I have two instances of MineMeld, both built off the instructions at https://live.paloaltonetworks.com/t5/MineMeld-Articles/Manually-install-MineMeld-on-Ubuntu-Server-14...
My dev instance built in June and reporting version 0.9.40 appears to be functioning correctly
My prod instance built in Aug and reporting version 0.9.40 appears to be simply echoing the raw data as the output.
This does not occur on all datafeeds. In particular it does occur on a cloned protoype for IPv4, stdlib.aggregatorIPv4Generic.
The source miner nodes all report the same number of IOCs. Once the data hits the processor node the dev instance reports 139 IOCs while the prod reports 1236 IOCs.
I have attempted to verify permissions, compare files etc. The last modification was copying the same custom prototypes file minemeldlocal.yml to both instances.
What am I missing?
Thinks I'd check:
xhoms - Yep, had done all that which is what was really confusing me.
Update: I stopped services, deleted all exisiting data files in /opt/minemeld/local/data, restarted services.
Now the two instances are reporting the same numbers across the board.
Am I possibly correct in assuming there was some difference in learned confidence values as the dev instance had been runnning for an additional 60ish days, or some other built in logic?
Depending on the age_out policy of a miner you can expect the instance running for more time to keep indicators that have never been seen by the newer instance. But if the number of indicators at the miner level between instances is the same then I would assume they all have the same confidence values.
A common mistake is to "clone" a miner prototype from the library that has "share_level = red" and attaching it to a processor with a filter that only accepts indicators in the "share_level = green"
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!