Cisco Cisco Firepower Management Center 4000 Developer's Guide
FireSIGHT eStreamer Integration Guide
Chapter 2 Understanding the eStreamer Application Protocol
Understanding eStreamer Communication Stages
While the client is not required to perform post-connection verification, Cisco recommends that the
client perform this verification step. The authentication certificate contains the following field values in
the subject name of the certificate (see Table 2-1):
After the post-connection verification is finished, the eStreamer server awaits a data request from the
client.
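One way a client could implement the recommended post-connection check, shown in Python as an added example (not code from this guide or from Cisco). It assumes the certificate being checked is the one the eStreamer server presents and that it is read with ssl.SSLSocket.getpeercert(); the sample certificate, the function names, and the parameters of connect_verified are hypothetical.

```python
import socket
import ssl

# Expected subject-name values from Table 2-1 of this guide. Attribute names
# are spelled as getpeercert() reports them (OpenSSL long names).
EXPECTED_SUBJECT = {"title": "estreamer", "generationQualifier": "server"}

# Constructed sample in getpeercert() layout; not from a real appliance.
SAMPLE_PEERCERT = {"subject": (
    (("title", "estreamer"),),
    (("generationQualifier", "server"),),
    (("commonName", "fmc.example.test"),),
)}

def subject_attributes(peercert):
    """Flatten getpeercert()['subject'] into {name: [values]}."""
    attrs = {}
    for rdn in peercert.get("subject", ()):
        for name, value in rdn:  # one RDN can carry several attributes
            attrs.setdefault(name, []).append(value)
    return attrs

def verify_estreamer_subject(peercert):
    """Return a list of problems; an empty list means the subject matches."""
    if not peercert:  # None or {}: no certificate was validated
        return ["no validated peer certificate available"]
    attrs = subject_attributes(peercert)
    problems = []
    for name, expected in EXPECTED_SUBJECT.items():
        values = attrs.get(name, [])
        if not values:
            problems.append(f"subject has no {name} attribute")
        elif values != [expected]:  # wrong value, or repeated and ambiguous
            problems.append(f"{name} is {values!r}, expected {expected!r}")
    return problems

def connect_verified(host, port, ca_file, cert_file, key_file):
    """TLS connect, then the post-connection check. Parameters are assumptions
    standing in for your deployment's address, CA and client credentials."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.load_cert_chain(cert_file, key_file)
    raw = socket.create_connection((host, port))
    tls = ctx.wrap_socket(raw, server_hostname=host)
    problems = verify_estreamer_subject(tls.getpeercert())
    if problems:
        tls.close()
        raise ssl.SSLCertVerificationError("; ".join(problems))
    return tls
```

The check fails closed: a missing attribute, a wrong value, or a repeated attribute with conflicting values is reported, and connect_verified drops the connection before any data request is sent.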
Requesting Data from eStreamer
Your client performs the following high-level tasks in managing data requests:
• initializing the request session — see .
• requesting events from the eStreamer event archive — .
• requesting host data — see .
• changing a request — see
Establishing a Session
The client establishes a session by sending an initial Event Stream request to the eStreamer service.
In this initial message, you can either include data request flags or submit the data requests in a follow-on
message. This initial Event Stream request message itself is a prerequisite for all eStreamer requests,
whether for event data or for host data. For information about using the Event Stream request message,
see
Using Event Stream Requests and Extended Requests to Initiate Event Streaming
The eStreamer service provides two modes of requests for event streaming. Your request can combine
modes. In both modes, your client starts the request with an Event Stream request message but sets the
request flag bits differently. For details about the Event Stream message format, see
When eStreamer receives an Event Stream request message, it processes the client request as follows:
• If the request message does not set bit 30 in the request flag field, eStreamer begins streaming any
events requested by other set bits in the request flag field. For information, see .
• If bit 30 is set in the Event Stream request, eStreamer provides extended request processing.
Extended request flags must be sent if this bit is set. For information, see
. Note that eStreamer resolves any duplicate requests. If you request multiple
versions of the same data, either by multiple flags or multiple extended requests, the highest version
is used. For example, if eStreamer receives flag requests for discovery events version 1 and 6 and
an extended request for version 3, it sends version 6.
Table 2-1 Certificate Subject Name Fields

Field                  Value
title                  estreamer
generationQualifier    server