I've made some progress. I can get Minemeld to start with, supposedly, my certs. The issue was the -v option, which apparently, at this point, is only used for volumes/directories. For files, --mount is needed instead (https://docs.docker.com/storage/bind-mounts/). My run command now looks like this:
sudo docker run -dit \
  --name minemeld \
  --restart unless-stopped \
  --tmpfs /run \
  -v minemeld-local:/opt/minemeld/local \
  -v minemeld-logs:/opt/minemeld/log \
  --mount type=bind,source=/var/lib/minemeld/real-cert.crt,target=/etc/nginx/minemeld.cer,readonly \
  --mount type=bind,source=/var/lib/minemeld/real-cert.pem,target=/etc/nginx/minemeld.pem,readonly \
  -p 443:443 -p 80:80 \
  paloaltonetworks/minemeld
Docker starts Minemeld without any errors returned, but the site is still not accessible. I first assumed that it did not like my root CA, which is a local CA from my PAN firewall. I added the CA to the file
/var/lib/docker/volumes/minemeld-local/_data/certs/bundle.crt (I also tried simply copying the root CA file into that directory and restarting docker).
Unfortunately, although it appears that Minemeld is running, the internal nginx server resets my HTTPS connection attempt and I cannot load the site.
Still searching...
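When nginx resets the TLS handshake right after certificate files are bind-mounted, the usual culprits are the file formats themselves (DER instead of PEM, the key and certificate swapped, or a passphrase-protected key that nginx cannot load unattended). The checker below is an added example, not code from the post or from the MineMeld project; the PEM bodies are constructed placeholders, and the paths in `main` are assumptions matching the mount sources in the post.

```python
import re
import sys
from typing import List

# A PEM block is "-----BEGIN <label>-----", base64 text, "-----END <label>-----".
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def pem_labels(data: bytes) -> List[str]:
    """Return the BEGIN/END labels found in a PEM file, in file order."""
    return [m.group(1) for m in PEM_BLOCK.finditer(data.decode("ascii", "replace"))]

def is_der(data: bytes) -> bool:
    """DER-encoded X.509 and keys start with an ASN.1 SEQUENCE tag (0x30); nginx wants PEM."""
    return data[:1] == b"\x30"

def check_nginx_pair(cert: bytes, key: bytes) -> List[str]:
    """Return the problems that would stop nginx from serving TLS with this
    cert/key pair. An empty list means the files are at least the right shape;
    chain order and cert/key correspondence are not checked here."""
    problems = []
    if is_der(cert):
        problems.append("certificate is DER, convert to PEM (openssl x509 -inform der)")
    else:
        labels = pem_labels(cert)
        if "CERTIFICATE" not in labels:
            problems.append("certificate file contains no CERTIFICATE block")
        if any(l.endswith("PRIVATE KEY") for l in labels):
            problems.append("certificate file also contains a private key")
    if is_der(key):
        problems.append("private key is DER, convert to PEM (openssl pkey -inform der)")
    else:
        key_labels = pem_labels(key)
        if not any(l.endswith("PRIVATE KEY") for l in key_labels):
            problems.append("key file contains no PRIVATE KEY block (cert and key swapped?)")
        if "ENCRYPTED PRIVATE KEY" in key_labels or b"Proc-Type: 4,ENCRYPTED" in key:
            problems.append("private key is passphrase-protected; nginx cannot load it unattended")
    return problems

# Constructed sample inputs (not real keys or certificates).
SAMPLE_CERT = b"-----BEGIN CERTIFICATE-----\nMIIBszCCAVplaceholder==\n-----END CERTIFICATE-----\n"
SAMPLE_KEY = b"-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANplaceholder==\n-----END PRIVATE KEY-----\n"
SAMPLE_ENC_KEY = b"-----BEGIN ENCRYPTED PRIVATE KEY-----\nMIIFHDBplaceholder=\n-----END ENCRYPTED PRIVATE KEY-----\n"
SAMPLE_DER = b"\x30\x82\x01\x0a\x30\x81\xf1"  # first bytes of a DER SEQUENCE

if __name__ == "__main__":
    # Assumed paths: the bind-mount sources from the post, or two paths on the command line.
    cert_path, key_path = (sys.argv[1:3] if len(sys.argv) == 3
                           else ("/var/lib/minemeld/real-cert.crt", "/var/lib/minemeld/real-cert.pem"))
    with open(cert_path, "rb") as c, open(key_path, "rb") as k:
        found = check_nginx_pair(c.read(), k.read())
    print("\n".join(found) if found else "cert/key files look usable by nginx")
```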
I believe I have fixed it, at least in the interim until it can be added to the Palo repo. According to Luigi here, rsyslog (or more appropriately the package called rsyslog-minemeld in Ubuntu 14.04) was built by them from source with additional features enabled, and distributed through their repo. It does not seem that rsyslog-minemeld is distributed in their current Xenial/16.04 repo:
http://minemeld-updates.panw.io/ubuntu xenial-minemeld main
However, when I built a current version of rsyslog with those features, it was incompatible with the /etc/rsyslog.d/*.conf files. I was able to find an old version of rsyslog, "8.19.0", compile it, and install the .deb file on my minemeld server. I also installed via apt "librabbitmq4" and "liblognorm2", as referenced by some of my /var/log/syslog errors. Once I did that, all the errors went away, and IPs started showing up in my miner/output.