An easy and powerful way of installing MineMeld is using the MineMeld Docker image. A Docker-based installation of MineMeld can run on any Linux distribution supported by Docker, and it is extremely easy to upgrade and maintain.
The procedure to use MineMeld is pretty simple:
The rest of the article will guide you through installing Docker CE on RHEL 7 and running MineMeld on top of it. Only the first part, installing Docker on RHEL, is RHEL specific. The second part, about MineMeld itself, is distribution independent.
sudo yum update -y
sudo yum remove docker docker-client docker-client-latest docker-common docker-latest docker-latest-logrotate docker-logrotate docker-engine
sudo yum install -y http://mirror.centos.org/centos/7/extras/x86_64/Packages/container-selinux-2.107-1.el7_6.noarch.rpm
sudo yum install -y yum-utils device-mapper-persistent-data lvm2 container-selinux
sudo yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
sudo yum update -y && sudo yum makecache fast
sudo yum install docker-ce docker-ce-cli containerd.io
sudo systemctl start docker
sudo docker run hello-world
sudo docker pull paloaltonetworks/minemeld
sudo docker volume create minemeld-logs
sudo docker volume create minemeld-local
sudo docker run -dit --name minemeld --restart unless-stopped --tmpfs /run -v minemeld-local:/opt/minemeld/local -v minemeld-logs:/opt/minemeld/log -p 443:443 -p 80:80 paloaltonetworks/minemeld
[ec2-user@minemeld ~]$ sudo docker logs minemeld
*** Running /etc/rc.local...
*** Booting runit daemon...
*** Runit started as PID 7
minemeld: checking if dependencies are running...
run: redis: (pid 18) 0s
run: collectd: (pid 19) 0s
Copying constraints
Starting redis-server...
Regenarating CA bundle
Sep 18 14:07:31 d0b5d1fbc102 syslog-ng[20]: syslog-ng starting up; version='3.5.6'
2019-09-18T14:07:31 (35)cacert_merge.main INFO: config: {'cafile': ['/opt/minemeld/local/certs/site/'], 'dst': '/opt/minemeld/local/certs/bundle.crt', 'config': '/opt/minemeld/local/certs/cacert-merge-config.yml', 'no_merge_certifi': False}
(integer) 0
Starting minemeld...
/opt/minemeld/engine/0.9.64/local/lib/python2.7/site-packages/supervisor/options.py:383: PkgResourcesDeprecationWarning: Parameters to load are deprecated. Call .resolve and .require separately.
  return pkg_resources.EntryPoint.parse("x="+spec).load(False)
2019-09-18 14:07:32,153 CRIT Set uid to user 106
2019-09-18 14:07:32,154 WARN Included extra file "/opt/minemeld/supervisor/config/conf.d/minemeld-engine.conf" during parsing
2019-09-18 14:07:32,154 WARN Included extra file "/opt/minemeld/supervisor/config/conf.d/minemeld-supervisord-listener.conf" during parsing
2019-09-18 14:07:32,154 WARN Included extra file "/opt/minemeld/supervisor/config/conf.d/minemeld-traced.conf" during parsing
2019-09-18 14:07:32,154 WARN Included extra file "/opt/minemeld/supervisor/config/conf.d/minemeld-web.conf" during parsing
2019-09-18 14:07:32,164 INFO RPC interface 'supervisor' initialized
2019-09-18 14:07:32,164 CRIT Server 'unix_http_server' running without any HTTP authentication checking
2019-09-18 14:07:32,164 INFO supervisord started with pid 21
2019-09-18 14:07:33,167 INFO spawned: 'minemeld-supervisord-listener' with pid 60
2019-09-18 14:07:33,168 INFO spawned: 'minemeld-engine' with pid 61
2019-09-18 14:07:33,170 INFO spawned: 'minemeld-traced' with pid 62
2019-09-18 14:07:33,172 INFO spawned: 'minemeld-web' with pid 63
2019-09-18 14:07:34,322 INFO success: minemeld-supervisord-listener entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
2019-09-18 14:07:34,322 INFO success: minemeld-traced entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
2019-09-18 14:07:34,322 INFO success: minemeld-web entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
2019-09-18 14:08:03,191 INFO success: minemeld-engine entered RUNNING state, process has stayed up for > than 30 seconds (startsecs)
You can check the MineMeld engine and MineMeld audit logs from outside the container. Inspect the minemeld-logs volume to find the directory the Docker engine uses to store the volume files; your logs will be there.
[ec2-user@minemeld ~]$ sudo docker inspect minemeld-logs
[
    {
        "CreatedAt": "2019-09-18T10:07:32-04:00",
        "Driver": "local",
        "Labels": {},
        "Mountpoint": "/var/lib/docker/volumes/minemeld-logs/_data",
        "Name": "minemeld-logs",
        "Options": {},
        "Scope": "local"
    }
]
[ec2-user@minemeld ~]$ sudo ls /var/lib/docker/volumes/minemeld-logs/_data
minemeld-engine-stderr---supervisor-PV9ZPJ.log  minemeld-supervisord-listener.log  minemeld-web-stderr---supervisor-cXauy4.log
minemeld-engine.log  minemeld-traced-stderr---supervisor-4V3T4E.log  minemeld-web.log
minemeld-supervisord-listener-stdout---supervisor-T3Wfwi.log  minemeld-traced.log  supervisord.log
The config directory in the minemeld-local volume contains all the files needed to restore the MineMeld installation. You can back up the files by inspecting the volume and backing up the config directory.
[ec2-user@minemeld ~]$ sudo docker inspect minemeld-local
[
    {
        "CreatedAt": "2019-09-18T10:03:12-04:00",
        "Driver": "local",
        "Labels": {},
        "Mountpoint": "/var/lib/docker/volumes/minemeld-local/_data",
        "Name": "minemeld-local",
        "Options": {},
        "Scope": "local"
    }
]
[ec2-user@minemeld ~]$ sudo ls /var/lib/docker/volumes/minemeld-local/_data
certs  config  data  library  prototypes  redis  supervisor  trace
To upgrade to the latest and greatest release:
sudo docker pull paloaltonetworks/minemeld
sudo docker stop minemeld
sudo docker rm minemeld
sudo docker run -dit --name minemeld --restart unless-stopped --tmpfs /run -v minemeld-local:/opt/minemeld/local -v minemeld-logs:/opt/minemeld/log -p 443:443 -p 80:80 paloaltonetworks/minemeld
The default certificate used by MineMeld is a self-signed certificate. You should change it when running in production. To do so, mount your own certificate and private key over the default certificate files:
sudo docker run -dit \
--name minemeld \
--restart unless-stopped \
--tmpfs /run \
-v minemeld-local:/opt/minemeld/local \
-v minemeld-logs:/opt/minemeld/log \
-v /var/lib/minemeld/real-cert.crt:/etc/nginx/minemeld.cer:ro \
-v /var/lib/minemeld/real-cert.pem:/etc/nginx/minemeld.pem:ro \
-p 443:443 -p 80:80 \
paloaltonetworks/minemeld
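The config directory backup described above, together with the upgrade steps (stop, remove, re-run the container), is easiest to make routine with a small script. The following is an added example, not part of the original post: it resolves the volume's mountpoint the same way `docker inspect` shows it, archives the config directory, and offers a quick listing check of the archive. It assumes the volume name `minemeld-local` from the post, that `tar` and `docker` are installed, and a backup destination of `/var/backups/minemeld` (an assumption).

```shell
#!/bin/sh
# Added example (not from the original post). Back up the config directory of the
# minemeld-local volume before an upgrade. Assumes the volume name used in the post.

# Resolve the host directory backing a named Docker volume
# (the "Mountpoint" field of `docker volume inspect`).
volume_mountpoint() {
    sudo docker volume inspect -f '{{ .Mountpoint }}' "$1"
}

# Archive <mountpoint>/config into a timestamped tarball under <dest_dir>.
# Kept separate from volume_mountpoint so it can be exercised without Docker.
backup_config_dir() {
    mountpoint="$1"
    dest_dir="$2"
    [ -d "$mountpoint/config" ] || { echo "no config dir under $mountpoint" >&2; return 1; }
    mkdir -p "$dest_dir"
    archive="$dest_dir/minemeld-config-$(date +%Y%m%dT%H%M%S).tar.gz"
    # -C makes the archive hold a relative "config/..." tree, so it restores in place
    tar -C "$mountpoint" -czf "$archive" config || return 1
    # config holds feed credentials and API keys; keep the archive owner-readable only
    chmod 600 "$archive"
    echo "$archive"
}

# Cheap integrity check: does the archive list the given member path?
archive_has() {
    tar -tzf "$1" | grep -qx "$2"
}

# Full flow against the real volume: resolve mountpoint, then archive.
backup_minemeld() {
    mp=$(volume_mountpoint minemeld-local) || return 1
    backup_config_dir "$mp" "${1:-/var/backups/minemeld}"
}
```

Run `backup_minemeld` before `docker pull` and `docker rm` in the upgrade sequence; restoring is `tar -C <mountpoint> -xzf <archive>` with the container stopped.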
Thanks @lmori, this looks great, I may give it a go. I am at that point where I'm about to build our MineMeld solution. I have successfully created a 16.04 Ubuntu build using Ansible in our Dev environment. All other distros are listed as "Still experimental" on the MineMeld site.
How stable is the Docker install? I'd be interested in what you would recommend.
@Potato-soup It is stable, it is being used in production.
I can confirm this will work on Ubuntu as well. Get docker running on Ubuntu using the instructions below. Then follow the instructions from Install & Run MineMeld.
https://docs.docker.com/install/linux/docker-ce/ubuntu/
Great article @lmori
Thank you to Ksampson and Lmori. Following the provided instructions I was able to install MineMeld within Ubuntu 18.04.1 LTS and have it properly function. I have been attempting to replace my Ubuntu 14.x MineMeld install and these were the only instructions which actually worked.
It doesn't look like port 13514 is being exposed for the syslog miner. Does the docker container support the syslog miner in this article?
Hello
I am running Ubuntu 18.04.3 LTS and have MineMeld installed and running in Docker, however I cannot get my new certificate into the container and replace the self-signed certificates for MineMeld. I have tried SCP/WinSCP/SFTP; I just can't seem to get my new certificates in the correct location. #nearlythere! Can anyone point me in the right direction? I am a total novice with Docker, please bear with me!
Hello all,
So I am able to get the cert there now
However, I have an issue now: I can't restart the NGINX service.
root@4416471727a8:/etc/nginx# sudo /etc/init.d/nginx restart
* Restarting nginx nginx [fail]
This happens even if I do a fresh rebuild of the docker. Has anyone else had this issue? I can't see any issues?
Any help or ideas would be great