Cisco Firepower Management Center 4000 Developer Guide
Sourcefire 3D System eStreamer Integration Guide, Version 5.3, page 29
Chapter 2: Understanding the eStreamer Application Protocol
Event Stream Request Message Format
The Event Stream Request Message Fields table describes each field in Event Stream Request messages.
Initial Timestamp

IMPORTANT! Your client application should use the archival timestamp in the Initial Timestamp field when submitting an event stream request, as explained below. This ensures that you do not inadvertently exclude events. Devices transmit data to the Defense Center using a “store and forward” mechanism with transmission delays. If you request events by the generation timestamp assigned by the device that detects them, delayed events may be missed.

When starting a session, a best practice is to start from the archival timestamp (also known as the “server timestamp”) of the last record in the previous session. It is not a technical requirement but is strongly recommended. Under certain circumstances, if you use the generation timestamp you can inadvertently exclude events from the new streaming session.

To include the archival timestamp in your streamed events, you must set bit 23 in the request flag field.

Note that only time-based events have archival timestamps. Events that eStreamer generates, such as metadata, have zero in this field when extended event headers have been requested with bit 23 set.
Event Stream Request Message Fields

Field              Data Type   Description
Initial Timestamp  uint32      Defines the start of the session. To start at:
                               • the time the client connects to eStreamer, set all timestamp bits to 1.
                               • the oldest data available, set all timestamp bits to zero.
                               • a given date and time, specify the UNIX timestamp (number of seconds since January 1, 1970).
                               See the Initial Timestamp note on this page for important information.
Request Flags      bits[32]    Specifies the types and versions of events and metadata to be returned in event stream requests. See page 30 for flag definitions.
                               Setting bit 30 initiates an extended request, which can co-exist with event stream requests in the same message.
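The request body described in the Initial Timestamp note and the field table, assembled and decoded in Python as an added example (not code from the guide): the 8-byte Initial Timestamp + Request Flags body, the three timestamp start values, and bits 23 and 30 are as documented on this page; the 8-byte message header (uint16 version 1, uint16 message type 2 for an event stream request, uint32 body length, network byte order) is not described on this page and is assumed here.

```python
import struct

# Request flag bits documented on this page.
FLAG_EXTENDED_EVENT_HEADERS = 1 << 23  # bit 23: events carry the archival (server) timestamp
FLAG_EXTENDED_REQUEST = 1 << 30        # bit 30: extended request in the same message

# Initial Timestamp start values from the field table.
START_AT_CONNECT_TIME = 0xFFFFFFFF     # all timestamp bits set to 1
START_AT_OLDEST_DATA = 0x00000000      # all timestamp bits zero

# ASSUMPTION (not on this page): eStreamer message header = uint16 version,
# uint16 message type, uint32 body length, all in network byte order.
HEADER_VERSION = 1
MSG_TYPE_EVENT_STREAM_REQUEST = 2
HEADER_FMT = "!HHI"
BODY_FMT = "!II"                       # Initial Timestamp, Request Flags


def build_event_stream_request(initial_timestamp: int, request_flags: int) -> bytes:
    """Serialise an Event Stream Request: assumed header + the 8-byte body from the table."""
    for name, value in (("initial_timestamp", initial_timestamp), ("request_flags", request_flags)):
        if not 0 <= value <= 0xFFFFFFFF:
            raise ValueError(f"{name} must fit in an unsigned 32-bit field")
    body = struct.pack(BODY_FMT, initial_timestamp, request_flags)
    return struct.pack(HEADER_FMT, HEADER_VERSION, MSG_TYPE_EVENT_STREAM_REQUEST, len(body)) + body


def resume_request(last_archival_timestamp: int, request_flags: int) -> bytes:
    """Best practice from the page: resume from the archival timestamp of the last record
    received, and keep bit 23 set so the new session's records carry archival timestamps too."""
    return build_event_stream_request(last_archival_timestamp,
                                      request_flags | FLAG_EXTENDED_EVENT_HEADERS)


def parse_event_stream_request(message: bytes) -> dict:
    """Decode a request (e.g. from a capture) and report which documented bits are set."""
    header_len = struct.calcsize(HEADER_FMT)
    if len(message) < header_len:
        raise ValueError("truncated header")
    _version, msg_type, length = struct.unpack(HEADER_FMT, message[:header_len])
    if msg_type != MSG_TYPE_EVENT_STREAM_REQUEST or length != struct.calcsize(BODY_FMT):
        raise ValueError("not a well-formed Event Stream Request")
    if len(message) != header_len + length:
        raise ValueError("body length does not match header")
    initial_timestamp, flags = struct.unpack(BODY_FMT, message[header_len:])
    return {
        "initial_timestamp": initial_timestamp,
        "request_flags": flags,
        "extended_event_headers": bool(flags & FLAG_EXTENDED_EVENT_HEADERS),
        "extended_request": bool(flags & FLAG_EXTENDED_REQUEST),
    }
```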