Axoflow is a security data curation pipeline that reduces complexity and costs by 50% and improves SIEM accuracy for carrier-grade data.
Thanks to its flexible deployment modes, you can quickly insert an Axoflow processing node (called AxoRouter) transparently into your pipeline and gain instant benefits:
- Data reduction
- Improved SIEM accuracy
- Configuration UI for routing data
- Automatic data classification
- Metrics about log ingestion, processing, and data drops
- Analytics about the transported data
- Health check, highlighting anomalies
After the first step, you can further integrate your pipeline, by deploying Axoflow agents to collect and manage your security data, or onboarding your existing log collector agents (for example, syslog-ng). Let’s see what these scenarios look like in detail.
This is a somewhat simplified layout of a segment of your topology that shows a few data sources, and a syslog server (or relay) that forwards the collected data to a SIEM (Splunk).
Transparent router deployment
In transparent mode, you deploy an AxoRouter in front of your SIEM and—if needed—configure the syslog server to send the logs to AxoRouter instead of the SIEM. AxoRouter receives the data and:
- automatically identifies the sending device or application,
- applies device-specific, zero-maintenance parsers to the incoming data, and
- enriches metadata to the incoming messages.
You can use Axoflow console as a SaaS solution:
or deploy it on-premises.
This low-level classification also allows AxoRouter to fix errors in the incoming data (for example, formatting errors and invalid data), improving the data quality in your SIEM. It also allows for SIEM-specific fixes, like adding the missing sourcetype for Splunk. The transparent deployment method is a quick, minimally invasive way to get instant benefits and value of Axoflow:
- Data fixup and processing is usually a manual process, performed in the SIEM (for example, using Technical Add-ons in Splunk). Replacing this with processing in the pipeline allows automatic data reduction (removing noise, redundancies, and empty fields) before your data reaches the SIEM, cutting ingestion costs by up to 50%.
- Multi-SIEM scenarios are on the rise. Axoflow allows you to selectively filter and route your data between multiple destinations and apply destination-specific formatting and optimization, whether you’re migrating between SIEMs (for example,from QRadar to Elasticsearch or Microsoft Sentinel), or optimizing data between destinations (for example, routing only security data to the SIEM, and everything else to low-cost object storage like S3).
- Metrics from AxoRouter are automatically available on the Axoflow Console (SaaS or on-prem), giving you insight into the transported data volume and data drops, and the ability to drill down and analyze the data flow based on metadata and content as well. (Deploying AxoRouter provides you with a single data node, further integration steps described in the subsequent sections give you access to even more detailed metrics, as more pipeline elements provide data.)
Router and edge deployment
Axoflow provides agents to collect data from all kinds of sources: Kubernetes clusters, cloud sources, security appliances, as well as regular Windows or Linux-based servers. (If you’d prefer to keep using your existing syslog infrastructure instead of the Axoflow agents, check the next section.)
Using Axoflow’s own collector agents has several benefits:
- Reliable transport: Between its components, Axoflow transports security data using the reliable OpenTelemetry protocol (OTLP) for high performance, and to avoid losing messages.
- Managed components: You can configure, manage, monitor, and troubleshoot all these components from the Axoflow Console. For example, you can sample the data flowing through each component.
Metrics: Detailed metrics from every collector provide unprecedented insight into the status of your telemetry pipeline.
Onboard an existing syslog infrastructure
Most organizations already have a syslog architecture in place, and Axoflow provides ways to reuse it. This allows you to integrate your existing infrastructure with Axoflow, and optionally – in a later phase – replace your log collectors with the agents provided by Axoflow.
Read-only mode
You install Axolet on the data source. Axolet is a monitoring (and management agent) that integrates with the local log collector, like AxoSyslog, Splunk Connect for Syslog, or syslog-ng, and sends detailed metrics about the host and its data traffic to the Axoflow Console. This allows you to use the Axoflow Console to:
- Check the metrics about the log ingestion, processing, and data drops
- Browse data analytics and health checks
- Get notifications about alerts and anomalies
Unmanaged AxoRouter deployments
In this mode, you install AxoRouter on the data source and manage it manually. That way you get the functional benefits of using AxoRouter (our aggregator and data curation engine) to collect and classify your data but can manage its configuration as you see fit. This gives you all the benefits of the read-only mode (since AxoRouter includes Axolet as well), and in addition, it provides:
- Advanced and more detailed metrics about the log ingestion, processing, data drops, delays
- More detailed analytics about the transported data
- Access to the FilterX processing engine
- Ability to receive OpenTelemetry data
- Acts as a Windows Event Collector server, allowing you to collect Windows events
- Optimized output for the specific SIEMs
- Data reduction
Managed AxoRouter deployments
This deployment mode is similar to the previous one, but instead of writing configurations manually, you use the centralized management UI of Axoflow Console to manage your AxoRouter instances. This provides the tightest integration and the most benefits. In addition to the unmanaged use case, it gives you:
- Configuration management from UI
- Automatic host inventory and host attribution
- Automatic classification and enrichment of incoming data
- Advanced routing based on labels
Summary
Axoflow is an innovative security data curation pipeline designed to streamline data management, cutting costs by 50% and significantly boosting SIEM accuracy, even for complex, carrier-grade data environments. At its core, Axoflow simplifies data handling through AxoRouter, a versatile processing node that can be seamlessly integrated into your data pipeline to deliver instant improvements, including data reduction, automated data classification, and insightful metrics on data flow and system health.
Axoflow offers an adaptable, low-maintenance solution for organizations looking to optimize data processing, reduce SIEM costs, and gain deeper insight into their security data flow—all with a minimal footprint and flexible deployment to meet specific infrastructure needs.
On-deman Webinar
Parsing
sucks!
What can you do
about it?
56 minutes
Balázs SCHEIDLER
Founder syslog-ng™
Mark BONSACK
Co-creator SC4S
Sándor GUBA
Founder Logging Operator
Neil BOYD
Moderator
On-demand Webinar
Parsing
sucks!
What can you do about it?
56 minutes
Follow Our Progress!
We are excited to be realizing our vision above with a full Axoflow product suite.