
Axoflow is a security data curation pipeline that reduces complexity and costs by 50% and improves SIEM accuracy for carrier-grade data.

Thanks to its flexible deployment modes, you can quickly insert an Axoflow processing node (called AxoRouter) transparently into your pipeline and gain instant benefits:

  • Data reduction
  • Improved SIEM accuracy
  • Configuration UI for routing data
  • Automatic data classification
  • Metrics about log ingestion, processing, and data drops
  • Analytics about the transported data
  • Health check, highlighting anomalies

After the first step, you can further integrate your pipeline by deploying Axoflow agents to collect and manage your security data, or by onboarding your existing log collector agents (for example, syslog-ng). Let’s see what these scenarios look like in detail.

This is a somewhat simplified layout of a segment of your topology that shows a few data sources, and a syslog server (or relay) that forwards the collected data to a SIEM (Splunk).

A simple syslog architecture

Transparent router deployment

In transparent mode, you deploy an AxoRouter in front of your SIEM and—if needed—configure the syslog server to send the logs to AxoRouter instead of the SIEM. AxoRouter receives the data and:

You can use Axoflow console as a SaaS solution:

Axoflow SaaS integration

or deploy it on-premises.

Axoflow on-prem deployment

This low-level classification also allows AxoRouter to fix errors in the incoming data (for example, formatting errors and invalid data), improving the data quality in your SIEM. It also allows for SIEM-specific fixes, like adding the missing sourcetype for Splunk. The transparent deployment method is a quick, minimally invasive way to get immediate benefits and value from Axoflow:

  • Data fixup and processing is usually a manual process, performed in the SIEM (for example, using Technical Add-ons in Splunk). Replacing this with processing in the pipeline allows automatic data reduction (removing noise, redundancies, and empty fields) before your data reaches the SIEM, cutting ingestion costs by up to 50%.
  • Multi-SIEM scenarios are on the rise. Axoflow allows you to selectively filter and route your data between multiple destinations and apply destination-specific formatting and optimization, whether you’re migrating between SIEMs (for example, from QRadar to Elasticsearch or Microsoft Sentinel), or optimizing data between destinations (for example, routing only security data to the SIEM, and everything else to low-cost object storage like S3).
  • Metrics from AxoRouter are automatically available on the Axoflow Console (SaaS or on-prem), giving you insight into the transported data volume and data drops, and the ability to drill down and analyze the data flow based on metadata and content as well. (Deploying AxoRouter provides you with a single data node; the further integration steps described in the subsequent sections give you access to even more detailed metrics, as more pipeline elements provide data.)

Metrics-based Sankey diagrams in Axoflow

Router and edge deployment

Axoflow provides agents to collect data from all kinds of sources: Kubernetes clusters, cloud sources, security appliances, as well as regular Windows or Linux-based servers. (If you’d prefer to keep using your existing syslog infrastructure instead of the Axoflow agents, check the next section.)

Deploying AxoRouter and edge collectors

Using Axoflow’s own collector agents has several benefits:

  • Reliable transport: Between its components, Axoflow transports security data using the reliable OpenTelemetry protocol (OTLP) for high performance, and to avoid losing messages.
  • Managed components: You can configure, manage, monitor, and troubleshoot all these components from the Axoflow Console. For example, you can sample the data flowing through each component.
  • Metrics: Detailed metrics from every collector provide unprecedented insight into the status of your telemetry pipeline.

Onboard an existing syslog infrastructure

Most organizations already have a syslog architecture in place, and Axoflow provides ways to reuse it. This allows you to integrate your existing infrastructure with Axoflow, and optionally – in a later phase – replace your log collectors with the agents provided by Axoflow.

Read-only mode

You install Axolet on the data source. Axolet is a monitoring (and management) agent that integrates with the local log collector, like AxoSyslog, Splunk Connect for Syslog, or syslog-ng, and sends detailed metrics about the host and its data traffic to the Axoflow Console. This allows you to use the Axoflow Console to:

  • Check the metrics about the log ingestion, processing, and data drops
  • Browse data analytics and health checks
  • Get notifications about alerts and anomalies

A simple syslog-ng based logging pipeline

Unmanaged AxoRouter deployments

In this mode, you install AxoRouter on the data source and manage it manually. That way you get the functional benefits of using AxoRouter (our aggregator and data curation engine) to collect and classify your data, but can manage its configuration as you see fit. This gives you all the benefits of the read-only mode (since AxoRouter includes Axolet as well), and in addition, it provides:

  • Advanced and more detailed metrics about the log ingestion, processing, data drops, and delays
  • More detailed analytics about the transported data
  • Access to the FilterX processing engine
  • Ability to receive OpenTelemetry data
  • Acts as a Windows Event Collector server, allowing you to collect Windows events
  • Optimized output for the specific SIEMs
  • Data reduction

User-managed AxoRouter deployment

Managed AxoRouter deployments

This deployment mode is similar to the previous one, but instead of writing configurations manually, you use the centralized management UI of Axoflow Console to manage your AxoRouter instances. This provides the tightest integration and the most benefits. In addition to the unmanaged use case, it gives you:

Axoflow-managed AxoRouter deployment

Summary

Axoflow is an innovative security data curation pipeline designed to streamline data management, cutting costs by 50% and significantly boosting SIEM accuracy, even for complex, carrier-grade data environments. At its core, Axoflow simplifies data handling through AxoRouter, a versatile processing node that can be seamlessly integrated into your data pipeline to deliver instant improvements, including data reduction, automated data classification, and insightful metrics on data flow and system health.

Axoflow offers an adaptable, low-maintenance solution for organizations looking to optimize data processing, reduce SIEM costs, and gain deeper insight into their security data flow—all with a minimal footprint and flexible deployment to meet specific infrastructure needs.
