A simple question, I hope. How do I change the default timeout for a certain miner - panos syslog miner in may case.
I'd like to change the timeout to be 30 days, rather then an hour or so that seems to be set now. I could not find a way to make change through the GUI, I figure one of the config files needs editing?
Solved! Go to Solution.
@LucaMarchiori : You must create a new prototype out of the SyslogMiner one and add an "age_out" object in the config section with a default interval value of "first_seen+30d"
config: age_out: default: first_seen+30d interval: 3600
More info on age_policy and other node configuration attributes at https://live.paloaltonetworks.com/t5/MineMeld-Articles/Configuring-nodes/ta-p/77185
@xhoms: Sorry I think I spoke too soon. I created a new local prototype with confidence 80, and added the section you provided. Everything worked, except records kept being aged out in a little over an hour (unless they are cought again by a rule in the meantime). So basically the age_out statemement was not being applied.
This is what the config file (/opt/minemeld/local/prototypes/minemeldlocal.yml) looked like:
author: minemeld-web description: Local prototype library managed via MineMeld WebUI prototypes: stdlib_syslogMiner_local: class: minemeld.ft.syslog.SyslogMiner config: attributes: confidence: 80 share_level: green config: age_out: default: first_seen+30d interval: 3600 sudden_death: false source_name: panos.syslog description: 'Miner for PAN-OS syslog messages ' development_status: EXPERIMENTAL indicator_types: - URL - IPv4 - IPv6 node_type: miner tags: - ConfidenceHigh
I thought the problem was that I goofed out, and inserted an extra "config:" in the... config section, so I've tried editing out that extra "config:" line:
author: minemeld-web description: Local prototype library managed via MineMeld WebUI prototypes: stdlib_syslogMiner_Local: class: minemeld.ft.syslog.SyslogMiner config: age_out: default: first_seen+30d interval: 1800 sudden_death: false attributes: confidence: 80 share_level: green source_name: panos.syslog description: 'Miner for PAN-OS syslog messages ' development_status: EXPERIMENTAL indicator_types: - URL - IPv4 - IPv6 node_type: miner tags: - ConfidenceHigh
Unfortunately, with the edited minemeldlocal.yml (above), the Minemeld engine is not happy, and refuses to start. It just goes through a couple of starting /
backup backoff cycles and then gives up. To summarize: config one everything works, except age_out (still one hour); config two MMeld engine does not start.
Before I started editing the config file, I looked for a way to change the local protoype from the WebUI, but could not find it. It's very possible I'm just having a senior moment, :)
@LucaMarchiori: My fault. I didn't check before posting. I've just realized like SyslogMiner class extends Base (not BasePoller) so the sudden_death attribute in the age_out policy is not supported. I just checked that the following prototype do instantiates correctly.
Do you mean cloning this one?
By the way: the current WebUI do not allow you changing the node configuration. The only moment it allows you to do so is at prototype->new time.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!