#opensearch — Public Fediverse posts

Malcolm v26.05.0 delivers a mix of feature improvements, performance improvements, bug fixes, dependency updates, and deployment refinements across Malcolm and Hedgehog for both Docker- and Kubernetes-based workflows.

If you are upgrading from an existing Malcolm installation, run ./scripts/status for Malcolm to migrate some settings prior to running ./scripts/configure, ./scripts/start, or other Malcolm control scripts.

https://github.com/idaholab/Malcolm/compare/v26.04.1...v26.05.0

• ✨ Features and enhancements
  • #726 — use hierarchical structure for NetBox device roles
    • Expanded/reworked NetBox preloaded device roles into a hierarchical taxonomy (thanks Crubumble)
  • #867 — examine large chown'ed directories in container images and see if they can be reduced
  • #954 — allow users to provide custom netbox scripts to be automatically registered on startup (thanks PrudhviChanda)
    • Added NetBox custom script support in the container/runtime and docs, including bind-mounting ./netbox/custom-scripts and automatic script registration at startup
    • Renamed NetBox startup/control scripts from netbox/scripts to netbox/control-scripts
  • Added file.strings extraction/indexing/search support across Strelka → Logstash → OpenSearch templates (wildcard field mapping type) → Arkime/WISE
  • Added configurable Zeek file analyzer timeout via ZEEK_FILE_ANALYZER_TIMEOUT_SEC
  • netdev users in ISO-installed environment can run nmcli and nmtui to configure network interfaces.
  • the malcolm_appliance_packager.sh script that creates a tarball of Malcolm images can now package for both Malcolm and Hedgehog profiles.
• ✅ Component version updates
  • Arkime to v6.3.1
  • cryptography to v46.0.7
  • Filebeat OSS to v9.3.4
  • Fluent Bit to v5.0.4
  • GitPython to v3.1.47
  • Keycloak to v26.6
  • Logstash OSS to v9.2.8
  • OpenSearch and Opensearch Dashboards to v3.6.0
  • opensearch-py to v3.2.0
  • pillow to v12.2.0
  • python-dotenv to v1.2.2
  • Supercronic to v0.2.45
  • yq to v4.53.2
  • Zeek to v8.1.2
• 🐛 Bug fixes
  • #757 — multiple OpenSearch nodes (using Malcolm-Helm) fail to communicate with each other due to self-signed certs (thanks scott-jeffery)
    • OpenSearch post-start setup now supports configurable default replica counts instead of always forcing single-node replicas to 0
    • OpenSearch self-signed internal cert generation can now be skipped when external/preexisting certs are being used
  • #827 — Fix raspberry pi build which is broken since v25.12.0 Hedgehog/Malcolm platform unification
    • Updated Hedgehog Raspberry Pi docs and first-boot behavior/documentation
    • Hedgehog Raspberry Pi image now forces password change for sensor on first login and disables direct root password login by default
    • Refactored Raspberry Pi GitHub Actions build into reusable workflow .github/workflows/raspi-build-push.yml
  • #878 — Arkime capture Fails to Start on Hedgehog When WISE Web Config Is Enabled
    • Arkime RBAC role-mapping injection is now only applied when role-based access control is enabled
    • Arkime WISE configuration initialization now handles missing/empty persistent config files more robustly
    • Arkime live capture now normalizes WISE URLs better, follows redirects when probing, and avoids some bad URL construction edge cases
  • #957 — configuration script can disable ICS parsers unintentionally
  • #959 — Arkime sessions view attempts to load PCAP for Zeek and Suricata logs (which don't have PCAP) (see also arkime/arkime#3934)
  • Fixed one-off cleanup of interrupted Zeek intel files during stop --wipe
• 🧹 Code and project maintenance
  • Documentation improvements
  • #913 — replace ingress-nginx which is EOL
    • Switched Kubernetes ingress example/docs from ingress-nginx to Traefik and replaced the old Vagrant example with a new RKE2/Traefik-based environment
    • Fixed malformed indentation in kubernetes/01-volumes-nfs.yml.example for the filescan volume section
    • Removed deprecated Kubernetes example files for ingress-nginx and the old separate NFS-server Vagrant setup
    • opensearch is no longer part of the hedgehog Docker Compose profile, and some depends_on relationships were adjusted accordingly
  • #942 - Fixed mutable default argument usage in Zeek threat feed helper functions (thanks @stef41)
  • #917 — develop IronBank (US DoD) images for Malcolm
• 📄 Configuration changes for Malcolm (in environment variables in ./config/). The Malcolm control script (e.g., ./scripts/status, ./scripts/start) automatically handles creation and migration of variables according to ./config/env-var-actions.yml.
  • Added ZEEK_FILE_ANALYZER_TIMEOUT_SEC (default 5) to zeek.env. This is the default amount of time a file can be inactive before the file analysis gives up and discards any internal state related to the file.
  • ZEEK_CLUSTER_BACKEND can be specified in zeek.env to specify the Zeek cluster backend (ZeroMQ vs Broker).
• ❌ Errata
  • Under NetBox → Plugins → NetBox HealthCheck Plugin → HealthCheck the error "unavailable: Unable to connect to Redis: Connection Error" is displayed. This is a side effect of #882 and does not actually indicate a problem with NetBox or its connection to Valkey. This will be fixed in the next release.

Malcolm is a powerful, easily deployable network 🖧 traffic analysis tool suite for network security monitoring 🕵🏻‍♀️.

Malcolm operates as a cluster of containers 📦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker 🐋, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.

Alternatively, dedicated official ISO installer images 💿 for Malcolm and Hedgehog Linux 🦔 can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split 🪓 into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (release_cleaver.sh) and PowerShell 🪟 (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.

As always, join us on the Malcolm discussions board 💬 to engage with the community, or pop some corn 🍿 and watch a video 📼.

#Malcolm #HedgehogLinux #Zeek #Arkime #Strelka #NetBox #OpenSearch #Elasticsearch #Suricata #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #OT #ICS #icssecurity #CyberSecurity #Cyber #Infosec #INL

Malcolm v26.05.0 delivers a mix of feature improvements, performance improvements, bug fixes, dependency updates, and deployment refinements across Malcolm and Hedgehog for both Docker- and Kubernetes-based workflows.

