Malcolm is a powerful, easily deployable network traffic analysis tool suite for full packet capture artifacts (PCAP files), Zeek logs and Suricata alerts.
The contributor's guide gives instructions for exporting a newly created dashboard for inclusion in ./dashboards/dashboards in the Malcolm source repository, but this would be better to be at least a script. I think ideally the script would live inside the dashboards-helper container and could be executed using docker compose and avoid having to have dependencies outside the container.
The script would need to:
call the /dashboards/api/opensearch-dashboards/dashboards/export API to get the dashboard by ID (perhaps it could be looked up by name, but ID is surer)
remove the arkime_sessions3-* index pattern definition section completely
replace the string arkime_sessions3-* with MALCOLM_NETWORK_INDEX_PATTERN_REPLACER and malcolm_beats_* with MALCOLM_OTHER_INDEX_PATTERN_REPLACER
in my opinion, set any instances of highlightAll in the JSON to false
The contributor's guide gives instructions for exporting a newly created dashboard for inclusion in
./dashboards/dashboardsin the Malcolm source repository, but this would be better to be at least a script. I think ideally the script would live inside thedashboards-helpercontainer and could be executed usingdocker composeand avoid having to have dependencies outside the container.The script would need to:
/dashboards/api/opensearch-dashboards/dashboards/exportAPI to get the dashboard by ID (perhaps it could be looked up by name, but ID is surer)arkime_sessions3-*index pattern definition section completelyarkime_sessions3-*withMALCOLM_NETWORK_INDEX_PATTERN_REPLACERandmalcolm_beats_*withMALCOLM_OTHER_INDEX_PATTERN_REPLACERhighlightAllin the JSON tofalse