Arkime Docker image/container
This repository contains the files to build a Docker image of the Arkime software:
Ready to use Docker images can be pulled from https://hub.docker.com/r/mammo0/docker-arkime
To run this image a working Elasticsearch environment is required. Please stick to their documentation for setting this up. (E.g. for docker: https://www.elastic.co/guide/en/elasticsearch/reference/current/docker.html)
This image can be run with
docker run \
-e ES_HOST=elasticsearch \
-e ES_PORT 9200 \
-v <config_volume>:/data/config \
-v <pcap_volume>:/data/pcap \
-v <log_volume>:/data/logs \
mammo0/docker-arkime:<tag>These parameters are available:
| ENV VARIABLE | DEFAULT VALUE | NOTES |
|---|---|---|
| ES_HOST | elasticsearch | The hostname or IP address where Elasticsearch is running. |
| ES_PORT | 9200 | The port where Elasticsearch is reachable. |
| ARKIME_ADMIN_PASSWORD | admin | This is the password for the Arkime admin user that is needed for the first login. It can be changed afterwards. |
| ARKIME_INTERFACE | eth0 | Network interface where capture process listens. This feature is not tested yet! |
| ARKIME_HOSTNAME | localhost | With this hostname Arkime authenticates at Elasticsearch. So if you change this you'll lose your Elasticsearch configuration. |
| CAPTURE | off | Set to "on" to activate the capture process. This feature is not tested yet! |
| VIEWER | on | Set to "off" to deactivate the Arkime viewer. |
| VOLUME | CONTAINER PATH | NOTES |
|---|---|---|
| config_volume | /data/config | In this directory the Arkime configuration is saved. |
| pcap_volume | /data/pcap | In this directory the pcap files are saved that are generated by capture. |
| log_volume | /data/logs | In this directory the Arkime log files are saved. |
You can use docker-compose if you want to setup Elasticsearch together with Arkime in one step.
-
Please ensure you have done this step (otherwise Elasticsearch won't start): https://www.elastic.co/guide/en/elasticsearch/reference/current/vm-max-map-count.html
-
Run
chmod -R 777 es_dataORchown -R 1000:1000 es_data. This is needed for the Elasticsearch containers to be able to write to that direcotry.
Simply run
docker-compose upIt can take some time until the Elasticsearch instances are fully started.
The Arkime viewer instance can be accessed via
Assuming you don't changed the default port in the .env file.
To import existing pcap files have a look at scripts/arkime-parse-pcap-folder.sh script. It can be run within the running container:
docker exec -it <container_name> \
/data/arkime-parse-pcap-folder.sh -d <directory_with_pcap_files> -t <tag>If parameter -d is omitted, the script asks if you want to import the default direcotry /data/pcap.