This example can also be found in the json_request.json file in the eStreamer SDK.

    { "Events":
        { "ConnectionEvent":
            { "FieldSetDef":
                { "OutputFieldSet":
                    ["HeaderFieldSet", "ConnectionKeySet", "DetailFieldSet"] },
              "Fields":
                ["OutputFieldSet"] },
          "IntrusionEvent":
            { "FieldSetDef":
                { "OutputFieldSet":
                    ["HeaderFieldSet", "ConnectionKeySet", "DetailFieldSet", "Impact"] },
              "Fields": ["OutputFieldSet"] },
          "IntrusionPacket":
            { "FieldSetDef":
                { "OutputFieldSet":
                    ["HeaderFieldSet", "DetailFieldSet"] },
              "Fields": ["OutputFieldSet"] },
          "FileEvent":
            { "FieldSetDef":
                { "OutputFieldSet":
                    ["HeaderFieldSet", "ConnectionKeySet", "DetailFieldSet"] },
              "Fields":
                ["OutputFieldSet"] } },
      "OutputFormat":
        { "Transform": "Text", "TransformConfig": "JSON" } }

The ConnectionEvent block specifies the requested fields from connection events; if it were removed, the eStreamer server would not send any connection events. Likewise, the IntrusionEvent block specifies the requested fields from intrusion events, the IntrusionPacket block the requested fields from intrusion event packets, and the FileEvent block the requested fields from file events; removing any of these blocks means the eStreamer server would not send events of that type. The OutputFormat section specifies the output format as described below.
In the Events section, specify a block for each event type that you would like the client to receive (only the example types are supported: ConnectionEvent, IntrusionEvent, IntrusionPacket, and FileEvent). The FieldSetDef section for each event must specify an OutputFieldSet, which lists the fields or field sets that will be included in the events for that event type. The sample file only specifies field sets, but you can use any combination of field names and field sets.
The list of available fields for each event type, and the predefined field sets, can be found on the Firepower Management Center in the file /etc/sf/EventHandler/EventCatalog/EventCatalog.json. In the Fields section towards the end of that file, look for the desired event type (such as IntrusionEvent), then see its Fields and FieldSetDef blocks to see what is available for that event type.
The OutputFormat section has settings for the output. The Transform field is always Text, and you specify the output transformation format with the TransformConfig field. The example shows JSON, but you can also specify CSV. Other text formats are available, as well as FlatBuffer, but you will need to request documentation for these formats.
When JSON output is specified in TransformConfig, the output contains name-value pairs for each requested field, except that fields which are irrelevant to the event are skipped (e.g. if you requested SSL fields and an event did not use SSL, the output will not contain those fields).

When CSV output is specified in TransformConfig, the output contains the desired fields in the order listed in the configuration. If a field is not relevant to the event, the CSV contains only a comma for that field. Do not use predefined field sets when requesting CSV, because the field sets may change between versions, making the CSV incompatible.