Malcolm is a powerful, easily deployable network traffic analysis tool suite for full packet capture artifacts (PCAP files), Zeek logs and Suricata alerts.
Enrichment takes place in the logstash pipeline. This, of course, precludes data being processed by Arkime capture from having the same enrichments done on them. Of particular note is the NetBox enrichment.
Arkime does have a plugin architecture. It's possible that we could build an Arkime plugin .so that takes care of this.
Need to:
investigate how to create an Arkime plugin .so
identify which enrichment(s) would be appropriate to do in the plugin, avoiding too much duplicated code if possible (although I don't know how we'd reuse any of it, tbh, as we're not going to be able to use the logstash filter stuff at all outside of logstash)
Another option is to point Arkime capture at the elasticsearch/opensearch fluent bit input plugin and see if we can use that to get them through Logstash rather than straight into ES/OS.
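The routing suggested above, sketched as an added example that is not part of the original issue or of Malcolm's own configuration: Fluent Bit's `elasticsearch` input plugin answers Bulk API requests on a local port, so Arkime capture can be pointed at it as if it were OpenSearch, and the records are then posted on to a Logstash `http` input for enrichment. Hostnames, ports, the `version` string Arkime sees, and Logstash actually accepting this record shape are assumptions for illustration.

```ini
# Constructed Fluent Bit configuration (assumed values; not Malcolm's own files).
# Arkime capture writes via the Bulk API, so it is pointed at this listener
# instead of directly at OpenSearch.
[SERVICE]
    flush        1
    log_level    info

[INPUT]
    name              elasticsearch
    # Bulk API emulation; Arkime connects to http://fluent-bit-host:9200
    listen            0.0.0.0
    port              9200
    # Version string returned to clients that probe the root endpoint.
    # Must match what the Arkime capture build expects (assumption).
    version           7.10.2
    # Large capture batches; raise if Arkime's bulk bodies are rejected.
    buffer_max_size   16M
    buffer_chunk_size 1M
    # Keep the _index/_id metadata so Logstash can re-target the index.
    meta_key          @meta
    tag_key           _index

[OUTPUT]
    name        http
    match       *
    # Logstash http input on the enrichment pipeline (assumed host/port/path).
    host        logstash
    port        8080
    uri         /arkime
    format      json
    # Send the original Arkime timestamp field through unchanged.
    json_date_key  timestamp
    json_date_format  epoch
```

The matching Logstash side is an `http` input with a JSON codec on port 8080; the `@meta` field carries the index name Arkime intended so the pipeline's output stage can preserve it after enrichment.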