IBM Support

QRadar: Cisco FireSIGHT Management Center and eStreamer Extended Requests

Question & Answer


What is the purpose of the Cisco FireSIGHT Management Center 'Extended Request' check box and should I use this feature?


Yes, administrators should always use the 'Extended Request' option for collecting data from Cisco FireSIGHT Management Center log sources. Selecting the 'Extended Requests' check box provides more detailed event data that might not be collected when using Streaming Requests.

Extended requests were added to support version 5.x of the eStreamer protocol for the Cisco FireSIGHT Management Center DSM. QRadar has supported extended data requests as a user interface option for administrators. When configuring a Cisco FireSIGHT Management Center log source, it is recommended that administrators enable Extended Requests.

There are two methods by which eStreamer protocol for QRadar can retrieve event data:

  • Streaming requests
    Streaming requests are an old method of retrieving data using the eStreamer protocol, which is not as efficient as using Extended Requests. When using streaming requests, the QRadar appliance receives a record, then asks for the next record by sending a null. This requires a lot of send and receive traffic for a single record, which is why it is inefficient. If you clear the 'Use Extended Requests' check box, then the log source defaults to communicating with streaming requests.
  • Extended requests
    Extended requests provide message bundles that contain multiple records. When done processing the message bundle, QRadar writes a null back to eStreamer protocol. Since the eStreamer protocol version is unknown to QRadar, we do not select 'Use Extended Requests' for administrators by default as this feature requires the eStreamer protocol v5.0 or later.

Why use Extended Requests with Cisco FireSIGHT?
Extended requests are recommended because they allow clients to retrieve the latest version of records. For example, an intrusion event data record has multiple versions, with different versions added in different releases. Using extended requests allows QRadar to ask for specific versions; in the case of the eStreamer protocol, QRadar always requests the latest version when extended requests are enabled. The latest versions have new fields that contain more data for administrators, and some older records do not show up at all when using streaming requests. QRadar does not force customers to use extended requests, but they are recommended because without them administrators are potentially missing some useful data that could be collected.

Where is this check box in the user interface?
The 'Use Extended Requests' check box can be found in the Cisco FireSIGHT Management Center log source configuration.

Figure 1: Location of 'Use Extended Requests' check box for Cisco FireSIGHT log sources.


Document Information

Modified date:
20 September 2022