If you are upgrading from an existing Malcolm installation, run ./scripts/status for Malcolm to migrate some settings prior to running ./scripts/configure, ./scripts/start, or other Malcolm control scripts.

https://github.com/idaholab/Malcolm/compare/v26.04.1...v26.05.0

• ✨ Features and enhancements
  • #726 — use hierarchical structure for NetBox device roles
    • Expanded/reworked NetBox preloaded device roles into a hierarchical taxonomy (thanks Crubumble)
  • #867 — examine large chown'ed directories in container images and see if they can be reduced
  • #954 — allow users to provide custom netbox scripts to be automatically registered on startup (thanks PrudhviChanda)
    • Added NetBox custom script support in the container/runtime and docs, including bind-mounting ./netbox/custom-scripts and automatic script registration at startup
    • Renamed NetBox startup/control scripts from netbox/scripts to netbox/control-scripts
  • Added file.strings extraction/indexing/search support across Strelka → Logstash → OpenSearch templates (wildcard field mapping type) → Arkime/WISE
  • Added configurable Zeek file analyzer timeout via ZEEK_FILE_ANALYZER_TIMEOUT_SEC
  • netdev users in ISO-installed environment can run nmcli and nmtui to configure network interfaces.
  • the malcolm_appliance_packager.sh script that creates a tarball of Malcolm images can now package for both Malcolm and Hedgehog profiles.
• ✅ Component version updates
  • Arkime to v6.3.1
  • cryptography to v46.0.7
  • Filebeat OSS to v9.3.4
  • Fluent Bit to v5.0.4
  • GitPython to v3.1.47
  • Keycloak to v26.6
  • Logstash OSS to v9.2.8
  • OpenSearch and Opensearch Dashboards to v3.6.0
  • opensearch-py to v3.2.0
  • pillow to v12.2.0
  • python-dotenv to v1.2.2
  • Supercronic to v0.2.45
  • yq to v4.53.2
  • Zeek to v8.1.2
• 🐛 Bug fixes
  • #757 — multiple OpenSearch nodes (using Malcolm-Helm) fail to communicate with each other due to self-signed certs (thanks scott-jeffery)
    • OpenSearch post-start setup now supports configurable default replica counts instead of always forcing single-node replicas to 0
    • OpenSearch self-signed internal cert generation can now be skipped when external/preexisting certs are being used
  • #827 — Fix raspberry pi build which is broken since v25.12.0 Hedgehog/Malcolm platform unification
    • Updated Hedgehog Raspberry Pi docs and first-boot behavior/documentation
    • Hedgehog Raspberry Pi image now forces password change for sensor on first login and disables direct root password login by default
    • Refactored Raspberry Pi GitHub Actions build into reusable workflow .github/workflows/raspi-build-push.yml
  • #878 — Arkime capture Fails to Start on Hedgehog When WISE Web Config Is Enabled
    • Arkime RBAC role-mapping injection is now only applied when role-based access control is enabled
    • Arkime WISE configuration initialization now handles missing/empty persistent config files more robustly
    • Arkime live capture now normalizes WISE URLs better, follows redirects when probing, and avoids some bad URL construction edge cases
  • #957 — configuration script can disable ICS parsers unintentionally
  • #959 — Arkime sessions view attempts to load PCAP for Zeek and Suricata logs (which don't have PCAP) (see also arkime/arkime#3934)
  • Fixed one-off cleanup of interrupted Zeek intel files during stop --wipe
• 🧹 Code and project maintenance
  • Documentation improvements
  • #913 — replace ingress-nginx which is EOL
    • Switched Kubernetes ingress example/docs from ingress-nginx to Traefik and replaced the old Vagrant example with a new RKE2/Traefik-based environment
    • Fixed malformed indentation in kubernetes/01-volumes-nfs.yml.example for the filescan volume section
    • Removed deprecated Kubernetes example files for ingress-nginx and the old separate NFS-server Vagrant setup
    • opensearch is no longer part of the hedgehog Docker Compose profile, and some depends_on relationships were adjusted accordingly
  • #942 - Fixed mutable default argument usage in Zeek threat feed helper functions (thanks @stef41)
  • #917 — develop IronBank (US DoD) images for Malcolm
• 📄 Configuration changes for Malcolm (in environment variables in ./config/). The Malcolm control script (e.g., ./scripts/status, ./scripts/start) automatically handles creation and migration of variables according to ./config/env-var-actions.yml.
  • Added ZEEK_FILE_ANALYZER_TIMEOUT_SEC (default 5) to zeek.env. This is the default amount of time a file can be inactive before the file analysis gives up and discards any internal state related to the file.
  • ZEEK_CLUSTER_BACKEND can be specified in zeek.env to specify the Zeek cluster backend (ZeroMQ vs Broker).
• ❌ Errata
  • Under NetBox → Plugins → NetBox HealthCheck Plugin → HealthCheck the error "unavailable: Unable to connect to Redis: Connection Error" is displayed. This is a side effect of #882 and does not actually indicate a problem with NetBox or its connection to Valkey. This will be fixed in the next release.

Malcolm is a powerful, easily deployable network 🖧 traffic analysis tool suite for network security monitoring 🕵🏻‍♀️.

Malcolm operates as a cluster of containers 📦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker 🐋, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.

Alternatively, dedicated official ISO installer images 💿 for Malcolm and Hedgehog Linux 🦔 can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split 🪓 into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (release_cleaver.sh) and PowerShell 🪟 (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.

As always, join us on the Malcolm discussions board 💬 to engage with the community, or pop some corn 🍿 and watch a video 📼.

#Malcolm #HedgehogLinux #Zeek #Arkime #Strelka #NetBox #OpenSearch #Elasticsearch #Suricata #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #OT #ICS #icssecurity #CyberSecurity #Cyber #Infosec #INL

Malcolm v26.05.0 delivers a mix of feature improvements, performance improvements, bug fixes, dependency updates, and deployment refinements across Malcolm and Hedgehog for both Docker- and Kubernetes-based workflows.

If you are upgrading from an existing Malcolm installation, run ./scripts/status for Malcolm to migrate some settings prior to running ./scripts/configure, ./scripts/start, or other Malcolm control scripts.

