Vendors

• 1: A10 Networks
• 1.1: vThunder
• 2: Amazon
• 2.1: CloudWatch
• 3: Axoflow
• 3.1: AxoSyslog
• 4: Broadcom
• 4.1: Edge Secure Web Gateway (Edge SWG)
• 4.2: NSX
• 5: Check Point
• 5.1: Anti-Bot
• 5.2: Anti-Malware
• 5.3: Anti-Phishing
• 5.4: Anti-Spam and Email Security
• 5.5: CPMI Client
• 5.6: cpmidu_update_tool
• 5.7: Database Tool
• 5.8: Edge Secure Web Gateway (Edge SWG)
• 5.9: Endpoint Compliance
• 5.10: Endpoint Management
• 5.11: Forensics
• 5.12: GO Password Reset
• 5.13: HTTPS Inspection
• 5.14: IPS
• 5.15: MDS Query Tool
• 5.16: Media Encryption & Port Protection
• 5.17: Mobile Access
• 5.18: Next-Generation Firewall (NGFW)
• 5.19: QoS
• 5.20: Quantum
• 5.21: Query Database
• 5.22: SmartConsole
• 5.23: SmartUpdate
• 5.24: Threat Emulation and Anti-Exploit
• 5.25: URL Filtering
• 5.26: Web API
• 6: Cisco
• 6.1: Access Control System (ACS)
• 6.2: Adaptive Security Appliance (ASA)
• 6.3: Application Control Engine (ACE)
• 6.4: Cisco IOS
• 6.5: Digital Network Architecture (DNA)
• 6.6: Email Security Appliance (ESA)
• 6.7: Firepower
• 6.8: Firepower Threat Defence (FTD)
• 6.9: Firewall Services Module (FWSM)
• 6.10: HyperFlex (HX, UCSH)
• 6.11: Identity Services Engine (ISE)
• 6.12: Integrated Management Controller (IMC)
• 6.13: IOS XR
• 6.14: Meraki MX
• 6.15: Private Internet eXchange (PIX)
• 6.16: TelePresence Video Communication Server (VCS)
• 6.17: Unified Computing System Manager (UCSM)
• 6.18: Unified Communications Manager (UCM)
• 6.19: Viptela
• 7: Citrix
• 7.1: Netscaler
• 8: Corelight
• 8.1: Open Network Detection & Response (NDR)
• 9: CyberArk
• 9.1: Privileged Threat Analytics (PTA)
• 9.2: Vault
• 10: F5 Networks
• 10.1: BIG-IP
• 11: FireEye
• 12: Forcepoint
• 12.1: Email Security
• 12.2: Next-Generation Firewall (NGFW)
• 12.3: WebProtect
• 13: Fortinet
• 13.1: FortiGate firewalls
• 13.2: FortiMail
• 13.3: FortiWeb
• 14: Fortra
• 14.1: Powertech SIEM Agent for IBM i
• 15: General Unix/Linux host
• 15.1: Generic Linux services
• 16: Imperva
• 16.1: Incapsula
• 16.2: SecureSphere
• 17: Infoblox
• 17.1: NIOS
• 18: Ivanti
• 18.1: Connect secure
• 19: Juniper
• 19.1: Junos OS
• 20: Kaspersky
• 20.1: Endpoint Security
• 21: Kubernetes
• 21.1: NGINX Ingress
• 21.2: Telemetry Controller
• 22: MicroFocus
• 23: Microsoft
• 23.1: Azure Event Hubs
• 23.2: Cloud App Security (MCAS)
• 23.3: Windows hosts
• 24: MikroTik
• 24.1: RouterOS
• 25: NetFlow Logic
• 25.1: NetFlow Optimizer
• 26: Netgate
• 26.1: pfSense
• 27: Netmotion
• 27.1: Netmotion
• 28: NETSCOUT
• 28.1: Arbor Edge Defense (AED)
• 28.2: Arbor Pravail (APS)
• 29: OpenText
• 29.1: ArcSight
• 29.2: Self Service Password Reset (SSPR)
• 30: Palo Alto Networks
• 30.1: Cortex XSOAR
• 30.2: Palo Alto firewalls
• 31: Ping Identity
• 31.1: PingAccess
• 32: Powertech
• 33: Progress
• 33.1: Flowmon Anomaly Detection System (ADS)
• 34: Riverbed
• 34.1: SteelConnect
• 34.2: SteelHead
• 35: RSA
• 35.1: Authentication Manager
• 36: rsyslog
• 37: SecureAuth
• 37.1: Identity Platform
• 38: Skyhigh Security
• 38.1: Secure Web Gateway
• 39: SonicWall
• 39.1: SonicWall
• 40: Splunk
• 40.1: Heavy Forwarder
• 41: Superna
• 41.1: Eyeglass
• 42: syslog-ng
• 43: Thales
• 43.1: Vormetric Data Security Platform
• 44: Trellix
• 44.1: Central Management System (CMS)
• 44.2: Email Threat Prevention (ETP)
• 44.3: Endpoint Security (HX)
• 44.4: ePolicy Orchestrator (EPO)
• 44.5: MPS
• 45: Trend Micro
• 45.1: Deep Security Agent
• 46: Ubiquiti
• 46.1: Unifi
• 47: Varonis
• 47.1: DatAdvantage
• 48: Vectra AI
• 48.1: X-Series
• 49: Zscaler appliances
• 49.1: Zscaler Nanolog Streaming Service
• 49.2: Zscaler Log Streaming Service

