Output limit?


L4 Transporter
 

Hi,


I run Minemeld (standalone) in a virtual machine with 2 CPUs, 6GB RAM and 40GB HD. My config has 63 miners (mainly YouTube miners and ransomware trackers), 13 aggregators and 30 output nodes. The miners start the job, but when it reaches the band "85k-95k indicators", Minemeld stops mining. The miners get the status "started" and few of them "stopped". It doesn't restart the service each x sec, it just stops mining. I know it stops mining because one of the YouTube channels has more than 30k videos and the miner only gets few URLs; the same with the ransomware IP trackers.

 

I noticed that my Minemeld hardly ages out or removes indicators. For example, in a typical dashboard shown in many articles, the monitor presents the number of aged-out or removed indicators as a parabola (half sine). In my case, figure below, I have flat lines. I thought it could be something related to NTP leading Minemeld to be out of resources with so many indicators, but the time configuration in my server is perfect.

 

Finally, some time later (there is not a specific interval) the dashboard shows 0 indicators.

 

Could someone give me any tip, advice, help?

 

Thanks in advance.

 

15 REPLIES 15

L7 Applicator

Hi @danilo.souza,

flat lines could be normal. But please could you add the minemeld-engine.log file to the thread? You can download it from System > Engine > Logs.

Please check before posting that it does not contain confidential information - especially credentials to access feeds.

 

Thanks,

luigi
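
The check requested above can be scripted before a log leaves the machine. This is an added example, not part of the thread or of MineMeld: the credential patterns are assumptions about how feed secrets might show up in a log, and every sample line after the first (including the `example.miner` name) is constructed.

```python
import re

# Assumed shapes of leaked feed credentials; extend for the feeds you use.
RULES = [
    # user:password@ embedded in a feed URL
    (re.compile(r'(?P<scheme>[a-z][a-z0-9+.-]*://)[^/\s:@]+:[^/\s@]+@', re.I),
     r'\g<scheme>[REDACTED]@'),
    # key=value or 'key': 'value' pairs with a sensitive-looking key
    (re.compile(r'(?P<key>\b(?:api[_-]?key|token|secret|password|passwd)\b)'
                r'(?P<sep>\s*[=:]\s*|["\']\s*:\s*["\'])'
                r'[^\s&"\',;]+', re.I),
     r'\g<key>\g<sep>[REDACTED]'),
    # HTTP Authorization header values
    (re.compile(r'(?P<hdr>\bAuthorization\s*[:=]\s*["\']?(?:Basic|Bearer)\s+)'
                r'[A-Za-z0-9+/=._~-]+', re.I),
     r'\g<hdr>[REDACTED]'),
]

def redact_line(line):
    """Return (redacted_line, number_of_substitutions)."""
    total = 0
    for pattern, repl in RULES:
        line, n = pattern.subn(repl, line)
        total += n
    return line, total

def redact_log(lines):
    """Redact every line; return (redacted_lines, total_substitutions)."""
    out, hits = [], 0
    for line in lines:
        clean, n = redact_line(line)
        out.append(clean)
        hits += n
    return out, hits

# First line is the one quoted in this thread; the other two are constructed.
SAMPLE_LOG = """\
2018-04-15T17:07:19 (2404)launcher.main INFO: Starting mm-run.py version 0.9.44.post1
2018-04-15T17:07:25 (2410)example.miner DEBUG: polling https://feeduser:S3cretPw@feeds.example.com/list?api_key=ABC123DEF
2018-04-15T17:07:26 (2410)example.miner DEBUG: config {'url': 'https://feeds.example.com', 'password': 'hunter2'}
"""

if __name__ == "__main__":
    redacted, count = redact_log(SAMPLE_LOG.splitlines())
    print("\n".join(redacted))
    print(f"{count} value(s) redacted; review the output by eye before sharing")
```

A substitution count of zero does not prove the log is clean; the patterns only catch the shapes listed.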

Hi Luigi,

thank you for the fast reply. Just to be sure, there is no way to send the log just to you, right? I have to add the file here in the forum, right?

Thank you one more time.

Hi @danilo.souza,

sure, please send them to lmori@paloaltonetworks.com

 

Thanks,

luigi

Hi @danilo.souza,

I checked your logs and it seems to be a rabbitmq malfunction. Which distribution are you using? How much memory do you have on that instance?

 

luigi

Hi Luigi,

I am using the version 0.9.44 for CentOS. That is what I get from the engine log:

 

/opt/minemeld/log/minemeld-engine.log.6:2018-04-15T17:07:19 (2404)launcher.main INFO: Starting mm-run.py version 0.9.44.post1

 

What do you mean by how much memory in that instance? When you refer to rabbitmq, is it bad news?

 

Thank you again.

Hi Luigi,

it is disabled (image attached).

Best regards.

Hi Luigi,


Is there any other information I can provide to help identify the problem?

 

Thank you again

L4 Transporter

Hi,

is there anybody else with a similar case that could help in this case? It is really important.

Thanks.

L1 Bithead

I haven't been able to look through the files you uploaded, however, I've got several hundred thousand indicators on a couple production boxes. No issues with them updating or aging out. Have you tried exporting your config, setting up a test MM instance using the cloud loader, and then importing the config to see how it behaves? 

I should have stated earlier, I say this because I wonder if it is an issue with the flavor of linux you chose. Ubuntu 14.0.4.5 Trusty Tahr seems to not have any issues. 

Hi kethomas,

thank you for the reply, I really appreciate it.

However, I cannot do this test. I am not authorized to upload my configuration and the API keys to the cloud. That is the reason we used the CentOS version for Minemeld. That is the distribution we use in our corporation.

 

Is there anybody familiar with rabbitmq? Luigi mentioned a possible malfunction on it.

Thanks.

Help me not dig back through posts please, which version of CentOS? Which version of RabbitMQ? Did you install MM from the git repository?
Edit: I looked and wonder if the MM package installed correctly with the correct permissions on the files. I think that’s why Luigi had you disable SEL. Aside from running off a stable version of Linux, check your packages and their versions to make sure you’re running a supported version.
You don’t have to upload any configuration or API to the cloud with the cloud loader or even a manual install on Ubuntu by the way.

I'm running CentOS Linux 7 (Core) - Linux 3.10.0-693.5.2.el7.x86_64. The version of rabbitmq is 3.6.9. And yes, I installed MM from the git repository. I'm pretty sure my files have the correct permissions, otherwise the MM wouldn't have run correctly from the beginning. The point is that I'm increasing the number of miners and outputs. Doing so, the MM behavior is not the same. About SEL, that was never enabled.

 

Would you mind mentioning which packages I should check the version of?

 

"You don’t have to upload any configuration or API to the cloud with the cloud loader or even a manual install on Ubuntu by the way." I didn't understand that.

 

Best regards.
