{"id":22671,"date":"2024-06-05T19:01:36","date_gmt":"2024-06-05T16:01:36","guid":{"rendered":"https:\/\/kifarunix.com\/?p=22671"},"modified":"2024-06-05T19:01:39","modified_gmt":"2024-06-05T16:01:39","slug":"how-to-install-arkime-with-elasticsearch-8-on-ubuntu-24-04","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/how-to-install-arkime-with-elasticsearch-8-on-ubuntu-24-04\/","title":{"rendered":"How to Install Arkime with Elasticsearch 8 on Ubuntu 24.04"},"content":{"rendered":"\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1071\" height=\"602\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2024\/06\/install-arkime.png?v=1717603228\" alt=\"Install Arkime with Elasticsearch 8 on Ubuntu 24.04\" class=\"wp-image-22680\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2024\/06\/install-arkime.png?v=1717603228 1071w, https:\/\/kifarunix.com\/wp-content\/uploads\/2024\/06\/install-arkime-768x432.png?v=1717603228 768w\" sizes=\"(max-width: 1071px) 100vw, 1071px\" \/><\/figure>\n\n\n\n<p>This tutorial provides a step by step guide on how to install Arkime with Elasticsearch 8 on Ubuntu 24.04.\u00a0<a href=\"https:\/\/arkime.com\/\" target=\"_blank\" rel=\"noreferrer noopener\">Arkime<\/a>, formerly known as Moloch, is a powerful open-source solution for large-scale network traffic capture and indexing. It empowers security professionals to efficiently capture, store, and analyze vast amounts of network data. By leveraging Arkime&#8217;s capabilities, you can gain valuable insights into network activity, identify potential threats, and conduct thorough forensic investigations. 
Whether you&#8217;re a seasoned network security professional or just starting your journey in this field, Arkime offers a user-friendly and scalable platform for managing your network traffic analysis needs.<\/p>\n\n\n\n<div class=\"wp-block-rank-math-toc-block\" id=\"rank-math-toc\"><h2>Table of Contents<\/h2><nav><ul><li><a href=\"#installing-arkime-with-elasticsearch-8-on-ubuntu-24-04\">Installing Arkime with Elasticsearch 8 on Ubuntu 24.04<\/a><ul><li><a href=\"#arkime-features\">Arkime Features<\/a><\/li><li><a href=\"#arkime-installation-methods\">Arkime Installation Methods<\/a><\/li><li><a href=\"#install-elasticsearch-8\">Install Elasticsearch 8<\/a><\/li><li><a href=\"#install-arkime-on-ubuntu-using-prebuilt-binary\">Install Arkime on Ubuntu using Prebuilt Binary<\/a><ul><li><a href=\"#download-arkime-binary-installer\">Download Arkime Binary Installer<\/a><\/li><li><a href=\"#run-system-update\">Run System Update<\/a><\/li><li><a href=\"#installing-arkime-ubuntu\">Installing Arkime Ubuntu<\/a><\/li><\/ul><\/li><li><a href=\"#install-arkime-by-building-it-from-the-source\">Install Arkime by Building it from the Source<\/a><\/li><li><a href=\"#configuring-arkime\">Configuring Arkime<\/a><ul><li><a href=\"#configure-arkime\">Configure Arkime<\/a><\/li><li><a href=\"#update-the-maximum-size-of-a-packet-arkime-will-read-off-the-interface\">Update the maximum size of a packet Arkime will read off the interface<\/a><\/li><li><a href=\"#initialize-elasticsearch-arkime-configuration\">Initialize Elasticsearch Arkime configuration<\/a><\/li><li><a href=\"#create-arkime-admin-user-account\">Create Arkime Admin User Account<\/a><\/li><\/ul><\/li><li><a href=\"#running-arkime-services\">Running Arkime Services<\/a><\/li><li><a href=\"#log-files\">Log Files<\/a><\/li><li><a href=\"#adjusting-arkime-configurations\">Adjusting Arkime configurations;<\/a><\/li><\/ul><\/li><li><a href=\"#accessing-arkime-web-interface\">Accessing Arkime Web Interface<\/a><ul><li><a 
href=\"#accessing-arkime-with-ssl-tls\">Accessing Arkime with SSL\/TLS<\/a><\/li><li><a href=\"#reference\">Reference<\/a><\/li><\/ul><\/li><\/ul><\/nav><\/div>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"installing-arkime-with-elasticsearch-8-on-ubuntu-24-04\">Installing Arkime with Elasticsearch 8 on Ubuntu 24.04<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"arkime-features\">Arkime Features<\/h3>\n\n\n\n<p>According to its\u00a0<a href=\"https:\/\/github.com\/arkime\/arkime\" target=\"_blank\" rel=\"noreferrer noopener\">GitHub repository<\/a>\u00a0page, some of the features of the Arkime tool include:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>It stores and indexes network traffic in standard PCAP format, providing fast, indexed access.<\/li>\n\n\n\n<li>Provides an intuitive web interface for PCAP browsing, searching, and exporting.<\/li>\n\n\n\n<li>Exposes APIs which allow PCAP data and JSON-formatted session data to be downloaded and consumed directly.<\/li>\n\n\n\n<li>Stores and exports all packets in standard PCAP format, allowing you to also use your favorite PCAP ingesting tools, such as Wireshark, during your analysis workflow.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"arkime-installation-methods\">Arkime Installation Methods<\/h3>\n\n\n\n<p>You can install Arkime on Ubuntu by either:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"#install-arkime-on-ubuntu-using-prebuilt-binary\">Using prebuilt binary packages<\/a> or<\/li>\n\n\n\n<li><a href=\"#install-arkime-by-building-it-from-the-source\">Building it from the source code<\/a><\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"install-elasticsearch-8\">Install Elasticsearch 8<\/h3>\n\n\n\n<p>As a prerequisite, irrespective of the installation method, you need to install Elasticsearch. Arkime uses Elasticsearch for storing, managing and indexing the vast amounts of network traffic it captures. 
This enables efficient search and retrieval of specific packets or patterns within the captured data.<\/p>\n\n\n\n<p>Arkime 5.x is now <a href=\"https:\/\/arkime.com\/faq#upgrading-arkime\" target=\"_blank\" rel=\"noreferrer noopener\">compatible with Elasticsearch 8.x<\/a>.<\/p>\n\n\n\n<p>Thus, to install Elasticsearch 8.x on Ubuntu 24.04, you first need to set up the Elastic APT repository as follows;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo apt install apt-transport-https \\\n\tca-certificates \\\n\tcurl \\\n\tgnupg2 \\\n\tsoftware-properties-common<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>wget -qO - https:\/\/artifacts.elastic.co\/GPG-KEY-elasticsearch | \\\n\tsudo gpg --dearmor -o \/etc\/apt\/trusted.gpg.d\/elastic.gpg<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>echo \"deb https:\/\/artifacts.elastic.co\/packages\/8.x\/apt stable main\" |\\\nsudo tee \/etc\/apt\/sources.list.d\/elastic-8.x.list<\/code><\/pre>\n\n\n\n<p>Run system update;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo apt update<\/code><\/pre>\n\n\n\n<p>Once the repos are in place, install Elasticsearch 8.x on all the cluster nodes using the command below;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo apt install elasticsearch<\/code><\/pre>\n\n\n\n<p>Sample installation output;<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>Reading package lists... Done\nBuilding dependency tree... Done\nReading state information... Done\nThe following NEW packages will be installed:\n  elasticsearch\n0 upgraded, 1 newly installed, 0 to remove and 34 not upgraded.\nNeed to get 589 MB of archives.\nAfter this operation, 1,149 MB of additional disk space will be used.\nGet:1 https:\/\/artifacts.elastic.co\/packages\/8.x\/apt stable\/main amd64 elasticsearch amd64 8.14.0 [589 MB]\nFetched 589 MB in 5s (111 MB\/s)\nSelecting previously unselected package elasticsearch.\n(Reading database ... 
121440 files and directories currently installed.)\nPreparing to unpack ...\/elasticsearch_8.14.0_amd64.deb ...\nCreating elasticsearch group... OK\nCreating elasticsearch user... OK\nUnpacking elasticsearch (8.14.0) ...\nSetting up elasticsearch (8.14.0) ...\n--------------------------- Security autoconfiguration information ------------------------------\n\nAuthentication and authorization are enabled.\nTLS for the transport and HTTP layers is enabled and configured.\n\nThe generated password for the elastic built-in superuser is : _nqt*3UnqvVuC3Qnai6l\n\nIf this node should join an existing cluster, you can reconfigure this with\n'\/usr\/share\/elasticsearch\/bin\/elasticsearch-reconfigure-node --enrollment-token <token-here>'\nafter creating an enrollment token on your existing cluster.\n\nYou can complete the following actions at any time:\n\nReset the password of the elastic built-in superuser with \n'\/usr\/share\/elasticsearch\/bin\/elasticsearch-reset-password -u elastic'.\n\nGenerate an enrollment token for Kibana instances with \n '\/usr\/share\/elasticsearch\/bin\/elasticsearch-create-enrollment-token -s kibana'.\n\nGenerate an enrollment token for Elasticsearch nodes with \n'\/usr\/share\/elasticsearch\/bin\/elasticsearch-create-enrollment-token -s node'.\n\n-------------------------------------------------------------------------------------------------\n### NOT starting on installation, please execute the following statements to configure elasticsearch service to start automatically using systemd\n sudo systemctl daemon-reload\n sudo systemctl enable elasticsearch.service\n### You can start elasticsearch service by executing\n sudo systemctl start elasticsearch.service\nScanning processes...                                                                                                                                                                                              \nScanning candidates...                                                   
\nScanning linux images...\n\nPending kernel upgrade!\nRunning kernel version:\n  6.8.0-31-generic\nDiagnostics:\n  The currently running kernel version is not the expected kernel version 6.8.0-35-generic.\n\nRestarting the system to load the new kernel will not be handled automatically, so you should consider rebooting.\n\nRestarting services...\n\nService restarts being deferred:\n \/etc\/needrestart\/restart.d\/dbus.service\n systemctl restart systemd-logind.service\n systemctl restart unattended-upgrades.service\n\nNo containers need to be restarted.\n\nUser sessions running outdated binaries:\n kifarunix @ session #2: login[885], su[1059]\n kifarunix @ session #4: sshd[1384,1439]\n kifarunix @ user manager service: systemd[994]\n\nNo VM guests are running outdated hypervisor (qemu) binaries on this host.\n<\/code><\/pre>\n\n\n\n<p>Elasticsearch 8.x enables authentication and TLS (for both the HTTP and transport layers) by default.<\/p>\n\n\n\n<p>Ensure you provide Elasticsearch with as much RAM as possible.<\/p>\n\n\n\n<blockquote class=\"wp-block-quote td_pull_quote td_pull_center is-layout-flow wp-block-quote-is-layout-flow\">\n<p class=\"has-small-font-size\">NOTE: It is recommended that you run Elasticsearch on a different node from the one running Arkime. This is because the Arkime capture and viewer services will fail to start if Elasticsearch takes time to start. 
You can, however, update the Arkime capture and viewer systemd units to start after the Elasticsearch service if you want to run everything on the same host.<\/p>\n<\/blockquote>\n\n\n\n<p>Start and enable Elasticsearch to run on system boot;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo systemctl enable --now elasticsearch<\/code><\/pre>\n\n\n\n<p>Verify that Elasticsearch is running (<code>-u elastic<\/code> without a password makes curl prompt for it; <code>-k<\/code> skips certificate verification because the autogenerated HTTP certificate is self-signed);<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>curl https:\/\/localhost:9200 -k -u elastic<\/code><\/pre>\n\n\n\n<p><code>elastic<\/code> is the built-in superuser created by Elasticsearch during installation. Its password is printed in the installation output.<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>Enter host password for user 'elastic':\n{\n  \"name\" : \"lb-01\",\n  \"cluster_name\" : \"elasticsearch\",\n  \"cluster_uuid\" : \"DA8qokqkQz6xFinTwDXI4g\",\n  \"version\" : {\n    \"number\" : \"8.14.0\",\n    \"build_flavor\" : \"default\",\n    \"build_type\" : \"deb\",\n    \"build_hash\" : \"8d96bbe3bf5fed931f3119733895458eab75dca9\",\n    \"build_date\" : \"2024-06-03T10:05:49.073003402Z\",\n    \"build_snapshot\" : false,\n    \"lucene_version\" : \"9.10.0\",\n    \"minimum_wire_compatibility_version\" : \"7.17.0\",\n    \"minimum_index_compatibility_version\" : \"7.0.0\"\n  },\n  \"tagline\" : \"You Know, for Search\"\n}\n<\/code><\/pre>\n\n\n\n<p>You can also use OpenSearch instead of Elasticsearch if you want.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"install-arkime-on-ubuntu-using-prebuilt-binary\">Install Arkime on Ubuntu using Prebuilt Binary<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"download-arkime-binary-installer\">Download Arkime Binary Installer<\/h4>\n\n\n\n<p>Arkime 5.2.0 is the current stable release as per the <a href=\"https:\/\/github.com\/arkime\/arkime\/releases\" target=\"_blank\" rel=\"noreferrer noopener\">releases page<\/a>.<\/p>\n\n\n\n<p>Navigate to the\u00a0<a href=\"https:\/\/arkime.com\/downloads\" target=\"_blank\" rel=\"noreferrer noopener\">downloads page<\/a>\u00a0and 
grab the latest stable release of the Arkime binary installer for Ubuntu 24.04. Ensure the binary you download matches your system's CPU architecture;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>uname -p<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>x86_64<\/strong>: amd64 build<\/li>\n\n\n\n<li><strong>arm64\/aarch64<\/strong>: arm64 build<\/li>\n<\/ul>\n\n\n\n<p>You can as well grab the link to the binary installer and pull it using the\u00a0<code><strong>curl<\/strong><\/code>\u00a0or\u00a0<strong><code>wget<\/code><\/strong>\u00a0command.<\/p>\n\n\n\n<p>For example, the commands below download the current stable release of the Arkime binary installer for Ubuntu 24.04.<\/p>\n\n\n\n<p>Replace the value of the VER variable with the current latest stable release version number.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>VER=5.2.0<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>wget https:\/\/github.com\/arkime\/arkime\/releases\/download\/v${VER}\/arkime_${VER}-1.ubuntu2404_amd64.deb<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"run-system-update\">Run System Update<\/h4>\n\n\n\n<p>Update your system package cache;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">sudo apt update<\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"installing-arkime-ubuntu\">Installing Arkime on Ubuntu<\/h4>\n\n\n\n<p>Next, install Arkime using the downloaded binary installer.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">sudo apt install .\/arkime_${VER}-1.ubuntu2404_amd64.deb<\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>Reading package lists... Done\nBuilding dependency tree... Done\nReading state information... 
Done\nNote, selecting 'arkime' instead of '.\/arkime_5.2.0-1.ubuntu2404_amd64.deb'\nThe following additional packages will be installed:\n  libauthen-sasl-perl libclone-perl libcommon-sense-perl libdata-dump-perl libencode-locale-perl libfile-listing-perl libfont-afm-perl libhtml-form-perl libhtml-format-perl libhtml-parser-perl\n  libhtml-tagset-perl libhtml-tree-perl libhttp-cookies-perl libhttp-daemon-perl libhttp-date-perl libhttp-message-perl libhttp-negotiate-perl libio-html-perl libio-socket-ssl-perl libjson-perl libjson-xs-perl\n  liblua5.4-0 liblwp-mediatypes-perl liblwp-protocol-https-perl libmailtools-perl libnet-http-perl libnet-smtp-ssl-perl libnet-ssleay-perl libpcre3 librdkafka1 libtimedate-perl libtry-tiny-perl\n  libtypes-serialiser-perl liburi-perl libwww-perl libwww-robotrules-perl libyaml-dev libyara10 perl-openssl-defaults\nSuggested packages:\n  libdigest-hmac-perl libgssapi-perl libio-compress-brotli-perl libcrypt-ssleay-perl libsub-name-perl libbusiness-isbn-perl libregexp-ipv6-perl libauthen-ntlm-perl libyaml-doc debhelper\nThe following NEW packages will be installed:\n  arkime libauthen-sasl-perl libclone-perl libcommon-sense-perl libdata-dump-perl libencode-locale-perl libfile-listing-perl libfont-afm-perl libhtml-form-perl libhtml-format-perl libhtml-parser-perl\n  libhtml-tagset-perl libhtml-tree-perl libhttp-cookies-perl libhttp-daemon-perl libhttp-date-perl libhttp-message-perl libhttp-negotiate-perl libio-html-perl libio-socket-ssl-perl libjson-perl libjson-xs-perl\n  liblua5.4-0 liblwp-mediatypes-perl liblwp-protocol-https-perl libmailtools-perl libnet-http-perl libnet-smtp-ssl-perl libnet-ssleay-perl libpcre3 librdkafka1 libtimedate-perl libtry-tiny-perl\n  libtypes-serialiser-perl liburi-perl libwww-perl libwww-robotrules-perl libyaml-dev libyara10 perl-openssl-defaults\n0 upgraded, 40 newly installed, 0 to remove and 34 not upgraded.\nNeed to get 3,192 kB\/121 MB of archives.\nAfter this operation, 393 MB of additional disk 
space will be used.\nDo you want to continue? [Y\/n] y\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"install-arkime-by-building-it-from-the-source\">Install Arkime by Building it from the Source<\/h3>\n\n\n\n<p>If you want, you can as well install Arkime by building it from the source. Check the&nbsp;<a href=\"https:\/\/github.com\/arkime\/arkime#install\" target=\"_blank\" rel=\"noreferrer noopener\">installation page<\/a>&nbsp;for instructions.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"configuring-arkime\">Configuring Arkime<\/h3>\n\n\n\n<p>The default configuration file for Arkime is <strong>\/opt\/arkime\/etc\/config.ini<\/strong>.<\/p>\n\n\n\n<p>All relevant configuration settings are described on the <a href=\"https:\/\/arkime.com\/settings\" target=\"_blank\" rel=\"noreferrer noopener\">settings page<\/a>.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"configure-arkime\">Configure Arkime<\/h4>\n\n\n\n<p>Once the installation is done, run the script below to configure Arkime, answering its prompts as described in the following steps;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo \/opt\/arkime\/bin\/Configure<\/code><\/pre>\n\n\n\n<p>Select an interface to monitor;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Found interfaces: lo;enp0s3;enp0s8\nSemicolon ';' seperated list of interfaces to monitor &#91;eth1] <strong>enp0s8<\/strong><\/code><\/pre>\n\n\n\n<p>Choose whether the script should install a local demo Elasticsearch for you or whether you will use an Elasticsearch you installed manually.<\/p>\n\n\n\n<p>(<strong>We have already installed Elasticsearch, hence choose no<\/strong>).<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Install Elasticsearch server locally for demo, must have at least 3G of memory, NOT recommended for production use (yes or no) &#91;no] <strong>no<\/strong> &#91;or <strong>SIMPLY PRESS ENTER<\/strong>]<\/code><\/pre>\n\n\n\n<p>Set the Elasticsearch server URL, https:\/\/localhost:9200 in this setup. 
Just press Enter to accept the default.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>OpenSearch\/Elasticsearch server URL &#91;https:\/\/localhost:9200] <strong>ENTER<\/strong><\/code><\/pre>\n\n\n\n<p>Define the Elasticsearch user and password. As stated before, Elasticsearch 8.x now enables authentication\/authorization by default. We are using the default Elasticsearch superuser created during installation.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>OpenSearch\/Elasticsearch user &#91;empty is no user] <strong>elastic<\/strong><\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>OpenSearch\/Elasticsearch password &#91;empty is no password] <strong>_nqt*3UnqvVuC3Qnai6l<\/strong><\/code><\/pre>\n\n\n\n<p>Set the password used to encrypt S2S (server-to-server) communication and other secrets. Be sure to replace <strong>changeme<\/strong> with a strong, random value of your own.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Password to encrypt S2S and other things &#91;no-default] <strong>changeme<\/strong><\/code><\/pre>\n\n\n\n<p>The configuration of Arkime then runs.<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>Arkime - Creating configuration files\nInstalling sample \/opt\/arkime\/etc\/config.ini\nsed: can't read : No such file or directory\nArkime - Installing \/etc\/security\/limits.d\/99-arkime.conf to make core and memlock unlimited\nDownload GEO files? 
You'll need a MaxMind account https:\/\/arkime.com\/faq#maxmind (yes or no) [yes] yes\nArkime - Downloading GEO files\n2024-06-05 14:59:26 URL:https:\/\/www.iana.org\/assignments\/ipv4-address-space\/ipv4-address-space.csv [23323\/23323] -> \"\/tmp\/tmp.vlBLa1rwrr\" [1]\n2024-06-05 14:59:27 URL:https:\/\/www.wireshark.org\/download\/automated\/data\/manuf [2767520\/2767520] -> \"\/tmp\/tmp.bbmKRi4bOU\" [1]\n\nArkime - Configured - Now continue with step 4 in \/opt\/arkime\/README.txt\n\n 4) The Configure script can install OpenSearch\/Elasticsearch for you or you can install yourself\n 5) Initialize\/Upgrade OpenSearch\/Elasticsearch Arkime configuration\n  a) If this is the first install, or want to delete all data\n      \/opt\/arkime\/db\/db.pl http:\/\/ESHOST:9200 init\n  b) If this is an update to an Arkime package\n      \/opt\/arkime\/db\/db.pl http:\/\/ESHOST:9200 upgrade\n 6) Add an admin user if a new install or after an init\n      \/opt\/arkime\/bin\/arkime_add_user.sh admin \"Admin User\" THEPASSWORD --admin\n 7) Start everything\n      systemctl start arkimecapture.service\n      systemctl start arkimeviewer.service\n 8) Look at log files for errors\n      \/opt\/arkime\/logs\/viewer.log\n      \/opt\/arkime\/logs\/capture.log\n 9) Visit http:\/\/arkimeHOST:8005 with your favorite browser.\n      user: admin\n      password: THEPASSWORD from step #6\n\nIf you want IP -> Geo\/ASN to work, you need to setup a maxmind account and the geoipupdate program.\nSee https:\/\/arkime.com\/faq#maxmind\n\nAny configuration changes can be made to \/opt\/arkime\/etc\/config.ini\nSee https:\/\/arkime.com\/faq#arkime-is-not-working for issues\n\nAdditional information can be found at:\n  * https:\/\/arkime.com\/install\n  * https:\/\/arkime.com\/faq\n  * https:\/\/arkime.com\/settings\n<\/code><\/pre>\n\n\n\n<p>Sample configuration file settings after configuring it.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>cat 
\/opt\/arkime\/etc\/config.ini<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code># Latest settings documentation: https:\/\/arkime.com\/settings\n#\n# Arkime capture\/viewer uses a tiered system for configuration variables. This allows Arkime\n# to share one config file for many machines. The ordering of sections in this\n# file doesn't matter.\n#\n# Order of config variables use:\n# 1st) [optional] The section titled with the node name is used first.\n# 2nd) [optional] If a node has a nodeClass variable, the section titled with\n#      the nodeClass name is used next. Sessions will be tagged with\n#      class:<node class name> which may be useful if watching different networks.\n# 3rd) The section titled \"default\" is used last.\n\n[default]\n# Comma seperated list of OpenSearch\/Elasticsearch host:port combinations. If not using a\n# Elasticsearch load balancer, a different OpenSearch\/Elasticsearch node in the cluster can be\n# specified for each Arkime node to help spread load on high volume clusters. For user\/password\n# use https:\/\/user:pass@host:port OR elasticsearchBasicAuth\nelasticsearch=https:\/\/localhost:9200\nelasticsearchBasicAuth=elastic:_nqt*3UnqvVuC3Qnai6l\n\n# Where the user database is, the above is used if not set\n# For user\/password use https:\/\/user:pass@host:port OR usersElasticsearchBasicAuth\n# usersElasticsearch=https:\/\/localhost:9200\n# usersElasticsearchBasicAuth=\n\n# How often to create a new OpenSearch\/Elasticsearch index. hourly,hourly[23468],hourly12,daily,weekly,monthly\n# See https:\/\/arkime.com\/settings#rotateindex\nrotateIndex=daily\n\n# Uncomment if this node should process the cron queries and packet search jobs, only ONE node should\n# process cron queries and packet search jobs\n# cronQueries=true\n\n# Cert file to use, comment out to use http instead\n# certFile=\/opt\/arkime\/etc\/arkime.cert\n\n# File with trusted roots\/certs. WARNING! 
this replaces default roots\n# Useful with self signed certs and can be set per node.\n# caTrustFile=\/opt\/arkime\/etc\/roots.cert\n\n# Private key file to use, comment out to use http instead\n# keyFile=\/opt\/arkime\/etc\/arkime.key\n\n# Password Hash Secret - Must be in default section. Since OpenSearch\/Elasticsearch\n# is wide open by default, we encrypt the stored password hashes with this\n# so a malicous person can't insert a working new account.\n# Comment out for no user authentication.\n# Changing the value will make all previously stored passwords no longer work.\n# Make this RANDOM, you never need to type in\npasswordSecret=changme\n\n# Use a different password for S2S communication then passwordSecret.\n# Must be in default section. Make this RANDOM, you never need to type in\n#serverSecret=\n\n# HTTP Digest Realm - Must be in default section. Changing the value\n# will make all previously stored passwords no longer work\nhttpRealm=Moloch\n\n# Semicolon ';' seperated list of interfaces to listen on for traffic\ninterface=enp1s0\n\n# Host to connect to for wiseService\n#wiseHost=127.0.0.1\n\n# Log viewer access requests to a different log file\n#accessLogFile=\/opt\/arkime\/logs\/access.log\n\n# Control the log format for access requests. This uses URI % encoding.\n#accessLogFormat=:date :username %1b[1m:method%1b[0m %1b[33m:url%1b[0m :status :res[content-length] bytes :response-time ms\n\n# The directory to save raw pcap files to\npcapDir=\/opt\/arkime\/raw\n\n# The max raw pcap file size in gigabytes, with a max value of 36G.\n# The disk should have room for at least 10*maxFileSizeG\nmaxFileSizeG=12\n\n# The max time in minutes between rotating pcap files. Default is 0, which means\n# only rotate based on current file size and the maxFileSizeG variable\n#maxFileTimeM=60\n\n# TCP timeout value. 
Arkime writes a session record after this many seconds\n# of inactivity.\ntcpTimeout=600\n\n# Arkime writes a session record after this many seconds, no matter if\n# active or inactive\ntcpSaveTimeout=720\n\n# UDP timeout value. Arkime assumes the UDP session is ended after this\n# many seconds of inactivity.\nudpTimeout=30\n\n# ICMP timeout value. Arkime assumes the ICMP session is ended after this\n# many seconds of inactivity.\nicmpTimeout=10\n\n# An aproximiate maximum number of active sessions Arkime will try and monitor\nmaxStreams=1000000\n\n# Arkime writes a session record after this many packets\nmaxPackets=10000\n\n# Delete pcap files when free space is lower then this in gigabytes OR it can be\n# expressed as a percentage (ex: 5%). This does NOT delete the session records in\n# the database. It is recommended this value is between 5% and 10% of the disk.\n# Database deletes are done by the db.pl expire script\nfreeSpaceG=5%\n\n# The port to listen on, by default 8005\n#viewPort=8005\n\n# The host\/ip to listen on, by default 0.0.0.0 which is ALL\n#viewHost=localhost\n\n# A MaxMind account is now required, Arkime checks several install locations, or\n# will work without Geo files installed. 
See https:\/\/arkime.com\/faq#maxmind\n#geoLite2Country=\/var\/lib\/GeoIP\/GeoLite2-Country.mmdb;\/usr\/share\/GeoIP\/GeoLite2-Country.mmdb;\/opt\/arkime\/etc\/GeoLite2-Country.mmdb\n#geoLite2ASN=\/var\/lib\/GeoIP\/GeoLite2-ASN.mmdb;\/usr\/share\/GeoIP\/GeoLite2-ASN.mmdb;\/opt\/arkime\/etc\/GeoLite2-ASN.mmdb\n\n# Path of the rir assignments file\n#  https:\/\/www.iana.org\/assignments\/ipv4-address-space\/ipv4-address-space.csv\nrirFile=\/opt\/arkime\/etc\/ipv4-address-space.csv\n\n# Path of the OUI file from whareshark\n#  https:\/\/raw.githubusercontent.com\/wireshark\/wireshark\/release-4.0\/manuf\nouiFile=\/opt\/arkime\/etc\/oui.txt\n\n# Arkime rules to allow you specify actions to perform when criteria are met with certain fields or state.\n# See https:\/\/arkime.com\/rulesformat\n#rulesFiles=\/opt\/arkime\/etc\/arkime.rules\n\n# User to drop privileges to. The pcapDir must be writable by this user or group below\ndropUser=nobody\n\n# Group to drop privileges to. The pcapDir must be writable by this group or user above\ndropGroup=daemon\n\n# Header to use for determining the username to check in the database for instead of\n# using http digest. Use this if apache or something else is doing the auth.\n# Set viewHost to localhost or use iptables\n# Might need something like this in the httpd.conf\n# RewriteRule .* - [E=ENV_RU:%{REMOTE_USER}]\n# RequestHeader set ARKIME_USER %{ENV_RU}e\n#userNameHeader=arkime_user\n\n#\n# Headers to use to determine if user from `userNameHeader` is\n# authorized to use the system, and if so create a new user\n# in the Arkime user database. 
This implementation expects that\n# the users LDAP\/AD groups (or similar) are populated into an\n# HTTP header by the Apache (or similar) referenced above.\n# The JSON in userAutoCreateTmpl is used to insert the new\n# user into the arkime database (if not already present)\n# and additional HTTP headers can be sourced from the request\n# to populate various fields.\n#\n# The example below pulls verifies that an HTTP header called `UserGroup`\n# is present, and contains the value \"ARKIME_ACCESS\". If this authorization\n# check passes, the user database is inspected for the user in `userNameHeader`\n# and if it is not present it is created. The system uses the\n# `arkime_user` and `http_auth_mail` headers from the\n# request and uses them to populate `userId` and `userName`\n# fields for the new user record.\n#\n# Once the user record is created, this functionaity\n# neither updates nor deletes the data, though if the user is no longer\n# reported to be in the group, access is denied regardless of the status\n# in the arkime database.\n#\n#requiredAuthHeader=\"UserGroup\"\n#requiredAuthHeaderVal=\"ARKIME_ACCESS\"\n#userAutoCreateTmpl={\"userId\": \"${this.arkime_user}\", \"userName\": \"${this.http_auth_mail}\", \"enabled\": true, \"webEnabled\": true, \"headerAuthEnabled\": true, \"emailSearch\": true, \"createEnabled\": false, \"removeEnabled\": false, \"packetSearch\": true }\n\n# Should we parse extra smtp traffic info\nparseSMTP=true\n\n# Should we parse extra smb traffic info\nparseSMB=true\n\n# Should we parse HTTP QS Values\nparseQSValue=false\n\n# Should we calculate sha256 for bodies\nsupportSha256=false\n\n# Only index HTTP request bodies less than this number of bytes *\/\nmaxReqBody=64\n\n# Only store request bodies that Utf-8?\nreqBodyOnlyUtf8=true\n\n# Semicolon ';' seperated list of SMTP Headers that have ips, need to have the terminating colon ':'\nsmtpIpHeaders=X-Originating-IP:;X-Barracuda-Apparent-Source-IP:\n\n# Semicolon ';' seperated list of 
directories to load parsers from\nparsersDir=\/opt\/arkime\/parsers\n\n# Semicolon ';' seperated list of directories to load plugins from\npluginsDir=\/opt\/arkime\/plugins\n\n# Semicolon ';' seperated list of plugins to load and the order to load in\n# plugins=tagger.so; netflow.so\n\n# Plugins to load as root, usually just readers\n#rootPlugins=reader-pfring; reader-daq.so\n\n# Semicolon ';' seperated list of viewer plugins to load and the order to load in\n# viewerPlugins=wise.js\n\n# NetFlowPlugin\n# Input device id, 0 by default\n#netflowSNMPInput=1\n# Outout device id, 0 by default\n#netflowSNMPOutput=2\n# Netflow version 1,5,7 supported, 7 by default\n#netflowVersion=1\n# Semicolon ';' seperated list of netflow destinations\n#netflowDestinations=localhost:9993\n\n# Specify the max number of indices we calculate spidata for.\n# ES will blow up if we allow the spiData to search too many indices.\nspiDataMaxIndices=4\n\n# Uncomment the following to allow direct uploads. This is experimental\n#uploadCommand=\/opt\/arkime\/bin\/capture --copy -n {NODE} -r {TMPFILE} -c {CONFIG} {TAGS}\n\n# Title Template\n# _cluster_ = ES cluster name\n# _userId_  = logged in User Id\n# _userName_ = logged in User Name\n# _page_ = internal page name\n# _expression_ = current search expression if set, otherwise blank\n# _-expression_ = \" - \" + current search expression if set, otherwise blank, prior spaces removed\n# _view_ = current view if set, otherwise blank\n# _-view_ = \" - \" + current view if set, otherwise blank, prior spaces removed\n#titleTemplate=_cluster_ - _page_ _-view_ _-expression_\n\n# Number of threads processing packets\npacketThreads=2\n\n# ADVANCED - Semicolon ';' seperated list of files to load for config. 
Files are loaded\n# in order and can replace values set in this file or previous files.\n#includes=\n\n# ADVANCED - How is pcap written to disk\n#  simple          = use O_DIRECT if available, writes in pcapWriteSize chunks,\n#                    a file per packet thread.\n#  simple-nodirect = don't use O_DIRECT. Required for zfs and others\npcapWriteMethod=simple\n\n# ADVANCED - Buffer size when writing pcap files. Should be a multiple of the raid 5 or xfs\n# stripe size. Defaults to 256k\npcapWriteSize=262143\n\n# ADVANCED - Max number of connections to OpenSearch\/Elasticsearch\nmaxESConns=30\n\n# ADVANCED - Max number of es requests outstanding in q\nmaxESRequests=500\n\n# ADVANCED - Number of packets to ask libpcap to read per poll\/spin\n# Increasing may hurt stats and ES performance\n# Decreasing may cause more dropped packets\npacketsPerPoll=50000\n\n# ADVANCED - The base path for Arkime web access. Must end with a \/ or bad things will happen\n# Only set when using a reverse proxy\n# webBasePath=\/arkime\/\n\n# DEBUG - Write to stdout info every X packets.\n# Set to -1 to never log status\nlogEveryXPackets=100000\n\n# DEBUG - Write to stdout unknown protocols\nlogUnknownProtocols=false\n\n# DEBUG - Write to stdout OpenSearch\/Elasticsearch requests\nlogESRequests=true\n\n# DEBUG - Write to stdout file creation information\nlogFileCreation=true\n\n\n### High Performance settings\n# https:\/\/arkime.com\/settings#high-performance-settings\n# magicMode=basic\n# pcapReadMethod=tpacketv3\n# tpacketv3NumThreads=2\n# pcapWriteMethod=simple\n# pcapWriteSize=2560000\n# packetThreads=5\n# maxPacketsInQueue=200000\n\n### Low Bandwidth settings\n# packetThreads=1\n# pcapWriteSize=65536\n\n##############################################################################\n# override-ips is a special section that overrides the MaxMind databases for\n# the fields set, but fields not set will still use MaxMind (example if you set\n# tags but not country it will use MaxMind 
for the country)\n# Spaces and capitalization is very important.\n# IP Can be a single IP or a CIDR\n# Up to 10 tags can be added\n#\n# ip=tag:TAGNAME1;tag:TAGNAME2;country:3LetterUpperCaseCountry;asn:ASN STRING\n#[override-ips]\n#10.1.0.0\/16=tag:ny-office;country:USA;asn:AS0000 This is an ASN\n\n##############################################################################\n# It is possible to define in the config file extra http\/email headers\n# to index. They are accessed using the expression http.<fieldname> and\n# email.<fieldname> with optional .cnt expressions\n#\n# Possible config atributes for all headers\n#   type:<string> (string|integer|ip)  = data type                (default string)\n#  count:<boolean>                     = index count of items     (default false)\n#  unique:<boolean>                    = only record unique items (default true)\n\n# headers-http-request is used to configure request headers to index\nsnapLen=65536\n[headers-http-request]\nreferer=type:string;count:true;unique:true\nauthorization=type:string;count:true\ncontent-type=type:string;count:true\norigin=type:string\n\n# headers-http-response is used to configure http response headers to index\n[headers-http-response]\nlocation=type:string\nserver=type:string\ncontent-type=type:string;count:true\n\n# headers-email is used to configure email headers to index\n[headers-email]\nx-priority=type:integer\nauthorization=type:string\n\n\n##############################################################################\n# If you have multiple clusters and you want the ability to send sessions\n# from one cluster to another either manually or with the cron feature fill out\n# this section\n\n#[remote-clusters]\n#forensics=url:https:\/\/viewer1.host.domain:8005;serverSecret:password4arkime;name:Forensics Cluster\n#shortname2=url:http:\/\/viewer2.host.domain:8123;serverSecret:password4arkime;name:Testing Cluster\n\n\n# WARNING: This is an ini file with sections, most likely you don't want 
to put a setting here.\n#          New settings usually go near the top in the [default] section, or in [nodename] sections.\n<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"update-the-maximum-size-of-a-packet-arkime-will-read-off-the-interface\">Update the maximum size of a packet Arkime will read off the interface<\/h4>\n\n\n\n<p>The maximum size of a packet Arkime reads off an interface is controlled by <strong>snapLen<\/strong>, which defaults to <strong>16384<\/strong> bytes. When the NIC hands capture reassembled super-packets larger than that, Arkime truncates them and logs the &#8220;Arkime requires full packet captures&#8221; error. Raising the value to <strong>65536<\/strong> is the quick fix.<\/p>\n\n\n\n<p>Set <strong>snapLen=65536<\/strong> in the <strong>[default]<\/strong> section. The sed command below inserts the line immediately before the <strong>[headers-http-request]<\/strong> section header; it still belongs to <strong>[default]<\/strong> because the only section header above it, <strong>[override-ips]<\/strong>, is commented out. Run it once only: every run adds another copy of the line.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo sed -i '\/\\&#91;headers-http-request\\]\/i snapLen=65536' \/opt\/arkime\/etc\/config.ini<\/code><\/pre>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p class=\"has-small-font-size\">It is recommended that instead of changing this value, all of the card&#8217;s &#8220;offload&#8221; features are turned off so that capture gets a picture of what&#8217;s on the network instead of what the capture card has reassembled. For VMs, those features must be turned off on the physical interface and not the virtual interface. 
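Added example for the note above; it is not code from the article or from Arkime. The POSIX shell script below audits the capture NIC for the offload features that produce reassembled super-packets (GRO, LRO, TSO, GSO, checksum and VLAN offloads) and turns them off with ethtool. It assumes ethtool is installed and is given the capture interface name; the ethtool -k output embedded in it is constructed for the self-check, not taken from a real host.

```shell
#!/bin/sh
# Added example, not part of the article or of Arkime: audit and disable NIC
# offload features on the capture interface. GRO/LRO and friends hand capture
# reassembled super-packets that exceed snapLen, which is what produces the
# "Arkime requires full packet captures" error. Assumes ethtool is installed.

# Offload features that change what capture sees. Names are the keys printed
# by `ethtool -k`; offload_flag maps them to the `ethtool -K` short names.
OFFLOADS="rx-checksumming tx-checksumming scatter-gather tcp-segmentation-offload generic-segmentation-offload generic-receive-offload large-receive-offload rx-vlan-offload tx-vlan-offload"

offload_flag() {
    case $1 in
        rx-checksumming)              echo rx ;;
        tx-checksumming)              echo tx ;;
        scatter-gather)               echo sg ;;
        tcp-segmentation-offload)     echo tso ;;
        generic-segmentation-offload) echo gso ;;
        generic-receive-offload)      echo gro ;;
        large-receive-offload)        echo lro ;;
        rx-vlan-offload)              echo rxvlan ;;
        tx-vlan-offload)              echo txvlan ;;
    esac
}

# offloads_on: read `ethtool -k IFACE` output on stdin and print each feature
# from OFFLOADS that is currently "on". Exit 0 if none is on, 1 otherwise.
# Lines look like "generic-receive-offload: on" or
# "large-receive-offload: off [fixed]"; sub-features are indented.
offloads_on() {
    found=0
    while read -r name state _; do
        name=${name%:}                 # strip the trailing colon
        for want in $OFFLOADS; do
            if [ "$name" = "$want" ] && [ "$state" = "on" ]; then
                printf '%s\n' "$name"
                found=1
            fi
        done
    done
    [ "$found" -eq 0 ]
}

# audit_iface IFACE: report offloads that are still on for a real interface.
audit_iface() {
    ethtool -k "$1" | offloads_on
}

# disable_offloads IFACE: switch every feature in OFFLOADS off. Features that
# ethtool reports as [fixed] cannot be changed and ethtool will say so.
# On a VM this has to be done on the hypervisor's physical NIC, not the vNIC.
disable_offloads() {
    iface=$1
    set --
    for f in $OFFLOADS; do
        set -- "$@" "$(offload_flag "$f")" off
    done
    ethtool -K "$iface" "$@"
}

# Constructed `ethtool -k` output for the self-check (not from a real host).
SAMPLE_ETHTOOL_K='Features for eth0:
rx-checksumming: on
tx-checksumming: on
        tx-checksum-ipv4: off [fixed]
scatter-gather: on
tcp-segmentation-offload: on
generic-segmentation-offload: on
generic-receive-offload: on
large-receive-offload: off [fixed]
rx-vlan-offload: on
tx-vlan-offload: on'
```

Run `audit_iface eth0` to list what is still on, and `disable_offloads eth0` to turn everything off; repeat the audit afterwards, since anything marked [fixed] stays as it was. On a VM run both against the hypervisor's physical NIC, as the note above says.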
This setting can be used when changing the settings isn&#8217;t possible or desired.<\/p>\n<\/blockquote>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"initialize-elasticsearch-arkime-configuration\">Initialize Elasticsearch Arkime configuration<\/h4>\n\n\n\n<p>Run the command below to create the Arkime indices and index templates in Elasticsearch. It authenticates as the <strong>elastic<\/strong> superuser with the password set during the Elasticsearch installation (replace the value shown with your own). Note that <strong>init<\/strong> erases any existing Arkime indices before recreating them, which is why the script asks you to stop all captures and viewers and take a backup first; on a fresh install there is nothing to lose. The password is passed on the command line, so it is recorded in your shell history and visible in the process list while the command runs.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">sudo \/opt\/arkime\/db\/db.pl --esuser elastic:'_nqt*3UnqvVuC3Qnai6l' https:\/\/localhost:9200 init<\/pre>\n\n\n\n<p>For the full list of db.pl operations (backup, upgrade, info and so on), see;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\/opt\/arkime\/db\/db.pl --help<\/code><\/pre>\n\n\n\n<p>Sample initialization output;<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>It is STRONGLY recommended that you stop ALL Arkime captures and viewers before proceeding.  Use 'db.pl https:\/\/localhost:9200 backup' to backup db first.\n\nThere is 1 OpenSearch\/Elasticsearch data node, if you expect more please fix first before proceeding.\n\nThis is a fresh Arkime install\nErasing\nCreating\nFinished\n<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"create-arkime-admin-user-account\">Create Arkime Admin User Account<\/h4>\n\n\n\n<p>Use the <code><strong>\/opt\/arkime\/bin\/arkime_add_user.sh<\/strong><\/code> script to create the Arkime admin user account. Its options;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\/opt\/arkime\/bin\/arkime_add_user.sh -h<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>addUser.js [&lt;config options&gt;] &lt;user id&gt; &lt;user friendly name&gt; &lt;password&gt; [&lt;options&gt;]\n\nOptions:\n  --admin                 Has admin privileges\n  --apionly               Can only use api, not web pages\n  --email                 Can do email searches\n  --expression  <expr>    Forced user expression\n  --remove                Can remove data (scrub, delete tags)\n  --webauth               Can auth using the web auth header or password\n  --webauthonly           Can auth using the web auth header only, password ignored\n  --packetSearch          Can create a packet search job (hunt)\n  --createOnly            Only create the user if it doesn't exist\n  --roles                 Comma seperated list of roles\n\nConfig Options:\n  -c, --config <file|url> Where to fetch the config file from\n  -n <node name>          Node name section to use in config file\n  --insecure              Disable certificate verification for https calls\n<\/code><\/pre>\n\n\n\n<p>Run the command below to create the Arkime admin user account. Replace the username (<strong>admin<\/strong>) and the placeholder password (<strong>changeme<\/strong>) with your own; as with db.pl, the password is recorded in shell history and visible in the process list while the command runs. <strong>--admin<\/strong> grants full administrative rights, so reserve it for this bootstrap account and create the everyday analyst accounts without it.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo \/opt\/arkime\/bin\/arkime_add_user.sh admin \"Arkime SuperAdmin\" changeme --admin<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"running-arkime-services\">Running Arkime Services<\/h3>\n\n\n\n<p>Arkime is made up of 3 components:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><em><strong>capture<\/strong>&nbsp;\u2013 A threaded C application that monitors network traffic, writes PCAP formatted files to disk, parses the captured packets, and sends metadata (SPI data) to Elasticsearch.<\/em><\/li>\n\n\n\n<li><em><strong>viewer<\/strong>&nbsp;\u2013 A&nbsp;node.js&nbsp;application that runs per capture machine. 
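Added example for the user-creation step above; it is not code from the article or from Arkime. The article's command puts the password on the command line, so this POSIX shell wrapper reads it from a hidden prompt instead, refuses the placeholder and other weak values, and builds the flag set for two roles: the bootstrap admin and a least-privilege analyst who can search, hunt and run email searches but cannot administer the instance or remove data. The role names, the strength rule and the wrapper itself are this example's own conventions; the flags are the ones arkime_add_user.sh lists in its help output.

```shell
#!/bin/sh
# Added example, not from the article or from Arkime: create Arkime users
# without typing the password into the shell (so it is not in history) and
# without giving every analyst --admin. The role names and the password rule
# are this script's own conventions; the flags come from arkime_add_user.sh -h.

# password_ok PW: exit 0 if PW is acceptable. Rejects the well-known
# placeholders, anything shorter than 14 characters, and anything made of a
# single character class (letters only, digits only, symbols only).
password_ok() {
    pw=$1
    case $pw in
        changeme|password|admin|arkime) return 1 ;;
    esac
    [ "${#pw}" -ge 14 ] || return 1
    classes=0
    case $pw in *[A-Za-z]*)     classes=$((classes + 1)) ;; esac
    case $pw in *[0-9]*)        classes=$((classes + 1)) ;; esac
    case $pw in *[!A-Za-z0-9]*) classes=$((classes + 1)) ;; esac
    [ "$classes" -ge 2 ]
}

# role_flags ROLE: print the arkime_add_user.sh flags for ROLE.
#   admin   -> full administrator (bootstrap account only)
#   analyst -> email search and packet-search (hunt) jobs, no admin, no
#              data removal; --createOnly makes reruns safe
role_flags() {
    case $1 in
        admin)   printf '%s\n' '--admin' ;;
        analyst) printf '%s\n' '--email --packetSearch --createOnly' ;;
        *)       return 1 ;;
    esac
}

# create_user USERID "Full Name" ROLE: prompt for the password with echo off,
# validate it, then call the real script. The password is still passed to the
# script as an argument, so it is visible in `ps` for the moment it runs.
create_user() {
    user=$1 fullname=$2 role=$3
    flags=$(role_flags "$role") || { echo "unknown role: $role" >&2; return 1; }
    printf 'Password for %s: ' "$user"
    stty -echo; read -r pw; stty echo; echo
    password_ok "$pw" || { echo "password rejected: too short or too simple" >&2; return 1; }
    # shellcheck disable=SC2086  # flags are intentionally word-split
    sudo /opt/arkime/bin/arkime_add_user.sh "$user" "$fullname" "$pw" $flags
}

# Typical use on the sensor:
#   create_user admin "Arkime SuperAdmin" admin
#   create_user jdoe  "Jane Doe"          analyst
```

The analyst role deliberately omits --admin and --remove; add --webauth only if you front the viewer with a proxy that sets the authentication header.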
It handles the web interface and transfer of PCAP files.<\/em><\/li>\n\n\n\n<li><em><strong>elasticsearch<\/strong>&nbsp;\u2013 The search database technology powering Arkime.<\/em><\/li>\n<\/ul>\n\n\n\n<p>We already started Elasticsearch.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>systemctl status elasticsearch<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\u25cf elasticsearch.service - Elasticsearch\n     Loaded: loaded (\/usr\/lib\/systemd\/system\/elasticsearch.service; enabled; preset: enabled)\n     Active: active (running) since Wed 2024-06-05 14:47:36 UTC; 25min ago\n       Docs: https:\/\/www.elastic.co\n   Main PID: 27505 (java)\n      Tasks: 92 (limit: 4614)\n     Memory: 2.4G (peak: 2.4G)\n        CPU: 54.642s\n     CGroup: \/system.slice\/elasticsearch.service\n             \u251c\u250027505 \/usr\/share\/elasticsearch\/jdk\/bin\/java -Xms4m -Xmx64m -XX:+UseSerialGC -Dcli.name=server -Dcli.script=\/usr\/share\/elasticsearch\/bin\/elasticsearch -Dcli.libs=lib\/tools\/server-cli -Des.path.hom>\n             \u251c\u250027563 \/usr\/share\/elasticsearch\/jdk\/bin\/java -Des.networkaddress.cache.ttl=60 -Des.networkaddress.cache.negative.ttl=10 -Djava.security.manager=allow -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless>\n             \u2514\u250027583 \/usr\/share\/elasticsearch\/modules\/x-pack-ml\/platform\/linux-x86_64\/bin\/controller\n\nJun 05 14:47:22 lb-01 systemd[1]: Starting elasticsearch.service - Elasticsearch...\nJun 05 14:47:24 lb-01 systemd-entrypoint[27505]: Jun 05, 2024 2:47:24 PM sun.util.locale.provider.LocaleProviderAdapter <clinit>\nJun 05 14:47:24 lb-01 systemd-entrypoint[27505]: WARNING: COMPAT locale provider will be removed in a future release\nJun 05 14:47:36 lb-01 systemd[1]: Started elasticsearch.service - Elasticsearch.\n<\/code><\/pre>\n\n\n\n<p>Now start and enable Arkime Capture and viewer services to run on system boot;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo systemctl enable --now 
arkimecapture<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo systemctl enable --now arkimeviewer<\/code><\/pre>\n\n\n\n<p>Check the status;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>systemctl status arkimecapture<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\u25cf arkimecapture.service - Arkime Capture\n     Loaded: loaded (\/etc\/systemd\/system\/arkimecapture.service; enabled; preset: enabled)\n     Active: active (running) since Wed 2024-06-05 15:23:26 UTC; 27s ago\n   Main PID: 28525 (sh)\n      Tasks: 7 (limit: 4614)\n     Memory: 326.6M (peak: 328.3M)\n        CPU: 329ms\n     CGroup: \/system.slice\/arkimecapture.service\n             \u251c\u250028525 \/bin\/sh -c \"\/opt\/arkime\/bin\/capture -c \/opt\/arkime\/etc\/config.ini  >> \/opt\/arkime\/logs\/capture.log 2>&1\"\n             \u2514\u250028526 \/opt\/arkime\/bin\/capture -c \/opt\/arkime\/etc\/config.ini\n\nJun 05 15:23:26 lb-01 systemd[1]: Starting arkimecapture.service - Arkime Capture...\nJun 05 15:23:26 lb-01 systemd[1]: Started arkimecapture.service - Arkime Capture.\nJun 05 15:23:26 lb-01 (sh)[28525]: arkimecapture.service: Referenced but unset environment variable evaluates to an empty string: OPTIONS\n<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>systemctl status arkimeviewer<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\u25cf arkimeviewer.service - Arkime Viewer\n     Loaded: loaded (\/etc\/systemd\/system\/arkimeviewer.service; enabled; preset: enabled)\n     Active: active (running) since Wed 2024-06-05 15:23:44 UTC; 1min 52s ago\n   Main PID: 28614 (sh)\n      Tasks: 12 (limit: 4614)\n     Memory: 111.7M (peak: 142.9M)\n        CPU: 1.305s\n     CGroup: \/system.slice\/arkimeviewer.service\n             \u251c\u250028614 \/bin\/sh -c \"\/opt\/arkime\/bin\/node viewer.js -c \/opt\/arkime\/etc\/config.ini  >> \/opt\/arkime\/logs\/viewer.log 2>&1\"\n             \u2514\u250028616 \/opt\/arkime\/bin\/node viewer.js -c 
\/opt\/arkime\/etc\/config.ini\n\nJun 05 15:23:44 lb-01 systemd[1]: Started arkimeviewer.service - Arkime Viewer.\nJun 05 15:23:44 lb-01 (sh)[28614]: arkimeviewer.service: Referenced but unset environment variable evaluates to an empty string: OPTIONS\n<\/code><\/pre>\n\n\n\n<p>The warning about the unset <strong>OPTIONS<\/strong> variable is harmless: both unit files reference an optional <strong>OPTIONS<\/strong> environment variable for extra command-line flags, and none has been set.<\/p>\n\n\n\n<p>At this point the two units are enabled but not ordered after Elasticsearch, so after a reboot they may start before Elasticsearch is ready and fail.<\/p>\n\n\n\n<p>The fix is to order both units after <strong>elasticsearch.service<\/strong> and bind them to it with <strong>Requires=<\/strong>. Capture and viewer then start only once Elasticsearch is up, and stop when it is stopped; packets arriving while Elasticsearch is still starting are not captured.<\/p>\n\n\n\n<p>Add these lines to the <strong>[Unit]<\/strong> section of both unit files;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>After=network.target elasticsearch.service\nRequires=network.target elasticsearch.service<\/code><\/pre>\n\n\n\n<p>You can use sed to make the change. Run the pair once only: the first command appends <strong>elasticsearch.service<\/strong> to every line containing <strong>network.target<\/strong>, and the second adds a <strong>Requires=<\/strong> line after every <strong>After=<\/strong> line, so rerunning them produces duplicates. The unit files were generated by Arkime&#8217;s Configure script, so check that the edits are still in place if you ever rerun it.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo sed -i 's\/network.target\/network.target elasticsearch.service\/' \/etc\/systemd\/system\/arkimecapture.service \/etc\/systemd\/system\/arkimeviewer.service<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo sed -i '\/After=\/a Requires=network.target elasticsearch.service' \/etc\/systemd\/system\/arkimecapture.service \/etc\/systemd\/system\/arkimeviewer.service<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo systemctl daemon-reload<\/code><\/pre>\n\n\n\n<p>Arkime capture and viewer will now start only after Elasticsearch.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"log-files\">Log Files<\/h3>\n\n\n\n<p>Arkime and Elasticsearch write their logs to;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\/opt\/arkime\/logs\/viewer.log<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>\/opt\/arkime\/logs\/capture.log<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>\/var\/log\/elasticsearch\/*<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"adjusting-arkime-configurations\">Adjusting Arkime 
configurations;<\/h3>\n\n\n\n<p>If you ever want to update Arkime configs, edit the configuration file\u00a0<code><strong>\/opt\/arkime\/etc\/config.ini<\/strong><\/code> and restart the capture\/viewer services afterwards.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"accessing-arkime-web-interface\">Accessing Arkime Web Interface<\/h2>\n\n\n\n<p>The Arkime viewer listens on port 8005\/tcp by default, on all interfaces (note the <strong>*:8005<\/strong> in the output below).<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ss -altnp | grep 8005<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>LISTEN 0      511                     *:8005             *:*    users:((\"node\",pid=1021,fd=26))<\/code><\/pre>\n\n\n\n<p>If UFW is running, open this port to allow external access. Until TLS is configured (next section) the viewer speaks plain HTTP, so login credentials and any PCAP you download cross the network in the clear; limit the rule to your analyst subnet rather than opening the port to everyone.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo ufw allow 8005\/tcp<\/code><\/pre>\n\n\n\n<p>You can then access Arkime using the URL,\u00a0<code><strong>http:\/\/ARKIMEHOST:8005<\/strong><\/code>\u00a0with your favorite browser.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"accessing-arkime-with-ssl-tls\"><a href=\"#arkime-with-ssl\">Accessing Arkime with SSL\/TLS<\/a><\/h3>\n\n\n\n<p>To serve the viewer over TLS, uncomment the two lines below and point them at the full paths of your certificate and private key. This is the certificate browsers will see; it is independent of the one Elasticsearch uses on port 9200. The key file should be readable only by the account the viewer runs as.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo vim \/opt\/arkime\/etc\/config.ini<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>...\n# Cert file to use, comment out to use http instead\n#certFile=\/opt\/arkime\/etc\/arkime.cert\n<strong>certFile=\/opt\/arkime\/etc\/arkime.cert<\/strong>\n...\n# Private key file to use, comment out to use http instead\n#keyFile=\/opt\/arkime\/etc\/arkime.key\n<strong>keyFile=\/opt\/arkime\/etc\/arkime.key<\/strong>\n...\n<\/code><\/pre>\n\n\n\n<p>Save and exit the file.<\/p>\n\n\n\n<p>Next, restart Arkime viewer;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo systemctl restart arkimeviewer<\/code><\/pre>\n\n\n\n<p>Once it is back, the plain-HTTP listener is gone and you access Arkime at the url: 
<strong>https:\/\/ARKIMEHOST-DOMAIN-NAME:8005<\/strong><\/p>\n\n\n\n<p>The browser prompts for the credentials of the user created above. TLS was not enabled in this walkthrough, so the prompt in the screenshot below came over plain HTTP.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1425\" height=\"571\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2024\/06\/arkime-basic-auth.png?v=1717602305\" alt=\"Arkime login prompt\" class=\"wp-image-22675\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2024\/06\/arkime-basic-auth.png?v=1717602305 1425w, https:\/\/kifarunix.com\/wp-content\/uploads\/2024\/06\/arkime-basic-auth-768x308.png?v=1717602305 768w\" sizes=\"(max-width: 1425px) 100vw, 1425px\" \/><\/figure>\n\n\n\n<p>Upon successful authentication, you land on the Arkime web interface.<\/p>\n\n\n\n<p>Sample traffic sessions for the last hour.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1621\" height=\"850\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2024\/06\/traffic-sessions-arkime.png?v=1717602366\" alt=\"Arkime sessions view\" class=\"wp-image-22676\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2024\/06\/traffic-sessions-arkime.png?v=1717602366 1621w, https:\/\/kifarunix.com\/wp-content\/uploads\/2024\/06\/traffic-sessions-arkime-768x403.png?v=1717602366 768w, https:\/\/kifarunix.com\/wp-content\/uploads\/2024\/06\/traffic-sessions-arkime-1536x805.png?v=1717602366 1536w\" sizes=\"(max-width: 1621px) 100vw, 1621px\" \/><\/figure>\n\n\n\n<p>Arkime also has a built-in help page. 
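Added example for the TLS section above; it is not code from the article or from Arkime. Before enabling certFile and keyFile it is worth confirming that the certificate and key actually belong together and that the key is not readable by other local users: a mismatched pair only shows up as the viewer failing to start, and a readable key lets any local account impersonate the viewer. The POSIX shell script below does both checks with openssl and can also mint a self-signed pair for a lab sensor. The file names match the article's /opt/arkime/etc/arkime.cert and arkime.key; the self-signed helper is this example's own, not an Arkime tool, and production should use a CA-issued certificate.

```shell
#!/bin/sh
# Added example, not from the article or from Arkime: sanity-check the
# certificate/key pair the viewer will serve, and optionally generate a
# throwaway self-signed pair for a lab. Assumes openssl and GNU stat.

# pair_matches CERT KEY: exit 0 if the public key embedded in CERT equals the
# public key derived from KEY (both compared as PEM text).
pair_matches() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$c" = "$k" ]
}

# key_private KEY: exit 0 if KEY has no group/other permission bits.
key_private() {
    case $(stat -c '%a' "$1") in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# selfsigned DIR CN: write DIR/arkime.key and DIR/arkime.cert, a self-signed
# pair valid for a year, and lock the key down to the owner.
selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$2" \
        -keyout "$1/arkime.key" -out "$1/arkime.cert" 2>/dev/null
    chmod 600 "$1/arkime.key"
}

# check_viewer_tls CERT KEY: run both checks; exit 0 only if both pass.
check_viewer_tls() {
    pair_matches "$1" "$2" || { echo "cert/key mismatch: $1 / $2" >&2; return 1; }
    key_private "$2"       || { echo "key is readable by group/other: $2" >&2; return 1; }
    echo "ok: $1 and $2 form a usable pair"
}

# Typical use before restarting arkimeviewer:
#   check_viewer_tls /opt/arkime/etc/arkime.cert /opt/arkime/etc/arkime.key
```

Run the check as root after copying the files into place and before the restart; if it reports a mismatch, the viewer would have failed with a TLS error at startup.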
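Returning to the service ordering fix in the Running Arkime Services section: the two sed commands there edit the generated unit files in place and are not safe to rerun. As an added example, not code from the article or from Arkime, the POSIX shell script below applies the same After=/Requires= ordering as a systemd drop-in override, which is idempotent (rerunning rewrites the same file) and survives the unit file being regenerated. The drop-in file name is an arbitrary choice of this example; the unit names are the ones the article uses.

```shell
#!/bin/sh
# Added example, not part of the article or of Arkime: order arkimecapture
# and arkimeviewer after elasticsearch.service with a systemd drop-in instead
# of editing the generated unit files. Assumes the unit names the article uses.

# write_dropin ROOT UNIT DEP: create ROOT/UNIT.d/10-after-elasticsearch.conf
# ordering UNIT after DEP and binding it to DEP. ROOT is /etc/systemd/system
# on a real host; the self-check passes a temporary directory.
write_dropin() {
    root=$1 unit=$2 dep=$3
    dir="$root/$unit.d"
    mkdir -p "$dir"
    cat > "$dir/10-after-elasticsearch.conf" <<EOF
[Unit]
After=$dep
Requires=$dep
EOF
}

# dropin_ok ROOT UNIT DEP: exit 0 if the drop-in exists and carries exactly
# one After= and one Requires= line naming DEP.
dropin_ok() {
    f="$1/$2.d/10-after-elasticsearch.conf"
    [ -f "$f" ] || return 1
    [ "$(grep -c "^After=$3\$" "$f")" -eq 1 ] || return 1
    [ "$(grep -c "^Requires=$3\$" "$f")" -eq 1 ] || return 1
}

# apply: install the drop-ins for both Arkime units, reload systemd and show
# the merged ordering so the change can be verified.
apply() {
    for u in arkimecapture.service arkimeviewer.service; do
        write_dropin /etc/systemd/system "$u" elasticsearch.service
        dropin_ok /etc/systemd/system "$u" elasticsearch.service || exit 1
    done
    systemctl daemon-reload
    systemctl show -p After,Requires arkimecapture.service arkimeviewer.service
}

# Typical use on the sensor: run as root, then `apply`.
```

After `apply`, the output of `systemctl show -p After,Requires` lists elasticsearch.service for both units; because the override lives in a separate file, a fresh copy of the unit file does not undo it.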
Click the Arkime icon at the top left corner.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1625\" height=\"853\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2024\/06\/arkime-help-page.png?v=1717602415\" alt=\"Arkime help page\" class=\"wp-image-22677\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2024\/06\/arkime-help-page.png?v=1717602415 1625w, https:\/\/kifarunix.com\/wp-content\/uploads\/2024\/06\/arkime-help-page-768x403.png?v=1717602415 768w, https:\/\/kifarunix.com\/wp-content\/uploads\/2024\/06\/arkime-help-page-1536x806.png?v=1717602415 1536w\" sizes=\"(max-width: 1625px) 100vw, 1625px\" \/><\/figure>\n\n\n\n<p>That is how to install Arkime with Elasticsearch 8 on Ubuntu 24.04.<\/p>\n\n\n\n<p>You can now mirror network traffic to the capture interface for analysis.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"reference\">Reference<\/h3>\n\n\n\n<p><a href=\"https:\/\/raw.githubusercontent.com\/arkime\/arkime\/master\/release\/README.txt\" target=\"_blank\" rel=\"noreferrer noopener\">Arkime Installation README.txt<\/a><\/p>\n\n\n\n<p>Arkime Demo (Credentials: <strong>arkime:arkime<\/strong>)<\/p>\n\n\n\n<p><a href=\"https:\/\/demo.arkime.com\/?date=-1\" target=\"_blank\" rel=\"noreferrer noopener\">Arkime Demo<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>This tutorial provides a step by step guide on how to install Arkime with Elasticsearch 8 on Ubuntu 24.04.\u00a0Arkime, formerly known as Moloch, is 
a<\/p>\n","protected":false},"author":10,"featured_media":10915,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_lock_modified_date":false,"footnotes":""},"categories":[72,121,34],"tags":[3184,7513,5464,7512],"class_list":["post-22671","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-monitoring","category-howtos","category-security","tag-arkime","tag-arkime-and-elasticsearch-8","tag-elasticsearch-8","tag-install-arkime-ubuntu-24-04","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-50","resize-featured-image"],"_links":{"self":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/22671"}],"collection":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/users\/10"}],"replies":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/comments?post=22671"}],"version-history":[{"count":7,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/22671\/revisions"}],"predecessor-version":[{"id":22682,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/22671\/revisions\/22682"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media\/10915"}],"wp:attachment":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media?parent=22671"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/categories?post=22671"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/tags?post=22671"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}