Installation

Quick Install

curl -fsSL https://docs.rockfishndr.com/install.sh | bash

The installer auto-detects your platform and installs via the appropriate method:

  • Debian/Ubuntu: APT repository (recommended)
  • Other Linux: Docker or binary
  • macOS: Docker or binary

Options:

# Install specific version
# (the variable is set on the bash side of the pipe, because bash runs the installer, not curl)
curl -fsSL https://docs.rockfishndr.com/install.sh | ROCKFISH_VERSION=1.0.0 bash

# Force specific installation method
curl -fsSL https://docs.rockfishndr.com/install.sh | ROCKFISH_METHOD=apt bash
curl -fsSL https://docs.rockfishndr.com/install.sh | ROCKFISH_METHOD=docker bash

APT Repository (Debian/Ubuntu)

The recommended installation method for Debian-based systems. Enables automatic updates via apt-get upgrade.

Add Repository

# 1. Download and install the GPG key
curl -fsSL https://repo.rockfishndr.com/apt/rockfish-archive-keyring.gpg | \
  sudo gpg --dearmor -o /usr/share/keyrings/rockfish-archive-keyring.gpg

# 2. Add the repository
echo "deb [signed-by=/usr/share/keyrings/rockfish-archive-keyring.gpg] https://repo.rockfishndr.com/apt stable main" | \
  sudo tee /etc/apt/sources.list.d/rockfish.list

# 3. Update and install
sudo apt-get update
sudo apt-get install rockfishtoolkit

Update

sudo apt-get update
sudo apt-get upgrade rockfishtoolkit

System Requirements

  • Operating System: Debian 11+, Ubuntu 20.04+, or Docker-compatible host
  • Architecture: x86_64 (amd64), ARM64 (arm64)
  • Memory: 2GB minimum (4GB+ recommended for high-traffic networks)
  • Storage: Depends on retention policy (10GB minimum)

Installation Directory Structure

Rockfish NDR is installed to /opt/rockfish:

/opt/rockfish/
├── bin/        # Compiled binaries
├── etc/        # Configuration files
├── lib/        # DuckDB extensions and libraries
└── example/    # Example systemd services and configs

System Directories

Path                      Description
/opt/rockfish/bin/        Rockfish binaries
/opt/rockfish/etc/        Configuration directory
/opt/rockfish/example/    Example configs and systemd services
/var/lib/rockfish/        Data directory
/var/log/rockfish/        Log directory
/var/run/rockfish/        Runtime directory

Configuration

Configuration File

# Copy or create configuration
sudo cp /opt/rockfish/example/rockfish.yaml.example /opt/rockfish/etc/rockfish.yaml

Rockfish searches for configuration in this order:

  1. --config <path> (CLI argument)
  2. ./rockfish.yaml
  3. /etc/rockfish/rockfish.yaml
  4. ~/.config/rockfish/rockfish.yaml

Environment File

Credentials and secrets are stored in an environment file:

# Create environment file
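# (written with sudo tee, like the sudo cp above, because /opt/rockfish/etc is installed by the package)
sudo tee /opt/rockfish/etc/rockfish.env > /dev/null << 'EOF'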
ROCKFISH_S3_BUCKET=rockfish-data
ROCKFISH_S3_REGION=us-east-1
AWS_ACCESS_KEY_ID=...
AWS_SECRET_ACCESS_KEY=...
ABUSEIPDB_API_KEY=...
EOF
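
An added example, not part of the Rockfish documentation: the environment file holds cloud and API credentials, so this script writes it owner-only and audits its mode and contents before the service is started. The function names are hypothetical, and the script assumes the file is read by root (for instance through a systemd EnvironmentFile= directive) and that all three keys are required.

```bash
#!/usr/bin/env bash
# Added example, not Rockfish code. Assumptions: the env file is read by root,
# and all three secrets below are required. Function names are hypothetical.
SECRET_KEYS="AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY ABUSEIPDB_API_KEY"

# write_env_file <path>: copy KEY=VALUE lines from stdin into <path>. The data
# goes to a 0600 temp file first, so it is never readable by other users.
write_env_file() {
  local path="$1" tmp
  tmp=$(mktemp "${path}.XXXXXX") || return 1   # mktemp creates the file 0600
  if cat > "$tmp" && chmod 600 "$tmp" && mv -f "$tmp" "$path"; then
    return 0
  fi
  rm -f "$tmp"
  return 1
}

# audit_env_file <path>: print findings; return 0 clean, 1 findings, 2 unreadable.
audit_env_file() {
  local path="$1" mode key value rc=0
  [ -f "$path" ] || { echo "missing: $path"; return 2; }
  # GNU stat first, BSD/macOS stat as the fallback.
  mode=$(stat -c '%a' "$path" 2>/dev/null || stat -f '%Lp' "$path" 2>/dev/null)
  [ -n "$mode" ] || { echo "cannot stat: $path"; return 2; }
  # Any group or other permission bit exposes the secrets to local users.
  if [ $(( 0$mode & 077 )) -ne 0 ]; then
    echo "FAIL mode $mode: group/other can access $path"; rc=1
  fi
  for key in $SECRET_KEYS; do
    value=$(sed -n "s/^${key}=//p" "$path" | tail -n 1)
    case "$value" in
      ''|'...') echo "FAIL $key is unset or still the '...' placeholder"; rc=1 ;;
    esac
  done
  return $rc
}

# Demo on a constructed file in a temp directory (values are made up).
demo_dir=$(mktemp -d)
printf '%s\n' 'AWS_ACCESS_KEY_ID=constructed-id' 'AWS_SECRET_ACCESS_KEY=...' \
  'ABUSEIPDB_API_KEY=constructed-key' | write_env_file "$demo_dir/rockfish.env"
audit_env_file "$demo_dir/rockfish.env" || echo "audit reported findings"
rm -rf "$demo_dir"
```

For the real file, run both functions as root against /opt/rockfish/etc/rockfish.env.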

Systemd Services

The package installs systemd service files to /lib/systemd/system/. To enable and start a service:

# Reload systemd to pick up new service files
sudo systemctl daemon-reload

# Enable service to start on boot
sudo systemctl enable rockfish

# Start the service
sudo systemctl start rockfish

# Check status
sudo systemctl status rockfish

# View logs
sudo journalctl -u rockfish -f

Docker Installation

Pull the Rockfish NDR image from Docker Hub:

docker pull rockfishnetworks/toolkit:latest

The toolkit image includes the Rockfish binary with all features enabled.

Running Rockfish (Ingest Mode)

docker run -d \
  --name rockfish \
  -v /opt/rockfish/etc:/opt/rockfish/etc:ro \
  -v /data/rockfish:/data/rockfish \
  -p 3000:3000 \
  -p 8082:8082 \
  rockfishnetworks/toolkit:latest \
  rockfish ingest --socket /var/run/suricata/eve.sock

Port    Service
3000    MCP server
8082    Chat server

Docker Compose

Example docker-compose.yml:

version: '3.8'

services:
  rockfish:
    image: rockfishnetworks/toolkit:latest
    ports:
      - "3000:3000"
      - "8082:8082"
    volumes:
      - ./config:/opt/rockfish/etc:ro
      - ./data:/data/rockfish
    command: ["rockfish", "ingest", "--socket", "/var/run/suricata/eve.sock"]
    restart: unless-stopped

Verify Installation

# Check version
rockfish --version

# Show configuration and features
rockfish config

Uninstalling

APT Package

# Remove package (keeps configuration)
sudo apt-get remove rockfishtoolkit

# Remove package and configuration
sudo apt-get purge rockfishtoolkit

# Remove repository
sudo rm /etc/apt/sources.list.d/rockfish.list
sudo rm /usr/share/keyrings/rockfish-archive-keyring.gpg

Docker

docker stop rockfish
docker rm rockfish
docker rmi rockfishnetworks/toolkit:latest