https://github.com/idaholab/Malcolm/compare/v26.04.1...v26.05.0

• ✨ Features and enhancements
  • #726 — use hierarchical structure for NetBox device roles
    • Expanded/reworked NetBox preloaded device roles into a hierarchical taxonomy (thanks Crubumble)
  • #867 — examine large chown'ed directories in container images and see if they can be reduced
  • #954 — allow users to provide custom netbox scripts to be automatically registered on startup (thanks PrudhviChanda)
    • Added NetBox custom script support in the container/runtime and docs, including bind-mounting ./netbox/custom-scripts and automatic script registration at startup
    • Renamed NetBox startup/control scripts from netbox/scripts to netbox/control-scripts
  • Added file.strings extraction/indexing/search support across Strelka → Logstash → OpenSearch templates (wildcard field mapping type) → Arkime/WISE
  • Added configurable Zeek file analyzer timeout via ZEEK_FILE_ANALYZER_TIMEOUT_SEC
  • netdev users in ISO-installed environment can run nmcli and nmtui to configure network interfaces.
  • the malcolm_appliance_packager.sh script that creates a tarball of Malcolm images can now package for both Malcolm and Hedgehog profiles.
• ✅ Component version updates
  • Arkime to v6.3.1
  • cryptography to v46.0.7
  • Filebeat OSS to v9.3.4
  • Fluent Bit to v5.0.4
  • GitPython to v3.1.47
  • Keycloak to v26.6
  • Logstash OSS to v9.2.8
  • OpenSearch and Opensearch Dashboards to v3.6.0
  • opensearch-py to v3.2.0
  • pillow to v12.2.0
  • python-dotenv to v1.2.2
  • Supercronic to v0.2.45
  • yq to v4.53.2
  • Zeek to v8.1.2
• 🐛 Bug fixes
  • #757 — multiple OpenSearch nodes (using Malcolm-Helm) fail to communicate with each other due to self-signed certs (thanks scott-jeffery)
    • OpenSearch post-start setup now supports configurable default replica counts instead of always forcing single-node replicas to 0
    • OpenSearch self-signed internal cert generation can now be skipped when external/preexisting certs are being used
  • #827 — Fix raspberry pi build which is broken since v25.12.0 Hedgehog/Malcolm platform unification
    • Updated Hedgehog Raspberry Pi docs and first-boot behavior/documentation
    • Hedgehog Raspberry Pi image now forces password change for sensor on first login and disables direct root password login by default
    • Refactored Raspberry Pi GitHub Actions build into reusable workflow .github/workflows/raspi-build-push.yml
  • #878 — Arkime capture Fails to Start on Hedgehog When WISE Web Config Is Enabled
    • Arkime RBAC role-mapping injection is now only applied when role-based access control is enabled
    • Arkime WISE configuration initialization now handles missing/empty persistent config files more robustly
    • Arkime live capture now normalizes WISE URLs better, follows redirects when probing, and avoids some bad URL construction edge cases
  • #957 — configuration script can disable ICS parsers unintentionally
  • #959 — Arkime sessions view attempts to load PCAP for Zeek and Suricata logs (which don't have PCAP) (see also arkime/arkime#3934)
  • Fixed one-off cleanup of interrupted Zeek intel files during stop --wipe
• 🧹 Code and project maintenance
  • Documentation improvements
  • #913 — replace ingress-nginx which is EOL
    • Switched Kubernetes ingress example/docs from ingress-nginx to Traefik and replaced the old Vagrant example with a new RKE2/Traefik-based environment
    • Fixed malformed indentation in kubernetes/01-volumes-nfs.yml.example for the filescan volume section
    • Removed deprecated Kubernetes example files for ingress-nginx and the old separate NFS-server Vagrant setup
    • opensearch is no longer part of the hedgehog Docker Compose profile, and some depends_on relationships were adjusted accordingly
  • #942 - Fixed mutable default argument usage in Zeek threat feed helper functions (thanks @stef41)
  • #917 — develop IronBank (US DoD) images for Malcolm
• 📄 Configuration changes for Malcolm (in environment variables in ./config/). The Malcolm control script (e.g., ./scripts/status, ./scripts/start) automatically handles creation and migration of variables according to ./config/env-var-actions.yml.
  • Added ZEEK_FILE_ANALYZER_TIMEOUT_SEC (default 5) to zeek.env. This is the default amount of time a file can be inactive before the file analysis gives up and discards any internal state related to the file.
  • ZEEK_CLUSTER_BACKEND can be specified in zeek.env to specify the Zeek cluster backend (ZeroMQ vs Broker).
• ❌ Errata
  • Under NetBox → Plugins → NetBox HealthCheck Plugin → HealthCheck the error "unavailable: Unable to connect to Redis: Connection Error" is displayed. This is a side effect of #882 and does not actually indicate a problem with NetBox or its connection to Valkey. This will be fixed in the next release.

Malcolm is a powerful, easily deployable network 🖧 traffic analysis tool suite for network security monitoring 🕵🏻‍♀️.

Malcolm operates as a cluster of containers 📦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker 🐋, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.

Alternatively, dedicated official ISO installer images 💿 for Malcolm and Hedgehog Linux 🦔 can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split 🪓 into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (release_cleaver.sh) and PowerShell 🪟 (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.

As always, join us on the Malcolm discussions board 💬 to engage with the community, or pop some corn 🍿 and watch a video 📼.

#Malcolm #HedgehogLinux #Zeek #Arkime #Strelka #NetBox #OpenSearch #Elasticsearch #Suricata #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #OT #ICS #icssecurity #CyberSecurity #Cyber #Infosec #INL

Malcolm v26.05.0 delivers a mix of feature improvements, performance improvements, bug fixes, dependency updates, and deployment refinements across Malcolm and Hedgehog for both Docker- and Kubernetes-based workflows.

If you are upgrading from an existing Malcolm installation, run ./scripts/status for Malcolm to migrate some settings prior to running ./scripts/configure, ./scripts/start, or other Malcolm control scripts.

https://github.com/idaholab/Malcolm/compare/v26.04.1...v26.05.0

• ✨ Features and enhancements
  • #726 — use hierarchical structure for NetBox device roles
    • Expanded/reworked NetBox preloaded device roles into a hierarchical taxonomy (thanks Crubumble)
  • #867 — examine large chown'ed directories in container images and see if they can be reduced
  • #954 — allow users to provide custom netbox scripts to be automatically registered on startup (thanks PrudhviChanda)
    • Added NetBox custom script support in the container/runtime and docs, including bind-mounting ./netbox/custom-scripts and automatic script registration at startup
    • Renamed NetBox startup/control scripts from netbox/scripts to netbox/control-scripts
  • Added file.strings extraction/indexing/search support across Strelka → Logstash → OpenSearch templates (wildcard field mapping type) → Arkime/WISE
  • Added configurable Zeek file analyzer timeout via ZEEK_FILE_ANALYZER_TIMEOUT_SEC
  • netdev users in ISO-installed environment can run nmcli and nmtui to configure network interfaces.
  • the malcolm_appliance_packager.sh script that creates a tarball of Malcolm images can now package for both Malcolm and Hedgehog profiles.
• ✅ Component version updates
  • Arkime to v6.3.1
  • cryptography to v46.0.7
  • Filebeat OSS to v9.3.4
  • Fluent Bit to v5.0.4
  • GitPython to v3.1.47
  • Keycloak to v26.6
  • Logstash OSS to v9.2.8
  • OpenSearch and Opensearch Dashboards to v3.6.0
  • opensearch-py to v3.2.0
  • pillow to v12.2.0
  • python-dotenv to v1.2.2
  • Supercronic to v0.2.45
  • yq to v4.53.2
  • Zeek to v8.1.2
• 🐛 Bug fixes
  • #757 — multiple OpenSearch nodes (using Malcolm-Helm) fail to communicate with each other due to self-signed certs (thanks scott-jeffery)
    • OpenSearch post-start setup now supports configurable default replica counts instead of always forcing single-node replicas to 0
    • OpenSearch self-signed internal cert generation can now be skipped when external/preexisting certs are being used
  • #827 — Fix raspberry pi build which is broken since v25.12.0 Hedgehog/Malcolm platform unification
    • Updated Hedgehog Raspberry Pi docs and first-boot behavior/documentation
    • Hedgehog Raspberry Pi image now forces password change for sensor on first login and disables direct root password login by default
    • Refactored Raspberry Pi GitHub Actions build into reusable workflow .github/workflows/raspi-build-push.yml
  • #878 — Arkime capture Fails to Start on Hedgehog When WISE Web Config Is Enabled
    • Arkime RBAC role-mapping injection is now only applied when role-based access control is enabled
    • Arkime WISE configuration initialization now handles missing/empty persistent config files more robustly
    • Arkime live capture now normalizes WISE URLs better, follows redirects when probing, and avoids some bad URL construction edge cases
  • #957 — configuration script can disable ICS parsers unintentionally
  • #959 — Arkime sessions view attempts to load PCAP for Zeek and Suricata logs (which don't have PCAP) (see also arkime/arkime#3934)
  • Fixed one-off cleanup of interrupted Zeek intel files during stop --wipe
• 🧹 Code and project maintenance
  • Documentation improvements
  • #913 — replace ingress-nginx which is EOL
    • Switched Kubernetes ingress example/docs from ingress-nginx to Traefik and replaced the old Vagrant example with a new RKE2/Traefik-based environment
    • Fixed malformed indentation in kubernetes/01-volumes-nfs.yml.example for the filescan volume section
    • Removed deprecated Kubernetes example files for ingress-nginx and the old separate NFS-server Vagrant setup
    • opensearch is no longer part of the hedgehog Docker Compose profile, and some depends_on relationships were adjusted accordingly
  • #942 - Fixed mutable default argument usage in Zeek threat feed helper functions (thanks @stef41)
  • #917 — develop IronBank (US DoD) images for Malcolm
• 📄 Configuration changes for Malcolm (in environment variables in ./config/). The Malcolm control script (e.g., ./scripts/status, ./scripts/start) automatically handles creation and migration of variables according to ./config/env-var-actions.yml.
  • Added ZEEK_FILE_ANALYZER_TIMEOUT_SEC (default 5) to zeek.env. This is the default amount of time a file can be inactive before the file analysis gives up and discards any internal state related to the file.
  • ZEEK_CLUSTER_BACKEND can be specified in zeek.env to specify the Zeek cluster backend (ZeroMQ vs Broker).
• ❌ Errata
  • Under NetBox → Plugins → NetBox HealthCheck Plugin → HealthCheck the error "unavailable: Unable to connect to Redis: Connection Error" is displayed. This is a side effect of #882 and does not actually indicate a problem with NetBox or its connection to Valkey. This will be fixed in the next release.

