
Axoflow’s Storage Strategy: Building the Security Data Layer
Axoflow’s goal is to build the “ultimate” Security Data Layer - the foundation for any security operation. The first step is creating a stable, reliable, and effective pipeline. The next step is giving that pipeline memory so it can store and retrieve data.
A common debate arises: should you centralize logs before processing, or work right at the edge? The answer is the same as in all fields: it depends. Some workloads can be processed at the edge and gain little from being centralized (especially real-time detection). Others require complex correlation and therefore centralization, and many fall somewhere in between. That’s why Axoflow covers all scenarios. We’ll look at three key use cases:
- Storage at the Edge (with federated search)
- Low-cost centralized collection
- Aggregated stream processing
And for more specialized deployments: AxoStore, the standalone Platform-in-a-Box solution.
Storage at the Edge
Scaling storage with data is never trivial. Sometimes you don’t need centralized storage at all - you just need quick, local access to logs. This is especially valuable for operations teams during troubleshooting or debugging.
AxoRouter Storage makes this possible by offering low-footprint, queryable storage directly on the node where the data is processed. This opens new possibilities:
- Store debug-level logs for a short window (e.g., 24h) to support “what if something happens” scenarios.
- Collect data ad hoc for maintenance or debugging tasks.
- Keep a lightweight local backup.
Traditionally, these needs were solved with hacks - like spinning up temporary storage or piping debug logs into a SIEM. Now, you can run federated queries from the Axoflow Console that fan out across all AxoRouter Storage instances and return results seamlessly.
AxoLake: Low-cost Centralized Collection
Centralized log collection is still critical. Security data lakes are increasingly used as external sources for SIEMs and other security tools. A tiered security lake serves two main purposes:
- Providing cheap, long-term archive storage.
- Delivering accessible hot data for detection and analytics.
AxoLake was built to do both. It combines:
- A scalable hot tier for fast queries.
- A cost-efficient cold tier based on S3-compatible object storage.
This gives you the best of both worlds: open formats, cloud-native scalability, and long-term retention without breaking the budget.
Stream Processing with Aggregation
Sometimes workloads (e.g., login events) need to be aggregated in one place, enriched with external threat intelligence, and analyzed in real time. But that shouldn’t mean all data has to flow into the SIEM.
AxoRouter supports advanced stream processing at the edge. With policy-based routing, you can create specialized routers that:
- Aggregate data locally.
- Enrich it with threat intelligence.
- Run real-time detection or AI.
Temporary storage ensures consistent time windows for analytics and reduces volatility. The result? Faster detection, less noise in your SOC, and more efficient use of SIEM storage.
AxoStore: The Platform-in-a-Box
Some environments demand a self-contained solution. Limited connectivity, on-premise restrictions, or air-gapped deployments make it hard to rely on centralized infrastructure.
AxoStore is designed for exactly these cases. It’s a single VM appliance that includes all Axoflow features—collection, storage, and analytics—in one package. With AxoStore you can:
- Operate locally even when disconnected from a central hub.
- Store smaller volumes of data long term.
- Plug into a larger deployment later, without rework.
This makes AxoStore perfect for remote sites, highly regulated environments, or where simplicity and reliability matter most.
Final Thoughts
Whether you need:
- Temporary operational storage,
- A cost-effective data lake, or
- A special-purpose air-gapped deployment
Axoflow has you covered. With Pipeline, Storage, and AI all integrated, Axoflow provides the foundation of a true Security Data Layer.
AxoRouter Storage: A lightweight, queryable storage option built into the AxoRouter processing engine. It lets you temporarily store data locally and search from the Axoflow Console, with federated queries across all AxoRouter nodes.
AxoLake: A scalable, tiered security data lake combining a fast hot tier with low-cost, S3-compatible cold storage. Designed for long-term retention, open access, and integration with SIEMs and security analytics.
AxoStore: A self-contained “platform-in-a-box” virtual appliance that brings the full Axoflow stack - collection, storage, and analytics - into a single deployable unit. Ideal for air-gapped, remote, or limited-connectivity environments.