Cisco Firepower Management Center 4000 Developer Guide
2-17
FireSIGHT eStreamer Integration Guide
Chapter 2 Understanding the eStreamer Application Protocol
Event Data Message Format
The eStreamer service transmits event data and related metadata to clients when it receives an event
request. Event data messages have a message type of 3. Each message contains a single data record with
either event data or metadata.
Note that type 3 messages carry only event data and metadata. eStreamer transmits host information in
type 6 (single-host) and type 7 (multiple-host) messages. See
for information on host message formats.
Understanding the Organization of Event Data Messages
The event data and metadata messages that eStreamer sends contain the following sections:
• eStreamer message header — the standard message header defined at .
• Event-specific sub-headers — sets of fields that vary by event type, with codes that describe additional event details and determine the structure of the payload data that follows.
• Data record — fixed-length fields and a data block.
Note: The client should unpack all messages on the basis of the length fields they carry, not on an assumed size for a given record type.
For the event message formats by event type, see the following:
• for intrusion event data records and all metadata records. These messages have fixed-length fields.
• for messages with discovery event or user event data. In addition to the standard eStreamer message header and a record header similar to the intrusion event message, discovery messages have a distinctive discovery event header with an event type and subtype field. The data record in discovery event messages is packaged in a series 1 block that can have variable-length fields and multiple layers of encapsulated blocks.
• for messages with connection statistics. Their general structure is identical to discovery event messages. Their data block types, however, are specific to connection statistics.
• for messages with correlation (compliance) event data. The headers in these messages are the same as in intrusion event messages, but the data blocks are series 1 blocks.
• for a series of messages that deliver intrusion-related record types with variable-length fields and multiple layers of nested data blocks, such as intrusion event extra data. See for general information on the structures of this series of blocks, which are similar to series 1 blocks but numbered separately.
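The following Python parser is an added example written for this guide page; it is not code from Cisco or from the eStreamer SDK. It shows the length-driven unpacking the note above calls for, applied to the layering described in this section: the standard message header is read first, the message type selects how the payload is treated (3 for event data and metadata, 6 and 7 for host data), and a block-structured payload is walked one length-prefixed block at a time, descending into nested blocks. The header layout (2-byte header version, 2-byte message type, 4-byte length of the data that follows, all big-endian) is the guide's standard header. Everything else is an assumption made for the example: the block layout (4-byte block type, 4-byte block length that counts its own 8-byte header), the block type numbers, the rule that one of those types is a container, and the sample messages, which are constructed inline. Every declared length is checked against the bytes actually present before it is used, and a length that overruns or underruns the buffer is rejected rather than silently truncated.

```python
import struct

# Standard eStreamer message header: header version (2 bytes), message type
# (2 bytes), message length (4 bytes, counts the data following the header).
# All fields are big-endian.
HEADER_FMT = ">HHI"
HEADER_LEN = struct.calcsize(HEADER_FMT)          # 8 bytes
HEADER_VERSION = 1

MSG_EVENT_DATA = 3      # event data and metadata
MSG_SINGLE_HOST = 6     # host information, single host
MSG_MULTI_HOST = 7      # host information, multiple hosts

# Assumed block layout for this example: 4-byte block type, 4-byte block length
# that counts these 8 header bytes as well as the body.
BLOCK_HDR_FMT = ">II"
BLOCK_HDR_LEN = struct.calcsize(BLOCK_HDR_FMT)    # 8 bytes

# Hypothetical block type used as a container of sub-blocks. Real eStreamer
# block types and their nesting rules come from the per-record tables.
CONTAINER_TYPES = {0x1001}


class MalformedMessage(ValueError):
    """Raised whenever a declared length disagrees with the bytes on hand."""


def parse_message(buf):
    """Split one message off the front of buf; return (msg_type, payload, rest).

    The payload is cut by the declared length field alone, so that field is
    validated against the bytes actually present before any slice is taken.
    """
    if len(buf) < HEADER_LEN:
        raise MalformedMessage("short read: header incomplete")
    version, msg_type, length = struct.unpack_from(HEADER_FMT, buf, 0)
    if version != HEADER_VERSION:
        raise MalformedMessage("unsupported header version %d" % version)
    if length > len(buf) - HEADER_LEN:
        raise MalformedMessage("declared length %d exceeds %d bytes available"
                               % (length, len(buf) - HEADER_LEN))
    end = HEADER_LEN + length
    return msg_type, buf[HEADER_LEN:end], buf[end:]


def walk_blocks(data, depth=0, max_depth=8):
    """Walk consecutive length-prefixed blocks, descending into container
    blocks. Returns [(depth, block_type, body), ...] in encounter order."""
    if depth > max_depth:
        raise MalformedMessage("block nesting deeper than %d" % max_depth)
    found = []
    off = 0
    while off < len(data):
        if len(data) - off < BLOCK_HDR_LEN:
            raise MalformedMessage("truncated block header at offset %d" % off)
        btype, blen = struct.unpack_from(BLOCK_HDR_FMT, data, off)
        # A length below the header size would never advance; a length beyond
        # the remaining bytes would read past the message. Reject both.
        if blen < BLOCK_HDR_LEN or blen > len(data) - off:
            raise MalformedMessage("block length %d invalid at offset %d" % (blen, off))
        body = data[off + BLOCK_HDR_LEN:off + blen]
        found.append((depth, btype, body))
        if btype in CONTAINER_TYPES:
            found.extend(walk_blocks(body, depth + 1, max_depth))
        off += blen
    return found


def build_block(btype, body):
    """Encode one block in the assumed layout (used to construct sample input)."""
    return struct.pack(BLOCK_HDR_FMT, btype, BLOCK_HDR_LEN + len(body)) + body


def build_message(msg_type, payload):
    """Prepend the standard header to a payload (used to construct sample input)."""
    return struct.pack(HEADER_FMT, HEADER_VERSION, msg_type, len(payload)) + payload


def describe(buf):
    """Parse every message in buf and summarise each one by type."""
    summary = []
    while buf:
        msg_type, payload, buf = parse_message(buf)
        if msg_type == MSG_EVENT_DATA:
            # This example treats every type 3 payload as a block sequence;
            # fixed-length intrusion and metadata records need their own layouts.
            blocks = walk_blocks(payload)
            summary.append(("event", [(d, t, len(b)) for d, t, b in blocks]))
        elif msg_type in (MSG_SINGLE_HOST, MSG_MULTI_HOST):
            summary.append(("host", len(payload)))
        else:
            summary.append(("other", msg_type))
    return summary


def is_rejected(buf):
    """True if buf fails length validation anywhere in its messages."""
    try:
        describe(buf)
    except MalformedMessage:
        return True
    return False


# Constructed sample: a type 3 message whose payload is one container block
# holding two nested blocks, followed by a type 7 host message.
SAMPLE = (
    build_message(MSG_EVENT_DATA,
                  build_block(0x1001,
                              build_block(0x1002, b"inner-a")
                              + build_block(0x1003, b"inner-bb")))
    + build_message(MSG_MULTI_HOST, b"\x00" * 4)
)

# Constructed malformed sample: the block claims 64 bytes but only 13 exist.
BAD_SAMPLE = build_message(MSG_EVENT_DATA,
                           struct.pack(BLOCK_HDR_FMT, 0x1002, 64) + b"short")

if __name__ == "__main__":
    print(describe(SAMPLE))
    print("bad sample rejected:", is_rejected(BAD_SAMPLE))
```

The walker never trusts a block or message length on its own: it compares each one with the bytes remaining and stops with an error on the first inconsistency, which is the behaviour a client needs when the stream is truncated or a length field is corrupt. A nesting cap also keeps a hostile or broken block chain from recursing without bound.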
[Figure: flag bit diagram; bit positions labelled 30 through 0, with the example bit values 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 1 0 1 0 0 0 1 1 0 0 1 0 1 shown most significant bit first]