Malcolm is a powerful, easily deployable network 🖧 traffic analysis tool suite for network security monitoring 🕵🏻‍♀️.

Malcolm operates as a cluster of containers 📦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker 🐋, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.

Alternatively, dedicated official ISO installer images 💿 for Malcolm and Hedgehog Linux 🦔 can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split 🪓 into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (release_cleaver.sh) and PowerShell 🪟 (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.

As always, join us on the Malcolm discussions board 💬 to engage with the community, or pop some corn 🍿 and watch a video 📼.

#Malcolm #HedgehogLinux #Zeek #Arkime #Strelka #NetBox #OpenSearch #Elasticsearch #Suricata #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #OT #ICS #icssecurity #CyberSecurity #Cyber #Infosec #INL

Malcolm v26.05.0 delivers a mix of feature improvements, performance improvements, bug fixes, dependency updates, and deployment refinements across Malcolm and Hedgehog for both Docker- and Kubernetes-based workflows.

If you are upgrading from an existing Malcolm installation, run ./scripts/status for Malcolm to migrate some settings prior to running ./scripts/configure, ./scripts/start, or other Malcolm control scripts.

https://github.com/idaholab/Malcolm/compare/v26.04.1...v26.05.0

• ✨ Features and enhancements
  • #726 — use hierarchical structure for NetBox device roles
    • Expanded/reworked NetBox preloaded device roles into a hierarchical taxonomy (thanks Crubumble)
  • #867 — examine large chown'ed directories in container images and see if they can be reduced
  • #954 — allow users to provide custom netbox scripts to be automatically registered on startup (thanks PrudhviChanda)
    • Added NetBox custom script support in the container/runtime and docs, including bind-mounting ./netbox/custom-scripts and automatic script registration at startup
    • Renamed NetBox startup/control scripts from netbox/scripts to netbox/control-scripts
  • Added file.strings extraction/indexing/search support across Strelka → Logstash → OpenSearch templates (wildcard field mapping type) → Arkime/WISE
  • Added configurable Zeek file analyzer timeout via ZEEK_FILE_ANALYZER_TIMEOUT_SEC
  • netdev users in ISO-installed environment can run nmcli and nmtui to configure network interfaces.
  • the malcolm_appliance_packager.sh script that creates a tarball of Malcolm images can now package for both Malcolm and Hedgehog profiles.
• ✅ Component version updates
  • Arkime to v6.3.1
  • cryptography to v46.0.7
  • Filebeat OSS to v9.3.4
  • Fluent Bit to v5.0.4
  • GitPython to v3.1.47
  • Keycloak to v26.6
  • Logstash OSS to v9.2.8
  • OpenSearch and Opensearch Dashboards to v3.6.0
  • opensearch-py to v3.2.0
  • pillow to v12.2.0
  • python-dotenv to v1.2.2
  • Supercronic to v0.2.45
  • yq to v4.53.2
  • Zeek to v8.1.2
• 🐛 Bug fixes
  • #757 — multiple OpenSearch nodes (using Malcolm-Helm) fail to communicate with each other due to self-signed certs (thanks scott-jeffery)
    • OpenSearch post-start setup now supports configurable default replica counts instead of always forcing single-node replicas to 0
    • OpenSearch self-signed internal cert generation can now be skipped when external/preexisting certs are being used
  • #827 — Fix raspberry pi build which is broken since v25.12.0 Hedgehog/Malcolm platform unification
    • Updated Hedgehog Raspberry Pi docs and first-boot behavior/documentation
    • Hedgehog Raspberry Pi image now forces password change for sensor on first login and disables direct root password login by default
    • Refactored Raspberry Pi GitHub Actions build into reusable workflow .github/workflows/raspi-build-push.yml
  • #878 — Arkime capture Fails to Start on Hedgehog When WISE Web Config Is Enabled
    • Arkime RBAC role-mapping injection is now only applied when role-based access control is enabled
    • Arkime WISE configuration initialization now handles missing/empty persistent config files more robustly
    • Arkime live capture now normalizes WISE URLs better, follows redirects when probing, and avoids some bad URL construction edge cases
  • #957 — configuration script can disable ICS parsers unintentionally
  • #959 — Arkime sessions view attempts to load PCAP for Zeek and Suricata logs (which don't have PCAP) (see also arkime/arkime#3934)
  • Fixed one-off cleanup of interrupted Zeek intel files during stop --wipe
• 🧹 Code and project maintenance
  • Documentation improvements
  • #913 — replace ingress-nginx which is EOL
    • Switched Kubernetes ingress example/docs from ingress-nginx to Traefik and replaced the old Vagrant example with a new RKE2/Traefik-based environment
    • Fixed malformed indentation in kubernetes/01-volumes-nfs.yml.example for the filescan volume section
    • Removed deprecated Kubernetes example files for ingress-nginx and the old separate NFS-server Vagrant setup
    • opensearch is no longer part of the hedgehog Docker Compose profile, and some depends_on relationships were adjusted accordingly
  • #942 - Fixed mutable default argument usage in Zeek threat feed helper functions (thanks @stef41)
  • #917 — develop IronBank (US DoD) images for Malcolm
• 📄 Configuration changes for Malcolm (in environment variables in ./config/). The Malcolm control script (e.g., ./scripts/status, ./scripts/start) automatically handles creation and migration of variables according to ./config/env-var-actions.yml.
  • Added ZEEK_FILE_ANALYZER_TIMEOUT_SEC (default 5) to zeek.env. This is the default amount of time a file can be inactive before the file analysis gives up and discards any internal state related to the file.
  • ZEEK_CLUSTER_BACKEND can be specified in zeek.env to specify the Zeek cluster backend (ZeroMQ vs Broker).
• ❌ Errata
  • Under NetBox → Plugins → NetBox HealthCheck Plugin → HealthCheck the error "unavailable: Unable to connect to Redis: Connection Error" is displayed. This is a side effect of #882 and does not actually indicate a problem with NetBox or its connection to Valkey. This will be fixed in the next release.

