eStreamer

Pull

Synopsis

Creates an eStreamer client that connects to an eStreamer server to receive various security events. Supports TLS encryption, event filtering, and batch processing of events.

Schema

- id: <numeric>
  name: <string>
  description: <string>
  type: estreamer
  tags: <string[]>
  pipelines: <pipeline[]>
  status: <boolean>
  properties:
    address: <string>
    port: <numeric>
    tls:
      status: <boolean>
      cert_name: <string>
      key_name: <string>
      non_secure: <boolean>
    reuse: <boolean>
    workers: <numeric>
    batch_size: <numeric>
    flush_interval: <numeric>
    inputs:
      - id: <numeric>
        status: <boolean>

Configuration

The following are the minimum requirements to define the device.

Device

| Field | Required | Default | Description |
|---|---|---|---|
| id | Y | | Unique identifier |
| name | Y | | Device name |
| description | N | - | Optional description |
| type | Y | | Must be estreamer |
| status | N | true | Enable/disable the device |

Network

| Field | Required | Default | Description |
|---|---|---|---|
| address | N | "0.0.0.0" | Server address to connect to |
| port | N | 8302 | Server port |

TLS

| Field | Required | Default | Description |
|---|---|---|---|
| tls.status | Y | true | Enable TLS encryption (always required) |
| tls.cert_name | Y | | Client certificate file path |
| tls.key_name | Y | | Client private key file path |
| tls.non_secure | N | false | Allow less secure TLS versions |

Note: The client certificate and private key files must be placed in the service root directory.

Advanced Configuration

The following settings tune performance and event handling.

Events

The following settings are used for event processing:

| Field | Required | Default | Description |
|---|---|---|---|
| batch_size | N | 1000 | Number of events to batch before processing |
| flush_interval | N | 60 | Event flush interval in seconds |

The event types are specified with:

| Field | Required | Default | Description |
|---|---|---|---|
| inputs[].id | N | - | Event type ID to process. Available options: 102 (Connection), 103 (File), 104 (Malware), 106 (Intrusion) |
| inputs[].status | N | true | Enable/disable the specific event type |

Examples

The following are commonly used configuration types.

Basic

For a basic client, enable TLS encryption and use default event types and settings.

Creating a simple eStreamer client...

- id: 1
  name: basic_estreamer
  type: estreamer
  properties:
    address: "192.168.1.100"
    port: 8302
    tls:
      cert_name: "client.crt"
      key_name: "client.key"

High-Volume

For higher throughput, increase the batch size, shorten the flush interval, and run multiple workers.

Optimizing for high event volumes...

- id: 2
  name: performant_estreamer
  type: estreamer
  properties:
    address: "192.168.1.100"
    port: 8302
    tls:
      cert_name: "client.crt"
      key_name: "client.key"
    batch_size: 5000
    flush_interval: 30
    reuse: true
    workers: 4

Events

For selective event processing, enable connection and intrusion events, and disable file and malware events.

Collecting specific event types...

- id: 3
  name: filtered_estreamer
  type: estreamer
  properties:
    address: "192.168.1.100"
    port: 8302
    tls:
      cert_name: "client.crt"
      key_name: "client.key"
    inputs:
      - id: 102
        status: true
      - id: 106
        status: true

Legacy Systems

For legacy servers, allow older TLS versions and keep the standard event processing settings and default security event types.

Connecting to older eStreamer servers...

- id: 4
  name: legacy_estreamer
  type: estreamer
  properties:
    address: "192.168.1.100"
    port: 8302
    tls:
      cert_name: "client.crt"
      key_name: "client.key"
      non_secure: true

Warning: For improved security, unless you are connecting to legacy systems that require older TLS versions, set tls.non_secure: false.
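To catch a weak or invalid device definition before it is deployed, here is an added Python check (not part of the product or this page) that validates a parsed device definition against the field tables above and flags the settings the warning covers. It assumes the definition has already been loaded from YAML into a dict, and that listing `inputs` disables the unlisted event types, as the Events example implies; the sample devices are the page's Basic and Legacy Systems examples, constructed inline.

```python
"""Checks for an eStreamer device definition, based on the field tables on this page."""

# Event type IDs the page lists as available for inputs[].id
EVENT_TYPES = {102: "Connection", 103: "File", 104: "Malware", 106: "Intrusion"}
# Defaults from the Network and Events tables
DEFAULTS = {"address": "0.0.0.0", "port": 8302, "batch_size": 1000, "flush_interval": 60}


def check_device(device: dict) -> list[str]:
    """Return a list of findings (empty when the definition is acceptable)."""
    findings = []
    for key in ("id", "name"):
        if key not in device:
            findings.append(f"missing required field: {key}")
    if device.get("type") != "estreamer":
        findings.append("type must be estreamer")
    props = device.get("properties", {})
    tls = props.get("tls", {})
    if tls.get("status", True) is not True:
        findings.append("tls.status must be true: TLS is always required")
    for key in ("cert_name", "key_name"):
        if not tls.get(key):
            findings.append(f"tls.{key} is required")
    if tls.get("non_secure", False):
        findings.append("tls.non_secure is true: older TLS versions allowed; only for legacy servers")
    # 0.0.0.0 is the wildcard address, not a server a client can connect to
    if props.get("address", DEFAULTS["address"]) == "0.0.0.0":
        findings.append("address is 0.0.0.0: set the eStreamer server address")
    for entry in props.get("inputs", []):
        if entry.get("id") not in EVENT_TYPES:
            findings.append(f"unknown event type id: {entry.get('id')}")
    return findings


def enabled_events(device: dict) -> dict[int, str]:
    """Event types the device will process; no inputs list means the default set (assumption)."""
    inputs = device.get("properties", {}).get("inputs")
    if not inputs:
        return dict(EVENT_TYPES)
    return {e["id"]: EVENT_TYPES[e["id"]]
            for e in inputs if e.get("status", True) and e.get("id") in EVENT_TYPES}


# Constructed: the page's Basic and Legacy Systems examples as a YAML loader would return them
BASIC = {"id": 1, "name": "basic_estreamer", "type": "estreamer",
         "properties": {"address": "192.168.1.100", "port": 8302,
                        "tls": {"cert_name": "client.crt", "key_name": "client.key"}}}
LEGACY = {"id": 4, "name": "legacy_estreamer", "type": "estreamer",
          "properties": {"address": "192.168.1.100", "port": 8302,
                         "tls": {"cert_name": "client.crt", "key_name": "client.key",
                                 "non_secure": True}}}
```

Running `check_device(LEGACY)` returns only the `tls.non_secure` finding, so a pipeline gate can reject any device that is not explicitly marked as legacy.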