Heartbeat
Analyzers use Heartbeat messages to indicate their current status to managers. Heartbeats are intended to be sent in a regular period, say, every ten minutes or every hour. The receipt of a Heartbeat message from an analyzer indicates to the manager that the analyzer is up and running; lack of a Heartbeat message (or more likely, lack of some number of consecutive Heartbeat messages) indicates that the analyzer or its network connection has failed.
digraph Heartbeat { graph [bb="0,0,1015,485.5", rankdir=LR ]; node [label="\N"]; Heartbeat [height=0.98611, label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr > <td BGCOLOR="#597700" HREF="/idmef_parser/IDMEF/Heartbeat.html" TITLE="Analyzers use Heartbeat messages to indicate their current status to managers. Heartbeats are intended to be sent in a regular period, say, every ten minutes or every hour. The receipt of a Heartbeat message from an analyzer indicates to the manager that the analyzer is up and running; lack of a Heartbeat message (or more likely, lack of some number of consecutive Heartbeat messages) indicates that the analyzer or its network connection has failed. ">Heartbeat</td> </tr>" %<tr><td BGCOLOR="#94C600" HREF="/idmef_parser/IDMEF/Heartbeat.html" TITLE="The interval in seconds at which heartbeats are generated.">[INTEGER] HeartbeatInterval (0..1) </td></tr>%<tr><td BGCOLOR="#94C600" HREF="/idmef_parser/IDMEF/Heartbeat.html" TITLE="A unique identifier for the heartbeat; see Section 3.2.9.">[STRING] messageid (Optional) </td></tr>%</table>>, pos="112.5,113", shape=plaintext, width=3.125]; Analyzer [height=2.7361, label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr > <td BGCOLOR="#99993d" HREF="/idmef_parser/IDMEF/Analyzer.html" TITLE="The Analyzer class identifies the analyzer from which the Alert or Heartbeat message originates. Only one analyzer may be encoded for each alert or heartbeat, and that MUST be the analyzer at which the alert or heartbeat originated. Although the IDMEF data model does not prevent the use of hierarchical intrusion detection systems (where alerts get relayed up the tree), it does not provide any way to record the identity of the "relay" analyzers along the path from the originating analyzer to the manager that ultimately receives the alert. ">Analyzer</td> </tr>" %<tr><td BGCOLOR="#FFFF66" HREF="/idmef_parser/IDMEF/Analyzer.html" TITLE="(but see below). A unique identifier for the analyzer; see Section 3.2.9.">[STRING] analyzerid (Optional) </td></tr>%<tr><td BGCOLOR="#FFFF66" HREF="/idmef_parser/IDMEF/Analyzer.html" TITLE="An explicit name for the analyzer that may be easier to understand than the analyzerid.">[STRING] name (Optional) </td></tr>%<tr><td BGCOLOR="#FFFF66" HREF="/idmef_parser/IDMEF/Analyzer.html" TITLE="The manufacturer of the analyzer software and/or hardware.">[STRING] manufacturer (Optional) </td></tr>%<tr><td BGCOLOR="#FFFF66" HREF="/idmef_parser/IDMEF/Analyzer.html" TITLE="The model name/number of the analyzer software and/or hardware.">[STRING] model (Optional) </td></tr>%<tr><td BGCOLOR="#FFFF66" HREF="/idmef_parser/IDMEF/Analyzer.html" TITLE="The version number of the analyzer software and/or hardware.">[STRING] version (Optional) </td></tr>%<tr><td BGCOLOR="#FFFF66" HREF="/idmef_parser/IDMEF/Analyzer.html" TITLE="The class of analyzer software and/or hardware.">[STRING] class (Optional) </td></tr>%<tr><td BGCOLOR="#FFFF66" HREF="/idmef_parser/IDMEF/Analyzer.html" TITLE="Operating system name. On POSIX 1003.1 compliant systems, this is the value returned in utsname.sysname by the uname() system call, or the output of the "uname -s" command.">[STRING] ostype (Optional) </td></tr>%<tr><td BGCOLOR="#FFFF66" HREF="/idmef_parser/IDMEF/Analyzer.html" TITLE="Operating system version. On POSIX 1003.1 compliant systems, this is the value returned in utsname.release by the uname() system call, or the output of the "uname -r" command.">[STRING] osversion (Optional) </td></tr>%</table>>, pos="393.5,275", shape=plaintext, width=3.0694]; Heartbeat -> Analyzer [label=1, lp="254,206.5", pos="e,282.8,211.3 174.73,148.55 203.93,165.51 239.91,186.4 274.14,206.27"]; CreateTime [height=0.5, label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr > <td BGCOLOR="#5c5c99" HREF="/idmef_parser/IDMEF/CreateTime.html" TITLE="The CreateTime class is used to indicate the date and time the alert or heartbeat was created by the analyzer. ">CreateTime</td> </tr>" %</table>>, pos="393.5,140", shape=plaintext, width=1.2083]; Heartbeat -> CreateTime [label=1, lp="254,135.5", pos="e,349.94,135.88 225.37,123.83 264.91,127.65 307.52,131.78 339.83,134.9"]; AnalyzerTime [height=0.5, label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr > <td BGCOLOR="#5c5c99" HREF="/idmef_parser/IDMEF/AnalyzerTime.html" TITLE="The AnalyzerTime class is used to indicate the current date and time on the analyzer. Its values should be filled in as late as possible in the message transmission process, ideally immediately before placing the message "on the wire". ">AnalyzerTime</td> </tr>" %</table>>, pos="393.5,86", shape=plaintext, width=1.4028]; Heartbeat -> AnalyzerTime [label="0..1", lp="254,108.5", pos="e,342.85,90.804 225.37,102.17 262.01,98.628 301.3,94.826 332.57,91.8"]; AdditionalData [height=0.69444, label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr > <td BGCOLOR="#431d60" HREF="/idmef_parser/IDMEF/AdditionalData.html" TITLE="The AdditionalData class is used to provide information that cannot be represented by the data model. AdditionalData can be used to provide atomic data (integers, strings, etc.) in cases where only small amounts of additional information need to be sent; it can also be used to extend the data model and the DTD to support the transmission of complex data (such as packet headers). Detailed instructions for extending the data model and the DTD are provided in Section 5. ">AdditionalData</td> </tr>" %<tr><td BGCOLOR="#7030A0" HREF="/idmef_parser/IDMEF/AdditionalData.html" TITLE="A string describing the meaning of the element content. These values will be vendor/implementation dependent; the method for ensuring that managers understand the strings sent by analyzers is outside the scope of this specification. A list of acceptable meaning keywords is not within the scope of the document, although later versions may undertake to establish such a list.">[STRING] meaning (Optional) </td></tr>%</table>>, pos="393.5,25", shape=plaintext, width=2.7083]; Heartbeat -> AdditionalData [label="0..*", lp="254,78.5", pos="e,311.45,50.092 224.7,77.446 244.12,71.271 264.14,64.931 283,59 289.04,57.099 295.28,55.145 301.56,53.181"]; Analyzer -> Analyzer [label="0..1", lp="393.5,399", pos="e,415.27,373.59 371.73,373.59 375.87,384.47 383.12,391.5 393.5,391.5 400.63,391.5 406.29,388.18 410.48,382.57"]; "Node" [height=1.5694, label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr > <td BGCOLOR="#007a00" HREF="/idmef_parser/IDMEF/Node.html" TITLE="The Node class is used to identify hosts and other network devices (routers, switches, etc.). ">Node</td> </tr>" %<tr><td BGCOLOR="#00CC00" HREF="/idmef_parser/IDMEF/Node.html" TITLE="The location of the equipment.">[STRING] location (0..1) </td></tr>%<tr><td BGCOLOR="#00CC00" HREF="/idmef_parser/IDMEF/Node.html" TITLE="The name of the equipment. This information MUST be provided if no Address information is given.">[STRING] name (0..1) </td></tr>%<tr><td BGCOLOR="#00CC00" HREF="/idmef_parser/IDMEF/Node.html" TITLE="A unique identifier for the node; see Section 3.2.9.">[STRING] ident (Optional) </td></tr>%<tr><td BGCOLOR="#00CC00" HREF="/idmef_parser/IDMEF/Node.html" TITLE="The "domain" from which the name information was obtained, if relevant. The permitted values for this attribute are shown in the table below. The default value is "unknown". (See also Section 10 for extensions to the table.)">[ENUM] category (Optional) </td></tr>%</table>>, pos="655,408", shape=plaintext, width=2.5833]; Analyzer -> "Node" [label="0..1", lp="533,357.5", pos="e,561.92,360.81 504.18,331.21 520.25,339.45 536.74,347.9 552.64,356.05"]; Process [height=2.1528, label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr > <td BGCOLOR="#997a3d" HREF="/idmef_parser/IDMEF/Process.html" TITLE="The Process class is used to describe processes being executed on sources, targets, and analyzers. ">Process</td> </tr>" %<tr><td BGCOLOR="#FFCC66" HREF="/idmef_parser/IDMEF/Process.html" TITLE="The name of the program being executed. This is a short name; path and argument information are provided elsewhere.">[STRING] name (1) </td></tr>%<tr><td BGCOLOR="#FFCC66" HREF="/idmef_parser/IDMEF/Process.html" TITLE="The process identifier of the process.">[INTEGER] pid (0..1) </td></tr>%<tr><td BGCOLOR="#FFCC66" HREF="/idmef_parser/IDMEF/Process.html" TITLE="The full path of the program being executed.">[STRING] path (0..1) </td></tr>%<tr><td BGCOLOR="#FFCC66" HREF="/idmef_parser/IDMEF/Process.html" TITLE="A command-line argument to the program. Multiple arguments may be specified (they are assumed to have occurred in the same order they are provided) with multiple uses of arg.">[STRING] arg (0..*) </td></tr>%<tr><td BGCOLOR="#FFCC66" HREF="/idmef_parser/IDMEF/Process.html" TITLE="An environment string associated with the process; generally of the format "VARIABLE=value". Multiple environment strings may be specified with multiple uses of env.">[STRING] env (0..*) </td></tr>%<tr><td BGCOLOR="#FFCC66" HREF="/idmef_parser/IDMEF/Process.html" TITLE="A unique identifier for the process; see Section 3.2.9.">[STRING] ident (Optional) </td></tr>%</table>>, pos="655,256", shape=plaintext, width=2.4306]; Analyzer -> Process [label="0..1", lp="533,273.5", pos="e,567.13,262.36 504.18,266.97 521.75,265.68 539.83,264.36 557.08,263.1"]; Address [height=2.1528, label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr > <td BGCOLOR="#007a00" HREF="/idmef_parser/IDMEF/Address.html" TITLE="The Address class is used to represent network, hardware, and application addresses. ">Address</td> </tr>" %<tr><td BGCOLOR="#00CC00" HREF="/idmef_parser/IDMEF/Address.html" TITLE="The address information. The format of this data is governed by the category attribute.">[STRING] address (1) </td></tr>%<tr><td BGCOLOR="#00CC00" HREF="/idmef_parser/IDMEF/Address.html" TITLE="The network mask for the address, if appropriate.">[STRING] netmask (0..1) </td></tr>%<tr><td BGCOLOR="#00CC00" HREF="/idmef_parser/IDMEF/Address.html" TITLE="A unique identifier for the address; see Section 3.2.9.">[STRING] ident (Optional) </td></tr>%<tr><td BGCOLOR="#00CC00" HREF="/idmef_parser/IDMEF/Address.html" TITLE="The type of address represented. The permitted values for this attribute are shown below. The default value is "unknown". (See also Section 10.)">[ENUM] category (Optional) </td></tr>%<tr><td BGCOLOR="#00CC00" HREF="/idmef_parser/IDMEF/Address.html" TITLE="The name of the Virtual LAN to which the address belongs.">[STRING] vlan-name (Optional) </td></tr>%<tr><td BGCOLOR="#00CC00" HREF="/idmef_parser/IDMEF/Address.html" TITLE="The number of the Virtual LAN to which the address belongs.">[INTEGER] vlan-num (Optional) </td></tr>%</table>>, pos="910.5,408", shape=plaintext, width=2.9028]; "Node" -> Address [label="0..*", lp="777,415.5", pos="e,805.75,408 748.24,408 763.57,408 779.62,408 795.42,408"]; }
Aggregates
Analyzer (1)
Identification information for the analyzer that originated the heartbeat.
CreateTime (1)
The time the heartbeat was created.
HeartbeatInterval (0..1)
The interval in seconds at which heartbeats are generated.
AnalyzerTime (0..1)
The current time on the analyzer (see Section 6.3).
AdditionalData (0..*)
Information included by the analyzer that does not fit into the data model. This may be an atomic piece of data or a large amount of data provided through an extension to the IDMEF (see Section 5).
Attributes
messageid (Optional)
A unique identifier for the heartbeat; see Section 3.2.9.