Malcolm is a powerful, easily deployable network 🖧 traffic analysis tool suite for network security monitoring 🕵🏻‍♀️.

Malcolm operates as a cluster of containers 📦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker 🐋, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.

Alternatively, dedicated official ISO installer images 💿 for Malcolm and Hedgehog Linux 🦔 can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split 🪓 into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (release_cleaver.sh) and PowerShell 🪟 (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.

As always, join us on the Malcolm discussions board 💬 to engage with the community, or pop some corn 🍿 and watch a video 📼.

#Malcolm #HedgehogLinux #Zeek #Arkime #Strelka #NetBox #OpenSearch #Elasticsearch #Suricata #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #OT #ICS #icssecurity #CyberSecurity #Cyber #Infosec #INL

Malcolm v26.04.1 contains improvements, bug fixes, security updates, and component bumps.

If you are upgrading from an existing Malcolm installation, run ./scripts/status for Malcolm to migrate some settings prior to running ./scripts/configure, ./scripts/start, or other Malcolm control scripts.

v26.02.0...v26.04.1

Note that v26.04.1 is the same as v26.04.0 released last week, apart from the fix for bug #943. If you're already running v26.04.0 and don't use the encrypted install option in the installer ISO, you probably don't need to worry about updating to v26.04.1. The full release notes from v26.04.0 are also included here.

• ✨ Features and enhancements
  • implemented easier way to enable/disable Strelka scanners #935
  • Handle nested file scanning (e.g., from ZIP files) with Strelka #922
  • index selected Strelka result fields #919
• ✅ Component version updates
  • Zeek to v8.1.1
  • Arkime to v6.1.1
  • crytography to v46.0.6 (for CVE-2026-34073)
  • evtx to v0.11.2
  • Flask to v3.1.3 (for CVE-2026-27205)
  • Fluent Bit to v5.0.2
  • Logstash to v9.2.7
  • Requests to v2.33.1 (for CVE-2026-25645)
  • supercronic to v0.2.43
  • yq to v4.52.5
  • Updates for ICSNPP Hart IP parser #924
• 🐛 Bug fixes
  • Hedgehog Linux Breaking on Reboot after Encrypted Quick Install with Multiple Drives #943
  • Fix YAML syntax error in kubernetes/15-redis.yml due to missing end quote #926
  • Using remote elasticsearch data store uses deprecated ssl_certificate_verification setting [https://github.com/cisagov/Malcolm/issues/915]
  • fix Malcolm API loopback webhook to handle RBAC and non-JSON formatted events #916
  • fix issues in zeekdeploy.sh to handle long crypto handshakes and Zeek's state DB getting out of sync
• 🧹 Code and project maintenance
  • swap redis out for valkey #882
  • pin all third-party GitHub CI actions at known good SHA sums to mitigate things like the Trivy supply chain attack #933
  • some minor tweaks to various Dockerfiles and ISO build scripts to address vulnerability scanner findings
  • some documentation updates
• 📄 Configuration changes for Malcolm (in environment variables in ./config/). The Malcolm control script (e.g., ./scripts/status, ./scripts/start) automatically handles creation and migration of variables according to ./config/env-var-actions.yml.
  • Added ARKIME_PCAP_LIBPCAP to arkime.env should uses wish to revert to older libpcap mode for PCAP file processing rather than faster scheme processing (default false)
  • FILEBEAT_SCANNER_FINGERPRINT_LENGTH's default in filescan.env has been changed from 1024 to 512
  • redis.env has been renamed to valkey.env and its variables also have been renamed accordingly
  • STRELKA_SCANNERS has been added to pipeline.env for #935
  • ZEEK_DISABLE_SPICY_ZIP has been added to zeek.env for #922 (default true)

Malcolm is a powerful, easily deployable network 🖧 traffic analysis tool suite for network security monitoring 🕵🏻‍♀️.

Malcolm operates as a cluster of containers 📦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker 🐋, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.

Alternatively, dedicated official ISO installer images 💿 for Malcolm and Hedgehog Linux 🦔 can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split 🪓 into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (release_cleaver.sh) and PowerShell 🪟 (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.

As always, join us on the Malcolm discussions board 💬 to engage with the community, or pop some corn 🍿 and watch a video 📼.

#Malcolm #HedgehogLinux #Zeek #Arkime #Strelka #NetBox #OpenSearch #Elasticsearch #Suricata #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #OT #ICS #icssecurity #CyberSecurity #Cyber #Infosec #INL

Malcolm v26.04.1 contains improvements, bug fixes, security updates, and component bumps.

If you are upgrading from an existing Malcolm installation, run ./scripts/status for Malcolm to migrate some settings prior to running ./scripts/configure, ./scripts/start, or other Malcolm control scripts.

v26.02.0...v26.04.1

Note that v26.04.1 is the same as v26.04.0 released last week, apart from the fix for bug #943. If you're already running v26.04.0 and don't use the encrypted install option in the installer ISO, you probably don't need to worry about updating to v26.04.1. The full release notes from v26.04.0 are also included here.

• ✨ Features and enhancements
  • implemented easier way to enable/disable Strelka scanners #935
  • Handle nested file scanning (e.g., from ZIP files) with Strelka #922
  • index selected Strelka result fields #919
• ✅ Component version updates
  • Zeek to v8.1.1
  • Arkime to v6.1.1
  • crytography to v46.0.6 (for CVE-2026-34073)
  • evtx to v0.11.2
  • Flask to v3.1.3 (for CVE-2026-27205)
  • Fluent Bit to v5.0.2
  • Logstash to v9.2.7
  • Requests to v2.33.1 (for CVE-2026-25645)
  • supercronic to v0.2.43
  • yq to v4.52.5
  • Updates for ICSNPP Hart IP parser #924
• 🐛 Bug fixes
  • Hedgehog Linux Breaking on Reboot after Encrypted Quick Install with Multiple Drives #943
  • Fix YAML syntax error in kubernetes/15-redis.yml due to missing end quote #926
  • Using remote elasticsearch data store uses deprecated ssl_certificate_verification setting [https://github.com/cisagov/Malcolm/issues/915]
  • fix Malcolm API loopback webhook to handle RBAC and non-JSON formatted events #916
  • fix issues in zeekdeploy.sh to handle long crypto handshakes and Zeek's state DB getting out of sync
• 🧹 Code and project maintenance
  • swap redis out for valkey #882
  • pin all third-party GitHub CI actions at known good SHA sums to mitigate things like the Trivy supply chain attack #933
  • some minor tweaks to various Dockerfiles and ISO build scripts to address vulnerability scanner findings
  • some documentation updates
• 📄 Configuration changes for Malcolm (in environment variables in ./config/). The Malcolm control script (e.g., ./scripts/status, ./scripts/start) automatically handles creation and migration of variables according to ./config/env-var-actions.yml.
  • Added ARKIME_PCAP_LIBPCAP to arkime.env should uses wish to revert to older libpcap mode for PCAP file processing rather than faster scheme processing (default false)
  • FILEBEAT_SCANNER_FINGERPRINT_LENGTH's default in filescan.env has been changed from 1024 to 512
  • redis.env has been renamed to valkey.env and its variables also have been renamed accordingly
  • STRELKA_SCANNERS has been added to pipeline.env for #935
  • ZEEK_DISABLE_SPICY_ZIP has been added to zeek.env for #922 (default true)

Malcolm is a powerful, easily deployable network 🖧 traffic analysis tool suite for network security monitoring 🕵🏻‍♀️.

