, easily deployable network 🖧 traffic analysis tool suite for network security monitoring 🕵🏻♀️.
Malcolm operates as a cluster of containers 📦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker 🐋, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.
Alternatively, dedicated official ISO installer images 💿 for Malcolm and Hedgehog Linux 🦔 can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split 🪓 into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (`release_cleaver.sh`) and PowerShell 🪟 (`release_cleaver.ps1`). See Downloading Malcolm - Installer ISOs for instructions.
As always, join us on the Malcolm discussions board 💬 to engage with the community, or pop some corn 🍿 and watch a video 📼.