1 - A10 Networks

1.1 - vThunder

vThunder: Delivers application load balancing, traffic management, and DDoS protection for enterprise networks.

To onboard such a source to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

You can use the labels as:

• Filter labels on the Analytics page,
• in the Filter By Label field during log tapping.

You can use the message fields

• in Flow Processing steps, for example, in the Query field of Select Messages steps,
• in AQL expressions in the search bars.

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: A10_LOAD_BALANCER.

2 - Amazon

2.1 - CloudWatch

CloudWatch: Monitors AWS resources and applications by collecting metrics, logs, and setting alarms.

Axoflow can collect data from your Amazon CloudWatch. At a high level, the process looks like this:

• Deploy an Axoflow Cloud Connector that will collect the data from your CloudWatch. Axoflow Cloud Connector is a simple container that you can deploy into AWS, another cloud provider, or on-prem.
• The connector forwards the collected data to the OpenTelemetry connector of an AxoRouter instance. This AxoRouter can be deployed within AWS, another cloud provider, or on-prem.
• Configure a Flow on AxoConsole that processes and routes the collected data to your destination (for example, Splunk or another SIEM).

Prerequisites

• An AWS account with an active subscription.
• A virtual machine or Kubernetes node running to deploy Axoflow Cloud Connector on.
• An AxoRouter instance that can receive data from the connector. Verify that it has an OpenTelemetry Connector (it’s enabled by default).

• You know the IP address the AxoRouter. To find it:

  1. Open the AxoConsole.
  2. Select the Routers or the Topology page.
  3. Select on AxoRouter instance that is going to receive the logs.
  4. Check the Networks > Address field.
• The Axoflow Cloud Connector must be able to access the AxoRouter on the port the OpenTelemetry Connector is listening on (by default, port 4317). Depending on where the Axoflow Cloud Connector and AxoRouter are deployed, you might need to adjust firewall and ingress/egress rules in your environment.
• Depending on how you want to authenticate Axoflow Cloud Connector, you’ll need an AWS_PROFILE or AWS access keys.

Steps

To collect data from AWS CloudWatch, complete the following steps.

1. Deploy an Axoflow Cloud Connector.

   1. Access the Kubernetes node or virtual machine where you want to deploy Axoflow Cloud Connector.

   2. Set the following environment variable to the IP address of the AxoRouter where you want to forward the data from CloudWatch. This IP address must be accessible from the connector. You can find the IP address of AxoRouter on the Routers > AxoRouter > Overview page.

      export AXOROUTER_ENDPOINT=<AxoRouter-IP-address>
      

   3. (Optional) By default, the connector stores positional and other persistence-related data in the /etc/axoflow-otel-collector/storage directory. In case you want to use a different directory, set the STORAGE_DIRECTORY environment variable.