Malcolm operates as a cluster of containers 📦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker 🐋, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.

Alternatively, dedicated official ISO installer images 💿 for Malcolm and Hedgehog Linux 🦔 can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split 🪓 into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (release_cleaver.sh) and PowerShell 🪟 (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.

As always, join us on the Malcolm discussions board 💬 to engage with the community, or pop some corn 🍿 and watch a video 📼.

#Malcolm #HedgehogLinux #Zeek #Arkime #Strelka #NetBox #OpenSearch #Elasticsearch #Suricata #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #OT #ICS #icssecurity #CyberSecurity #Cyber #Infosec #INL

Malcolm v26.04.1 contains improvements, bug fixes, security updates, and component bumps.

If you are upgrading from an existing Malcolm installation, run ./scripts/status for Malcolm to migrate some settings prior to running ./scripts/configure, ./scripts/start, or other Malcolm control scripts.

v26.02.0...v26.04.1

Note that v26.04.1 is the same as v26.04.0 released last week, apart from the fix for bug #943. If you're already running v26.04.0 and don't use the encrypted install option in the installer ISO, you probably don't need to worry about updating to v26.04.1. The full release notes from v26.04.0 are also included here.

• ✨ Features and enhancements
  • implemented easier way to enable/disable Strelka scanners #935
  • Handle nested file scanning (e.g., from ZIP files) with Strelka #922
  • index selected Strelka result fields #919
• ✅ Component version updates
  • Zeek to v8.1.1
  • Arkime to v6.1.1
  • crytography to v46.0.6 (for CVE-2026-34073)
  • evtx to v0.11.2
  • Flask to v3.1.3 (for CVE-2026-27205)
  • Fluent Bit to v5.0.2
  • Logstash to v9.2.7
  • Requests to v2.33.1 (for CVE-2026-25645)
  • supercronic to v0.2.43
  • yq to v4.52.5
  • Updates for ICSNPP Hart IP parser #924
• 🐛 Bug fixes
  • Hedgehog Linux Breaking on Reboot after Encrypted Quick Install with Multiple Drives #943
  • Fix YAML syntax error in kubernetes/15-redis.yml due to missing end quote #926
  • Using remote elasticsearch data store uses deprecated ssl_certificate_verification setting [https://github.com/cisagov/Malcolm/issues/915]
  • fix Malcolm API loopback webhook to handle RBAC and non-JSON formatted events #916
  • fix issues in zeekdeploy.sh to handle long crypto handshakes and Zeek's state DB getting out of sync
• 🧹 Code and project maintenance
  • swap redis out for valkey #882
  • pin all third-party GitHub CI actions at known good SHA sums to mitigate things like the Trivy supply chain attack #933
  • some minor tweaks to various Dockerfiles and ISO build scripts to address vulnerability scanner findings
  • some documentation updates
• 📄 Configuration changes for Malcolm (in environment variables in ./config/). The Malcolm control script (e.g., ./scripts/status, ./scripts/start) automatically handles creation and migration of variables according to ./config/env-var-actions.yml.
  • Added ARKIME_PCAP_LIBPCAP to arkime.env should uses wish to revert to older libpcap mode for PCAP file processing rather than faster scheme processing (default false)
  • FILEBEAT_SCANNER_FINGERPRINT_LENGTH's default in filescan.env has been changed from 1024 to 512
  • redis.env has been renamed to valkey.env and its variables also have been renamed accordingly
  • STRELKA_SCANNERS has been added to pipeline.env for #935
  • ZEEK_DISABLE_SPICY_ZIP has been added to zeek.env for #922 (default true)

Malcolm is a powerful, easily deployable network 🖧 traffic analysis tool suite for network security monitoring 🕵🏻‍♀️.

Malcolm operates as a cluster of containers 📦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker 🐋, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.

Alternatively, dedicated official ISO installer images 💿 for Malcolm and Hedgehog Linux 🦔 can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split 🪓 into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (release_cleaver.sh) and PowerShell 🪟 (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.

As always, join us on the Malcolm discussions board 💬 to engage with the community, or pop some corn 🍿 and watch a video 📼.

#Malcolm #HedgehogLinux #Zeek #Arkime #Strelka #NetBox #OpenSearch #Elasticsearch #Suricata #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #OT #ICS #icssecurity #CyberSecurity #Cyber #Infosec #INL

Malcolm v26.04.1 contains improvements, bug fixes, security updates, and component bumps.

If you are upgrading from an existing Malcolm installation, run ./scripts/status for Malcolm to migrate some settings prior to running ./scripts/configure, ./scripts/start, or other Malcolm control scripts.

v26.02.0...v26.04.1

Note that v26.04.1 is the same as v26.04.0 released last week, apart from the fix for bug #943. If you're already running v26.04.0 and don't use the encrypted install option in the installer ISO, you probably don't need to worry about updating to v26.04.1. The full release notes from v26.04.0 are also included here.

• ✨ Features and enhancements
  • implemented easier way to enable/disable Strelka scanners #935
  • Handle nested file scanning (e.g., from ZIP files) with Strelka #922
  • index selected Strelka result fields #919
• ✅ Component version updates
  • Zeek to v8.1.1
  • Arkime to v6.1.1
  • crytography to v46.0.6 (for CVE-2026-34073)
  • evtx to v0.11.2
  • Flask to v3.1.3 (for CVE-2026-27205)
  • Fluent Bit to v5.0.2
  • Logstash to v9.2.7
  • Requests to v2.33.1 (for CVE-2026-25645)
  • supercronic to v0.2.43
  • yq to v4.52.5
  • Updates for ICSNPP Hart IP parser #924
• 🐛 Bug fixes
  • Hedgehog Linux Breaking on Reboot after Encrypted Quick Install with Multiple Drives #943
  • Fix YAML syntax error in kubernetes/15-redis.yml due to missing end quote #926
  • Using remote elasticsearch data store uses deprecated ssl_certificate_verification setting [https://github.com/cisagov/Malcolm/issues/915]
  • fix Malcolm API loopback webhook to handle RBAC and non-JSON formatted events #916
  • fix issues in zeekdeploy.sh to handle long crypto handshakes and Zeek's state DB getting out of sync
• 🧹 Code and project maintenance
  • swap redis out for valkey #882
  • pin all third-party GitHub CI actions at known good SHA sums to mitigate things like the Trivy supply chain attack #933
  • some minor tweaks to various Dockerfiles and ISO build scripts to address vulnerability scanner findings
  • some documentation updates
• 📄 Configuration changes for Malcolm (in environment variables in ./config/). The Malcolm control script (e.g., ./scripts/status, ./scripts/start) automatically handles creation and migration of variables according to ./config/env-var-actions.yml.
  • Added ARKIME_PCAP_LIBPCAP to arkime.env should uses wish to revert to older libpcap mode for PCAP file processing rather than faster scheme processing (default false)
  • FILEBEAT_SCANNER_FINGERPRINT_LENGTH's default in filescan.env has been changed from 1024 to 512
  • redis.env has been renamed to valkey.env and its variables also have been renamed accordingly
  • STRELKA_SCANNERS has been added to pipeline.env for #935
  • ZEEK_DISABLE_SPICY_ZIP has been added to zeek.env for #922 (default true)

Malcolm is a powerful, easily deployable network 🖧 traffic analysis tool suite for network security monitoring 🕵🏻‍♀️.

