eStreamer
Synopsis
Creates an eStreamer client that connects to a Cisco Firepower eStreamer server to receive security events. Director polls the source system's API at configured intervals to retrieve log and telemetry data rather than receiving pushed events.
For details, see Appendix.
Schema
```yaml
- id: <numeric>
  name: <string>
  description: <string>
  type: estreamer
  tags: <string[]>
  pipelines: <pipeline[]>
  status: <boolean>
  properties:
    address: <string>
    port: <numeric>
    tls:
      status: <boolean>
      cert_name: <string>
      key_name: <string>
      non_secure: <boolean>
    batch_size: <numeric>
    flush_interval: <numeric>
    inputs:
      - id: <numeric>
        status: <boolean>
```
Configuration
The following fields are used to define the device:
Device
| Field | Required | Default | Description |
|---|---|---|---|
| id | Y | - | Unique identifier |
| name | Y | - | Device name |
| description | N | - | Optional description |
| type | Y | - | Must be estreamer |
| tags | N | - | Optional tags |
| pipelines | N | - | Optional pre-processor pipelines |
| status | N | true | Enable/disable the device |
Connection
| Field | Required | Default | Description |
|---|---|---|---|
| address | Y | - | eStreamer server address to connect to |
| port | N | 8302 | eStreamer server port |
TLS
| Field | Required | Default | Description |
|---|---|---|---|
| tls.status | N | true | Enable TLS encryption |
| tls.cert_name | Y | - | Client certificate file name in the service root directory |
| tls.key_name | Y | - | Client private key file name in the service root directory |
| tls.non_secure | N | false | Allow less secure TLS versions |
The client certificate and private key files must be placed in the service root directory. TLS is required by the eStreamer protocol.
Advanced Configuration
To enhance performance and achieve better event handling, the following settings are used.
Events
| Field | Required | Default | Description |
|---|---|---|---|
| batch_size | N | 1000 | Number of events to batch before processing |
| flush_interval | N | 1 | Event flush interval in seconds |

| Field | Required | Default | Description |
|---|---|---|---|
| inputs[].id | N | - | Event type ID to process. Available options: 102 (Connection), 103 (File), 104 (Malware), 106 (Intrusion) |
| inputs[].status | N | true | Enable/disable the specific event type |
Event Types
eStreamer supports four main types of security events:
- Connection Events (ID: 102)
  - Network connection tracking
  - Protocol information
  - Source and destination details
  - Connection statistics
  - Available block types: 163, 160, 157, 155, 154, 152, 137
- File Events (ID: 103)
  - File transfer detection
  - File type identification
  - File SHA hashes
  - Available block types: 56, 46, 43, 38, 32
- Malware Events (ID: 104)
  - Malware detection results
  - File disposition
  - Threat scores
  - Available block types: 62, 47, 44, 35, 33, 24, 16
- Intrusion Events (ID: 106)
  - IPS/IDS alerts
  - Rule-based detections
  - Threat classifications
  - Available block types: 60, 45, 42, 41, 34, 25
Examples
The following are commonly used configuration types.
Basic
Minimal eStreamer client connecting to a Firepower server with TLS:
Creating a simple eStreamer client...
High-Volume
Optimizing for high event volumes with larger batch and shorter flush interval...
Events
Collecting connection and intrusion events only:
Collecting specific event types...
Legacy Systems
Connecting to older Firepower servers that require less secure TLS versions:
Connecting to older eStreamer servers...
For improved security, leave tls.non_secure at its default of false unless you are connecting to legacy systems that require older TLS versions.
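As an added example (not Director's own code), the following Python applies the defaults from the tables above to a device definition and reports the schema and TLS findings a reviewer would check before deploying it; the function name and the sample device are constructed for this illustration.

```python
# Added example (not Director's own code): fill in the documented defaults for an
# eStreamer device definition and report required-field, event-type and TLS findings.
import copy

DEFAULTS = {"port": 8302, "batch_size": 1000, "flush_interval": 1}
TLS_DEFAULTS = {"status": True, "non_secure": False}
EVENT_TYPES = {102: "Connection", 103: "File", 104: "Malware", 106: "Intrusion"}

def normalize(device: dict) -> tuple[dict, list[str]]:
    """Return a copy of `device` with defaults filled in, plus a list of findings."""
    dev = copy.deepcopy(device)
    findings = []
    for key in ("id", "name", "type"):
        if key not in dev:
            findings.append(f"missing required field: {key}")
    if dev.get("type") != "estreamer":
        findings.append("type must be estreamer")
    dev.setdefault("status", True)
    props = dev.setdefault("properties", {})
    if "address" not in props:
        findings.append("missing required field: properties.address")
    for key, value in DEFAULTS.items():
        props.setdefault(key, value)
    tls = props.setdefault("tls", {})
    for key, value in TLS_DEFAULTS.items():
        tls.setdefault(key, value)
    for key in ("cert_name", "key_name"):
        if key not in tls:
            findings.append(f"missing required field: properties.tls.{key}")
    if not tls["status"]:
        findings.append("tls.status is false, but TLS is required by eStreamer")
    if tls["non_secure"]:
        findings.append("tls.non_secure is true: older TLS versions are accepted")
    for inp in props.setdefault("inputs", []):
        inp.setdefault("status", True)  # inputs[].status defaults to true
        if inp.get("id") not in EVENT_TYPES:
            findings.append(f"unknown event type id: {inp.get('id')}")
    return dev, findings

# Constructed sample: connection and intrusion events only, legacy TLS allowed,
# plus one event type id that is not in the documented list.
LEGACY_DEVICE = {
    "id": 1, "name": "fmc-legacy", "type": "estreamer",
    "properties": {
        "address": "fmc.example.internal",
        "tls": {"cert_name": "client.crt", "key_name": "client.key", "non_secure": True},
        "inputs": [{"id": 102}, {"id": 106}, {"id": 999}],
    },
}
```

Calling `normalize(LEGACY_DEVICE)` fills in port 8302, batch_size 1000 and flush_interval 1, and returns two findings: the non_secure flag and the unknown id 999.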