Cisco Firepower Management Center 2000 Developer Guide

FireSIGHT eStreamer Integration Guide
 
Chapter 2      Understanding the eStreamer Application Protocol
  Understanding eStreamer Communication Stages
Accepting Data from eStreamer
Note
The eStreamer server does not keep a history of the events it sends. Your client application must check 
for duplicate events, which can inadvertently occur for a number of reasons. For example, when starting 
up a new streaming session, the time specified by the client as the starting point for the new session can 
have multiple messages, some of which may have been sent in the previous session and some of which 
were not. eStreamer sends all messages that meet the specified request criteria. Your application should 
detect any resulting duplicates.
During periods of inactivity, eStreamer sends periodic null messages to the client to keep the connection 
open. If it receives an error message from the client or an intermediate host, it closes the connection.
eStreamer transmits requested data to the client differently, depending on the request mode.
Event Stream Requests
If the client submits an event stream request, eStreamer returns data message by message. It may send 
multiple messages in a row without waiting for a client acknowledgment. At a certain point, it pauses 
and waits for the client. The client operating system buffers received data and lets the client process it 
at its own pace.
If the client request includes a request for metadata, eStreamer sends the metadata first. The client should 
store it in memory to be available when processing the event records that follow.
Extended Requests
If the client submits an extended request, eStreamer queues up messages and sends them in bundles. 
eStreamer may send multiple bundles in a row without waiting for a client acknowledgment. At a certain 
point, it pauses and waits for the client. The client operating system buffers received data and lets the 
client read it off at its own pace.
The client unpacks each bundle, message by message, and uses the lengths of the records and the blocks 
to parse each message. The overall message length in each message header can be used to calculate when 
the end of each message has been reached, and the overall bundle length can be used to know when the 
end of the bundle is reached. The bundle requires no index of its contents to be correctly parsed.
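The length-driven unpacking described above, together with the duplicate check the earlier Note asks the client to perform, as an added example that is not code from this guide or from Cisco. It assumes an 8-byte big-endian message header (version, message type, length of the data after the header), a payload from which any bundle-level fields have already been removed, and that byte-identical messages are duplicates; `split_bundle`, `SeenWindow`, `make_message` and `MAX_MESSAGE` are hypothetical names.

```python
import hashlib
import struct
from collections import OrderedDict

# Assumed header layout: version, message type, length of the data after the header.
HEADER = struct.Struct(">HHI")
MAX_MESSAGE = 1 << 20   # constructed sanity cap for this example, not a protocol limit


class BundleError(ValueError):
    """A length field does not match the bytes actually received."""


def split_bundle(payload):
    """Return [(message_type, body), ...] for the messages packed in one bundle."""
    messages, offset = [], 0
    while offset < len(payload):
        if len(payload) - offset < HEADER.size:
            raise BundleError(f"truncated header at offset {offset}")
        _version, msg_type, length = HEADER.unpack_from(payload, offset)
        offset += HEADER.size
        # Never trust a length field further than the bytes that were received.
        if length > MAX_MESSAGE or length > len(payload) - offset:
            raise BundleError(f"length {length} overruns bundle at offset {offset}")
        messages.append((msg_type, payload[offset:offset + length]))
        offset += length
    return messages


class SeenWindow:
    """Bounded memory of message digests, used to drop replayed messages."""

    def __init__(self, capacity=100_000):
        self.capacity = capacity
        self._seen = OrderedDict()

    def is_new(self, msg_type, body):
        digest = hashlib.sha256(struct.pack(">H", msg_type) + body).digest()
        if digest in self._seen:
            return False
        self._seen[digest] = None
        if len(self._seen) > self.capacity:
            self._seen.popitem(last=False)   # forget the oldest digest
        return True


def make_message(msg_type, body):
    """Build one constructed sample message (header version 1 assumed)."""
    return HEADER.pack(1, msg_type, len(body)) + body
```

A bundle that fails these checks should be rejected whole, because every later offset in it depends on the length that failed.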
For information about the message bundling mechanism, see 
.
For information about the null message that the client can use for additional flow control, see 
.
Terminating Connections
The eStreamer server attempts to send an error message before closing the connection. For information 
on error messages, see 
The eStreamer server can close a client connection for the following reasons:
  • Any time sending a message results in an error. This includes both event data messages and the null 
    keep-alive message eStreamer sends during periods of inactivity.
  • An error occurs while processing a client request.