v6.1.0 development

[mmguero]

Malcolm v6.1.0 is a feature release with a number of updates and improvements.

v6.0.1...v6.1.0

• Bugs fixed

  • Zeek logs get reingested after container restart - Zeek-Logs get reingested after container restart #101
  • Added IPsec fields that were not being parsed
  • Fixed some dashboards that should have been using ECS field names
  • Split the STUN attribute type field on comma during stun.log parsing

• Improvements

  • Malcolm's OpenSearch index template is now composed upon initialization with elements from the latest Elastic Common Schema release.
  • Replaced most instances of beats on Hedgehog Linux (with the exception of the Apache-licensed 7.10.2 filebeat which is compatible with OpenSearch) with Fluent Bit (see replace beats with fluentbit #102) for resource utilization monitoring, etc. and recreated dashboards referencing these metrics
  • Replaced Auditbeat file integrity checking module with AIDE for Hedgehog Linux
  • Added an optionally exposed (disabled by default) a TCP input endpoint to Malcolm to allow easier ingestion of other third-party logs not natively supported by Malcolm
  • Improvements to APIs for listing fields and indices
  • Removed old environment variable-configured Index State Management code as the new OpenSearch v2.1.0 release has nice UIs for both index state management and snapshot management

• Version bumps of note

  • Supercronic to v0.2.1
  • OpenSearch and OpenSearch Dashboards to v2.1.0 (incorporating changes from v2.0.0, v2.0.1 and v2.1.0)
  • Zeek to v5.0.0 with built-in Spicy and Spicy Zeek plugin
  • YARA to v4.2.2

Malcolm and Hedgehog Linux may be obtained by pulling or building the Docker images and/or building the ISO installer images as described in the documentation. Unofficial ISO installer images for Malcolm and Hedgehog Linux are not hosted on GitHub, but may be downloaded from https://malcolm.fyi/download/.