Hello Community,

I hope you will be kind enough to share your wisdom on MineMeld performance tuning.

We are using a containerized MineMeld v.0.9.70 instance, connected to a containerized MISP instance and to QRadars (a bunch of them) via the QRadar TI application v.2.1.0 and TAXII output nodes (6 nodes - IPv4, IPv6, URL, SHA1, SHA256, MD5). Our MM TAXII URL is exposed to the Internet via NGINX, which does SSL termination for the QRadar TI apps.

Our current volume of IOCs transferred from MISP is around 258K IPs/URLs/Hashes (which, according to the comments in this forum, is not too tremendously big for a MineMeld instance). However, our MineMeld instance is suffering from a huge performance downgrade (in peaks we have 300%-500% of CPU consumption and up to 16Gb of RAM consumption). We tried to limit the amount of resources available to the MM container; however, it causes regular crashes of the MM engine. In fact, after the "crash" I can get to the Web GUI, but the Dashboard shows 0 IOCs and the Nodes window shows a "Loading" message without any updates. An Engine restart resolves the issue; however, it returns after one or two days.

It is important to mention that we have connected only two QRadar instances so far, but we are planning to add up to 10 more consumers.

Could you be so kind as to advise me on this situation?

A side note - in the MM Docker container flavor I cannot get to the Logs via the Web GUI.

Thank you in advance,
Illia