topic Re: MineMeld sudden_death...how does it work? in General Topics

MineMeld sudden_death...how does it work?

BRosenba — Fri, 14 Jul 2017 15:31:26 GMT

I need some help understanding the sudden_death behavior with a MineMeld miner/prototype.

From the documentation[1], I understand that sudden_death is designed to immediately age out indicators when they disappear from a feed.

Is it comparing the current indicator list to the latest run of the feed, recording indicators in the current list but no longer in the feed and then setting to age out at the next age out? If so, what happens if the indicator appears in a subsequent run of the feed? Will it be added back to the list of indicators, or is excluded because it previously disappeared?

Thanks for your help understanding.

[1] - https://live.paloaltonetworks.com/t5/MineMeld-Articles/Configuring-nodes/ta-p/77185

Re: MineMeld sudden_death...how does it work?

BPry — Fri, 14 Jul 2017 19:44:10 GMT

@BRosenba,

If you have it set to sudden_death:true and the run is missing an indicator currently in the miner then the EMIT_WITHDRAW is immeditely issued and the indicator is removed from the miner.

If an IP is listed on the next pull then it will be given a new age_out run number. The process continues until the indicator is no longer listed in the feed that the miner node is looking at.

Generally I would say that sudden_death and age_out are not usually used in conjunction with each other, or at the very least it's ineffective to use both depending on what you are doing. If you have age_out:3d for example the indicator is going to be removed after 3 days but if it's still in the listing it will just get added to the list of indicators again. If you have sudden_death:true then the indicator will be removed whenever the miner completes a run and the indicator is now missing. If you have both enabled essentially you only have a sudden_death configuration because the listing is just going to get readded until it gets removed from the list that you are polling.

Re: MineMeld sudden_death...how does it work?

BRosenba — Fri, 14 Jul 2017 20:14:00 GMT

@BPry

Thanks, that seems logical. That moves me on to my next troubleshooting step.

I created a separate thread for this[1], but are you aware of any way to debug a specific miner?

I'd like to see the command that is running when a particular miner is connecting so that I can verify that it isn't the miner that is contributing to what appears to be a much smaller number of indicators than expected the miner with sudden_death:true.

[1] - https://live.paloaltonetworks.com/t5/General-Topics/MineMeld-debugging-miner/m-p/166625

Re: MineMeld sudden_death...how does it work?

BPry — Sun, 16 Jul 2017 23:53:43 GMT

@BRosenba,

I don't know a way to actually debug a miner node in the way that you are asking, if you could post the actual configuration that you are using I could take a look at it and see if anything sticks out.