
Devices: Management

The Devices web interface provides comprehensive management for data collection sources through an intuitive card-based dashboard.

Access

Navigate to Home > Fleet Management > Devices, or use the hamburger menu and select Fleet Management > Devices.

Overview

The Devices dashboard is where you manage all data collection sources for DataStream. Devices are data listeners that receive telemetry from external sources and convert it to standardized pipeline input format.

Categories

DataStream organizes devices into two fundamental categories:

| Aspect | Push Devices | Pull Devices |
|---|---|---|
| Data flow | Receive data pushed from external sources | Actively collect data from remote sources |
| Architecture | Network-based listeners on Director | Agent-based or cloud-based collection |
| Examples | Syslog servers, HTTP endpoints, TCP/UDP listeners | Windows/Linux Agents, Azure Event Hubs, Azure Blob Storage |
| Connection | Director opens ports and waits for incoming data | Director or Agent connects to remote sources to retrieve data |

Dashboard Interface

The overview page displays all available device types as cards organized by category.

The interface provides a Search devices field to filter by name, and a Category Filter button group (All, Push, Pull) showing device counts. A card count displays "Viewing X devices" or "No devices found".

Each device type displays as a card showing Icon, Title, Description, Enabled Count, Disabled Count, and optionally a Coming Soon Tag for unavailable types. Clicking a card navigates to that device type's management page.

Available Types

| Category | Device | Description |
|---|---|---|
| Push | Syslog | RFC-compliant syslog message receiver |
| Push | HTTP | REST endpoint for HTTP/HTTPS ingestion |
| Push | UDP | UDP datagram listener |
| Push | TCP | TCP stream listener |
| Push | eStreamer | Cisco Firepower event stream receiver |
| Pull | Windows | Windows Agent for log collection |
| Pull | Linux | Linux Agent for log collection |
| Pull | Azure Blob Storage | Azure Blob container file reader |
| Pull | Azure Event Hubs | Azure Event Hubs consumer |

List View

Clicking a device card opens the device list view showing all instances of that device type.

Table

The table displays Name, Director, Status (Enabled/Disabled), Connection Status (Connected/Not Connected), and an Actions menu (⋮) for each device.

Info: The ability to add a pre-processing pipeline is available for all devices.

Table Controls

Filter devices using Search devices (by name), Directors dropdown (All or specific Director), Status dropdown (All, Enabled, Disabled), and Connection Status dropdown (All, Connected, Not Connected - Windows/Linux devices only).

The Create device button launches the creation wizard. This button is disabled if no Director exists, and an alert banner prompts you to create one first.

Director Requirement

For Push devices, if no Directors exist, an info alert displays "Directors not found" with explanation and a Create director button that navigates to the Director creation wizard.

Actions

Each device row provides an Actions menu (⋮) with the following operations:

View Details:

  • See details - Navigate to device detail view

Status Management:

  • Enable Device - Activate disabled device
  • Disable Device - Deactivate enabled device

Configuration:

  • Clone Device - Duplicate device configuration for quick setup
    Warning: Windows and Unix devices cannot be cloned.

Deletion:

  • Delete Device - Remove device from platform

Creation Wizard

The device creation process varies by device type and category (Push vs Pull).

Device wizards have 3 steps, though the specific steps vary by device category. Each step is labeled with its specific name rather than a generic step number.

General Settings

Applies to: Syslog, HTTP, UDP, TCP, eStreamer, AzureBlobStorage, AzureEventHubs

Basic device configuration including name and Director assignment:

  • Name - Unique device identifier
  • Device Status - Enable or disable device
  • Directors - Assign device to one or more Directors
  • Pre-processing Pipeline - Optional pipeline for input normalization

Protocol Settings

Applies to: Syslog, HTTP, UDP, TCP, eStreamer

Network protocol configuration for Push devices:

  • Protocol - Communication protocol (UDP, TCP, HTTP, etc.)
  • IP Address - Network address to bind (0.0.0.0 for all interfaces)
  • Port - Network port number for listening
  • Framing - Message framing mode (delimiter, RFC6587, etc.)
  • TLS Encryption - Optional TLS/SSL configuration
  • Certificate and Key - TLS certificate files when encryption enabled

Advanced Configuration

Applies to: Syslog, HTTP, UDP, TCP, eStreamer, AzureEventHubs

Performance tuning and advanced settings:

  • Socket Address Reuse - Enable SO_REUSEADDR for port sharing
  • Workers - Number of concurrent processing workers
  • Max Connections - Maximum concurrent connections limit
  • Max Message Size - Maximum message size in bytes
  • Timeout - Connection and read timeout settings
  • Buffer Size - Input buffer size for data reception
  • Batch Size - Number of messages per batch
  • Queue Interval - Queue processing interval
  • Forwarding - Optional forwarding to another destination
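
The Framing and Max Message Size settings above interact on TCP listeners. The sketch below is an added example, not DataStream code: it assumes the "RFC6587" mode means octet counting and "delimiter" means newline-terminated messages, and the function names and sample messages are constructed.

```python
class FramingError(ValueError):
    """Raised when a stream violates the framing mode or the size limit."""


def split_octet_counted(buf: bytes, max_size: int):
    """Split RFC 6587 'LEN SP MSG' frames; return (messages, unconsumed)."""
    max_digits = len(str(max_size))
    messages, pos = [], 0
    while pos < len(buf):
        sp = buf.find(b" ", pos, pos + max_digits + 1)
        if sp == -1:
            tail = buf[pos:]
            # A partial prefix may still be arriving, but only if it is short
            # and numeric; anything else is not octet-counted traffic.
            if len(tail) > max_digits or not tail.isdigit():
                raise FramingError("missing or oversized length prefix")
            break
        prefix = buf[pos:sp]
        if not prefix.isdigit() or prefix.startswith(b"0"):
            raise FramingError("invalid length prefix")
        length = int(prefix)
        if length > max_size:
            # Reject before buffering: the sender only declared this size.
            raise FramingError("declared length exceeds max message size")
        end = sp + 1 + length
        if end > len(buf):
            break  # frame incomplete, wait for more data
        messages.append(buf[sp + 1:end])
        pos = end
    return messages, buf[pos:]


def split_delimited(buf: bytes, max_size: int, delimiter: bytes = b"\n"):
    """Split delimiter-terminated messages; return (messages, unconsumed)."""
    messages, pos = [], 0
    while True:
        cut = buf.find(delimiter, pos)
        if cut == -1:
            if len(buf) - pos > max_size:
                raise FramingError("unterminated message exceeds max size")
            break
        if cut - pos > max_size:
            raise FramingError("message exceeds max message size")
        messages.append(buf[pos:cut])
        pos = cut + len(delimiter)
    return messages, buf[pos:]


def frame(msg: bytes) -> bytes:
    """Build an octet-counted frame for the constructed samples below."""
    return str(len(msg)).encode() + b" " + msg


# Constructed sample messages; the first one contains an embedded newline.
MULTILINE = b"<34>1 2024-01-01T00:00:00Z host app - - - line one\nline two"
SECOND = b"<34>1 2024-01-01T00:00:01Z host app - - - next"

if __name__ == "__main__":
    print(split_octet_counted(frame(MULTILINE) + frame(SECOND)[:10], 8192))
    print(split_delimited(MULTILINE + b"\n", 8192))
```

With octet counting the embedded newline stays inside one message, while delimiter framing splits it into two records, so a sender that can place a newline in a field can forge a separate log line on a delimiter-framed listener.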

Setup

Applies to: Windows, Linux

Initial device configuration and deployment type selection:

  • Name - Device identifier
  • Director - Director assignment for Agent coordination
  • Deployment Type - Choose between Agent-based or Agentless connection
    • Agent - Install VirtualMetric Agent on target system
    • Agentless - Connect remotely without installing Agent

Install and Connect

Applies to: Windows, Linux

Agent installation or agentless connection configuration (varies by deployment type):

For Agent Deployment:

  • Installation Command - Platform-specific PowerShell/Bash script
  • Copy Button - One-click copy installation command
  • Connection Verification - Verify Agent successfully connected to Director
  • Connection Status - Real-time connection state display

For Agentless Deployment:

  • IP Address - Target server address
  • Port - WinRM or SSH connection port
  • Timeout - Connection timeout in seconds (default: 30)
  • Username - Authentication username
  • Password - Authentication password (or use SSH Key for Linux)
  • SSH Key - Private key content and optional passphrase (Linux only, replaces password)
  • Domain - Windows domain for Active Directory authentication (optional)
  • Connection Verification - Test remote connection before proceeding

Review and Configure

Applies to: Windows, Linux

Log type selection and configuration review:

  • Log Categories - Accordion-based log type selection with predefined definitions
  • Windows Log Types:
    • Event Logs (Basic/Custom modes with XML editor)
    • Security Events (with log level filtering)
    • DNS Logs (with include/exclude filters)
    • Firewall Logs (with event type selection)
  • Linux Log Types:
    • System Events (with file path configuration)
    • Audit Events (with file path configuration)
    • Firewall Events (with file path configuration)
  • Pre-processing Pipeline - Optional pipeline assignment per log type
  • Configuration Summary - Review all settings before creation

Azure Properties

Applies to: AzureBlobStorage, AzureEventHubs

Azure-specific authentication and resource configuration:

  • Managed Identities - Toggle for Azure Managed Identity authentication
  • Authentication Method - Service Principal or Connection String
  • Tenant ID / Client ID / Client Secret - Service Principal credentials
  • Account / Container / Namespace - Azure resource identifiers
  • Connection String - Alternative authentication method

File Properties

Applies to: AzureBlobStorage

File reading and processing configuration:

  • Path Prefix - Blob path prefix filter
  • File Format - Expected file format (JSON, Parquet, Avro, etc.)
  • Batch Size - Number of files to process per batch
  • Poll Interval - Frequency to check for new files
  • Max Concurrent Files - Maximum parallel file processing
  • Delete After Read - Remove files after successful processing

Wizard Navigation

Progress Indicator:

  • Visual step progress at top of wizard
  • Click steps to navigate (after validation)
  • Current step highlighted
  • Completed steps marked with checkmark

Navigation Buttons:

  • Cancel - Exit wizard without creating device
  • Back - Return to previous step
  • Next - Advance to next step with validation
  • Create device - Finalize device creation (final step)

Detail View

Clicking a device from the list opens the detailed management interface with tabbed panels.

Push Devices

Push devices (Syslog, HTTP, UDP, TCP, eStreamer) display three tabs:

General Settings Tab:

  • Name - Editable device name
  • Description - Editable device description
  • Director - Assigned Director (read-only)
  • Tags - Editable device tags
  • Status - Current operational state
  • Edit Mode - Click edit to modify general settings
  • Save/Cancel Buttons - Commit or discard changes

Protocol Settings Tab:

  • Device-specific network configuration
  • Address and port settings
  • Protocol parameters
  • Read-only display with configuration details

Advanced Configuration Tab:

  • TLS/SSL settings
  • Buffer and queue configuration
  • Performance tuning parameters
  • Read-only display with configuration details

Pull Devices

Pull devices (Windows, Linux, Azure) have different tab structures based on deployment type:

Agent-Based Devices (3-4 tabs):

Device Configuration Tab:

  • Name - Editable device name
  • Director - Assigned Director
  • Deployment Type - Agent-based or Agentless
  • Edit Mode - Modify device settings
  • Save/Cancel - Commit or discard changes

Access Configuration Tab:

  • For Agent devices - Token assignment; view current token or change to a different valid token
  • For Agentless devices - Remote connection credentials (IP Address, Port, Username, Password/SSH Key, Domain)
  • Edit Mode - Modify access settings

Agent Deployment Tab (Agent-based only):

  • Deployment Type - Agent or Agentless indicator
  • Token - Authentication token in use
  • Connection Status - Connected or Not Connected
  • Connection History - Link to activity logs
  • Installation Command - Platform-specific script with copy button
  • Re-Install Agent - Click to reinstall; select token, copy new installation script, verify connection

Data Configuration Tab:

On this tab, you select which log types to collect from the Windows device. The interface provides accordion-based sections for different log categories.

Each log type supports optional pre-processing pipeline assignment - allowing you to transform or enrich data before it reaches the main processing pipeline.

Windows Security Events:

  • Security audit logs from Windows Event Log
  • Configurable log level filtering
  • Optional Pre-processing Pipeline - ComboBox to select pipeline for this log type

Windows Event Logs:

  • Category Selection - Choose between Basic and Custom modes
  • Basic Mode:
    • Pre-configured log level checkboxes
    • Application and System channel options
    • Log level selection (Information, Warning, Error, Critical, Verbose)
    • Simple checkbox-based configuration
  • Custom Mode:
    • XML Configuration Editor - Monaco code editor for XPath queries
    • DCR Format Import - Import button to convert Azure DCR format to XML
    • Import DCR Config modal with XML editor
    • System converts DCR to XPath automatically
    • Full custom query support for advanced scenarios
  • Optional Pre-processing Pipeline - ComboBox to select pipeline for this log type

Windows Firewall Logs:

  • Multiple firewall log options with tick boxes
  • Configurable firewall event types
  • Optional Pre-processing Pipeline - ComboBox to select pipeline for this log type

Windows DNS Logs:

DNS logs provide the most complex filtering with include/exclude logic:

Include Filters - Specify which DNS events to collect:

  • Add New Filter button opens filter configuration
  • Multiple filters can be added (treated with OR logic between filters)

Exclude Filters - Specify which DNS events to ignore:

  • Same interface as Include filters
  • Processed after include filters

Filter Configuration:

For each filter (include or exclude), you configure:

  1. Filter Type Selection - ComboBox with options:

    • Event ID
    • Response Code
    • Question Type
    • Client IP
    • Query Name
    • And other DNS-specific fields
  2. Filter Type Selection - ComboBox showing operators based on Filter selection:

    • For Event ID, Response Code, Question Type: Only "Equals" operator (MultiSelect values)
    • For text fields (Client IP, Query Name, etc.): Multiple operators available
      • Equals
      • Contains
      • Starts With
      • Ends With
      • And other string comparison operators
  3. Value Input:

    • MultiSelect Dropdown (for Event ID, Response Code, Question Type)
      • Pre-defined value list
      • Select multiple values from dropdown
    • TextArea Input (for text fields)
      • One value per line
      • Free-form text entry
  4. Additional Filter Types (for TextArea filters only):

    • "Add Another Type" button appears after selecting filter type
    • Allows multiple filter types on same field
    • Each additional type treated conjunctively (AND logic)
    • Info alert explains: "Multiple types within a condition are treated with AND logic"
  5. Multiple Conditions:

    • "Add Condition" button adds another condition to the filter
    • Each condition can have different Filter and Filter Type
    • Multiple conditions within a filter treated conjunctively (AND logic)
    • Info alert explains: "Multiple conditions are treated with AND logic"
  6. Filter Management:

    • Save Filter button validates and adds filter to list
    • Edit button on each filter row reopens configuration
    • Delete button removes filter
    • Cancel button discards changes

Filter Logic Summary:

  • Within a filter: Multiple conditions use AND logic
  • Within a condition: Multiple additional types use AND logic
  • Between filters: Multiple filters use OR logic
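
The filter logic summarized above, as an added example that is not DataStream code. The dictionary keys, event fields and sample values are constructed; matching any one of several listed values, case-insensitive comparison, and collecting everything when no include filter exists are assumptions.

```python
# Operators named on the page for text fields.
OPERATORS = {
    "equals": lambda field, value: field == value,
    "contains": lambda field, value: value in field,
    "starts_with": lambda field, value: field.startswith(value),
    "ends_with": lambda field, value: field.endswith(value),
}


def type_matches(event_value, operator, values):
    """One filter type: any listed value may satisfy the operator (assumed)."""
    field = str(event_value).lower()
    return any(OPERATORS[operator](field, str(v).lower()) for v in values)


def condition_matches(event, condition):
    """One condition: every filter type on the field must match (AND)."""
    if condition["field"] not in event:
        return False
    value = event[condition["field"]]
    return all(type_matches(value, op, vals) for op, vals in condition["types"])


def filter_matches(event, conditions):
    """One filter: every condition must match (AND)."""
    return all(condition_matches(event, c) for c in conditions)


def should_collect(event, include, exclude):
    """Include filters are OR-ed; exclude filters are evaluated afterwards."""
    if include and not any(filter_matches(event, f) for f in include):
        return False
    return not any(filter_matches(event, f) for f in exclude)


INCLUDE = [
    [  # filter 1: two conditions, both required; second has two types
        {"field": "event_id", "types": [("equals", [256, 257])]},
        {"field": "query_name", "types": [("ends_with", [".example.com"]),
                                          ("contains", ["vpn"])]},
    ],
    [  # filter 2: OR-ed with filter 1
        {"field": "response_code", "types": [("equals", ["NXDOMAIN"])]},
    ],
]
EXCLUDE = [[{"field": "client_ip", "types": [("starts_with", ["10.0.0."])]}]]

# Constructed sample events.
EVENTS = [
    {"event_id": 256, "query_name": "vpn1.example.com",
     "response_code": "NOERROR", "client_ip": "192.0.2.10"},
    {"event_id": 256, "query_name": "www.example.com",
     "response_code": "NOERROR", "client_ip": "192.0.2.10"},
    {"event_id": 999, "query_name": "nope.invalid",
     "response_code": "NXDOMAIN", "client_ip": "192.0.2.11"},
    {"event_id": 999, "query_name": "nope.invalid",
     "response_code": "NXDOMAIN", "client_ip": "10.0.0.5"},
]


def demo():
    """Collection decision for each constructed event."""
    return [should_collect(e, INCLUDE, EXCLUDE) for e in EVENTS]
```

Because exclude filters run after include filters, an exclude match overrides every include match: the last sample event is dropped even though the NXDOMAIN include filter selects it.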

Pipeline Selection:

  • Optional Pre-processing Pipeline - ComboBox at bottom of DNS logs section
  • Applies to all DNS events collected by this log type
  • Transforms or enriches DNS data before main processing

Data Configuration Edit Mode:

  • Click Manage device details button to enter edit mode
  • Accordion toggles become enabled for log type selection
  • Filter configuration inputs become editable
  • Save Changes button commits all modifications
  • Cancel button reverts to previous configuration

Agent History Tab:

  • Connection Events - Agent connection/disconnection log
  • Configuration Changes - Device configuration updates
  • Status Changes - Enable/disable operations
  • Timestamp - Date and time of each event

Linux Devices

Linux devices follow the same structure as Windows devices with platform-specific log types and configuration.

Device Configuration Tab:

  • Same as Windows device (Name, Director, Deployment Type)

Access Configuration Tab (Agentless only):

  • Same as Windows device (IP Address, Port, Authentication, Domain)

Agent Deployment Tab (Agent-based only):

  • Same as Windows device (Installation Command, Connection Status, Agent Information)

Data Configuration Tab:

Linux devices provide three log type categories for collection. The interface is similar to Windows but with Linux-specific log sources.

Each log type supports optional pre-processing pipeline assignment - allowing you to transform or enrich data before it reaches the main processing pipeline.

Linux System Events:

  • System logs from Linux syslog daemon
  • File Path - Input field to specify log file location
    • Tooltip with information icon explains path requirements
    • Default behavior if empty:
      • Ubuntu/Debian: /var/log/syslog
      • Red Hat/CentOS/Fedora: /var/log/messages
    • Custom paths can override defaults
  • Optional Pre-processing Pipeline - ComboBox to select pipeline for this log type

Linux Audit Events:

  • Audit logs from Linux auditd system
  • File Path - Input field to specify audit log file location
    • Tooltip with information icon explains path requirements
    • Default behavior if empty: System uses distribution-specific default path
    • Typically /var/log/audit/audit.log on most distributions
  • Optional Pre-processing Pipeline - ComboBox to select pipeline for this log type

Linux Firewall Events:

  • Firewall logs from iptables/nftables
  • File Path - Input field to specify firewall log file location
    • Tooltip with information icon explains path requirements
    • Default behavior if empty: System uses distribution-specific default path
    • Custom paths allow collection from non-standard locations
  • Optional Pre-processing Pipeline - ComboBox to select pipeline for this log type

Linux Data Configuration Edit Mode:

  • Click Manage device details button to enter edit mode
  • Accordion toggles become enabled for log type selection
  • Path input fields become editable when accordion is toggled on
  • Pipeline ComboBoxes become enabled for selection
  • Save Changes button commits all modifications
  • Cancel button reverts to previous configuration

Path Configuration Notes:

  • Empty path field uses distribution-specific defaults
  • Custom paths must be absolute paths (e.g., /custom/log/location)
  • Agent must have read permissions for specified paths
  • Tooltip information icon provides platform-specific guidance

Azure Cloud Devices (3 tabs):

General Settings Tab - Name, description, Director, tags

Azure Properties Tab:

  • Cloud-specific configuration
  • Authentication details
  • Connection strings
  • Workspace information
  • Read-only display

Advanced Configuration Tab (varies by device):

  • Performance tuning
  • Retry logic
  • Error handling
  • Read-only display

Detail Actions

The detail view provides an Actions menu with context-specific operations:

View and Configuration:

  • See details - Current view (disabled in dropdown)

Status Management:

  • Enable Device - Activate disabled device
  • Disable Device - Deactivate enabled device

Advanced Operations:

  • Clone Device - Duplicate configuration for new device
  • Delete Device - Remove device from platform

Operations

Enable / Disable

To change device status:

  1. Navigate to device detail view or use the Actions menu from list
  2. Click Actions menu
  3. Select Enable Device or Disable Device
  4. Success notification confirms the status change

Enabled devices actively receive or collect data. Disabled devices preserve their configuration but stop all data collection.

Clone

Duplicate an existing device configuration for quick setup:

  1. Navigate to device detail view or use Actions menu from list
  2. Click Actions menu
  3. Select Clone Device
  4. System navigates to device creation wizard
  5. Pre-fills form with cloned device configuration
  6. Modify name and other settings as needed
  7. Complete wizard to create new device

Delete

Delete Device Process:

Remove a device from the platform with dependency checking:

  1. Navigate to device detail view or use Actions menu from list
  2. Click Actions menu
  3. Select Delete Device
  4. Deletion modal appears with confirmation

Standard Deletion:

  • Confirm device name matches
  • Click Delete to proceed
  • Success notification confirms deletion
  • Redirect to device list view

Deletion with Dependencies:

If device has active dependencies, error modal displays:

Error Modal Contents:

  • "Cannot delete Device" message
  • Routes - List of routes using this device
  • Action Required - Remove or reassign dependencies before deletion

Dependency Resolution:

  1. Note listed routes
  2. Edit routes to use different device or delete routes
  3. Retry device deletion after dependencies removed

Warning: For Windows and Linux Agent devices, deleting the device does not uninstall the Agent from the endpoint. Use the Agent CLI to uninstall if needed.

Edit Mode Workflow

Device detail tabs support inline editing with unsaved changes protection:

Enter Edit Mode:

  1. Navigate to editable tab (General Settings, Device Configuration, etc.)
  2. Click Edit button in top-right of tab
  3. Form fields become editable
  4. Save and Cancel buttons appear

Make Changes:

  • Modify editable fields
  • Changes are not saved automatically
  • Form validation occurs on save

Save Changes:

  1. Click Save button
  2. System validates changes
  3. Success notification displays confirmation
  4. Edit mode exits
  5. Tab displays updated values

Cancel Changes:

  1. Click Cancel button
  2. Form reverts to original values
  3. Edit mode exits
  4. No changes are saved

Tab Navigation Protection:

If you attempt to navigate to another tab while in edit mode:

  • Unsaved Changes Modal appears
  • Modal Contents:
    • "Unsaved changes" heading
    • "You have unsaved changes. Are you sure you want to leave?" message
    • Discard Changes - Exit edit mode and switch tabs
    • Continue Editing - Return to current tab
    • Cancel - Close modal

Notifications

The Devices interface provides automatic notifications for all operations:

Success Notifications

Success messages auto-dismiss after 10 seconds. These include confirmations for device creation, enabling, disabling, deletion, and configuration updates. Hover to pause the auto-close timer, or click X to dismiss manually.

Error Notifications

Error notifications persist until manually dismissed. These include failures for enable, disable, delete, update operations, and Director requirement alerts for Push device creation. Review error details and take corrective action before dismissing.