Data Streamer

Overview

Data Streamer is Trio’s outbound data pipeline for exporting operational, security, and activity telemetry from the Trio platform to external systems in near real time. It acts as a controlled, policy-aware egress layer that collects normalized events generated across Trio (devices, users, agents, policies, integrations) and delivers them to downstream analyzers such as SIEMs, log management platforms, observability stacks, or custom ingestion endpoints.

From an architectural standpoint, Data Streamer sits between Trio’s internal event fabric and external analytics infrastructure, providing transport abstraction, security controls, filtering, routing, and delivery health monitoring.


What Data Streamer Does Technically

At runtime, Data Streamer performs four core functions:

  1. Event collection and normalization
    Events generated by Trio subsystems (device agents, OS integrations, admin actions, policy engines, and security modules) are emitted into Trio’s internal event pipeline. Data Streamer consumes these events after they are:

    • Structured into well-defined schemas

    • Enriched with contextual metadata (organization, device, ownership, assignment, timestamps)

    • Classified by namespace, severity, and stream type

  2. Stream selection and scoping
    Each Data Streamer connection explicitly declares which streams it receives (for example, OS/System logs, mobile agent logs, inventory deltas). This ensures that only intended data classes are exported, preventing over-collection and unnecessary downstream cost.

  3. Secure transport and delivery
    Events are serialized into the configured payload format and transmitted over authenticated and encrypted channels using industry-standard protocols such as:

    • Syslog over TLS

    • HTTPS (JSON)

    • OTLP (HTTP/Protobuf)

    Delivery includes retry logic, backoff handling, and health tracking to ensure reliable transmission even during transient failures.

  4. Filtering, rate control, and observability
    Before egress, events pass through configurable filters (severity thresholds, namespace allow/deny lists) and budget enforcement (events per day). This protects external systems from noise, overload, and unexpected volume spikes while preserving high-value signals.


Data Streamer Architecture in Trio

Within the Trio interface, Data Streamer is organized into three primary layers, reflected directly in the UI:

1. Connections

A connection defines where and how data is sent. It encapsulates destination configuration, security settings, and protocol details. Each row in the Connections table represents an independent delivery pipeline with its own lifecycle and health state.

A connection includes:

  • Destination type (Syslog, HTTP, OTLP)

  • Authentication and TLS configuration

  • Selected streams

  • Filters and event budget

  • Delivery status and error metrics

Connections are isolated from each other, allowing multiple parallel exports (for example, one SIEM, one archive endpoint, one analytics pipeline) without cross-impact.


2. Routing

Routing determines which events go to which connections. Internally, events are tagged with namespaces and stream identifiers. Routing rules map those identifiers to one or more active connections.

This design allows:

  • Fan-out delivery (the same event sent to multiple destinations)

  • Segmentation of data by purpose (security vs. operations vs. compliance)

  • Incremental rollout of new destinations without reconfiguring event sources
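The filter, budget, and fan-out behaviour described under "Filtering, rate control, and observability" and "Routing" can be modelled in a few lines. This is an added illustration, not Trio's code: the stream and namespace names, the severity scale, prefix matching, deny-over-allow precedence, and the order of checks are all assumptions.

```python
from dataclasses import dataclass, field
# Assumed severity scale; the page mentions thresholds but not the levels.
SEVERITY = {"debug": 0, "info": 1, "warning": 2, "error": 3, "critical": 4}

@dataclass
class Connection:
    name: str
    streams: set                 # streams this connection explicitly selects
    min_severity: str = "info"
    allow: tuple = ()            # namespace prefixes; empty means allow all
    deny: tuple = ()             # namespace prefixes; deny beats allow (assumed)
    daily_budget: int = 1000     # events per day
    sent_today: int = 0
    dropped: dict = field(default_factory=dict)

    def drop_reason(self, ev):   # None = may egress, else why it is dropped
        stream, ns, sev = ev
        if stream not in self.streams:
            return "stream_not_selected"
        if SEVERITY[sev] < SEVERITY[self.min_severity]:
            return "below_severity"
        if any(ns.startswith(p) for p in self.deny):
            return "namespace_denied"
        if self.allow and not any(ns.startswith(p) for p in self.allow):
            return "namespace_not_allowed"
        if self.sent_today >= self.daily_budget:
            return "budget_exhausted"
        return None

def route(ev, connections):      # fan-out: each connection decides on its own
    delivered = []
    for conn in connections:
        reason = conn.drop_reason(ev)
        if reason is None:
            conn.sent_today += 1
            delivered.append(conn.name)
        else:
            conn.dropped[reason] = conn.dropped.get(reason, 0) + 1
    return delivered

def demo():
    """Constructed connections and (stream, namespace, severity) events."""
    siem = Connection("siem", {"os_system", "mobile_agent"}, "warning",
                      deny=("agent.debug",), daily_budget=2)
    archive = Connection("archive", {"os_system", "inventory"})
    sample = [("os_system", "os.auth", "error"), ("inventory", "inventory.device", "info"),
              ("mobile_agent", "agent.debug.trace", "critical"),
              ("os_system", "os.kernel", "critical"), ("os_system", "os.auth", "critical")]
    return [route(e, [siem, archive]) for e in sample], siem.dropped
```

In this model the last sample event is critical yet never reaches the SIEM connection because its daily budget is already spent, so per-connection drop counts are worth watching alongside delivery status.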


3. Data Catalog

The Data Catalog provides a canonical view of all event types that Data Streamer can export. It documents:

  • Stream names and namespaces

  • Payload structure and schema version

  • Expected volume characteristics

  • Applicable platforms and agents

This serves as a contract between Trio and downstream consumers, enabling predictable parsing and long-term compatibility.


Supported Data Streams (Conceptual)

Data Streamer exports structured telemetry across multiple domains, including but not limited to:

  • OS / System Logs
    Endpoint-level runtime and agent service events used for operational visibility and troubleshooting.

  • Mobile Agent / App Logs
    Logs generated by mobile device agents, including lifecycle events, enforcement outcomes, and client-side errors.

  • Inventory and State Changes
    Delta-based updates for device attributes, ownership, enrollment state, and configuration drift.

Each stream is independently selectable and labeled with volume characteristics to help operators balance fidelity and cost.


Delivery Health and Status Monitoring

For each connection, Trio continuously evaluates delivery health and exposes it directly in the Connections table. This includes:

  • Status (Healthy, Degraded, Paused, Error)

  • Count of streams currently routed

  • Error rate, calculated from recent delivery attempts

  • Last delivery timestamp

This telemetry allows administrators to quickly identify misconfigurations, downstream outages, or authentication failures without inspecting raw logs.


Security Model

Data Streamer is designed with a strict outbound-only security posture.

Key characteristics include:

  • No inbound access from external systems into Trio

  • Mandatory encryption (TLS/mTLS) for supported transports

  • Credential scoping per connection to prevent lateral exposure

  • Explicit permission requirements for accessing event classes

Access to Data Streamer itself is governed by Trio’s role-based access control, ensuring only authorized admins can create, modify, or activate connections.


Permissions and Data Access

To function correctly, Data Streamer requires permission to:

  • Read device, user, and security event logs

  • Export selected event streams to configured destinations

  • Monitor delivery outcomes and failure states

These permissions are limited to streaming purposes and do not grant broader administrative control.


When to Use Data Streamer

Data Streamer is intended for organizations that need:

  • Centralized security monitoring via SIEM

  • Long-term log retention outside Trio

  • Correlation of Trio events with infrastructure, identity, or network data

  • Real-time operational observability and alerting

It is not a reporting feature or an interactive query system; it is a continuous, structured event export pipeline optimized for downstream analysis.