Cisco Firepower Management Center 4000 Developer Guide
Version 5.3
Sourcefire 3D System eStreamer Integration Guide
Page 45
Chapter 2: Understanding the eStreamer Application Protocol
Event Data Message Format
Event extra data messages have the same format as correlation event messages, with a data block directly after the record header. Unlike correlation messages, they use series 2 data blocks rather than series 1 data blocks; series 2 blocks have their own numbering sequence, separate from that of series 1. For information about series 2 block types, see
Event Extra Data Message Record Header
The shaded section of the following graphic shows the fields of the record header in event extra data messages. The table that follows describes each field in the record header of event extra data messages.
[Graphic: event extra data message layout, one 32-bit word per row (bytes 0-3, bits 0-31). Fields in order:]
Header Version (1) | Message Type (3)
Message Length
Record Type (See ...)
Record Length
eStreamer Server Timestamp (for events only, not used in metadata records)
Reserved for Future Use (for events only, not used in metadata records)
Data Record Block (uses series 2 block, see ...)
Event Extra Data Message Record Header Fields

Field          Data Type   Description
Record Type    uint32      Identifies the data record content type. See the ... on page 65 for the list of event extra data record types.
Record Length  uint32      Length of the content of the message after the record header. Does not include the 8 or 16 bytes of the record header. (Record Length plus the length of the record header equals Message Length.)
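The length relationship stated in the table (Record Length plus the record header length equals Message Length) is enough for a client to decide whether it is looking at the 8-byte metadata form or the 16-byte event form of the record header, and to reject a message whose lengths disagree before touching the data block. The following parser is an added example, not code from the guide or from Cisco; it assumes network (big-endian) byte order, a 16-bit Header Version and Message Type sharing the first word, and 32-bit Timestamp and Reserved fields. The record type value and the builder used to make test input are constructed.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Assumed field widths: 8-byte message header (uint16 version, uint16 type,
# uint32 length), then a record header of 8 bytes (record type, record length)
# or 16 bytes (plus server timestamp and reserved word) for events. Big-endian.
MESSAGE_HEADER = struct.Struct("!HHI")
RECORD_HEADER_BASE = struct.Struct("!II")   # Record Type, Record Length
RECORD_HEADER_EVENT = struct.Struct("!II")  # Timestamp, Reserved (events only)
EVENT_DATA_MESSAGE_TYPE = 3                 # "Message Type (3)" in the layout


@dataclass
class EventExtraDataRecord:
    header_version: int
    message_type: int
    record_type: int
    record_length: int
    timestamp: Optional[int]  # None when the 8-byte (metadata) header is used
    data_block: bytes         # raw series 2 block; not decoded here


def parse_event_data_message(buf: bytes) -> EventExtraDataRecord:
    """Parse one event data message, enforcing the header length invariants."""
    if len(buf) < MESSAGE_HEADER.size:
        raise ValueError("truncated message header")
    version, msg_type, msg_len = MESSAGE_HEADER.unpack_from(buf, 0)
    if msg_type != EVENT_DATA_MESSAGE_TYPE:
        raise ValueError(f"unexpected message type {msg_type}")
    body = buf[MESSAGE_HEADER.size:MESSAGE_HEADER.size + msg_len]
    if len(body) != msg_len or msg_len < RECORD_HEADER_BASE.size:
        raise ValueError("message length does not match available bytes")
    rec_type, rec_len = RECORD_HEADER_BASE.unpack_from(body, 0)
    # Record Length + record header length == Message Length, so the header
    # length is derivable and must be exactly 8 (metadata) or 16 (event).
    hdr_len = msg_len - rec_len
    if hdr_len == RECORD_HEADER_BASE.size:
        timestamp = None
    elif hdr_len == RECORD_HEADER_BASE.size + RECORD_HEADER_EVENT.size:
        timestamp, _reserved = RECORD_HEADER_EVENT.unpack_from(body, RECORD_HEADER_BASE.size)
    else:
        raise ValueError(f"inconsistent lengths: message {msg_len}, record {rec_len}")
    return EventExtraDataRecord(version, msg_type, rec_type, rec_len, timestamp, body[hdr_len:])


def build_event_data_message(rec_type: int, data_block: bytes, timestamp: Optional[int] = None) -> bytes:
    """Constructed test-input builder (not the eStreamer server's code)."""
    rec_hdr = RECORD_HEADER_BASE.pack(rec_type, len(data_block))
    if timestamp is not None:
        rec_hdr += RECORD_HEADER_EVENT.pack(timestamp, 0)
    body = rec_hdr + data_block
    return MESSAGE_HEADER.pack(1, EVENT_DATA_MESSAGE_TYPE, len(body)) + body
```

A record length that has been altered in transit, or a truncated stream, fails the length check rather than producing a data block that silently starts inside the header.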