
Add Your First Device

What is a Device?

A Device represents your data source in DataStream. It defines how DataStream receives data from systems like:

  • Syslog servers - Network devices, firewalls, routers, switches
  • Windows Event Logs - Security events, system logs from Windows servers
  • HTTP endpoints - Webhook data from applications and services
  • TCP/UDP streams - Custom protocols and data feeds
  • Cisco eStreamer - Real-time security intelligence from Cisco devices

Choosing Your Device Type

For this getting started guide, we'll create a Syslog Device because:

  • Most network infrastructure supports syslog
  • It's easy to test with common tools
  • Many security devices use syslog by default
  • It demonstrates the core concepts clearly

Create Your Syslog Device

  1. Navigate to Devices

    • From the Home dashboard: Fleet Management > Devices
    • Click the Syslog card under Push devices
  2. Start Device Creation

    • Click Add new device
    • You'll see the device creation form with multiple tabs
  3. Configure General Settings (First Tab)

    • Name: "My First Syslog Device"
    • Description: "Learning syslog collection"
    • Tags: Leave blank for now
    • Device Status: Ensure the toggle is set to Enabled
    • Director(s) for the Device: Select the Director you created earlier
    • Pre-processing pipeline (Optional): Leave blank for now
    • Click Next step
  4. Configure Protocol Settings (Second Tab)

    • Authentication Protocol: UDP (default - most common)
    • IP Address: 0.0.0.0 (listens on all network interfaces)
    • Port: 514 (standard syslog port - you can assign any port you want)
    • Click Next step
Note: The device listener runs on your Director host. The IP address 0.0.0.0 means it accepts connections on all network interfaces of that server. Configure your syslog sources to send data to your Director's IP address on port 514.

  5. Advanced Configuration (Third Tab)

    • You can accept all the default values for now:
      • Socket address reuse: Enabled
      • Max Connections: 10000
      • Timeout: 300 seconds
      • Max Message Size: 20 MB
      • Buffer Size: 9000 bytes
    • Click Add device

Verify Your Device

Your device should now appear in the Syslog devices table with:

  • Status: Enabled
  • Port: 514
  • Protocol: UDP
  • Director: Your Director's name

Test Your Device (Optional)

Want to verify your device is working? You can send a test syslog message:

Send-SyslogMessage -Server <your-server-ip> -Message "Test message from DataStream setup" -Severity Informational -Facility User
Note: This command requires a syslog module such as Posh-SYSLOG. Install it with Install-Module Posh-SYSLOG. Replace <your-server-ip> with the IP address of your Director host.

You won't see the processed data yet because we haven't set up a Target or Route, but your Director logs should show the message was received.
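If you don't have PowerShell handy, the following added example (not part of the DataStream documentation) does the same check from Python: it builds an RFC 5424 syslog datagram with the same facility (User) and severity (Informational) as the command above, sends it over UDP, and includes a throwaway loopback listener standing in for the Director so you can see exactly what arrives. The Director address and port are assumed placeholders; the hostname and app name are constructed sample values.

```python
import socket
from datetime import datetime, timezone

# Facility and severity codes from RFC 5424 section 6.2.1 (subset used here).
FACILITIES = {"kern": 0, "user": 1, "daemon": 3, "auth": 4, "local0": 16}
SEVERITIES = {"Emergency": 0, "Alert": 1, "Critical": 2, "Error": 3,
              "Warning": 4, "Notice": 5, "Informational": 6, "Debug": 7}


def build_syslog_message(facility, severity, hostname, app, msg, ts=None):
    """Return an RFC 5424 syslog datagram as bytes. PRI = facility * 8 + severity."""
    pri = FACILITIES[facility] * 8 + SEVERITIES[severity]
    ts = ts or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    # Layout: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG
    # "-" marks the NILVALUE for PROCID, MSGID and STRUCTURED-DATA.
    return f"<{pri}>1 {ts} {hostname} {app} - - - {msg}".encode()


def parse_pri(datagram):
    """Split the PRI back into (facility_code, severity_code) as a receiver would."""
    end = datagram.index(b">")
    pri = int(datagram[1:end])
    return pri // 8, pri % 8


def send_udp(datagram, host, port):
    """Send one datagram to a syslog listener such as the Director on 0.0.0.0:514."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(datagram, (host, port))


def loopback_roundtrip(datagram, buffer_size=9000):
    """Bind a local UDP listener, send the datagram to it, and return what was received.

    buffer_size mirrors the device's 9000-byte default; recvfrom() silently drops
    any bytes of a datagram beyond that size, so one syslog message must fit in it.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as listener:
        listener.bind(("127.0.0.1", 0))  # ephemeral port for the demo only
        listener.settimeout(2)
        port = listener.getsockname()[1]
        send_udp(datagram, "127.0.0.1", port)
        data, _ = listener.recvfrom(buffer_size)
    return data


if __name__ == "__main__":
    msg = build_syslog_message("user", "Informational", "lab-host", "setup-test",
                               "Test message from DataStream setup")
    print(msg.decode())                       # what the Director will see on the wire
    print(parse_pri(loopback_roundtrip(msg)))  # (1, 6): facility user, severity informational
    # To test the real device: send_udp(msg, "<your-server-ip>", 514)
```

UDP syslog carries no sender authentication, so on the Director host you would also confirm that only your intended sources can reach port 514.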

Alternative Device Types

Need to collect different data?

  • Windows Event Logs:

    • Choose Windows under Pull devices
    • Requires installing an Agent on Windows machines
    • Great for security monitoring and system diagnostics
  • HTTP Webhook Data:

    • Choose HTTP under Push devices
    • Perfect for application logs and API integrations
    • Supports JSON payloads and authentication
  • Other Network Protocols:

    • TCP: For reliable, connection-based data streams
    • UDP: For high-throughput, low-latency data collection
    • eStreamer: For Cisco security appliance integration

Learn More: For detailed configuration of all device types, see our Device Configuration Guide.

What's Next?

Your device is now listening for data. Next, we need to configure where that data should go by creating a Target.

Next: Configure Your First Target to define where your processed data will be stored.