Cisco Firepower Management Center 4000 Developer Guide

FireSIGHT eStreamer Integration Guide
 
Chapter 2  Understanding the eStreamer Application Protocol
Event Data Message Format
The following table describes each field in the record header of correlation event messages.

Table 2-10  Correlation Event Message Record Header Fields

Record Type
  Data type: uint32
  Description: Identifies the data record content type. See  for the list of intrusion, correlation, and metadata record types.

Record Length
  Data type: uint32
  Description: Length of the content of the message after the record header. Does not include the 8 or 16 bytes of the record header. (Record Length plus the length of the record header equals Message Length.)

eStreamer Server Timestamp
  Data type: uint32
  Description: Indicates the timestamp applied when the event was archived by the eStreamer server. Also called the archival timestamp. Field present only if bit 23 is set in the request message flags. Field is zero for data generated by the Defense Center such as host profiles and metadata.

Reserved for future use
  Data type: uint32
  Description: Reserved for future use. Field present only if bit 23 is set in the request message flags.

Event Extra Data Message Format

The graphic below shows the structure of event extra data messages. The Intrusion Event Extra Data message is an example of this message group.

[Figure: event extra data message structure, drawn as rows of bytes 0 to 3 (bits 0 to 31): Message Header, Record Header, Data Blocks...]

Event extra data messages have the same format as correlation event messages, with a data block directly after the record header. Unlike correlation messages, they use series 2 data blocks, not series 1 data blocks, which have a separate numbering sequence. For information about series 2 block types, see .
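A parser for the record header described in Table 2-10, added here as an example and not code from the guide. It handles both the 8-byte and the 16-byte form (selected by bit 23 of the request flags), enforces the stated rule that Record Length plus the record header length equals Message Length before slicing out the data block, and assumes the fields are in network byte order (big-endian); the sample bytes and the record type value 110 are constructed.

```python
import struct
from dataclasses import dataclass
from typing import Optional

ARCHIVE_TIMESTAMP_FLAG = 1 << 23  # bit 23 of the request message flags

@dataclass
class RecordHeader:
    record_type: int
    record_length: int
    archive_timestamp: Optional[int]  # only in the 16-byte form
    reserved: Optional[int]           # only in the 16-byte form
    header_size: int                  # 8 or 16

def header_is_extended(request_flags: int) -> bool:
    """True when bit 23 was set in the request, so records carry the 16-byte header."""
    return bool(request_flags & ARCHIVE_TIMESTAMP_FLAG)

def parse_record(payload: bytes, message_length: int, extended: bool):
    """Split the bytes after the message header into (RecordHeader, data block).

    Fields are read big-endian (network byte order is assumed here). The check
    Record Length + header size == Message Length is the rule from Table 2-10;
    a mismatch means a truncated or mis-framed message, so the record is
    rejected instead of being parsed from misaligned offsets.
    """
    header_size = 16 if extended else 8
    if len(payload) < header_size:
        raise ValueError(f"payload shorter than the {header_size}-byte record header")
    record_type, record_length = struct.unpack_from("!II", payload, 0)
    timestamp = reserved = None
    if extended:
        timestamp, reserved = struct.unpack_from("!II", payload, 8)
    if record_length + header_size != message_length:
        raise ValueError(f"record length {record_length} + header {header_size} "
                         f"!= message length {message_length}")
    if len(payload) < message_length:
        raise ValueError("payload truncated: fewer bytes than message length")
    header = RecordHeader(record_type, record_length, timestamp, reserved, header_size)
    return header, payload[header_size:header_size + record_length]

# Constructed sample: 16-byte header (record type 110 is an arbitrary sample value,
# archival timestamp 1700000000, reserved 0) followed by a 12-byte data block.
SAMPLE_DATA_BLOCK = bytes(range(12))
SAMPLE_PAYLOAD = struct.pack("!IIII", 110, len(SAMPLE_DATA_BLOCK), 1700000000, 0) + SAMPLE_DATA_BLOCK
SAMPLE_MESSAGE_LENGTH = len(SAMPLE_PAYLOAD)  # 28 = 16-byte header + 12-byte record
```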