MineMeld Articles

Manually install MineMeld on Ubuntu Server 16.04

by lmori on 03-12-2019 06:45 AM

An easy way to use MineMeld is to install the binary packages on an Ubuntu 16.04 instance.

 

Supported distributions

Ubuntu Server LTS 16.04

 

1. Hardening the instance

First, harden your new instance. MineMeld won't take care of this for you. A good tutorial is this one.

 

2. Update the instance

Update all the packages of the instance before installing.

sudo apt update && sudo apt dist-upgrade -y

3. Setting up iptables

You can use the following commands to configure iptables to allow sessions on the ports used by MineMeld. These rules also drop all IPv6 traffic; if you are running MineMeld in an IPv6 network, make sure you change the suggested rules.

 

sudo apt install -y iptables-persistent
sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
sudo iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
sudo iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
sudo iptables -A INPUT -p tcp -m tcp --dport 13514 -j ACCEPT
sudo iptables -A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
sudo iptables -A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
sudo iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
sudo iptables -A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
sudo iptables -P INPUT DROP
sudo iptables -P FORWARD DROP
sudo bash -c "iptables-save > /etc/iptables/rules.v4"
sudo ip6tables -A INPUT -i lo -j ACCEPT
sudo ip6tables -P INPUT DROP
sudo ip6tables -P FORWARD DROP
sudo bash -c "ip6tables-save > /etc/iptables/rules.v6"
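
A check for the rules above, as an added example that is not part of the original article: it reads iptables-save output and fails unless INPUT and FORWARD default to DROP and the accepted TCP ports are exactly the four opened in this step. The function names and the embedded sample dump are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original article): audit an iptables-save dump
# against the policy and ports configured in step 3.
EXPECTED_TCP_PORTS="22 80 443 13514"

# Constructed sample: abridged iptables-save output for the rules in step 3.
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 13514 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
COMMIT'

# chain_policy CHAIN: print the default policy of a built-in chain.
chain_policy() {
    awk -v chain=":$1" '$1 == chain { print $2; exit }'
}

# Print every TCP destination port that an INPUT rule ACCEPTs, sorted.
accepted_tcp_ports() {
    awk '$1 == "-A" && $2 == "INPUT" && $NF == "ACCEPT" {
        tcp = 0; port = ""
        for (i = 3; i < NF; i++) {
            if ($i == "-p" && $(i + 1) == "tcp") tcp = 1
            if ($i == "--dport") port = $(i + 1)
        }
        if (tcp && port != "") print port
    }' | sort -n | paste -s -d ' ' -
}

# audit_rules: read a dump on stdin; fail on a permissive default policy or
# on any accepted TCP port set other than the expected one.
audit_rules() {
    dump=$(cat)
    [ "$(printf '%s\n' "$dump" | chain_policy INPUT)" = "DROP" ] || return 1
    [ "$(printf '%s\n' "$dump" | chain_policy FORWARD)" = "DROP" ] || return 1
    ports=$(printf '%s\n' "$dump" | accepted_tcp_ports)
    [ "$ports" = "$EXPECTED_TCP_PORTS" ] || { echo "TCP ports open: $ports" >&2; return 1; }
}

# Usage on the host: sudo iptables-save | audit_rules
printf '%s\n' "$SAMPLE_RULES" | audit_rules && echo "sample rules match step 3"
```

Running it again after the reboot in step 8 confirms that iptables-persistent restored the saved rules.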

 

4. Adding the repo GPG key

Add the MineMeld repo GPG key to the APT trusted keyring:

 

 wget -qO - https://minemeld-updates.panw.io/gpg.key | sudo apt-key add -

 

Double-check the GPG key fingerprint to make sure it matches the official MineMeld GPG key (the fingerprint should match the Key fingerprint line in the output below):

 

apt-key adv --fingerprint DD0DA1F9
Executing: gpg --ignore-time-conflict --no-options --no-default-keyring --homedir /tmp/tmp.W74MaAG3pI --no-auto-check-trustdb --trust-model always --keyring /etc/apt/trusted.gpg --primary-keyring /etc/apt/trusted.gpg --fingerprint DD0DA1F9
pub 4096R/DD0DA1F9 2016-07-15
Key fingerprint = E558 CE6E 3968 0F31 8F6C BFAC B401 E02E DD0D A1F9
uid Palo Alto Networks, MineMeld Team <minemeld@paloaltonetworks.com>
[...]
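
The command in this step adds the key to the APT keyring before the fingerprint is inspected. The script below is an added example, not part of the original article or of MineMeld's tooling, that checks a downloaded key file first and calls apt-key only on a match; the function names are hypothetical, and it assumes gpg lists a key file given --with-colons --with-fingerprint.

```sh
#!/bin/sh
# Added example (not from the original article): trust a downloaded key file
# only if it holds exactly one primary key with the expected fingerprint.

# Fingerprint shown in step 4 of the article, spaces removed.
EXPECTED_FPR="E558CE6E39680F318F6CBFACB401E02EDD0DA1F9"

# Constructed sample of gpg colon-format output (subkey values are made up).
SAMPLE_LISTING='pub:-:4096:1:B401E02EDD0DA1F9:2016-07-15:::-:Palo Alto Networks, MineMeld Team <minemeld@paloaltonetworks.com>:
fpr:::::::::E558CE6E39680F318F6CBFACB401E02EDD0DA1F9:
sub:-:4096:1:AAAAAAAAAAAAAAAA:2016-07-15:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:'

# Print the fingerprint of each PRIMARY key in a colon-format listing on stdin.
# "fpr" records that follow a "sub" record belong to subkeys and are skipped.
primary_fprs() {
    awk -F: '
        $1 == "pub"         { want = 1; next }
        $1 == "sub"         { want = 0; next }
        $1 == "fpr" && want { print toupper($10); want = 0 }
    '
}

# key_matches FPR: succeed only if stdin lists exactly one primary key and its
# fingerprint is FPR. A file carrying an extra key prints two lines and fails.
key_matches() {
    fprs=$(primary_fprs)
    [ "$fprs" = "$1" ]
}

# verify_and_add FILE (hypothetical helper): list FILE without importing it,
# and pass it to apt-key only when the fingerprint check succeeds.
verify_and_add() {
    if gpg --with-colons --with-fingerprint "$1" 2>/dev/null |
        key_matches "$EXPECTED_FPR"; then
        sudo apt-key add "$1"
    else
        echo "fingerprint mismatch, key NOT added: $1" >&2
        return 1
    fi
}

# Usage: wget -qO /tmp/minemeld.key https://minemeld-updates.panw.io/gpg.key
#        sh verify-key.sh /tmp/minemeld.key
if [ "$#" -gt 0 ]; then verify_and_add "$1"; fi
```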

 

5. Adding the MineMeld APT repo

Add the MineMeld APT repo to the system list and update the apt cache:

 

sudo add-apt-repository "deb http://minemeld-updates.panw.io/ubuntu xenial-minemeld main"
sudo apt update

 

6. Installing nginx and redis

MineMeld requires nginx and redis. We have to install them before installing the MineMeld package to avoid configuration conflicts:

sudo apt install -y nginx redis-server

7. Installing MineMeld

Install the MineMeld infrastructure package via apt. This will also automatically trigger the download of the latest MineMeld packages. 

 

sudo apt install -o Dpkg::Options::="--force-overwrite" -y minemeld

8. Restart

We should restart the instance to make sure all the configurations are applied and all the services are started in the right order:

sudo shutdown -r now

9. Checking if MineMeld is running

Check if the 3 MineMeld services are up and running:

 

$ sudo -u minemeld /opt/minemeld/engine/current/bin/supervisorctl -c /opt/minemeld/local/supervisor/config/supervisord.conf status
minemeld-engine RUNNING pid 3727, uptime 0:08:50
minemeld-traced RUNNING pid 3728, uptime 0:08:50
minemeld-web RUNNING pid 3729, uptime 0:08:50
minemeld-supervisord-listener RUNNING pid 3730, uptime 0:08:50

 

10. BAM!

Done! Check the Quick Tour article to get started.

Comments
by Eshrak
on ‎03-12-2019 03:01 PM

Hello,

 

I am getting these errors after installing minemeld. System returned no error during install.

Any thoughts would be highly appreciated.

Thanks,

 

administrator@ubuntu:~$ sudo -u minemeld /opt/minemeld/engine/current/bin/supervisorctl -c /opt/minemeld/supervisor/config/supervisord.conf status
[sudo] password for administrator:
sudo: /opt/minemeld/engine/current/bin/supervisorctl: command not found
administrator@ubuntu:~$ ps -ef | grep mine
adminis+ 937 921 0 14:58 pts/0 00:00:00 grep --color=auto mine
administrator@ubuntu:~$ systemctl start minemeld
Failed to start minemeld.service: The name org.freedesktop.PolicyKit1 was not provided by any .service files
See system logs and 'systemctl status minemeld.service' for details.
administrator@ubuntu:~$ systemctl status minemeld.service
● minemeld.service - Process Monitoring and Control Daemon
Loaded: loaded (/lib/systemd/system/minemeld.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Tue 2019-03-12 14:57:54 PDT; 1min 32s ago
Process: 882 ExecStart=/opt/minemeld/engine/current/bin/supervisord -c /opt/minemeld/supervisor/config/supervisord.conf --pidfile /var/run/minemeld/minemeld.pid (code=exited, status=203/EXEC)
Process: 876 ExecStartPre=/bin/chown -R minemeld:minemeld /var/run/minemeld/ (code=exited, status=0/SUCCESS)
Process: 863 ExecStartPre=/bin/mkdir /var/run/minemeld (code=exited, status=0/SUCCESS)

Mar 12 14:57:54 ubuntu systemd[1]: Starting Process Monitoring and Control Daemon...
Mar 12 14:57:54 ubuntu systemd[1]: minemeld.service: Control process exited, code=exited status=203
Mar 12 14:57:54 ubuntu systemd[1]: Failed to start Process Monitoring and Control Daemon.
Mar 12 14:57:54 ubuntu systemd[1]: minemeld.service: Unit entered failed state.
Mar 12 14:57:54 ubuntu systemd[1]: minemeld.service: Failed with result 'exit-code'.

by lmori
on ‎03-13-2019 12:30 AM

Hi @Eshrak, it seems that the installer wasn't able to download the MM packages. Could you try running the following command? If you still have an error, please open a discussion.

sudo /usr/sbin/minemeld-auto-update

by Eshrak
on ‎03-13-2019 06:32 AM

Hi @lmori ,

 

I have a discussion open with the issue.

 

https://live.paloaltonetworks.com/t5/MineMeld-Discussions/Minemeld-install-errors-on-ubuntu-server-1...

 

Please advise.

 

Thanks!

by brian.mcdonald
on ‎04-24-2019 06:35 AM

Is Ubuntu 19.04 supported?

Getting the following error:

PLAY [minemeld playbook] ********************************************************************************************************************************************************************************************************************

TASK [Gathering Facts] **********************************************************************************************************************************************************************************************************************
ok: [127.0.0.1]

TASK [infrastructure : debug] ***************************************************************************************************************************************************************************************************************
ok: [127.0.0.1] => {
"msg": "Loading vars for Ubuntu 19.04"
}

TASK [infrastructure : include_vars] ********************************************************************************************************************************************************************************************************
fatal: [127.0.0.1]: FAILED! => {"msg": "No file was found when using with_first_found. Use the 'skip: true' option to allow this task to be skipped if no files are found"}
to retry, use: --limit @/home/brian/minemeld-ansible/local.retry

PLAY RECAP **********************************************************************************************************************************************************************************************************************************
127.0.0.1 : ok=2 changed=0 unreachable=0 failed=1

 

by lmori
a month ago

@brian.mcdonald Not tested yet on 19.04

by srogatnev
2 weeks ago

Awesome step by step instruction.

Pls add to preamble "Supported distribution" - "no apache/apache2/httpd service installed/running" 

It will save some time for those not so savvy in Linux.