Malcolm operates as a cluster of containers 📦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker 🐋, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.

Alternatively, dedicated official ISO installer images 💿 for Malcolm and Hedgehog Linux 🦔 can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split 🪓 into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (release_cleaver.sh) and PowerShell 🪟 (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.

As always, join us on the Malcolm discussions board 💬 to engage with the community, or pop some corn 🍿 and watch a video 📼.

#Malcolm #HedgehogLinux #Zeek #Arkime #Strelka #NetBox #OpenSearch #Elasticsearch #Suricata #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #OT #ICS #icssecurity #CyberSecurity #Cyber #Infosec #INL

Malcolm v26.04.1 contains improvements, bug fixes, security updates, and component bumps.

If you are upgrading from an existing Malcolm installation, run ./scripts/status for Malcolm to migrate some settings prior to running ./scripts/configure, ./scripts/start, or other Malcolm control scripts.

v26.02.0...v26.04.1

Note that v26.04.1 is the same as v26.04.0 released last week, apart from the fix for bug #943. If you're already running v26.04.0 and don't use the encrypted install option in the installer ISO, you probably don't need to worry about updating to v26.04.1. The full release notes from v26.04.0 are also included here.

• ✨ Features and enhancements
  • implemented easier way to enable/disable Strelka scanners #935
  • Handle nested file scanning (e.g., from ZIP files) with Strelka #922
  • index selected Strelka result fields #919
• ✅ Component version updates
  • Zeek to v8.1.1
  • Arkime to v6.1.1
  • crytography to v46.0.6 (for CVE-2026-34073)
  • evtx to v0.11.2
  • Flask to v3.1.3 (for CVE-2026-27205)
  • Fluent Bit to v5.0.2
  • Logstash to v9.2.7
  • Requests to v2.33.1 (for CVE-2026-25645)
  • supercronic to v0.2.43
  • yq to v4.52.5
  • Updates for ICSNPP Hart IP parser #924
• 🐛 Bug fixes
  • Hedgehog Linux Breaking on Reboot after Encrypted Quick Install with Multiple Drives #943
  • Fix YAML syntax error in kubernetes/15-redis.yml due to missing end quote #926
  • Using remote elasticsearch data store uses deprecated ssl_certificate_verification setting [https://github.com/cisagov/Malcolm/issues/915]
  • fix Malcolm API loopback webhook to handle RBAC and non-JSON formatted events #916
  • fix issues in zeekdeploy.sh to handle long crypto handshakes and Zeek's state DB getting out of sync
• 🧹 Code and project maintenance
  • swap redis out for valkey #882
  • pin all third-party GitHub CI actions at known good SHA sums to mitigate things like the Trivy supply chain attack #933
  • some minor tweaks to various Dockerfiles and ISO build scripts to address vulnerability scanner findings
  • some documentation updates
• 📄 Configuration changes for Malcolm (in environment variables in ./config/). The Malcolm control script (e.g., ./scripts/status, ./scripts/start) automatically handles creation and migration of variables according to ./config/env-var-actions.yml.
  • Added ARKIME_PCAP_LIBPCAP to arkime.env should uses wish to revert to older libpcap mode for PCAP file processing rather than faster scheme processing (default false)
  • FILEBEAT_SCANNER_FINGERPRINT_LENGTH's default in filescan.env has been changed from 1024 to 512
  • redis.env has been renamed to valkey.env and its variables also have been renamed accordingly
  • STRELKA_SCANNERS has been added to pipeline.env for #935
  • ZEEK_DISABLE_SPICY_ZIP has been added to zeek.env for #922 (default true)

Malcolm is a powerful, easily deployable network 🖧 traffic analysis tool suite for network security monitoring 🕵🏻‍♀️.

Malcolm operates as a cluster of containers 📦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker 🐋, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.

Alternatively, dedicated official ISO installer images 💿 for Malcolm and Hedgehog Linux 🦔 can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split 🪓 into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (release_cleaver.sh) and PowerShell 🪟 (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.

As always, join us on the Malcolm discussions board 💬 to engage with the community, or pop some corn 🍿 and watch a video 📼.

#Malcolm #HedgehogLinux #Zeek #Arkime #Strelka #NetBox #OpenSearch #Elasticsearch #Suricata #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #OT #ICS #icssecurity #CyberSecurity #Cyber #Infosec #INL

Malcolm v25.12.1 contains a few critical bug fixes and component version updates.

https://github.com/idaholab/Malcolm/compare/v25.12.0...v25.12.1

• ✨ Features and enhancements
  • Installer splash screen shows "HEDGEHOG" when using Hedgehog run profile
• ✅ Component version updates
  • supercronic to v0.2.40
  • Alpine (Docker base image) to v3.23
  • NetBox to v4.4.8
  • urllib3 to v2.6.0 (CVE-2025-66471, 8.9 High, GHSA-2xpw-w6gg-jr37)
• 🐛 Bug fixes
  • Changed field used in Threat Intelligence dashboard's file type table from zeek.intel.file_mime_type to file.mime_type so filters created from it can work on other dashboards
  • link for threat intelligence URL doesn't work correctly from dashboards (behind reverse proxy) (#832)
  • self-signed certificates not accepted by Chrome (#833)
  • Malcolm ISO installer's automatic partitioning may create too-small /var partition (#835)
• 🧹 Code and project maintenance
  • Added new Analytics section to documentation

Malcolm is a powerful, easily deployable network 🖧 traffic analysis tool suite for network security monitoring 🕵🏻‍♀️.

Malcolm operates as a cluster of containers 📦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker 🐋, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.

Alternatively, dedicated official ISO installer images 💿 for Malcolm and Hedgehog Linux 🦔 can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split 🪓 into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (release_cleaver.sh) and PowerShell 🪟 (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.

As always, join us on the Malcolm discussions board 💬 to engage with the community, or pop some corn 🍿 and watch a video 📼.

