Developer's Guide for Cisco Firepower Management Center 4000
Version 5.3
Sourcefire 3D System eStreamer Integration Guide
Understanding the eStreamer Application Protocol
Event Data Message Format
Chapter 2
The Discovery Event Message Header Fields table describes the fields in the record header and the event header of the discovery event message.
Connection Event Message Format
Messages carrying connection statistics have the same structure as discovery event messages. See page 40 for general message format information. Connection event messages differ only in the data block types they carry.
Correlation Event Message Format
The graphic below shows the general structure of correlation (compliance) event
messages. The standard eStreamer message header and record header are
Discovery Event Message Header Fields

Record Type (uint32)
    Identifies the data record content type. See page 166 for the list of record types.

Record Length (uint32)
    Length of the content of the message after the record header. Does not include the 8 or 16 bytes of the record header. (Record Length plus the length of the record header equals Message Length.)

eStreamer Server Timestamp (uint32)
    Indicates the timestamp applied when the event was archived by the eStreamer server. Also called the archival timestamp. Field present only if bit 23 is set in the request flags field of the event stream request.

Reserved for future use (uint32)
    Reserved for future use. Field present only if bit 23 is set in the request message flags.

Discovery Event Header (varied)
    Contains a number of fields, including the event type and subtype, which together form a unique key to the data structure that follows. See page 198 for definitions of the fields in the discovery event header.
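Added example (not code from the guide or from the Sourcefire eStreamer SDK): a Python parser for the record header laid out in the table above, with the length check the Record Length description implies. The practical trap is that the record header is 8 or 16 bytes depending on whether the client set bit 23 in its own event stream request, so a client that requests archival timestamps but parses an 8-byte header will misread every record; the check `Record Length + record header length == Message Length` catches that immediately. The code assumes network byte order and an 8-byte eStreamer message header of uint16 header version, uint16 message type and uint32 message length (the general message format on page 40 is not reproduced here). The message type 4, record type 1000, timestamp and body bytes in the sample are constructed placeholders, and the function and class names are ours.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Bit 23 of the event stream request flags asks the server to add the archival
# timestamp and a reserved uint32 to each record header (16 bytes instead of 8).
# The bit position is from the guide; the constant name is ours.
FLAG_ARCHIVE_TIMESTAMPS = 1 << 23

# Assumed 8-byte message header: uint16 header version, uint16 message type,
# uint32 message length (bytes that follow the message header), network order.
MESSAGE_HEADER = struct.Struct("!HHI")
RECORD_HEADER_BASE = struct.Struct("!II")        # record type, record length
RECORD_HEADER_ARCHIVE = struct.Struct("!IIII")   # plus timestamp, reserved


@dataclass
class RecordHeader:
    record_type: int
    record_length: int
    header_length: int                 # 8 or 16, depending on bit 23
    archive_timestamp: Optional[int]   # None when bit 23 was not requested


@dataclass
class EventRecord:
    message_type: int
    header: RecordHeader
    body: bytes   # event header plus event data, not decoded here


def parse_record_header(data: bytes, request_flags: int) -> RecordHeader:
    """Parse the record header at data[0], sized by the client's own request flags."""
    if request_flags & FLAG_ARCHIVE_TIMESTAMPS:
        fmt = RECORD_HEADER_ARCHIVE
        if len(data) < fmt.size:
            raise ValueError("truncated 16-byte record header")
        rtype, rlen, timestamp, _reserved = fmt.unpack_from(data)
        return RecordHeader(rtype, rlen, fmt.size, timestamp)
    fmt = RECORD_HEADER_BASE
    if len(data) < fmt.size:
        raise ValueError("truncated 8-byte record header")
    rtype, rlen = fmt.unpack_from(data)
    return RecordHeader(rtype, rlen, fmt.size, None)


def parse_event_message(msg: bytes, request_flags: int) -> EventRecord:
    """Parse one event data message and enforce the guide's length invariant."""
    if len(msg) < MESSAGE_HEADER.size:
        raise ValueError("truncated message header")
    _version, mtype, mlen = MESSAGE_HEADER.unpack_from(msg)
    payload = msg[MESSAGE_HEADER.size:]
    if len(payload) != mlen:
        raise ValueError(f"message length {mlen} but {len(payload)} payload bytes")
    hdr = parse_record_header(payload, request_flags)
    # Record Length + record header length must equal Message Length.
    if hdr.record_length + hdr.header_length != mlen:
        raise ValueError(
            f"record length {hdr.record_length} + header {hdr.header_length} "
            f"!= message length {mlen}; check whether bit 23 was requested")
    return EventRecord(mtype, hdr, payload[hdr.header_length:])


def build_event_message(message_type: int, record_type: int, body: bytes,
                        archive_timestamp: Optional[int] = None) -> bytes:
    """Build a message for testing (constructed, not captured from a server)."""
    if archive_timestamp is None:
        rec = RECORD_HEADER_BASE.pack(record_type, len(body))
    else:
        rec = RECORD_HEADER_ARCHIVE.pack(record_type, len(body), archive_timestamp, 0)
    return MESSAGE_HEADER.pack(1, message_type, len(rec) + len(body)) + rec + body


def demo():
    """Parse a constructed 16-byte-header message correctly, then with wrong flags."""
    body = bytes(range(12))   # placeholder for a discovery event header + data
    msg = build_event_message(4, 1000, body, archive_timestamp=1400000000)
    good = parse_event_message(msg, FLAG_ARCHIVE_TIMESTAMPS)
    try:
        parse_event_message(msg, 0)   # client forgot that it requested timestamps
        mismatch = ""
    except ValueError as exc:
        mismatch = str(exc)
    return good, mismatch


if __name__ == "__main__":
    record, err = demo()
    print(record.header)
    print("wrong flags:", err)
```

The parser is deliberately driven by the client's request flags rather than by sniffing the header, because nothing in the record header itself marks whether the optional fields are present; the length invariant is the only on-the-wire check available.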