
Axoflow architecture

Axoflow provides an end-to-end pipeline that automates the collection, management, and loading of your security data in a vendor-agnostic way. The following figure highlights the Axoflow data flow:

[Figure: Axoflow Platform Architecture]

The architecture of Axoflow is comprised of two main elements: the AxoConsole and the Data Plane.

  • The AxoConsole is primarily concerned with highlighting the metadata of each event. This includes the source from which it originated, the size in bytes (and event count over time), its destination, and any other element which describes the data.
  • The Data Plane includes collector agents and processing engines (like AxoRouter) that collect, classify, filter, transform, and deliver telemetry data to its proper destinations (SIEMs, storage), and provide metrics to the AxoConsole. The components of the Data Plane can be managed from the AxoConsole, or can be independent.

Pipeline components

A telemetry pipeline consists of the following high-level components:

  • Data Sources: Data sources are the endpoints of the pipeline that generate the logs and other telemetry data you want to collect. For example, firewalls and other appliances, Kubernetes clusters, application servers, and so on can all be data sources. Data sources send their data either directly to a destination, or to a router.

    Axoflow provides several log collecting agents and solutions to collect data in different environments, including connectors for cloud services, Kubernetes clusters, Linux servers, and Windows servers.

  • Routers: Routers (also called relays or aggregators) collect the data from a set of data sources and transport it to the destinations.

    AxoRouter can collect, curate, and enrich the data: it automatically identifies your log sources and fixes common errors in the incoming data. It also converts the data into a format that best suits the destination to optimize ingestion speed and data quality.

  • Destinations: Destinations are your SIEM and storage solutions where the telemetry pipeline delivers your security data.

Axoflow as SaaS deployment

Your telemetry pipeline can consist of managed and unmanaged components. You can deploy and configure managed components from the AxoConsole. Axoflow provides several managed Axoflow agent components that help you collect or fetch data from your various data sources, or act as routers.

AxoConsole

AxoConsole (formerly Axoflow Console) is the data visualization and management UI of Axoflow. Available both as a SaaS and an on-premises solution, it collects and visualizes the metrics received from the pipeline components to provide insight into the details of your telemetry pipeline and the data it processes. It also allows you to:

[Figure: Security data pipeline topology on the AxoConsole]

AxoRouter

AxoRouter is a router (aggregator) and data curation engine: it collects all kinds of telemetry and security data and has all the low-level functions you would expect of log-forwarding agents and routers. AxoRouter can also curate and enrich the collected data; it:

  • automatically identifies your log sources, recognizing the product that is sending it, for example, switches, firewalls, and web gateways
  • fixes common errors in the incoming data: for example, it corrects missing hostnames, invalid timestamps, formatting errors, and so on
  • automatically parses the logs of hundreds of COTS devices
  • performs data reduction and normalization to reduce noise and improve data quality.

Before sending your data to its destination, AxoRouter automatically converts the data into a format that best suits the destination to optimize ingestion speed and data quality. For example, when sending data to Splunk, setting the proper sourcetype and index is essential.
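The curation steps listed above (identifying the sending product, filling in a missing hostname, replacing an invalid timestamp, normalizing fields, reducing duplicates, and tagging the event with destination metadata such as a Splunk sourcetype and index) are easier to reason about on concrete input. The following Python is an added illustration written for this page; it is not AxoRouter's or Axoflow's code and makes no claim about how AxoRouter implements these steps. The vendor signatures, the `example:*` sourcetype and index names, the peer address `192.0.2.10`, and the sample log lines are all constructed for the example.

```python
"""Toy syslog curation stage (added example, not Axoflow/AxoRouter code).

Mimics the curation steps described for AxoRouter: identify the source
product, fill a missing hostname from the sending peer, replace an invalid
timestamp with the receipt time, normalize facility/severity, drop exact
duplicates, and attach destination metadata (constructed Splunk values).
"""
import re
from datetime import datetime, timezone

# RFC 3164-style header: <PRI>Mmm dd HH:MM:SS <rest>
HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<rest>.*)$"
)

# Constructed source-type -> destination metadata mapping (placeholder names).
SPLUNK_ROUTING = {
    "firewall": {"sourcetype": "example:firewall", "index": "netfw"},
    "web-gateway": {"sourcetype": "example:webgw", "index": "web"},
    "unknown": {"sourcetype": "syslog", "index": "main"},
}
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def identify_source(program: str, message: str) -> str:
    """Toy product identification from the program tag and message shape."""
    if program == "kernel" and re.search(r"\b(DENY|ACCEPT)\s+(TCP|UDP)\b", message):
        return "firewall"
    if program in ("nginx", "httpd"):
        return "web-gateway"
    return "unknown"


def parse_timestamp(ts: str, received_at: datetime):
    """Parse a BSD syslog timestamp (no year); on failure fall back to receipt time."""
    try:
        parsed = datetime.strptime(ts, "%b %d %H:%M:%S")
    except ValueError:
        return received_at, False
    return parsed.replace(year=received_at.year, tzinfo=timezone.utc), True


def curate(line: str, peer: str, received_at: datetime) -> dict:
    """Turn one raw line into a normalized record, listing every fix applied."""
    m = HEADER.match(line)
    if not m:  # unparseable header: keep the raw line so nothing is silently lost
        return {"host": peer, "program": None, "message": line, "source": "unknown",
                "fixes": ["unparsed-header"], "splunk": SPLUNK_ROUTING["unknown"]}
    fixes = []
    pri = int(m.group("pri"))
    timestamp, ok = parse_timestamp(m.group("ts"), received_at)
    if not ok:
        fixes.append("timestamp-invalid-replaced-with-receipt-time")
    head, _, tail = m.group("rest").partition(" ")
    if head.endswith(":"):
        # The token after the timestamp is already the program tag: hostname is missing.
        host, program, message = peer, head[:-1], tail
        fixes.append("hostname-missing-filled-from-peer")
    else:
        host = head
        prog_tok, _, message = tail.partition(" ")
        program = prog_tok.rstrip(":")
    source = identify_source(program, message)
    return {"timestamp": timestamp.isoformat(), "host": host, "program": program,
            "facility": pri >> 3, "severity": SEVERITY_NAMES[pri & 7],
            "message": message, "source": source, "fixes": fixes,
            "splunk": SPLUNK_ROUTING[source]}


def curate_batch(lines, peer, received_at):
    """Curate a batch and drop exact duplicates (a simple form of data reduction)."""
    seen, records, dropped = set(), [], 0
    for line in lines:
        rec = curate(line, peer, received_at)
        key = (rec["host"], rec["program"], rec["message"])
        if key in seen:
            dropped += 1
            continue
        seen.add(key)
        records.append(rec)
    return records, dropped


# Constructed sample batch as a router might receive it from peer 192.0.2.10.
SAMPLE_LINES = [
    "<134>Mar  3 10:15:22 fw-edge-01 kernel: DENY TCP 10.0.0.5:51234 -> 203.0.113.9:443",
    "<134>Mar  3 10:15:23 kernel: ACCEPT TCP 10.0.0.7:51235 -> 203.0.113.9:443",  # no hostname
    "<190>Xyz 99 25:61:00 web-gw-02 nginx: GET /login 200",  # invalid timestamp
    "<134>Mar  3 10:15:22 fw-edge-01 kernel: DENY TCP 10.0.0.5:51234 -> 203.0.113.9:443",  # dup
]
PEER = "192.0.2.10"
RECEIVED_AT = datetime(2025, 3, 3, 10, 16, 0, tzinfo=timezone.utc)


def run_sample():
    """Curate the constructed batch with a fixed receipt time."""
    return curate_batch(SAMPLE_LINES, PEER, RECEIVED_AT)


if __name__ == "__main__":
    records, dropped = run_sample()
    for rec in records:
        print(rec["source"], rec["host"], rec["timestamp"], rec["fixes"], rec["splunk"])
    print("dropped duplicates:", dropped)
```

Every repair is recorded in the `fixes` list rather than applied silently, so a downstream analyst can tell a hostname that came from the event apart from one inferred from the sending peer; that provenance matters when the curated data is later used as evidence.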

[Figure: Axoflow Platform Architecture]

Axolet

Axolet is a monitoring and management agent that integrates with the local log collector (like AxoSyslog, Splunk Connect for Syslog, or syslog-ng) that runs on the data source and provides detailed metrics about the host and its data traffic to the AxoConsole. AxoRouter deployments automatically include Axolet.

Storage solutions

In addition to routing your data to various storage and SIEM solutions, Axoflow provides a range of storage solutions for your use cases, from small, temporary storage to petabyte-scale long-term data retention.

[Figure: Storage architecture overview]

AxoStore

AxoStore is a lightweight, queryable, temporary storage option that stores data locally on the AxoRouter host. AxoConsole provides federated search for every AxoRouter that has AxoStore deployed, so you can simultaneously run queries on every AxoStore.

AxoStore is automatically available for all Axoflow customers, for each AxoRouter node, with 7-day retention and up to 1 TB of storage. For a longer retention time or more storage, you need an extended AxoStore subscription. Contact us for the details.

For example, AxoStore allows you to:

  • Store debug-level logs for a short time (for example, 24h) to support “what if something happens” scenarios.
  • Collect data ad-hoc for maintenance or debugging tasks.
  • Keep a lightweight local backup of your security data.

[Figure: AxoStore search]

For details, see Storage.

Axoflow Locker

Axoflow Locker is a self-contained “platform-in-a-box” virtual appliance that brings the full Axoflow stack (collection, storage, and analytics) into a single deployable unit. It is ideal for air-gapped, remote, or limited-connectivity environments. With Axoflow Locker you can store smaller volumes of data long term and operate locally even when disconnected from a central hub.

Axoflow Locker provides fast queries to the stored data, and comes with optional high availability with multi-node data replication. For details and pricing, see the Axoflow Locker product page, or contact us.

[Figure: Axoflow Locker]

AxoLake

AxoLake is a tiered SaaS security lake with a scalable hot tier for fast queries and a cost-efficient, S3-compatible, cloud-based cold tier. You can use high-level, policy-based routing to decide which data goes to cold storage, hot storage, or your SIEM. If you need to work with data from cold storage, you can rehydrate it into hot storage, or even replay it to send it into your SIEM. AxoLake is designed for long-term retention, open access, and integration with SIEMs and security analytics.

AxoLake provides cheap, long-term archive storage, while delivering accessible hot data for detection and analytics.

For details and pricing, see the AxoLake product page, or contact us.

[Figure: AxoLake]

Axoflow agent

Axoflow agent is a collection of managed agents for Linux, Kubernetes, and Microsoft Windows. They collect local data from the host they’re deployed on, send it to an AxoRouter instance, and provide metadata for AxoConsole.