MineMeld Engine Stuck in Restart Loop

L1 Bithead

Hello,

 

I am facing an issue where my MineMeld server keeps restarting continuously. Initially, it showed an error about low disk space, which was fixed by purging logs; however, the engine keeps restarting. Below is the sample log which I keep seeing repeatedly in the engine logs. I have attached the complete file. Any help is appreciated. Thanks in advance.

 

    2019-11-13T02:44:00 (37331)launcher.main ERROR: Exception initializing graph
    Traceback (most recent call last):
      File "/minemeld-ansible/minemeld/engine/core/minemeld/run/launcher.py", line 288, in main
        mbusmaster.wait_for_chassis(timeout=10)
      File "/minemeld-ansible/minemeld/engine/core/minemeld/mgmtbus.py", line 140, in wait_for_chassis
        raise RuntimeError('Timeout waiting for chassis')
    RuntimeError: Timeout waiting for chassis
    2019-11-13T02:44:00 (37331)mgmtbus.checkpoint_graph INFO: checkpoint_graph called, checking current state
    2019-11-13T02:44:00 (37331)mgmtbus.checkpoint_graph INFO: graph status None, checkpoint_graph ignored
    2019-11-13T02:44:00 (37636)chassis.stop INFO: chassis stop called
    2019-11-13T02:44:00 (37638)chassis.stop INFO: chassis stop called
    2019-11-13T02:44:00 (37636)base.stop ERROR: stop on not IDLE or STARTED FT
    2019-11-13T02:44:00 (37638)base.stop ERROR: stop on not IDLE or STARTED FT
    2019-11-13T02:44:00 (37638)chassis.stop ERROR: Error stopping Test-Vendor-IP
    Traceback (most recent call last):
      File "/minemeld-ansible/minemeld/engine/core/minemeld/chassis.py", line 210, in stop
        ft.stop()
      File "/minemeld-ansible/minemeld/engine/core/minemeld/ft/actorbase.py", line 69, in stop
        super(ActorBaseFT, self).stop()
      File "/minemeld-ansible/minemeld/engine/core/minemeld/ft/base.py", line 763, in stop
        raise AssertionError("stop on not IDLE or STARTED FT")


Accepted Solutions

L7 Applicator

The problem is in the custom prototype of the Azure-AD_Test node. infilters should be an array. If you paste the custom prototype config here I can help.


Thanks Luigi.

 

That was the issue. Commit fixed it.

Coming to the Custom Prototype: I am trying to split the JSON feed of Azure IPs based on services/region/both.

Here is what I tried which failed. I can’t remember exactly, but I think it was created from aws.AMAZON

    minemeldlocal_ms_AzurePublicIP_JSON-AD:
        class: minemeld.ft.json.SimpleJSON
        config:
            age_out:
                default: null
                interval: 257
                sudden_death: true
            attributes:
                confidence: 100
                share_level: green
                type: IPv4
            extractor: values[].properties.addressPrefixes[].{indicator:@}
            infilters:
                actions: accept
                conditions: __method == 'withdraw' name_azure == 'AzureActiveDirectory'
                name: accept withdraws
            prefix: azure
            source_name: azure
            url: https://www.microsoft.com/en-us/download/details.aspx?id=56519
        description: all Azure ranges
        development_status: STABLE
        indicator_types:
        - IPv4
        node_type: miner
        tags:
        - ConfidenceHigh
        - ShareLevelGreen

 

 --------------------------------------

I found it worked for region in another post and tried similar conditions to accept indicators. It does work for region+service, but not for services alone.

 

Here is what I have created

 

Miner uses prototype: azure.cloudIPsWithServiceTags

Processor uses:

------------

    infilters:
    -   actions:
        - accept
        conditions:
        - __method == 'withdraw'
        name: accept withdraws
    -   actions:
        - accept
        conditions:
        - type == 'IPv4'
        - azure_id == 'AzureCloud.uksouth2'
        name: accept IPv4
    -   actions:
        - drop
        name: drop all

 

This seems to be working in most of the cases unless I filter services which have their names matching with other IDs (region based) – example:

"id": "AzureActiveDirectory",  - 95 indicators

"id": "AzureActiveDirectoryDomainServices", - 73 indicators

 

When such is the case, it keeps only unique values (22 indicators) and removes both values in case of a duplicate.

I’m not really good with scripting. Is there a way we can make the condition attribute as exact match?

 

Thanks again for your help.
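
A shape check for the `infilters` problem discussed above, runnable against a node config before committing it. This is an added example, not part of the original posts and not MineMeld's own code; the function name `check_infilters` is hypothetical, and the expected shape is an assumption taken from the working processor filter in this thread.

```python
# Added example: validate the shape of a node's `infilters` before commit.
# Expected shape (assumed from the working filter in this thread): a list of
# entries, each a mapping with list-valued `actions` and `conditions`.

def check_infilters(node_name, config):
    """Return a list of problems found in config['infilters'] (empty = OK)."""
    problems = []
    filters = config.get("infilters")
    if filters is None:
        return problems  # no input filters configured
    if not isinstance(filters, list):
        return ["%s: infilters is a %s, expected a list of filter entries"
                % (node_name, type(filters).__name__)]
    for i, entry in enumerate(filters):
        where = "%s: infilters[%d]" % (node_name, i)
        if not isinstance(entry, dict):
            problems.append(where + " is not a mapping")
            continue
        actions = entry.get("actions")
        if not isinstance(actions, list) or not actions:
            problems.append(where + " actions must be a non-empty list")
        conditions = entry.get("conditions", [])
        if not isinstance(conditions, list):
            problems.append(where + " conditions must be a list")
        elif not all(isinstance(c, str) for c in conditions):
            problems.append(where + " every condition must be a string")
    return problems


# Constructed inputs: the two configs from the post, as a YAML loader returns them.
FAILED = {"infilters": {
    "actions": "accept",
    "conditions": "__method == 'withdraw' name_azure == 'AzureActiveDirectory'",
    "name": "accept withdraws",
}}
WORKING = {"infilters": [
    {"actions": ["accept"], "conditions": ["__method == 'withdraw'"],
     "name": "accept withdraws"},
    {"actions": ["accept"],
     "conditions": ["type == 'IPv4'", "azure_id == 'AzureCloud.uksouth2'"],
     "name": "accept IPv4"},
    {"actions": ["drop"], "name": "drop all"},
]}

if __name__ == "__main__":
    for name, cfg in (("failed prototype", FAILED), ("processor", WORKING)):
        print(name, check_infilters(name, cfg) or "OK")
```
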

Hi,

Did you resolve your problem of filtering by service name?

I have the same problem.

Hi @Farouk.Kahoul,

Which MineMeld version are you using? The most recent version (0.9.68) has several improvements in how the Azure feeds are handled, and you can adopt a solution similar to the one used for regions also for services.

 

Luigi

Hi Luigi,

Thanks for your answer.

I'm using the VERSION: 0.9.66.

I have found a way to filter using the syntax: contains(xxxxx_list, 'yyyyyyy') == true
