Arkime Docker image/container
This repository contains the files to build a Docker image of the Arkime software.

Ready-to-use Docker images can be pulled from https://hub.docker.com/r/mammo0/docker-arkime

To run this image a working Elasticsearch environment is required. Please follow the Elasticsearch documentation for setting this up (e.g. for Docker: https://www.elastic.co/guide/en/elasticsearch/reference/current/docker.html).
This image can be run with:

```sh
docker run \
  -e ES_HOST=elasticsearch \
  -e ES_PORT=9200 \
  -v <config_volume>:/data/config \
  -v <pcap_volume>:/data/pcap \
  -v <log_volume>:/data/logs \
  mammo0/docker-arkime:<tag>
```
These parameters are available:

| ENV VARIABLE | DEFAULT VALUE | NOTES |
|---|---|---|
| ES_HOST | elasticsearch | The hostname or IP address where Elasticsearch is running. |
| ES_PORT | 9200 | The port where Elasticsearch is reachable. |
| MOLOCH_PASSWORD | admin | The password for the Arkime admin user, needed for the first login. It can be changed afterwards. |
| MOLOCH_INTERFACE | eth0 | Network interface on which the moloch-capture process listens. This feature is not tested yet! |
| ARKIME_HOSTNAME | localhost | Arkime authenticates at Elasticsearch with this hostname, so if you change it you will lose your Elasticsearch configuration. |
| CAPTURE | off | Set to "on" to activate the moloch-capture process. This feature is not tested yet! |
| VIEWER | on | Set to "off" to deactivate the Arkime viewer. |

| VOLUME | CONTAINER PATH | NOTES |
|---|---|---|
| config_volume | /data/config | The Arkime configuration is saved in this directory. |
| pcap_volume | /data/pcap | The pcap files generated by moloch-capture are saved in this directory. |
| log_volume | /data/logs | The Arkime log files are saved in this directory. |
You can use docker-compose if you want to set up Elasticsearch together with Arkime in one step.

- Please copy or rename the file `docker-compose.env` to `.env` before running `docker-compose up`. You may want to change some of the variables inside. Each variable is documented there.
- Please ensure you have done this step (otherwise Elasticsearch won't start): https://www.elastic.co/guide/en/elasticsearch/reference/current/vm-max-map-count.html
- Run `chmod -R 777 es_data` OR `chown -R 1000:1000 es_data`. This is needed for the Elasticsearch containers to be able to write to that directory.

Then simply run:

```sh
docker-compose up -d
```

It can take some time until the Elasticsearch instances are fully started.
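The three preparation steps above are easy to forget and each produces a different, confusing Elasticsearch failure. The following added pre-flight script (example code, not part of the docker-arkime repository) checks them before `docker-compose up -d`. It assumes the compose project directory is passed as the first argument (default `.`), that the data directory is named `es_data` as in the steps above, that the Elasticsearch containers run as uid 1000 (the `chown` target above), and uses 262144 as the vm.max_map_count minimum documented by Elastic at the link above:

```sh
#!/bin/sh
# Added example pre-flight script for the docker-compose setup (not the project's own code).
# Assumed: project dir as $1 (default .), data dir named es_data, ES container uid 1000.

ES_MIN_MAX_MAP_COUNT=262144   # minimum from Elastic's vm-max-map-count documentation
ES_CONTAINER_UID=1000         # uid used by the Elasticsearch containers (chown target above)

# check_env_file DIR -> 0 if DIR/.env exists (docker-compose.env was copied or renamed)
check_env_file() {
    [ -f "$1/.env" ]
}

# check_max_map_count VALUE -> 0 if VALUE is numeric and at least the minimum
check_max_map_count() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge "$ES_MIN_MAX_MAP_COUNT" ]
}

# check_es_data_dir DIR [UID] -> 0 if DIR is owned by UID (the chown option) or
# world-writable (the chmod 777 option); otherwise Elasticsearch cannot write to it
check_es_data_dir() {
    dir=$1
    want_uid=${2:-$ES_CONTAINER_UID}
    [ -d "$dir" ] || return 1
    owner=$(ls -ldn "$dir" | awk '{print $3}')
    [ "$owner" = "$want_uid" ] && return 0
    # the 9th character of the mode string is the "others may write" bit
    [ "$(ls -ld "$dir" | cut -c9)" = "w" ]
}

# preflight [DIR] -> run all checks, report what is missing, non-zero on any failure
preflight() {
    project=${1:-.}
    rc=0
    check_env_file "$project" \
        || { echo "missing $project/.env: copy docker-compose.env to .env first"; rc=1; }
    if [ -r /proc/sys/vm/max_map_count ]; then
        check_max_map_count "$(cat /proc/sys/vm/max_map_count)" \
            || { echo "vm.max_map_count is below $ES_MIN_MAX_MAP_COUNT: see the link above"; rc=1; }
    else
        echo "note: /proc/sys/vm/max_map_count not readable (not Linux?), skipping that check"
    fi
    check_es_data_dir "$project/es_data" \
        || { echo "$project/es_data is not writable for uid $ES_CONTAINER_UID: run chown -R 1000:1000 es_data (least privilege) or chmod -R 777 es_data"; rc=1; }
    return $rc
}

# Usage: sh preflight.sh /path/to/compose/project && docker-compose up -d
case "${0##*/}" in preflight.sh) preflight "$@" ;; esac
```

The ownership check accepts either of the two options the steps give; of the two, `chown -R 1000:1000` is the least-privilege choice because it grants write access only to the container's uid instead of to every user on the host.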
The Arkime viewer instance can then be accessed via the default viewer port, assuming you didn't change it in the `.env` file.
To import existing pcap files, have a look at the `scripts/arkime-parse-pcap-folder.sh` script. It can be run within the running container:

```sh
docker exec -it <container_name> \
  /data/arkime-parse-pcap-folder.sh -d <directory_with_pcap_files> -t <tag>
```

If the parameter `-d` is omitted, the script asks if you want to import the default directory `/data/pcap`.