Cisco Firepower Management Center 2000 Developer Guide

2-21
FireSIGHT eStreamer Integration Guide
 
Chapter 2      Understanding the eStreamer Application Protocol
  Event Data Message Format
Correlation Record Header
The shaded section of the following graphic shows the fields of the record header in correlation event messages. Note that correlation messages use series 1 data blocks; however, they do not have the discovery header that appears in discovery event messages. Their header fields resemble those of intrusion event messages. The table that follows the graphic below defines the record header fields for correlation events.
[Figure: event data message structure, drawn as 32-bit rows (byte 0-3, bit 0-31). Rows top to bottom: Message Header; Record Header (see  for field details); Data Record Block ...]

[Figure: correlation record header layout, drawn as 32-bit rows (byte 0-3, bit 0-31). Fields top to bottom: Header Version (1); Message Type (3); Message Length; Record Type; Record Length; eStreamer Server Timestamp (for events only, not used in metadata records); Reserved for Future Use (for events only, not used in metadata records); Data Record Block (uses Series 1 block, see ...)]
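As an added example, not code from the guide or from Cisco, the following Python parser walks the message header and correlation record header fields shown in the figure and hands back the series 1 data block that follows them directly (there is no discovery header in between). It assumes big-endian fields of 2, 2 and 4 bytes for the message header and 4 bytes for each of the four record header fields, and that Record Length counts every byte after the Record Length field; the record type value, timestamp and data block in the sample are constructed placeholders.

```python
import struct
from typing import NamedTuple

# eStreamer multi-byte fields are big-endian (network byte order).
MESSAGE_HEADER = struct.Struct("!HHI")   # header version, message type, message length
RECORD_HEADER = struct.Struct("!IIII")   # record type, record length, server timestamp, reserved

HEADER_VERSION = 1       # shown in the figure as "Header Version (1)"
EVENT_DATA_MESSAGE = 3   # shown in the figure as "Message Type (3)"


class CorrelationRecord(NamedTuple):
    record_type: int
    record_length: int
    server_timestamp: int
    data_block: bytes    # the series 1 data block; no discovery header precedes it


def parse_event_data_message(msg: bytes) -> CorrelationRecord:
    """Parse one event data message, raising ValueError on any header or
    length inconsistency instead of reading past the end of the buffer."""
    if len(msg) < MESSAGE_HEADER.size:
        raise ValueError("truncated message header")
    version, msg_type, msg_len = MESSAGE_HEADER.unpack_from(msg, 0)
    if version != HEADER_VERSION:
        raise ValueError(f"unexpected header version {version}")
    if msg_type != EVENT_DATA_MESSAGE:
        raise ValueError(f"not an event data message (type {msg_type})")
    body = msg[MESSAGE_HEADER.size:]
    # Message Length counts the bytes that follow the 8-byte message header.
    if msg_len != len(body):
        raise ValueError(f"message length {msg_len} != {len(body)} bytes present")
    if len(body) < RECORD_HEADER.size:
        raise ValueError("truncated record header")
    rec_type, rec_len, timestamp, _reserved = RECORD_HEADER.unpack_from(body, 0)
    # Assumption: Record Length counts everything after the Record Length field
    # (timestamp, reserved and data block), so it is 8 bytes short of the body.
    if rec_len != len(body) - 8:
        raise ValueError(f"record length {rec_len} inconsistent with {len(body)}-byte body")
    return CorrelationRecord(rec_type, rec_len, timestamp, body[RECORD_HEADER.size:])


def is_well_formed(msg: bytes) -> bool:
    """True if the message parses without a header or length error."""
    try:
        parse_event_data_message(msg)
        return True
    except ValueError:
        return False


def build_sample_message(record_type: int, timestamp: int, data_block: bytes) -> bytes:
    """Constructed encoder (not from the guide) used only to exercise the parser."""
    record = RECORD_HEADER.pack(record_type, 8 + len(data_block), timestamp, 0) + data_block
    return MESSAGE_HEADER.pack(HEADER_VERSION, EVENT_DATA_MESSAGE, len(record)) + record
```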