#Malcolm #HedgehogLinux #Zeek #Arkime #NetBox #OpenSearch #Elasticsearch #Suricata #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #OT #ICS #icssecurity #CyberSecurity #Cyber #Infosec #INL

Malcolm v25.11.0 includes an overhaul of the install.py installation/configuration script, a few bug fixes, and some component version updates.

https://github.com/idaholab/Malcolm/compare/v25.09.0...v25.11.0

• ✨ Features and enhancements
  • We're in the process of majorly overhauling our install.py script (#395) used for setting up a Linux or MacOS system to run Malcolm and for configuring Malcolm's runtime options. There are future updates still to come (#766) but for now the command-line and dialog-based interfaces' functionality and backend are in place. The step-by-step wizard has been replaced with a menu-based interface that allows for changing individual values without having to step through the whole set of questions. The Docker-based Malcolm installation example on Ubuntu and end-to-end installation example have useful information about this change, as does the command-line arguments document. We've done a lot of testing on what's a complete rewrite of this, but there is a possibility we missed something; if you find an issue with the new install/configure script, please open a discussion or log a bug and let us know. For the next release or so, we're leaving the legacy installer in place as scripts/legacy_install.py which could be used in a pinch (e.g., run scripts/legacy_install.py --configure for the old configuration menu).
  • We've incorporated a new "Connections Tree" visualization. This visualization tracks the potential of lateral movement based on the observed communications between all devices that reach a root node, identified by IP address. It gives a high-level view showing both direct and indirect connetions between the root IP and all of its destinations, regardless of time, along with enriched data for each endpoint and connection.
  • Updates to the Validated Design Architecture Review (VADR) dashboards.
  • The OpenSearch container now includes the repository-s3 plugin, useful for those who wish to configure OpenSearch's snapshots to save to S3-compatible buckets.
• ✅ Component version updates
  • Arkime to v5.8.2
  • Fluent Bit to v4.1.1
  • Keycloak to v26.4.2
  • OpenResty to v1.27.1.2
  • OpenSearch Dashboards to v3.3.0
  • OpenSearch to v3.3.2
  • supercronic to v0.2.38
  • yq to v4.48.1
  • Zeek to v8.0.3
• 🐛 Bug fixes
  • Double imports when restarting Malcolm (#588) (thanks @KchChr)
• 🧹 Code and project maintenance
  • Refactored a number of Python functions to reduce cyclomatic complexity (#765, work ongoing)
• 📄 Configuration changes (in environment variables in ./config/) for Malcolm and in control_vars.conf for Hedgehog Linux. The Malcolm control script (e.g., ./scripts/status, ./scripts/start, etc.) should take care of creating new variables and migrating existing ones as needed based on the rules in ./config/env-var-actions.yml without intervention on the user's part.
  • Malcolm
    • NGINX_RESOLVER_IPV4_OFF and NGINX_RESOLVER_IPV6_OFF have been renamed to NGINX_RESOLVER_IPV4 and NGINX_RESOLVER_IPV6, respectively, and their logic reversed, in nginx.env.

Malcolm is a powerful, easily deployable network 🖧 traffic analysis tool suite for network security monitoring 🕵🏻‍♀️.

Malcolm operates as a cluster of containers 📦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker 🐋, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.

Alternatively, dedicated official ISO installer images 💿 for Malcolm and Hedgehog Linux 🦔 can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split 🪓 into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (release_cleaver.sh) and PowerShell 🪟 (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.

As always, join us on the Malcolm discussions board 💬 to engage with the community, or pop some corn 🍿 and watch a video 📼.

#Malcolm #HedgehogLinux #Zeek #Arkime #NetBox #OpenSearch #Elasticsearch #Suricata #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #OT #ICS #icssecurity #CyberSecurity #Cyber #Infosec #INL

Malcolm v25.09.0 includes new features and available customizations, improvements to Threat Intelligence, component version updates, and several important bug fixes.

https://github.com/idaholab/Malcolm/compare/v25.08.1...v25.09.0

• ✨ Features and enhancements
  • improve Modbus register tracking with new modbus_detailed.log (cisagov/Malcolm#762)
  • add non-LVM option(s) for Malcolm/Hedgehog Linux ISO installers (cisagov/Malcolm#725)
  • allow configuring default search time frame for OpenSearch Dashboards (cisagov/Malcolm#724)
  • allow customizing maximum upload file size (cisagov/Malcolm#769)
  • add Arkime capture statistics to the Packet Capture Statistics dashboard (cisagov/Malcolm#703)
  • integrate Validated Architecture Design Review (VADR) dashboards (cisagov/Malcolm#780)
  • Threat Intelligence improvements
    • support Google Threat Intelligence feed for building Zeek intel source (cisagov/Malcolm#758)
    • renamed Zeek Intelligence dashboard to Threat Intelligence and improved it
    • links from context menu items in Arkime and Dashboards (like reference URLs for IOCs) now ask the user before navigating to external sites
  • Added icons with links to "ready" and "ingest statistics" APIs to landing page
  • Include tx-rx-secure.sh in files packaged by malcolm_appliance_packager.sh
• ✅ Component version updates
  • Arkime to v5.8.0
  • NetBox to v4.3.7
  • yq to v4.47.2
  • Fluent Bit to v4.0.10
• 🐛 Bug fixes
  • Python code handling X-Forwarded- headers should do case insensitive lookup (cisagov/Malcolm#764)
  • uploaded PCAPs that result in no filename-derived tags erroneously end up with internal tags on them (cisagov/Malcolm#774)
  • installer option for encrypted storage are not marking secondary data/artifact storage for encryption (cisagov/Malcolm#779)
  • Malcolm/Hedgehog Linux ISO-installed environments' auditd service fails to start (cisagov/Malcolm#761)
  • Failed shard query error on Overview dashboard (cisagov/Malcolm#754)
• 🧹 Code and project maintenance
  • refactor GitHub build actions for Malcolm Docker images to reduce duplication (cisagov/Malcolm#717)
• 📄 Configuration changes (in environment variables in ./config/) for Malcolm and in control_vars.conf for Hedgehog Linux. The Malcolm control script (e.g., ./scripts/status, ./scripts/start, etc.) should take care of creating new variables and migrating existing ones as needed based on the rules in ./config/env-var-actions.yml.
  • Malcolm
    • PCAP_UPLOAD_MAX_FILE_GB added to upload-common.env to allow configuring maximum PCAP upload size (cisagov/Malcolm#769)
    • DASHBOARDS_TIMEPICKER_FROM and DASHBOARDS_TIMEPICKER_TO added to dashboards-helper.env to allow configuring default search time frame for OpenSearch Dashboards (cisagov/Malcolm#724)

Malcolm is a powerful, easily deployable network 🖧 traffic analysis tool suite for network security monitoring 🕵🏻‍♀️.

Malcolm operates as a cluster of containers 📦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker 🐋, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.

Alternatively, dedicated official ISO installer images 💿 for Malcolm and Hedgehog Linux 🦔 can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split 🪓 into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (release_cleaver.sh) and PowerShell 🪟 (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.

As always, join us on the Malcolm discussions board 💬 to engage with the community, or pop some corn 🍿 and watch a video 📼.

#Malcolm #HedgehogLinux #Zeek #Arkime #NetBox #OpenSearch #Elasticsearch #Suricata #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #OT #ICS #icssecurity #CyberSecurity #Cyber #Infosec #INL