Question & Answer
Extended requests were added to support version 5.x of the eStreamer protocol for the Cisco FireSIGHT Management Center DSM. QRadar has supported extended data requests as a user interface option for administrators. When configuring a Cisco FireSIGHT Management Center log source, it is recommended that administrators enable Extended Requests.
There are two methods by which QRadar can retrieve event data over the eStreamer protocol:
- Streaming requests
Streaming requests are the older method of retrieving data over the eStreamer protocol and are less efficient than extended requests. With streaming requests, the QRadar appliance receives a single record and then asks for the next one by sending a null message back to the eStreamer server. Every record therefore costs its own send and receive exchange, which is why this method is inefficient. If you clear the 'Use Extended Requests' check box, the log source falls back to communicating with streaming requests.
- Extended requests
Extended requests deliver message bundles that contain multiple records. When QRadar has finished processing a bundle, it writes a single null message back to the eStreamer server to acknowledge the whole bundle rather than each record. Because QRadar cannot know in advance which eStreamer protocol version the Management Center is running, 'Use Extended Requests' is not selected by default: this feature requires eStreamer protocol v5.0 or later.
Why use Extended Requests with Cisco FireSIGHT?
Extended requests are recommended because they allow clients to retrieve the latest version of each record type. For example, the intrusion event data record exists in several versions, with new versions added in different releases. Extended requests allow a client to ask for a specific record version; when extended requests are enabled, QRadar always requests the latest version. The latest versions contain new fields with more data for administrators, and some record types are not delivered at all when streaming requests are used. QRadar does not force customers to use extended requests, but recommends them: without extended requests, administrators are potentially missing useful data that could otherwise be collected.
Where is this check box in the user interface?
The 'Use Extended Requests' check box can be found in the Cisco FireSIGHT Management Center log source configuration.
Figure 1: Location of 'Use Extended Requests' check box for Cisco FireSIGHT log sources.
20 September 2022