MineMeld Engine Stuck in Restart Loop

L0 Member


Hello,

I face an issue where my MineMeld server keeps on restarting continuously. Initially, it showed an error about low disk space, which got fixed by purging logs; however, the engine keeps restarting. Below is the sample log which I keep seeing repeatedly in the engine logs. I have attached the complete file. Any help is appreciated. Thanks in advance.

    2019-11-13T02:44:00 (37331)launcher.main ERROR: Exception initializing graph
    Traceback (most recent call last):
      File "/minemeld-ansible/minemeld/engine/core/minemeld/run/launcher.py", line 288, in main
        mbusmaster.wait_for_chassis(timeout=10)
      File "/minemeld-ansible/minemeld/engine/core/minemeld/mgmtbus.py", line 140, in wait_for_chassis
        raise RuntimeError('Timeout waiting for chassis')
    RuntimeError: Timeout waiting for chassis
    2019-11-13T02:44:00 (37331)mgmtbus.checkpoint_graph INFO: checkpoint_graph called, checking current state
    2019-11-13T02:44:00 (37331)mgmtbus.checkpoint_graph INFO: graph status None, checkpoint_graph ignored
    2019-11-13T02:44:00 (37636)chassis.stop INFO: chassis stop called
    2019-11-13T02:44:00 (37638)chassis.stop INFO: chassis stop called
    2019-11-13T02:44:00 (37636)base.stop ERROR: stop on not IDLE or STARTED FT
    2019-11-13T02:44:00 (37638)base.stop ERROR: stop on not IDLE or STARTED FT
    2019-11-13T02:44:00 (37638)chassis.stop ERROR: Error stopping Test-Vendor-IP
    Traceback (most recent call last):
      File "/minemeld-ansible/minemeld/engine/core/minemeld/chassis.py", line 210, in stop
        ft.stop()
      File "/minemeld-ansible/minemeld/engine/core/minemeld/ft/actorbase.py", line 69, in stop
        super(ActorBaseFT, self).stop()
      File "/minemeld-ansible/minemeld/engine/core/minemeld/ft/base.py", line 763, in stop
        raise AssertionError("stop on not IDLE or STARTED FT")

L7 Applicator

Re: MineMeld Engine Stuck in Restart Loop

The problem is in the custom prototype of the Azure-AD_Test node. infilters should be an array. If you paste the custom prototype config here I can help.

L0 Member

Re: MineMeld Engine Stuck in Restart Loop

Thanks Luigi.

That was the issue. Commit fixed it.

Coming to the Custom Prototype: I am trying to split the JSON feed of Azure IPs based on services/region/both.

Here is what I tried, which failed. I can’t remember exactly, but I think it was created from aws.AMAZON.

    minemeldlocal_ms_AzurePublicIP_JSON-AD:
        class: minemeld.ft.json.SimpleJSON
        config:
            age_out:
                default: null
                interval: 257
                sudden_death: true
            attributes:
                confidence: 100
                share_level: green
                type: IPv4
            extractor: values[].properties.addressPrefixes[].{indicator:@}
            infilters:
                actions: accept
                conditions: __method == 'withdraw' name_azure == 'AzureActiveDirectory'
                name: accept withdraws
            prefix: azure
            source_name: azure
            url: https://www.microsoft.com/en-us/download/details.aspx?id=56519
        description: all Azure ranges
        development_status: STABLE
        indicator_types:
        - IPv4
        node_type: miner
        tags:
        - ConfidenceHigh
        - ShareLevelGreen

 --------------------------------------

I found it worked for region in another post and tried similar conditions to accept indicators. It does work for region+service, but not for services alone.

Here is what I have created:

Miner uses prototype: azure.cloudIPsWithServiceTags

Processor uses:

    infilters:
    -   actions:
        - accept
        conditions:
        - __method == 'withdraw'
        name: accept withdraws
    -   actions:
        - accept
        conditions:
        - type == 'IPv4'
        - azure_id == 'AzureCloud.uksouth2'
        name: accept IPv4
    -   actions:
        - drop
        name: drop all

This seems to be working in most of the cases unless I filter services which have their names matching with other IDs (region based) – example:

"id": "AzureActiveDirectory", - 95 indicators

"id": "AzureActiveDirectoryDomainServices", - 73 indicators

When such is the case, it keeps only unique values (22 indicators) and removes both values in case of a duplicate.

I’m not really good with scripting. Is there a way we can make the condition attribute an exact match?

Thanks again for your help.
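
As an added example (not part of the thread and not MineMeld's own code): a shape check for `infilters` that can be run on a parsed prototype or node config before committing. The expected structure is inferred from the working processor config posted above, and `check_infilters` plus the two sample dicts are constructed for illustration.

```python
# Added example: shape check for MineMeld "infilters". The rules are inferred
# from the working processor config in this thread, not from MineMeld's schema.

def check_infilters(node_name, config):
    """Return a list of problems found in config['infilters'] (empty = OK)."""
    infilters = config.get("infilters", [])
    if not isinstance(infilters, list):
        # This is the mistake in the failing prototype: a mapping, not an array.
        return ["%s: infilters must be a list of rules, got %s"
                % (node_name, type(infilters).__name__)]
    problems = []
    for i, rule in enumerate(infilters):
        where = "%s: infilters[%d]" % (node_name, i)
        if not isinstance(rule, dict):
            problems.append(where + " must be a mapping")
            continue
        actions = rule.get("actions")
        if not isinstance(actions, list) or not actions:
            problems.append(where + ".actions must be a non-empty list")
        conditions = rule.get("conditions", [])  # "drop all" has no conditions
        if not isinstance(conditions, list):
            problems.append(where + ".conditions must be a list")
        elif not all(isinstance(c, str) for c in conditions):
            problems.append(where + ".conditions entries must be strings")
    return problems

# Constructed inputs: the two YAML snippets from the post, as parsed dicts.
BROKEN = {"infilters": {
    "actions": "accept",
    "conditions": "__method == 'withdraw' name_azure == 'AzureActiveDirectory'",
    "name": "accept withdraws"}}

WORKING = {"infilters": [
    {"actions": ["accept"], "conditions": ["__method == 'withdraw'"],
     "name": "accept withdraws"},
    {"actions": ["accept"],
     "conditions": ["type == 'IPv4'", "azure_id == 'AzureCloud.uksouth2'"],
     "name": "accept IPv4"},
    {"actions": ["drop"], "name": "drop all"}]}

if __name__ == "__main__":
    for name, cfg in (("Azure-AD_Test", BROKEN), ("processor", WORKING)):
        for line in check_infilters(name, cfg) or [name + ": infilters OK"]:
            print(line)
```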
