Malcolm v6.1.0 is a feature release with a number of updates and improvements.
-
Bugs fixed
- Zeek logs get reingested after container restart - (idaholab#101)
- Added IPsec fields that were not being parsed
- Fixed some dashboards that should have been using ECS field names
- Split the STUN attribute type field on comma during
stun.logparsing
-
Improvements
- Malcolm's OpenSearch index template is now composed upon initialization with elements from the latest Elastic Common Schema release.
- Replaced most instances of beats on Hedgehog Linux (with the exception of the Apache-licensed 7.10.2 filebeat which is compatible with OpenSearch) with Fluent Bit (see idaholab#102) for resource utilization monitoring, etc. and recreated dashboards referencing these metrics
- Replaced Auditbeat file integrity checking module with AIDE for Hedgehog Linux
- Added an optionally exposed (disabled by default) a TCP input endpoint to Malcolm to allow easier ingestion of other third-party logs not natively supported by Malcolm
- Improvements to APIs for listing fields and indices
- Removed old environment variable-configured Index State Management code as the new OpenSearch v2.1.0 release has nice UIs for both index state management and snapshot management
-
Version bumps of note
- Supercronic to v0.2.1
- OpenSearch and OpenSearch Dashboards to v2.1.0 (incorporating changes from v2.0.0, v2.0.1 and v2.1.0)
- Zeek to v5.0.0 with built-in Spicy and Spicy Zeek plugin
- YARA to v4.2.2
Malcolm and Hedgehog Linux may be obtained by pulling or building the Docker images and/or building the ISO installer images as described in the documentation. Unofficial ISO installer images for Malcolm and Hedgehog Linux are not hosted on GitHub, but may be downloaded from https://malcolm.fyi/download/.