Late response (holiday taking) but if you're still looking...
I believe the stock patterns are largely out-of-date so it may just be that
machine_1 is getting hit on one of the pattern/rules that works (e.g. ssh login) while
machine_2 isn't. So, I'd start by looking at the logs and patterns, then the SQLite databases, then the code.
This post looks vaguely accurate on how to dig around.