Install and configure Arkime on FreeBSD 12 / FreeBSD 13
Arkime (formerly Moloch) is a large-scale, open source, indexed packet capture and search system. It is available at https://arkime.com
Installing Arkime on FreeBSD is not officially supported, according to the Arkime page. It can be done, but it requires a bit of massaging.
It's fairly straightforward to get it running on FreeBSD. The key elements are getting the configure parameters right, plus a few other small modifications. One of the dependencies fails to build on FreeBSD (not an Arkime issue), but that can be worked around very easily.
Install required packages
pkg install wget curl pcre flex bison gettext e2fsprogs-libuuid glib gmake autotools git yara libmaxminddb libyaml node npm pkgconf
Download Arkime
From the Git repository
git clone https://github.com/arkime/arkime
cd arkime
Run autoconf
autoreconf --verbose --install --force
Configure and build Arkime
Fix broken Node dependency
The Node dependency node-iptrie is broken on FreeBSD. The original Git repo for this has a pending pull request, but the repo has not been updated in quite some time.
I'm not super familiar with Node, so there is likely a better way to do this. For now I've just edited package.json to pull a build from a fixed repository (this repository is identical to the original, but with the FreeBSD fix applied) and run npm install to update the package-lock.json file.
The steps are:
- Edit package.json in the wiseService directory
- Find the line for https://github.com/awick/node-iptrie
- Replace it with https://github.com/tribalchicken/node-iptrie
You can also do that with sed:
cd wiseService
sed -i '' 's/\/github.com\/awick\/node-iptrie/\/github.com\/tribalchicken\/node-iptrie/g' package.json
Once package.json has been modified, run:
npm install
Then move back to the original directory:
cd ..
Download and build Yara
The easybutton-build.sh script usually builds Yara for you. I tried building Arkime with the latest Yara included in the FreeBSD packages (4.0.5), but the linker complained. It's possible that it could be made to work, but I suspect there is also a reason that the Arkime devs specifically call for Yara 4.0.2.
Steps adapted from the original build script:
mkdir -p thirdparty/yara
wget https://github.com/VirusTotal/yara/archive/v4.0.2.tar.gz -O thirdparty/yara/yara-4.0.2.tar.gz
cd thirdparty/yara ; tar zxf yara-4.0.2.tar.gz
cd yara-4.0.2; ./bootstrap.sh ; ./configure --enable-static; make
cd ../../../
Run configure
./configure CFLAGS="-I/usr/local/include -I/usr/local/include/glib-2.0 -I/usr/local/include/glib-2.0/include -I/usr/local/lib/glib-2.0/include" LDFLAGS="-L/usr/local/lib" --with-yara=thirdparty/yara/yara-4.0.2 GLIB2_CFLAGS="-I/usr/local/include -I/usr/local/include/glib-2.0 -I/usr/local/lib/glib-2.0/include" GLIB2_LIBS="-L/usr/local/lib"
Update Makefile
Some small modifications to the Makefile are needed to make this work. BSD install doesn't support the -D flag, so we simply remove it.
sed -i '' 's/install -c -D/install -c/g' Makefile
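As an added example (not from the original post), the script below applies the two source edits described above, the node-iptrie repoint in wiseService/package.json and the install -D removal in the Makefile, and checks that each pattern was actually present, since sed -i exits 0 even when nothing matched and npm install would then still pull the broken original. It writes through a temp file instead of sed -i so the same code runs under BSD and GNU sed; the package.json and Makefile it creates are constructed stand-ins, not the real files.

```sh
#!/bin/sh
# Added example, not part of the original write-up: apply the two FreeBSD
# source edits with verification. A bare `sed -i` exits 0 even when the text
# it was meant to change is not in the file, so each step is checked.
set -eu

OLD_IPTRIE='github.com/awick/node-iptrie'
NEW_IPTRIE='github.com/tribalchicken/node-iptrie'

# Number of lines in file $2 containing fixed string $1; 0 if the file is absent.
count_matches() {
    [ -f "$2" ] || { echo 0; return 0; }
    grep -c -F -- "$1" "$2" || true
}

# Replace fixed string $1 with $2 in file $3 via a temp file, so the same
# code works with BSD sed and GNU sed (their -i syntax differs).
replace_in_file() {
    sed "s|$1|$2|g" "$3" > "$3.tmp" && mv "$3.tmp" "$3"
}

# Point the node-iptrie dependency at the FreeBSD-fixed fork. Returns 1 when
# neither URL is present, so npm install is not run against the broken
# original by mistake; a second run is a no-op.
fix_iptrie_dep() {
    if [ "$(count_matches "$NEW_IPTRIE" "$1")" -gt 0 ]; then
        echo "$1: already references $NEW_IPTRIE"; return 0
    fi
    if [ "$(count_matches "$OLD_IPTRIE" "$1")" -eq 0 ]; then
        echo "$1: $OLD_IPTRIE not found, nothing rewritten" >&2; return 1
    fi
    replace_in_file "$OLD_IPTRIE" "$NEW_IPTRIE" "$1"
    [ "$(count_matches "$OLD_IPTRIE" "$1")" -eq 0 ]
}

# Drop the -D flag that BSD install rejects, then confirm none remain.
fix_makefile_install() {
    replace_in_file 'install -c -D' 'install -c' "$1"
    [ "$(count_matches 'install -c -D' "$1")" -eq 0 ]
}

# Constructed stand-ins for wiseService/package.json and the generated
# Makefile, containing just the strings the two fixes look for.
WORK=$(mktemp -d)
printf '{ "dependencies": { "iptrie": "git+https://github.com/awick/node-iptrie" } }\n' > "$WORK/package.json"
printf 'install:\n\tinstall -c -D viewer.js $(PREFIX)/viewer/\n' > "$WORK/Makefile"
fix_iptrie_dep "$WORK/package.json"
fix_makefile_install "$WORK/Makefile"
fix_iptrie_dep "$WORK/package.json"   # second run: already done, still exit 0
```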
Build
Make sure you use gmake:
gmake
Install
If that builds successfully, create the install directory and run gmake install:
mkdir -p /opt/arkime
gmake install
All going well, you should now be able to configure Arkime as usual and point it at your Elasticsearch instance. Follow the install instructions and run /opt/arkime/bin/Configure.
Init scripts
I use these init scripts to control arkimecapture and arkimeviewer on startup: https://github.com/tribalchicken/arkime-init-scripts