   4. Run the following command to generate a UUID for the connector. AxoConsole will use this ID to identify the connector.

      UUID_FULL=$(uuidgen 2>/dev/null || cat /proc/sys/kernel/random/uuid 2>/dev/null || python3 -c "import uuid; print(uuid.uuid4())")
      export AXOCLOUDCONNECTOR_DEVICE_ID=$(echo "$UUID_FULL" | cut -d'-' -f1)
      

   5. Set TLS encryption to secure the communication between Axoflow Cloud Connector and AxoRouter.

      Configure the TLS-related settings of Axoflow Cloud Connector using the following environment variables.

      Variable	Required	Default	Description
      AXOROUTER_TLS_INSECURE	No	false	Disables TLS encryption if set to true
      AXOROUTER_TLS_INCLUDE_SYSTEM_CA_CERTS_POOL	No	false	Set to true to use the system CA certificates
      AXOROUTER_TLS_CA_FILE	No	-	Path to the CA certificate file used to validate the certificate of AxoRouter
      AXOROUTER_TLS_CA_PEM	No	-	PEM-encoded CA certificate
      AXOROUTER_TLS_INSECURE_SKIP_VERIFY	No	false	Set to true to disable TLS certificate verification of AxoRouter
      AXOROUTER_TLS_CERT_FILE	No	-	Path to the certificate file of Axoflow Cloud Connector
      AXOROUTER_TLS_CERT_PEM	No	-	PEM-encoded client certificate
      AXOROUTER_TLS_KEY_FILE	No	-	Path to the client private key file of Axoflow Cloud Connector
      AXOROUTER_TLS_KEY_PEM	No	-	PEM-encoded client private key
      AXOROUTER_TLS_MIN_VERSION	No	1.2	Minimum TLS version to use
      AXOROUTER_TLS_MAX_VERSION	No	-	Maximum TLS version to use

      Note You’ll have to include the TLS-related environment variables you set in the docker command used to deploy Axoflow Cloud Connector.

   6. Configure the authentication that the Axoflow Cloud Connector will use to access CloudWatch. Set the environment variables for the authentication method you want to use.

      • AWS Profile with a configuration file: Set the region and the AWS_PROFILE

        export AWS_PROFILE=""
        export AWS_REGION=""
        

      • AWS Credentials: To use AWS access keys, set an access key and a matching secret.

        export AWS_ACCESS_KEY_ID=""
        export AWS_SECRET_ACCESS_KEY=""
        export AWS_REGION=""
        

      • EC2 instance profile:

        export AWS_REGION=""
        

   7. Deploy the Axoflow Cloud Connector. The exact command depends on the authentication method and the TLS settings you want to configure.

      • AWS Profile with a configuration file: Set the region and the AWS_PROFILE. Also, pass the TLS-related settings you’ve set earlier.

        docker run --rm \
        -v "${STORAGE_DIRECTORY}":"${STORAGE_DIRECTORY}" \
        -e AWS_PROFILE="${AWS_PROFILE}" \
        -e AWS_REGION="${AWS_REGION}" \
        -e AWS_SDK_LOAD_CONFIG=1 \
        -e AXOROUTER_ENDPOINT="${AXOROUTER_ENDPOINT}" \
        -e STORAGE_DIRECTORY="${STORAGE_DIRECTORY}" \
        -e AXOCLOUDCONNECTOR_DEVICE_ID="${AXOCLOUDCONNECTOR_DEVICE_ID}" \
        -e <TlS-related-environment-variable>="${<TlS-related-environment-variable>}" \
        -v "${HOME}/.aws:/cloudconnectors/.aws:ro" \
        ghcr.io/axoflow/axocloudconnectors:latest
        

      • AWS Credentials: To use AWS access keys, set an access key and a matching secret. Also, pass the TLS-related settings you’ve set earlier.

