How to change a miner timeout

L3 Networker

Hi all,

A simple question, I hope. How do I change the default timeout for a certain miner, the panos syslog miner in my case?

I'd like to change the timeout to be 30 days, rather than the hour or so that seems to be set now. I could not find a way to make the change through the GUI; I figure one of the config files needs editing?

 

Thanks,

Luca


L5 Sessionator

Re: How to change a miner timeout

@LucaMarchiori: You must create a new prototype out of the SyslogMiner one and add an "age_out" object in the config section with a default interval value of "first_seen+30d".

```yaml
config:
    age_out:
        default: first_seen+30d
        interval: 3600
        sudden_death: false
```

 

More info on age_policy and other node configuration attributes at https://live.paloaltonetworks.com/t5/MineMeld-Articles/Configuring-nodes/ta-p/77185

L3 Networker

Re: How to change a miner timeout

@xhoms: Thank you, that worked!  Also changed the confidence level to 80.

L3 Networker

Re: How to change a miner timeout

@xhoms: Sorry, I think I spoke too soon. I created a new local prototype with confidence 80, and added the section you provided. Everything worked, except records kept being aged out in a little over an hour (unless they are caught again by a rule in the meantime). So basically the age_out statement was not being applied.

 

This is what the config file (/opt/minemeld/local/prototypes/minemeldlocal.yml) looked like:

```yaml
author: minemeld-web
description: Local prototype library managed via MineMeld WebUI
prototypes:
    stdlib_syslogMiner_local:
        class: minemeld.ft.syslog.SyslogMiner
        config:
            attributes:
                confidence: 80
                share_level: green
            config:
                age_out:
                    default: first_seen+30d
                    interval: 3600
                    sudden_death: false
            source_name: panos.syslog
        description: 'Miner for PAN-OS syslog messages

            '
        development_status: EXPERIMENTAL
        indicator_types:
        - URL
        - IPv4
        - IPv6
        node_type: miner
        tags:
        - ConfidenceHigh
```

I thought the problem was that I goofed and inserted an extra "config:" in the... config section, so I've tried editing out that extra "config:" line:

```yaml
author: minemeld-web
description: Local prototype library managed via MineMeld WebUI
prototypes:
    stdlib_syslogMiner_Local:
        class: minemeld.ft.syslog.SyslogMiner
        config:
            age_out:
                default: first_seen+30d
                interval: 1800
                sudden_death: false
            attributes:
                confidence: 80
                share_level: green
            source_name: panos.syslog
        description: 'Miner for PAN-OS syslog messages

            '
        development_status: EXPERIMENTAL
        indicator_types:
        - URL
        - IPv4
        - IPv6
        node_type: miner
        tags:
        - ConfidenceHigh
```

Unfortunately, with the edited minemeldlocal.yml (above), the MineMeld engine is not happy, and refuses to start. It just goes through a couple of starting / backup backoff cycles and then gives up. To summarize: with config one everything works, except age_out (still one hour); with config two the MineMeld engine does not start.

 

Before I started editing the config file, I looked for a way to change the local prototype from the WebUI, but could not find it. It's very possible I'm just having a senior moment. :)

 

Luca

L5 Sessionator

Re: How to change a miner timeout

@LucaMarchiori: My fault. I didn't check before posting. I've just realized that the SyslogMiner class extends Base (not BasePoller), so the sudden_death attribute in the age_out policy is not supported. I just checked that the following prototype does instantiate correctly.

Do you mean cloning this one?

[image: Picture1.png]

By the way: the current WebUI does not allow you to change the node configuration. The only moment it allows you to do so is at prototype -> new time.

L3 Networker

Re: How to change a miner timeout

@xhoms: It looks as though deleting the sudden_death line did the trick, thanks.

 

Luca
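The two mistakes in this thread (an age_out block hidden under a doubled `config:` key, so it is silently ignored, and a `sudden_death` attribute that the SyslogMiner class rejects) are both easy to catch before restarting the engine. The following is an added example, not MineMeld's code and not from either poster: it lints a local prototype that has already been loaded into a dict (for instance with PyYAML's `safe_load`) and converts an age_out expression such as `first_seen+30d` into the timestamp at which an indicator would expire. The set of classes without `sudden_death` support, the accepted time units and the sample prototypes are assumptions constructed from what the thread states.

```python
"""Lint a MineMeld local prototype for the age_out mistakes seen in this thread.
Added example; assumes the YAML has already been loaded into a dict."""
import re
from datetime import datetime, timedelta

# Units this example understands in age_out expressions. Assumption: MineMeld's
# real grammar may accept more than these four.
_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}
_AGE_OUT_RE = re.compile(r"^(?P<base>first_seen|last_seen)\+(?P<n>\d+)(?P<unit>[smhd])$")

# Classes that extend Base rather than BasePoller and therefore have no
# sudden_death attribute in their age_out policy. Only SyslogMiner is listed,
# because that is the one the thread establishes.
_NO_SUDDEN_DEATH = {"minemeld.ft.syslog.SyslogMiner"}


def parse_age_out(expr):
    """Return (anchor_field, seconds) for a 'first_seen+30d' style expression."""
    m = _AGE_OUT_RE.match(str(expr).strip())
    if not m:
        raise ValueError(f"unrecognised age_out expression: {expr!r}")
    return m.group("base"), int(m.group("n")) * _UNITS[m.group("unit")]


def age_out_at(expr, first_seen_iso, last_seen_iso):
    """ISO-8601 timestamp at which an indicator with these timestamps ages out."""
    base, seconds = parse_age_out(expr)
    anchor = datetime.fromisoformat(first_seen_iso if base == "first_seen" else last_seen_iso)
    return (anchor + timedelta(seconds=seconds)).isoformat()


def lint_prototype(name, proto):
    """Return a list of problems; an empty list means the prototype looks sane."""
    problems = []
    cfg = proto.get("config", {})
    if "config" in cfg:
        # The doubled key from the thread: age_out under config.config is never
        # read, so the miner keeps its built-in timeout and the engine still starts.
        problems.append(f"{name}: nested 'config:' inside config; its age_out is ignored")
        cfg = cfg["config"]
    age_out = cfg.get("age_out")
    if not isinstance(age_out, dict):
        problems.append(f"{name}: no age_out policy; the built-in timeout applies")
        return problems
    if "sudden_death" in age_out and proto.get("class") in _NO_SUDDEN_DEATH:
        problems.append(f"{name}: sudden_death is not supported by {proto['class']}; "
                        "the engine refuses to start with this policy")
    try:
        parse_age_out(age_out.get("default", ""))
    except ValueError as exc:
        problems.append(f"{name}: {exc}")
    return problems


# Constructed samples mirroring the thread, as they would look after yaml.safe_load.
NESTED = {  # first attempt: age_out under a doubled config: key
    "class": "minemeld.ft.syslog.SyslogMiner",
    "config": {
        "attributes": {"confidence": 80, "share_level": "green"},
        "config": {"age_out": {"default": "first_seen+30d", "interval": 3600, "sudden_death": False}},
        "source_name": "panos.syslog",
    },
}
UNSUPPORTED = {  # second attempt: nesting fixed, sudden_death still present
    "class": "minemeld.ft.syslog.SyslogMiner",
    "config": {
        "age_out": {"default": "first_seen+30d", "interval": 1800, "sudden_death": False},
        "attributes": {"confidence": 80, "share_level": "green"},
        "source_name": "panos.syslog",
    },
}
FIXED = {  # working form: sudden_death removed
    "class": "minemeld.ft.syslog.SyslogMiner",
    "config": {
        "age_out": {"default": "first_seen+30d", "interval": 1800},
        "attributes": {"confidence": 80, "share_level": "green"},
        "source_name": "panos.syslog",
    },
}

if __name__ == "__main__":
    for label, proto in (("nested", NESTED), ("unsupported", UNSUPPORTED), ("fixed", FIXED)):
        print(label, lint_prototype(label, proto) or "ok")
    print(age_out_at("first_seen+30d", "2024-01-01T00:00:00+00:00", "2024-01-01T00:00:00+00:00"))
```

Run it against the `prototypes:` entries of `/opt/minemeld/local/prototypes/minemeldlocal.yml` after loading the file; a non-empty problem list for a miner is a reason not to restart the engine yet. The `interval` value is deliberately left alone: it only controls how often the age-out check runs, so a smaller number makes expiry take effect sooner after the deadline but does not change the deadline itself.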
