Devices: Management
The Devices web interface provides comprehensive management for data collection sources through an intuitive card-based dashboard.
Accessing Devices Dashboard
Navigate to the Devices management interface:
- Go to Home > Fleet Management > Devices
-or-
- Click the hamburger menu on the top left
- Select Fleet Management > Devices
Devices Overview
The Devices dashboard is where you manage all data collection sources for DataStream. Devices are data listeners that receive telemetry from external sources and convert it to standardized pipeline input format.
Device Categories
DataStream organizes devices into two fundamental categories:
Push Devices:
- Receive data pushed from external sources
- Network-based listeners on Director
- Examples: Syslog servers, HTTP endpoints, TCP/UDP listeners
- Director opens ports and waits for incoming data
Pull Devices:
- Actively collect data from remote sources
- Agent-based or cloud-based collection
- Examples: Windows/Linux Agents, Azure Event Hubs, Azure Blob Storage
- Director or Agent connects to remote sources to retrieve data
Dashboard Interface
The overview page displays all available device types as cards organized by category.
Search and Filter:
- Search devices - Filter device types by name in the search field
- Category Filter - ButtonGroup with device counts:
  - All - Show all device types
  - Push - Show only Push device types
  - Pull - Show only Pull device types
- Card count display shows "Viewing X devices" or "No devices found"
Device Cards:
Each device type displays as a card showing:
- Icon - Visual identifier for the device type
- Title - Device type name
- Description - Brief explanation of device purpose
- Enabled Count - Number of active instances
- Disabled Count - Number of inactive instances
- Coming Soon Tag - For unavailable device types
Clicking a device card navigates to that device type's management page.
Available Device Types
Push Devices (5 types):
- Syslog - RFC-compliant syslog message receiver
- HTTP - REST endpoint for HTTP/HTTPS ingestion
- UDP - UDP datagram listener
- TCP - TCP stream listener
- eStreamer - Cisco Firepower event stream receiver
Pull Devices (4 types):
- Windows - Windows Agent for log collection
- Linux - Linux Agent for log collection
- Azure Blob Storage - Azure Blob container file reader
- Azure Event Hubs - Azure Event Hubs consumer
Device List View
Clicking a device card opens the device list view showing all instances of that device type.
Device List Table
The table displays all configured devices of the selected type with the following columns:
- Name - Device instance name
- Director - Assigned Director name
- Status - Operational state (Enabled or Disabled)
- Connection Status - Real-time connectivity (Connected or Not Connected)
- Actions Menu (⋮) - Per-device operations
The ability to add a pre-processing pipeline is available for all devices.
Table Controls
Search and Filter:
- Search devices - Filter by device name
- Directors Dropdown - Filter by assigned Director
  - All - Show devices from all Directors
  - Specific Director - Show devices from selected Director only
- Status Dropdown - Filter by operational status
  - All - Show all devices
  - Enabled - Show only active devices
  - Disabled - Show only inactive devices
- Connection Status Dropdown - Filter by connection state (Only Windows and Linux devices)
  - All - Show all devices
  - Connected - Show only connected devices
  - Not Connected - Show only disconnected devices
Primary Actions:
- Create device - Launch device creation wizard
  - Disabled if no Director exists
  - Alert banner appears when no Directors configured
Director Requirement Alert
For Push devices, if no Directors exist, an info alert displays:
- Title - "Directors not found"
- Subtitle - Explanation that Director is required for Push device creation
- Action Button - "Create director" navigates to Director creation wizard
Device Actions Menu
Each device row provides an Actions menu (⋮) with device-specific operations:
View Details:
- See details - Navigate to device detail view
Status Management:
- Enable Device - Activate disabled device
- Disable Device - Deactivate enabled device
Configuration:
- Clone Device - Duplicate device configuration for quick setup
Warning: Windows and Unix devices cannot be cloned.
Deletion:
- Delete Device - Remove device from platform
Create Device Wizard
The device creation process varies by device type and category (Push vs Pull).
Device wizards have 3 steps, though the specific steps vary by device category. Each step is labeled with its specific name rather than a generic step number.
General Settings
Applies to: Syslog, HTTP, UDP, TCP, Estreamer, AzureBlobStorage, AzureEventHubs
Basic device configuration including name and Director assignment:
- Name - Unique device identifier
- Device Status - Enable or disable device
- Directors - Assign device to one or more Directors
- Pre-processing Pipeline - Optional pipeline for input normalization
Protocol Settings
Applies to: Syslog, HTTP, UDP, TCP, Estreamer
Network protocol configuration for Push devices:
- Protocol - Communication protocol (UDP, TCP, HTTP, etc.)
- IP Address - Network address to bind (0.0.0.0 for all interfaces)
- Port - Network port number for listening
- Framing - Message framing mode (delimiter, RFC6587, etc.)
- TLS Encryption - Optional TLS/SSL configuration
- Certificate and Key - TLS certificate files when encryption enabled
Advanced Configuration
Applies to: Syslog, HTTP, UDP, TCP, Estreamer, AzureEventHubs
Performance tuning and advanced settings:
- Socket Address Reuse - Enable SO_REUSEADDR for port sharing
- Workers - Number of concurrent processing workers
- Max Connections - Maximum concurrent connections limit
- Max Message Size - Maximum message size in bytes
- Timeout - Connection and read timeout settings
- Buffer Size - Input buffer size for data reception
- Batch Size - Number of messages per batch
- Queue Interval - Queue processing interval
- Forwarding - Optional forwarding to another destination
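The sketch below is an added illustration, not VirtualMetric code. It shows how the Framing choice under Protocol Settings and the Max Message Size limit above interact on a TCP stream. It assumes "RFC6587" means octet-counting framing and "delimiter" means LF-terminated messages; the class and function names are hypothetical and the input bytes are constructed.

```python
class FramingError(ValueError):
    """Raised when the byte stream does not match the configured framing."""


class SyslogFramer:
    def __init__(self, mode, max_message_size=8192, delimiter=b"\n"):
        if mode not in ("octet-counting", "delimiter"):
            raise ValueError("unknown framing mode: " + mode)
        self.mode = mode
        self.max_message_size = max_message_size
        self.delimiter = delimiter
        self.buf = bytearray()

    def feed(self, chunk):
        """Add received bytes; return every complete message now available."""
        self.buf += chunk
        step = self._octet if self.mode == "octet-counting" else self._delimited
        messages = []
        while (msg := step()) is not None:
            messages.append(msg)
        return messages

    def _octet(self):
        # RFC 6587 section 3.4.1: MSG-LEN SP SYSLOG-MSG, MSG-LEN has no leading zero.
        sp = self.buf.find(b" ")
        prefix = bytes(self.buf if sp == -1 else self.buf[:sp])
        if sp == -1 and not prefix:
            return None                       # nothing buffered
        if not prefix.isdigit() or prefix.startswith(b"0"):
            raise FramingError("stream does not start with a valid MSG-LEN")
        too_long = len(prefix) > len(str(self.max_message_size))
        if too_long or int(prefix) > self.max_message_size:
            raise FramingError("declared length exceeds Max Message Size")
        if sp == -1:
            return None                       # length prefix still incomplete
        end = sp + 1 + int(prefix)
        if len(self.buf) < end:
            return None                       # body still incomplete
        msg = bytes(self.buf[sp + 1:end])
        del self.buf[:end]
        return msg

    def _delimited(self):
        idx = self.buf.find(self.delimiter)
        # Bound the buffer so a sender that never sends the delimiter is cut off.
        if (len(self.buf) if idx == -1 else idx) > self.max_message_size:
            raise FramingError("no delimiter within Max Message Size")
        if idx == -1:
            return None
        msg = bytes(self.buf[:idx])
        del self.buf[:idx + len(self.delimiter)]
        return msg


def frame(mode, chunks, max_message_size=8192):
    """Run the chunks through a fresh framer and collect all messages."""
    framer = SyslogFramer(mode, max_message_size)
    out = []
    for chunk in chunks:
        out.extend(framer.feed(chunk))
    return out


# Constructed sample: one 15-byte message body that contains a line feed.
BODY = b"<34>1 a\n<34>1 b"

if __name__ == "__main__":
    # Octet counting keeps the body intact, even when split across TCP reads.
    print(frame("octet-counting", [b"15 <34>1 a\n<3", b"4>1 b"]))
    # Delimiter framing turns the same bytes into two separate messages.
    print(frame("delimiter", [BODY + b"\n"]))
    # A sender using the other framing mode, or an oversized length, is rejected.
    for bad in (b"<34>1 hello\n", b"99999 x"):
        try:
            frame("octet-counting", [bad], max_message_size=64)
        except FramingError as err:
            print("rejected:", err)
```

A sender and listener that disagree on framing either fail outright or split messages at unexpected places, so the Framing value should match the source's configuration exactly.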
Setup Device
Applies to: Windows, Linux
Initial device configuration and deployment type selection:
- Name - Device identifier
- Director - Director assignment for Agent coordination
- Deployment Type - Choose between Agent-based or Agentless connection
  - Agent - Install VirtualMetric Agent on target system
  - Agentless - Connect remotely without installing Agent
Install and Connect
Applies to: Windows, Linux
Agent installation or agentless connection configuration (varies by deployment type):
For Agent Deployment:
- Installation Command - Platform-specific PowerShell/Bash script
- Copy Button - One-click copy installation command
- Connection Verification - Verify Agent successfully connected to Director
- Connection Status - Real-time connection state display
For Agentless Deployment:
- IP Address - Target server address
- Port - WinRM or SSH connection port
- Authentication - Username/password or Active Directory
- Username / Password - Credentials for remote access
- Domain - Windows domain for Active Directory authentication
- Connection Verification - Test remote connection before proceeding
Review and Configure
Applies to: Windows, Linux
Log type selection and configuration review:
- Log Categories - Accordion-based log type selection with predefined definitions
- Windows Log Types:
  - Event Logs (Basic/Custom modes with XML editor)
  - Security Events (with log level filtering)
  - DNS Logs (with include/exclude filters)
  - Firewall Logs (with event type selection)
- Linux Log Types:
  - System Events (with file path configuration)
  - Audit Events (with file path configuration)
  - Firewall Events (with file path configuration)
- Pre-processing Pipeline - Optional pipeline assignment per log type
- Configuration Summary - Review all settings before creation
Azure Properties
Applies to: AzureBlobStorage, AzureEventHubs
Azure-specific authentication and resource configuration:
- Managed Identities - Toggle for Azure Managed Identity authentication
- Authentication Method - Service Principal or Connection String
- Tenant ID / Client ID / Client Secret - Service Principal credentials
- Account / Container / Namespace - Azure resource identifiers
- Connection String - Alternative authentication method
File Properties
Applies to: AzureBlobStorage
File reading and processing configuration:
- Path Prefix - Blob path prefix filter
- File Format - Expected file format (JSON, Parquet, Avro, etc.)
- Batch Size - Number of files to process per batch
- Poll Interval - Frequency to check for new files
- Max Concurrent Files - Maximum parallel file processing
- Delete After Read - Remove files after successful processing
Wizard Navigation
Progress Indicator:
- Visual step progress at top of wizard
- Click steps to navigate (after validation)
- Current step highlighted
- Completed steps marked with checkmark
Navigation Buttons:
- Cancel - Exit wizard without creating device
- Back - Return to previous step
- Next - Advance to next step with validation
- Create device - Finalize device creation (final step)
Device Detail View
Clicking a device from the list opens the detailed management interface with tabbed panels.
Push Device Detail View
Push devices (Syslog, HTTP, UDP, TCP, eStreamer) display three tabs:
General Settings Tab:
- Name - Editable device name
- Description - Editable device description
- Director - Assigned Director (read-only)
- Tags - Editable device tags
- Status - Current operational state
- Edit Mode - Click edit to modify general settings
- Save/Cancel Buttons - Commit or discard changes
Protocol Settings Tab:
- Device-specific network configuration
- Address and port settings
- Protocol parameters
- Read-only display with configuration details
Advanced Configuration Tab:
- TLS/SSL settings
- Buffer and queue configuration
- Performance tuning parameters
- Read-only display with configuration details
Pull Device Detail View
Pull devices (Windows, Linux, Azure) have different tab structures based on deployment type:
Agent-Based Devices (3-4 tabs):
Device Configuration Tab:
- Name - Editable device name
- Director - Assigned Director
- Deployment Type - Agent-based or Agentless
- Edit Mode - Modify device settings
- Save/Cancel - Commit or discard changes
Access Configuration Tab (Agentless only):
- IP Address - Target server address
- Port - Connection port
- Authentication - Username/password or Active Directory
- Domain - Windows domain for authentication
- Edit Mode - Modify access settings
Agent Deployment Tab (Agent-based only):
- Installation Command - Platform-specific script
- Copy Button - One-click copy to clipboard
- Connection Status - Real-time Agent connection state
- Agent Information - Version, last connected time
Data Configuration Tab:
On this tab, you select which log types to collect from the Windows device. The interface provides accordion-based sections for different log categories.
Each log type supports optional pre-processing pipeline assignment - allowing you to transform or enrich data before it reaches the main processing pipeline.
Windows Security Events:
- Security audit logs from Windows Event Log
- Configurable log level filtering
- Optional Pre-processing Pipeline - ComboBox to select pipeline for this log type
Windows Event Logs:
- Category Selection - Choose between Basic and Custom modes
- Basic Mode:
  - Pre-configured log level checkboxes
  - Application and System channel options
  - Log level selection (Information, Warning, Error, Critical, Verbose)
  - Simple checkbox-based configuration
- Custom Mode:
  - XML Configuration Editor - Monaco code editor for XPath queries
  - DCR Format Import - Import button to convert Azure DCR format to XML
    - Import DCR Config modal with XML editor
    - System converts DCR to XPath automatically
  - Full custom query support for advanced scenarios
- Optional Pre-processing Pipeline - ComboBox to select pipeline for this log type
Windows Firewall Logs:
- Multiple firewall log options with tick boxes
- Configurable firewall event types
- Optional Pre-processing Pipeline - ComboBox to select pipeline for this log type
Windows DNS Logs:
DNS logs provide the most complex filtering with include/exclude logic:
Include Filters - Specify which DNS events to collect:
- Add New Filter button opens filter configuration
- Multiple filters can be added (treated with OR logic between filters)
Exclude Filters - Specify which DNS events to ignore:
- Same interface as Include filters
- Processed after include filters
Filter Configuration:
For each filter (include or exclude), you configure:
- Filter Type Selection - ComboBox with options:
  - Event ID
  - Response Code
  - Question Type
  - Client IP
  - Query Name
  - And other DNS-specific fields
- Filter Type Selection - ComboBox showing operators based on Filter selection:
  - For Event ID, Response Code, Question Type: Only "Equals" operator (MultiSelect values)
  - For text fields (Client IP, Query Name, etc.): Multiple operators available
    - Equals
    - Contains
    - Starts With
    - Ends With
    - And other string comparison operators
- Value Input:
  - MultiSelect Dropdown (for Event ID, Response Code, Question Type)
    - Pre-defined value list
    - Select multiple values from dropdown
  - TextArea Input (for text fields)
    - One value per line
    - Free-form text entry
- Additional Filter Types (for TextArea filters only):
  - "Add Another Type" button appears after selecting filter type
  - Allows multiple filter types on same field
  - Each additional type treated conjunctively (AND logic)
  - Info alert explains: "Multiple types within a condition are treated with AND logic"
- Multiple Conditions:
  - "Add Condition" button adds another condition to the filter
  - Each condition can have different Filter and Filter Type
  - Multiple conditions within a filter treated conjunctively (AND logic)
  - Info alert explains: "Multiple conditions are treated with AND logic"
- Filter Management:
  - Save Filter button validates and adds filter to list
  - Edit button on each filter row reopens configuration
  - Delete button removes filter
  - Cancel button discards changes
Filter Logic Summary:
- Within a filter: Multiple conditions use AND logic
- Within a condition: Multiple additional types use AND logic
- Between filters: Multiple filters use OR logic
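The following is an added example, not part of the product: a small evaluator that applies the include/exclude logic summarized above to sample DNS events, so a policy can be dry-run before it is saved. The class names, the policy and the events are constructed; treating several values under one type as alternatives, matching case-insensitively, and collecting everything when no include filter exists are assumptions of this sketch.

```python
from dataclasses import dataclass

# Text operators named on the page. Case-insensitive comparison is an
# assumption of this sketch, not documented product behaviour.
OPERATORS = {
    "Equals": lambda actual, value: actual == value,
    "Contains": lambda actual, value: value in actual,
    "Starts With": lambda actual, value: actual.startswith(value),
    "Ends With": lambda actual, value: actual.endswith(value),
}


@dataclass
class FilterType:
    operator: str
    values: list

    def matches(self, actual):
        compare = OPERATORS[self.operator]
        actual = str(actual).lower()
        # Assumption: several values under one type are alternatives.
        return any(compare(actual, str(v).lower()) for v in self.values)


@dataclass
class Condition:
    field_name: str  # Event ID, Response Code, Question Type, Query Name, ...
    types: list      # one or more FilterType, combined with AND

    def matches(self, event):
        if self.field_name not in event:
            return False
        return all(t.matches(event[self.field_name]) for t in self.types)


@dataclass
class DnsFilter:
    conditions: list  # combined with AND

    def matches(self, event):
        return all(c.matches(event) for c in self.conditions)


def should_collect(event, include, exclude):
    # Filters in a list are combined with OR; excludes run after includes.
    # Assumption: an empty include list collects every event.
    if include and not any(f.matches(event) for f in include):
        return False
    return not any(f.matches(event) for f in exclude)


# Constructed policy: collect all TXT lookups, plus NXDOMAIN answers under
# example.com, but ignore wpad.* lookups inside corp.example.com.
INCLUDE = [
    DnsFilter([Condition("Question Type", [FilterType("Equals", ["TXT"])])]),
    DnsFilter([
        Condition("Response Code", [FilterType("Equals", ["NXDOMAIN"])]),
        Condition("Query Name", [FilterType("Ends With", [".example.com"])]),
    ]),
]
EXCLUDE = [
    DnsFilter([Condition("Query Name", [
        FilterType("Starts With", ["wpad."]),
        FilterType("Ends With", [".corp.example.com"]),
    ])]),
]

# Constructed sample events.
EVENTS = [
    {"Question Type": "TXT", "Response Code": "NOERROR", "Query Name": "a1b2c3.t.example.net"},
    {"Question Type": "A", "Response Code": "NXDOMAIN", "Query Name": "wpad.corp.example.com"},
    {"Question Type": "A", "Response Code": "NOERROR", "Query Name": "www.example.com"},
    {"Question Type": "A", "Response Code": "NXDOMAIN", "Query Name": "wpad.lab.example.com"},
]


def evaluate_samples():
    return [should_collect(e, INCLUDE, EXCLUDE) for e in EVENTS]


if __name__ == "__main__":
    for event, keep in zip(EVENTS, evaluate_samples()):
        print("collect" if keep else "drop   ", event["Query Name"])
```

The second event is included and then removed by the exclude filter, while the fourth survives because only one of the two types in the exclude condition matches. This is the quickest way to see whether an exclude rule suppresses more than intended.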
Pipeline Selection:
- Optional Pre-processing Pipeline - ComboBox at bottom of DNS logs section
- Applies to all DNS events collected by this log type
- Transforms or enriches DNS data before main processing
Data Configuration Edit Mode:
- Click "Manage device details" button to enter edit mode
- Accordion toggles become enabled for log type selection
- Filter configuration inputs become editable
- Save Changes button commits all modifications
- Cancel button reverts to previous configuration
Agent History Tab:
- Connection Events - Agent connection/disconnection log
- Configuration Changes - Device configuration updates
- Status Changes - Enable/disable operations
- Timestamp - Date and time of each event
Linux Device Detail View
Linux devices follow the same structure as Windows devices with platform-specific log types and configuration.
Device Configuration Tab:
- Same as Windows device (Name, Director, Deployment Type)
Access Configuration Tab (Agentless only):
- Same as Windows device (IP Address, Port, Authentication, Domain)
Agent Deployment Tab (Agent-based only):
- Same as Windows device (Installation Command, Connection Status, Agent Information)
Data Configuration Tab:
Linux devices provide three log type categories for collection. The interface is similar to Windows but with Linux-specific log sources.
Each log type supports optional pre-processing pipeline assignment - allowing you to transform or enrich data before it reaches the main processing pipeline.
Linux System Events:
- System logs from Linux syslog daemon
- File Path - Input field to specify log file location
- Tooltip with information icon explains path requirements
- Default behavior if empty:
  - Ubuntu/Debian: /var/log/syslog
  - Red Hat/CentOS/Fedora: /var/log/messages
- Custom paths can override defaults
- Optional Pre-processing Pipeline - ComboBox to select pipeline for this log type
Linux Audit Events:
- Audit logs from Linux auditd system
- File Path - Input field to specify audit log file location
- Tooltip with information icon explains path requirements
- Default behavior if empty: System uses distribution-specific default path
- Typically /var/log/audit/audit.log on most distributions
- Optional Pre-processing Pipeline - ComboBox to select pipeline for this log type
Linux Firewall Events:
- Firewall logs from iptables/nftables
- File Path - Input field to specify firewall log file location
- Tooltip with information icon explains path requirements
- Default behavior if empty: System uses distribution-specific default path
- Custom paths allow collection from non-standard locations
- Optional Pre-processing Pipeline - ComboBox to select pipeline for this log type
Linux Data Configuration Edit Mode:
- Click "Manage device details" button to enter edit mode
- Accordion toggles become enabled for log type selection
- Path input fields become editable when accordion is toggled on
- Pipeline ComboBoxes become enabled for selection
- Save Changes button commits all modifications
- Cancel button reverts to previous configuration
Path Configuration Notes:
- Empty path field uses distribution-specific defaults
- Custom paths must be absolute paths (e.g., /custom/log/location)
- Agent must have read permissions for specified paths
- Tooltip information icon provides platform-specific guidance
Azure Cloud Devices (3 tabs):
General Settings Tab - Name, description, Director, tags
Azure Properties Tab:
- Cloud-specific configuration
- Authentication details
- Connection strings
- Workspace information
- Read-only display
Advanced Configuration Tab (varies by device):
- Performance tuning
- Retry logic
- Error handling
- Read-only display
Device Actions Menu
Each device detail view provides an Actions menu with context-specific operations:
View and Configuration:
- See details - Current view (disabled in dropdown)
Status Management:
- Enable Device - Activate disabled device
- Disable Device - Deactivate enabled device
Advanced Operations:
- Clone Device - Duplicate configuration for new device
- Delete Device - Remove device from platform
Device Operations
Enable/Disable Device
Enable Device:
Activate a disabled device to resume data collection:
- Navigate to device detail view or use Actions menu from list
- Click Actions menu
- Select Enable Device
- Success notification displays confirmation
- Device status updates to "Enabled"
- Device begins receiving/collecting data
Disable Device:
Deactivate an enabled device to pause data collection:
- Navigate to device detail view or use Actions menu from list
- Click Actions menu
- Select Disable Device
- Success notification displays confirmation
- Device status updates to "Disabled"
- Stops data collection but preserves configuration
Clone Device
Duplicate an existing device configuration for quick setup:
- Navigate to device detail view or use Actions menu from list
- Click Actions menu
- Select Clone Device
- System navigates to device creation wizard
- Pre-fills form with cloned device configuration
- Modify name and other settings as needed
- Complete wizard to create new device
Delete Device
Delete Device Process:
Remove a device from the platform with dependency checking:
- Navigate to device detail view or use Actions menu from list
- Click Actions menu
- Select Delete Device
- Deletion modal appears with confirmation
Standard Deletion:
- Confirm device name matches
- Click Delete to proceed
- Success notification confirms deletion
- Redirect to device list view
Deletion with Dependencies:
If device has active dependencies, error modal displays:
Error Modal Contents:
- "Cannot delete Device" message
- Routes - List of routes using this device
- Action Required - Remove or reassign dependencies before deletion
Dependency Resolution:
- Note listed routes
- Edit routes to use different device or delete routes
- Retry device deletion after dependencies removed
Edit Mode Workflow
Device detail tabs support inline editing with unsaved changes protection:
Enter Edit Mode:
- Navigate to editable tab (General Settings, Device Configuration, etc.)
- Click Edit button in top-right of tab
- Form fields become editable
- Save and Cancel buttons appear
Make Changes:
- Modify editable fields
- Changes are not saved automatically
- Form validation occurs on save
Save Changes:
- Click Save button
- System validates changes
- Success notification displays confirmation
- Edit mode exits
- Tab displays updated values
Cancel Changes:
- Click Cancel button
- Form reverts to original values
- Edit mode exits
- No changes are saved
Tab Navigation Protection:
If you attempt to navigate to another tab while in edit mode:
- Unsaved Changes Modal appears
- Modal Contents:
  - "Unsaved changes" heading
  - "You have unsaved changes. Are you sure you want to leave?" message
  - Discard Changes - Exit edit mode and switch tabs
  - Continue Editing - Return to current tab
  - Cancel - Close modal
Notifications
The Devices interface provides automatic notifications for all operations:
Success Notifications
Auto-dismissing success messages (10-second timeout):
- Device Created - New device successfully created
- Device Enabled - Device successfully activated
- Device Disabled - Device successfully deactivated
- Device Deleted - Device successfully removed from platform
- Device Updated - Device configuration successfully saved
Error Notifications
Persistent error notifications requiring user action:
- Enable Failed - Device could not be enabled
- Disable Failed - Device could not be disabled
- Delete Failed - Device deletion unsuccessful
- Update Failed - Device configuration update failed
- Director Required - Push device creation requires Director
Notification Actions
Auto-Close:
- Success notifications auto-dismiss after 10 seconds
- Hover to pause auto-close timer
- Click X to manually dismiss
Manual Dismiss:
- Error notifications require manual dismissal
- Review error details before dismissing
- Take corrective action based on error message
Best Practices
Device Organization
Naming Conventions:
- Use descriptive, meaningful device names
- Include location or purpose in name (e.g., "datacenter-syslog-01")
- Maintain consistent naming pattern across devices
- Avoid generic names like "device1" or "test"
Tag Usage:
- Apply tags for categorization (environment, datacenter, application)
- Use tags for bulk filtering and management
- Maintain consistent tag vocabulary across organization
- Document tag meanings for team reference
Status Management
Enabled Status:
- Keep devices "Enabled" for active data collection
- Monitor connection status regularly
- Investigate "Not Connected" status immediately
- Review device logs for connectivity issues
Disabled Status:
- Use "Disabled" status for maintenance windows
- Disable devices during configuration changes
- Document reason for disabling in external systems
- Re-enable after maintenance completion
Configuration Management
Push Devices:
- Verify port availability before configuration
- Test network connectivity to device ports
- Configure TLS for sensitive data streams
- Monitor buffer usage under high load
Pull Devices (Agent-Based):
- Complete Agent installation before device creation
- Verify Agent connection status in Agent Deployment tab
- Monitor Agent History for connection issues
- Update Agent definitions when log requirements change
Pull Devices (Cloud-Based):
- Validate Azure credentials before configuration
- Test connection to cloud services
- Monitor error logs for authentication issues
- Verify appropriate permissions for cloud resources
Lifecycle Management
Creation:
- Assign to appropriate Director for workload distribution
- Configure all required fields before creation
- Test device immediately after creation
- Verify data flow through associated routes
Maintenance:
- Review device detail tabs periodically
- Keep device configurations synchronized
- Monitor Agent History for patterns
- Test configuration changes in non-production first
Deletion:
- Verify no active dependencies before deletion
- Document reason for device removal
- Archive device configurations for compliance
- Update related documentation and diagrams