Installation of Moloch/Arkime
- Author : Miroslav Kohútik
- Tested version : 1.7.0
- Operating system : Ubuntu 16.04
Installation of Moloch is no trivial matter, which is why we have prepared this guide on how to set up the system in a cloud environment.
Setup before installation
Before installing Moloch itself, you need to install the Elasticsearch database and make the following changes to the configuration of the operating system.
Add Java repository
sudo add-apt-repository ppa:webupd8team/java
Perform an update of the list of packages and packages themselves to the latest versions
sudo apt-get update -y && sudo apt-get upgrade -y
Download and install the public GPG signing key
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
Add Elastic Repository
echo "deb https://artifacts.elastic.co/packages/5.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-5.x.list
Perform another package update
sudo apt-get update -y && sudo apt-get upgrade -y && sudo apt-get dist-upgrade -y
Clean-up (Optional)
sudo apt-get autoremove
Disable swap
sudo swapoff -a
sudo nano /etc/fstab
Edit fstab and comment out the swap entry, which will look like one of the following:
#/dev/mapper/logs--vg-swap_1 none swap sw 0 0
or
#/dev/mapper/user--vg-swap_1 none swap sw 0 0
Install Java 8
sudo apt-get install oracle-java8-installer
Install Elasticsearch
sudo apt-get install elasticsearch
Install Moloch/Arkime
Install additional necessary packages
sudo apt-get install wget curl libpcre3-dev uuid-dev libmagic-dev pkg-config g++ flex bison zlib1g-dev libffi-dev gettext libgeoip-dev make libjson-perl libbz2-dev libwww-perl libpng-dev xz-utils
Download the newest version of Moloch/Arkime (Arkime downloads)
wget https://files.molo.ch/builds/ubuntu-16.04/moloch_1.7.0-1_amd64.deb
Install Moloch
Note: when asked whether or not to install Elasticsearch, choose no, since you have already installed Elasticsearch earlier and this script offers only the demo version.
sudo dpkg -i moloch_1.7.0-1_amd64.deb
Install dependencies (only if the previous step halts due to errors)
sudo apt-get -f install
Configure Moloch/Arkime
Start Elasticsearch on startup
sudo systemctl enable elasticsearch.service
Configure Elasticsearch (optional; adjust as needed, the maximum RAM allocation is 32 GB)
It is recommended that Elasticsearch be installed on a separate machine.
sudo nano /etc/elasticsearch/jvm.options
Start Elasticsearch
sudo systemctl start elasticsearch.service
Check Elasticsearch Status
sudo systemctl status elasticsearch.service
To configure Moloch, you can either download a configuration file from https://github.com/aol/moloch/wiki/Settings or configure Moloch yourself using the following two commands.
Before configuring Moloch manually, delete the config.ini file from /data/moloch/etc/
sudo rm /data/moloch/etc/config.ini
Configure Moloch as needed
sudo /data/moloch/bin/Configure
Initialize Elasticsearch Database
sudo /data/moloch/db/db.pl http://localhost:9200 init
Install and update npm
sudo apt install npm
npm update
Add Moloch User
sudo /data/moloch/bin/moloch_add_user.sh admin admin PASSWORDGOESHERE --admin
Start Moloch Capture Service
sudo systemctl start molochcapture.service
Check Moloch Capture Service status
sudo systemctl status molochcapture.service
Start Moloch Viewer Service
sudo systemctl start molochviewer.service
Check Moloch Viewer Service status
sudo systemctl status molochviewer.service
Provided you have done everything right so far, you should be able to access the web interface at http://IPADDRESSOFINTERFACE:8005
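The following post-install check script is an added example and not part of Moloch or of the original guide. It verifies the three things this guide changes that Elasticsearch is most sensitive to: no active swap entries left in /etc/fstab, a sane -Xms/-Xmx heap in /etc/elasticsearch/jvm.options (equal, and within the 32 GB ceiling mentioned above), and a green or yellow cluster status; it assumes the file paths used in the guide and the same http://localhost:9200 endpoint that db.pl is given.

```shell
#!/bin/sh
# Added pre-flight checks for this guide (assumed paths: /etc/fstab,
# /etc/elasticsearch/jvm.options, Elasticsearch at http://localhost:9200).

# Print every uncommented swap entry in an fstab file; returns 1 if any
# remain (field 3 is the filesystem type, commented lines are skipped).
active_swap_entries() {
    awk '$0 !~ /^[[:space:]]*#/ && NF >= 3 && $3 == "swap" { print; found = 1 }
         END { exit found ? 1 : 0 }' "$1"
}

# Convert a JVM heap size such as 4g, 512m or 31G into megabytes.
heap_to_mb() {
    num=$(printf '%s' "$1" | sed 's/[^0-9]//g')
    case "$1" in
        *[gG]) echo $((num * 1024)) ;;
        *[mM]) echo "$num" ;;
        *[kK]) echo $((num / 1024)) ;;
        *)     echo $((num / 1024 / 1024)) ;;
    esac
}

# jvm.options check: -Xms and -Xmx must both be present, equal to each
# other, and no larger than 32 GB (the ceiling the guide mentions).
heap_settings_ok() {
    xms=$(grep '^-Xms' "$1" | head -n1 | sed 's/^-Xms//')
    xmx=$(grep '^-Xmx' "$1" | head -n1 | sed 's/^-Xmx//')
    [ -n "$xms" ] && [ -n "$xmx" ] || return 1
    xms_mb=$(heap_to_mb "$xms"); xmx_mb=$(heap_to_mb "$xmx")
    [ "$xms_mb" -eq "$xmx_mb" ] && [ "$xmx_mb" -le $((32 * 1024)) ]
}

# Extract "status" from an Elasticsearch _cluster/health JSON response;
# prints it and returns 1 unless the status is green or yellow.
es_cluster_status() {
    status=$(printf '%s' "$1" | sed -n 's/.*"status"[[:space:]]*:[[:space:]]*"\([a-z]*\)".*/\1/p')
    printf '%s\n' "${status:-unknown}"
    [ "$status" = "green" ] || [ "$status" = "yellow" ]
}

# Run every check against the live host (only meaningful on the Moloch box).
preflight() {
    active_swap_entries /etc/fstab >/dev/null && echo "swap: disabled in fstab" || echo "swap: WARNING, active entries remain"
    heap_settings_ok /etc/elasticsearch/jvm.options && echo "heap: ok" || echo "heap: check -Xms/-Xmx"
    es_cluster_status "$(curl -s http://localhost:9200/_cluster/health)"
}

if [ "${1:-}" = "--run" ]; then preflight; fi
```

Invoke it as `sh check.sh --run` on the installed host; each function can also be sourced and used on its own.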
Sources:
- Github Information about Moloch
- Moloch Initial Install