topic Re: How to change a miner timeout in General Topics

How to change a miner timeout

LucaMarchiori — Thu, 12 Oct 2017 20:47:30 GMT

Hi all,

A simple question, I hope. How do I change the default timeout for a certain miner - panos syslog miner in may case.

I'd like to change the timeout to be 30 days, rather then an hour or so that seems to be set now. I could not find a way to make change through the GUI, I figure one of the config files needs editing?

Thanks,

Luca

Re: How to change a miner timeout

xhoms — Fri, 13 Oct 2017 09:44:40 GMT

@LucaMarchiori : You must create a new prototype out of the SyslogMiner one and add an "age_out" object in the config section with a default interval value of "first_seen+30d"

config:
    age_out:
        default: first_seen+30d
        interval: 3600
        sudden_death: false

More info on age_policy and other node configuration attributes at https://live.paloaltonetworks.com/t5/MineMeld-Articles/Configuring-nodes/ta-p/77185

Re: How to change a miner timeout

LucaMarchiori — Fri, 13 Oct 2017 16:30:42 GMT

@xhoms: Thank you, that worked! Also changed the confidence level to 80.

Re: How to change a miner timeout

LucaMarchiori — Fri, 13 Oct 2017 22:16:50 GMT

@xhoms: Sorry I think I spoke too soon. I created a new local prototype with confidence 80, and added the section you provided. Everything worked, except records kept being aged out in a little over an hour (unless they are cought again by a rule in the meantime). So basically the age_out statemement was not being applied.

This is what the config file (/opt/minemeld/local/prototypes/minemeldlocal.yml) looked like:

author: minemeld-web
description: Local prototype library managed via MineMeld WebUI
prototypes:
    stdlib_syslogMiner_local:
        class: minemeld.ft.syslog.SyslogMiner
        config:
            attributes:
                confidence: 80
                share_level: green
            config:
                age_out:
                    default: first_seen+30d
                    interval: 3600
                    sudden_death: false
            source_name: panos.syslog
        description: 'Miner for PAN-OS syslog messages

            '
        development_status: EXPERIMENTAL
        indicator_types:
        - URL
        - IPv4
        - IPv6
        node_type: miner
        tags:
        - ConfidenceHigh

I thought the problem was that I goofed out, and inserted an extra "config:" in the... config section, so I've tried editing out that extra "config:" line:

author: minemeld-web
description: Local prototype library managed via MineMeld WebUI
prototypes:
    stdlib_syslogMiner_Local:
        class: minemeld.ft.syslog.SyslogMiner
        config:
            age_out:
                default: first_seen+30d
                interval: 1800
                sudden_death: false
            attributes:
                confidence: 80
                share_level: green
            source_name: panos.syslog
        description: 'Miner for PAN-OS syslog messages

            '
        development_status: EXPERIMENTAL
        indicator_types:
        - URL
        - IPv4
        - IPv6
        node_type: miner
        tags:
        - ConfidenceHigh

Unfortunately, with the edited minemeldlocal.yml (above), the Minemeld engine is not happy, and refuses to start. It just goes through a couple of starting / ~~backup~~ backoff cycles and then gives up. To summarize: config one everything works, except age_out (still one hour); config two MMeld engine does not start.

Before I started editing the config file, I looked for a way to change the local protoype from the WebUI, but could not find it. It's very possible I'm just having a senior moment, 🙂

Luca

Re: How to change a miner timeout

xhoms — Sun, 15 Oct 2017 13:28:39 GMT

@LucaMarchiori: My fault. I didn't check before posting. I've just realized like SyslogMiner class extends Base (not BasePoller) so the sudden_death attribute in the age_out policy is not supported. I just checked that the following prototype do instantiates correctly.

Do you mean cloning this one?

By the way: the current WebUI do not allow you changing the node configuration. The only moment it allows you to do so is at prototype->new time.

Re: How to change a miner timeout

LucaMarchiori — Mon, 16 Oct 2017 17:59:30 GMT

@xhoms It looks as though deleting the sudden_death line did the trick, thanks.

Luca