https://live.paloaltonetworks.com/t5/general-topics/aws-output-aggregator-with-unexpected-missing-indicators/m-p/156393#M98963 <P>Hello,</P> <P>&nbsp;</P> <P>I have a dev and prod instance of MM. &nbsp;Noticed both dev and prod behaving the same way, where many indicators were not showing up in output feed for AWS miners. &nbsp;Config on both is the following:</P> <P>&nbsp;</P> <PRE>nodes: aws_route53_miner: inputs: [] output: true prototype: aws.ROUTE53 aws_ipv4_output: inputs: - aws_ipv4_aggregator output: false prototype: stdlib.feedHCWithValue aws_s3_miner: inputs: [] output: true prototype: minemeldlocal.aws_S3 aws_ec2_miner: inputs: [] output: true prototype: aws.EC2 aws_amazon_miner: inputs: [] output: true prototype: aws.AMAZON aws_ipv4_aggregator: inputs: - aws_cloudfront_miner - aws_ec2_miner - aws_route53_miner - aws_route53_healthchecks_miner - aws_amazon_miner - aws_s3_miner output: true prototype: stdlib.aggregatorIPv4Generic aws_cloudfront_miner: inputs: [] output: true prototype: aws.CLOUDFRONT aws_route53_healthchecks_miner: inputs: [] output: true prototype: aws.ROUTE53_HEALTHCHECKS </PRE> <P>Dev/Prod both showed the same # of indicators on Nodes tab:</P> <P>&nbsp;</P> <P>aws_amazon_miner 511</P> <P>aws_cloudfront_miner 35</P> <P>aws_ec2_miner 222</P> <P>aws_route53_healthchecks_miner 16</P> <P>aws_route53_miner 2</P> <P>aws_s3_miner 62</P> <P>&nbsp;</P> <P>aws_ipv4_aggregator 323</P> <P>aws_ipv4_output 346</P> <P>&nbsp;</P> <P>I made a change in dev to take the aws_amazon_miner with 511 indicators straight to an output.</P> <P>&nbsp;</P> <PRE>nodes: aws_test_full_output: inputs: - aws_amazon_miner output: false prototype: stdlib.feedHCWithValue </PRE> <P>The result is that the issue is not seen on this output, but the original aggregator and output nodes also&nbsp;had the issue go away for the time being:</P> <P>&nbsp;</P> <P>aws_ipv4_aggregator 848</P> <P>aws_ipv4_output 577</P> <P>aws_test_full_output 511</P> <P>&nbsp;</P> <P>Was planning to go production with this AWS output next week. &nbsp;Need to vet out this issue asap.</P> <P>&nbsp;</P> <P>Attaching engine logs from both instances as well as copys of output feeds in multiple versions.</P> <P>&nbsp;</P> <P>prod &nbsp;0.9.36</P> <P>dev 0.9.38</P> <P>&nbsp;</P> Mon, 15 May 2017 15:17:14 GMT andrew.stanton 2017-05-15T15:17:14Z https://live.paloaltonetworks.com/t5/general-topics/aws-output-aggregator-with-unexpected-missing-indicators/m-p/156393#M98963 <P>Hello,</P> <P>&nbsp;</P> <P>I have a dev and prod instance of MM. &nbsp;Noticed both dev and prod behaving the same way, where many indicators were not showing up in output feed for AWS miners. &nbsp;Config on both is the following:</P> <P>&nbsp;</P> <PRE>nodes: aws_route53_miner: inputs: [] output: true prototype: aws.ROUTE53 aws_ipv4_output: inputs: - aws_ipv4_aggregator output: false prototype: stdlib.feedHCWithValue aws_s3_miner: inputs: [] output: true prototype: minemeldlocal.aws_S3 aws_ec2_miner: inputs: [] output: true prototype: aws.EC2 aws_amazon_miner: inputs: [] output: true prototype: aws.AMAZON aws_ipv4_aggregator: inputs: - aws_cloudfront_miner - aws_ec2_miner - aws_route53_miner - aws_route53_healthchecks_miner - aws_amazon_miner - aws_s3_miner output: true prototype: stdlib.aggregatorIPv4Generic aws_cloudfront_miner: inputs: [] output: true prototype: aws.CLOUDFRONT aws_route53_healthchecks_miner: inputs: [] output: true prototype: aws.ROUTE53_HEALTHCHECKS </PRE> <P>Dev/Prod both showed the same # of indicators on Nodes tab:</P> <P>&nbsp;</P> <P>aws_amazon_miner 511</P> <P>aws_cloudfront_miner 35</P> <P>aws_ec2_miner 222</P> <P>aws_route53_healthchecks_miner 16</P> <P>aws_route53_miner 2</P> <P>aws_s3_miner 62</P> <P>&nbsp;</P> <P>aws_ipv4_aggregator 323</P> <P>aws_ipv4_output 346</P> <P>&nbsp;</P> <P>I made a change in dev to take the aws_amazon_miner with 511 indicators straight to an output.</P> <P>&nbsp;</P> <PRE>nodes: aws_test_full_output: inputs: - aws_amazon_miner output: false prototype: stdlib.feedHCWithValue </PRE> <P>The result is that the issue is not seen on this output, but the original aggregator and output nodes also&nbsp;had the issue go away for the time being:</P> <P>&nbsp;</P> <P>aws_ipv4_aggregator 848</P> <P>aws_ipv4_output 577</P> <P>aws_test_full_output 511</P> <P>&nbsp;</P> <P>Was planning to go production with this AWS output next week. &nbsp;Need to vet out this issue asap.</P> <P>&nbsp;</P> <P>Attaching engine logs from both instances as well as copys of output feeds in multiple versions.</P> <P>&nbsp;</P> <P>prod &nbsp;0.9.36</P> <P>dev 0.9.38</P> <P>&nbsp;</P> Mon, 15 May 2017 15:17:14 GMT https://live.paloaltonetworks.com/t5/general-topics/aws-output-aggregator-with-unexpected-missing-indicators/m-p/156393#M98963 andrew.stanton 2017-05-15T15:17:14Z https://live.paloaltonetworks.com/t5/general-topics/aws-output-aggregator-with-unexpected-missing-indicators/m-p/156618#M98964 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/33044">@andrew.stanton</a>,</P> <P>thanks, this is a bug and will be fixed in the next release. Details here:&nbsp;<A href="https://github.com/PaloAltoNetworks/minemeld-core/issues/213" target="_blank">https://github.com/PaloAltoNetworks/minemeld-core/issues/213</A></P> <P>&nbsp;</P> <P>A workaround is forcing a flush and an update on the existing miner you just added to the aggregator:</P> <PRE>$ /opt/minemeld/engine/current/bin/mm-console signal flush aws_amazon_miner $ /opt/minemeld/engine/current/bin/mm-console hup aws_amazon_miner</PRE> Mon, 15 May 2017 09:03:10 GMT https://live.paloaltonetworks.com/t5/general-topics/aws-output-aggregator-with-unexpected-missing-indicators/m-p/156618#M98964 lmori 2017-05-15T09:03:10Z