eStreamer
Synopsis
Creates an eStreamer client that connects to an eStreamer server to receive various security events. Supports TLS encryption, event filtering, and batch processing of events.
See Appendix for details.
Schema
```yaml
- id: <numeric>
  name: <string>
  description: <string>
  type: estreamer
  tags: <string[]>
  pipelines: <pipeline[]>
  status: <boolean>
  properties:
    address: <string>
    port: <numeric>
    tls:
      status: <boolean>
      cert_name: <string>
      key_name: <string>
      non_secure: <boolean>
    reuse: <boolean>
    workers: <numeric>
    batch_size: <numeric>
    flush_interval: <numeric>
    inputs:
      - id: <numeric>
        status: <boolean>
```
Configuration
The following are the minimum requirements to define the device.
Device
Field | Required | Default | Description |
---|---|---|---|
id | Y | - | Unique identifier |
name | Y | - | Device name |
description | N | - | Optional description |
type | Y | - | Must be estreamer |
status | N | true | Enable/disable the device |
Network
Field | Required | Default | Description |
---|---|---|---|
address | N | "0.0.0.0" | Address of the eStreamer server to connect to |
port | N | 8302 | Port of the eStreamer server |
TLS
Field | Required | Default | Description |
---|---|---|---|
tls.status | Y | true | Enable TLS encryption (always required) |
tls.cert_name | Y | - | Client certificate file path |
tls.key_name | Y | - | Client private key file path |
tls.non_secure | N | false | Allow less secure TLS versions |
The client certificate and private key files must be placed in the service root directory.
Advanced Configuration
To enhance performance and achieve better event handling, the following settings are used.
Events
The following settings are used for event processing:
Field | Required | Default | Description |
---|---|---|---|
batch_size | N | 1000 | Number of events to batch before processing |
flush_interval | N | 60 | Event flush interval in seconds |
The event types are specified with:
Field | Required | Default | Description |
---|---|---|---|
inputs[].id | N | - | Event type ID to process. Available options: 102 (Connection), 103 (File), 104 (Malware), 106 (Intrusion) |
inputs[].status | N | true | Enable/disable the specific event type |
Key Features
- Real-time event streaming with TLS encryption
- Support for multiple event types and metadata
- Configurable batch processing and performance tuning
- Automatic reconnection handling
- Event filtering capabilities
Event Types
eStreamer supports four main types of security events:
- Connection Events (ID: 102)
  - Network connection tracking
  - Protocol information
  - Source and destination details
  - Connection statistics
  - Available block types: 163, 160, 157, 155, 154, 152, 137
- File Events (ID: 103)
  - File transfer detection
  - File type identification
  - File SHA hashes
  - Available block types: 56, 46, 43, 38, 32
- Malware Events (ID: 104)
  - Malware detection results
  - File disposition
  - Threat scores
  - Available block types: 62, 47, 44, 35, 33, 24, 16
- Intrusion Events (ID: 106)
  - IPS/IDS alerts
  - Rule-based detections
  - Threat classifications
  - Available block types: 60, 45, 42, 41, 34, 25
Examples
The following are commonly used configuration types.
Basic
For a basic client, enable TLS encryption and use default event types and settings.
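The basic client described above, written out as an added example configuration (not taken from the original page or the product's own samples). The server hostname and the certificate and key file names are placeholders; `inputs` is omitted so the default event types apply:

```yaml
# Added example: a basic eStreamer client with TLS and default event handling.
# "fmc.example.com" and the certificate/key file names are placeholders.
- id: 1
  name: estreamer_basic
  description: "Basic eStreamer client with TLS"
  type: estreamer
  status: true
  properties:
    address: "fmc.example.com"          # placeholder eStreamer server address
    port: 8302                          # default eStreamer port
    tls:
      status: true                      # always required
      cert_name: "estreamer-client.crt" # placed in the service root directory
      key_name: "estreamer-client.key"  # placed in the service root directory
      non_secure: false                 # keep modern TLS versions only
    # batch_size, flush_interval and inputs are omitted: defaults apply
```

Both certificate files are resolved relative to the service root directory, so only the file names are given, not absolute paths.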
High-Volume
To enhance performance, make sure that the batch size is larger, the flush interval is smaller, and multiple workers are used.
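The high-volume variant as an added example configuration (not from the original page). The hostname and file names are placeholders, and the worker count, batch size and flush interval are illustrative values chosen to be larger, larger and smaller than the defaults respectively; tune them to the actual event rate:

```yaml
# Added example: eStreamer client tuned for high event volumes.
# Server address, file names and tuning values are placeholders.
- id: 2
  name: estreamer_high_volume
  description: "eStreamer client tuned for high event volumes"
  type: estreamer
  status: true
  properties:
    address: "fmc.example.com"
    port: 8302
    tls:
      status: true
      cert_name: "estreamer-client.crt"
      key_name: "estreamer-client.key"
      non_secure: false
    workers: 4          # multiple workers (illustrative value)
    batch_size: 5000    # larger than the default of 1000 events
    flush_interval: 10  # shorter than the default of 60 seconds
```

A larger batch with a shorter flush interval keeps per-event overhead low without letting events sit in the buffer for long; the TLS settings are unchanged from the basic client.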
Events
For selective event processing, enable connection and intrusion events, and disable file and malware events.
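Selective event collection as an added example configuration (not from the original page), using the event type IDs the Event Types section lists. The hostname and file names are placeholders:

```yaml
# Added example: collect only connection and intrusion events.
# Server address and file names are placeholders.
- id: 3
  name: estreamer_selective
  description: "Connection and intrusion events only"
  type: estreamer
  status: true
  properties:
    address: "fmc.example.com"
    port: 8302
    tls:
      status: true
      cert_name: "estreamer-client.crt"
      key_name: "estreamer-client.key"
      non_secure: false
    inputs:
      - id: 102         # Connection events
        status: true
      - id: 106         # Intrusion events
        status: true
      - id: 103         # File events
        status: false
      - id: 104         # Malware events
        status: false
```

Disabled entries are listed explicitly rather than omitted so the configuration documents which event types were deliberately turned off.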
Legacy Systems
To connect to legacy eStreamer servers that only support older TLS versions, set tls.non_secure to true and keep the default event processing settings and event types.
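The legacy-server variant as an added example configuration (not from the original page). It differs from the basic client only in `tls.non_secure`; the hostname and file names are placeholders:

```yaml
# Added example: eStreamer client for a server that only supports older TLS versions.
# Server address and file names are placeholders.
- id: 4
  name: estreamer_legacy
  description: "eStreamer client for a legacy server"
  type: estreamer
  status: true
  properties:
    address: "legacy-fmc.example.com"
    port: 8302
    tls:
      status: true                      # TLS itself is still mandatory
      cert_name: "estreamer-client.crt"
      key_name: "estreamer-client.key"
      non_secure: true                  # allows less secure TLS versions; legacy servers only
    # event processing and event types are left at their defaults
```

Treat `non_secure: true` as a per-device exception and revert it to false once the server is upgraded.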
For improved security, leave tls.non_secure at its default of false unless you are connecting to a legacy server that requires older TLS versions; setting it to true allows less secure TLS versions for that connection.