Cisco Firepower Management Center 4000 Developer Guide
FireSIGHT eStreamer Integration Guide
Chapter 2 Understanding the eStreamer Application Protocol
Event Data Message Format
The following table describes each field in the record header of correlation event messages.
Event Extra Data Message Format
The graphic below shows the structure of event extra data messages. The Intrusion Event Extra Data message is an example of this message group.
Event extra data messages have the same format as correlation event messages, with a data block directly after the record header. Unlike correlation messages, they use series 2 data blocks, not series 1 data blocks, which have a separate numbering sequence. For information about series 2 block types, see .
Table 2-10 Correlation Event Message Record Header Fields

| Field | Data Type | Description |
|---|---|---|
| Record Type | uint32 | Identifies the data record content type. See for the list of intrusion, correlation, and metadata record types. |
| Record Length | uint32 | Length of the content of the message after the record header. Does not include the 8 or 16 bytes of the record header. (Record Length plus the length of the record header equals Message Length.) |
| eStreamer Server Timestamp | uint32 | Indicates the timestamp applied when the event was archived by the eStreamer server. Also called the archival timestamp. Field present only if bit 23 is set in the request message flags. Field is zero for data generated by the Defense Center such as host profiles and metadata. |
| Reserved for future use | uint32 | Reserved for future use. Field present only if bit 23 is set in the request message flags. |
Figure: Event Extra Data message structure (laid out in 32-bit words, bytes 0-3, bits 0-31): Message Header, followed by the Record Header, followed by Data Blocks...
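The following parser, added here as an example and not code from the guide or from Cisco, reads the record header described in Table 2-10 and enforces the stated invariant that Record Length plus the 8- or 16-byte header equals the Message Length; it assumes network (big-endian) byte order, and the record type, timestamp and data block bytes in the sample are constructed values.

```python
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

# Bit 23 of the request message flags: when set, the server appends the
# 8-byte extended header (archival timestamp + reserved) to every record.
FLAG_EXTENDED_HEADER = 1 << 23


@dataclass
class RecordHeader:
    record_type: int
    record_length: int              # bytes after the record header
    archive_timestamp: Optional[int]  # None when the extended header is absent
    header_length: int              # 8 or 16


def parse_record_header(buf: bytes, request_flags: int) -> RecordHeader:
    """Decode the record header; its size depends on the flags we requested."""
    extended = bool(request_flags & FLAG_EXTENDED_HEADER)
    hdr_len = 16 if extended else 8
    if len(buf) < hdr_len:
        raise ValueError(f"need {hdr_len} header bytes, got {len(buf)}")
    record_type, record_length = struct.unpack_from(">II", buf, 0)
    ts = None
    if extended:
        ts, _reserved = struct.unpack_from(">II", buf, 8)  # reserved is ignored
    return RecordHeader(record_type, record_length, ts, hdr_len)


def split_event_message(message_body: bytes, request_flags: int) -> Tuple[RecordHeader, bytes]:
    """Return (record header, data block bytes) for the payload that follows
    the message header, refusing it unless Record Length + header length
    equals the Message Length, so a bad length cannot drive the block parser."""
    hdr = parse_record_header(message_body, request_flags)
    expected = hdr.record_length + hdr.header_length
    if expected != len(message_body):
        raise ValueError(f"record length {hdr.record_length} + header "
                         f"{hdr.header_length} != message length {len(message_body)}")
    return hdr, message_body[hdr.header_length:]


def build_sample(extended: bool) -> bytes:
    """Constructed sample payload: a hypothetical record type with an 8-byte block."""
    data_block = bytes.fromhex("00000004deadbeef")          # constructed block bytes
    hdr = struct.pack(">II", 0x7777, len(data_block))       # 0x7777 is a placeholder type
    if extended:
        hdr += struct.pack(">II", 1700000000, 0)            # constructed archival timestamp
    return hdr + data_block
```

Parsing the extended sample with flags that lack bit 23 fails the length check, which is how a client notices that its request flags and the server's header size disagree.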