        docker run --rm \
        -v "${STORAGE_DIRECTORY}":"${STORAGE_DIRECTORY}" \
        -e AWS_ACCESS_KEY_ID="${AWS_ACCESS_KEY_ID}" \
        -e AWS_SECRET_ACCESS_KEY="${AWS_SECRET_ACCESS_KEY}" \
        -e AWS_REGION="${AWS_REGION}" \
        -e AXOROUTER_ENDPOINT="${AXOROUTER_ENDPOINT}" \
        -e AXOCLOUDCONNECTOR_DEVICE_ID="${AXOCLOUDCONNECTOR_DEVICE_ID}" \
        -e <TlS-related-environment-variable>="${<TlS-related-environment-variable>}" \
        -e STORAGE_DIRECTORY="${STORAGE_DIRECTORY}" \
        ghcr.io/axoflow/axocloudconnectors:latest
        

      • EC2 instance profile: Also, pass the TLS-related settings you’ve set earlier.

        docker run --rm \
        -v "${STORAGE_DIRECTORY}":"${STORAGE_DIRECTORY}" \
        -e AWS_REGION="${AWS_REGION}" \
        -e AXOROUTER_ENDPOINT="${AXOROUTER_ENDPOINT}" \
        -e AXOCLOUDCONNECTOR_DEVICE_ID="${AXOCLOUDCONNECTOR_DEVICE_ID}" \
        -e <TlS-related-environment-variable>="${<TlS-related-environment-variable>}" \
        -e STORAGE_DIRECTORY="${STORAGE_DIRECTORY}" \
        ghcr.io/axoflow/axocloudconnectors:latest
        

      The Axoflow Cloud Connector starts forwarding logs to the AxoRouter instance.

2. Add the appliance to AxoConsole.

   1. Open the AxoConsole and select Topology.
   2. Select Add Item > Source.
   3. Select AWS CloudWatch.
   4. Enter the IP address and the FQDN of the Axoflow Cloud Connector instance.
   5. Select Add.

3. Create a Flow to route the data from the AxoRouter instance to a destination. You can use the Labels of this source to select messages from this source.

Labels

Axoflow automatically adds the following labels to data collected from this source:

You can use the labels as:

• Filter labels on the Analytics page,
• in the Filter By Label field during log tapping.

You can use the message fields

• in Flow Processing steps, for example, in the Query field of Select Messages steps,
• in AQL expressions in the search bars.

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: AWS_CLOUDWATCH.

3 - Axoflow

3.1 - AxoSyslog

AxoSyslog: High-performance, configurable syslog service for collecting, processing, and forwarding log data.

Configure AxoSyslog to send data to an OpenTelemetry Connector of an AxoRouter instance using its syslog-ng-otlp destination. If that’s not possible for some reason, use the syslog-ng destination with a Syslog Connector of an AxoRouter instance.

For the best integration of your AxoSyslog instances with AxoConsole, see AxoSyslog.

Labels

Enable classification and parsing in the connector rule that receives data from this source. Axoflow will identify the messages and add labels accordingly.

4 - Broadcom

4.1 - Edge Secure Web Gateway (Edge SWG)

Edge Secure Web Gateway (Edge SWG): Secures web traffic through policy enforcement, SSL inspection, and real-time threat protection.

To onboard such a source to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

You can use the labels as:

• Filter labels on the Analytics page,
• in the Filter By Label field during log tapping.

You can use the message fields

• in Flow Processing steps, for example, in the Query field of Select Messages steps,
• in AQL expressions in the search bars.

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: BROADCOM_EDGE_SWG.

Earlier name/vendor

• Blue Coat Proxy
• Blue Coat ProxySG
• Symantec ProxySG
• Symantec Edge Secure Web Gateway
• Symantec Edge SWG

4.2 - NSX

NSX: Provides network virtualization, micro-segmentation, and security for software-defined data centers.

To onboard such a source to Axoflow, complete the generic appliance onboarding steps.

Configure your NSX appliances, NSX Edges, and hypervisors to send their logs to the Syslog (autodetect and classify) connector of an AxoRouter instance. Use either:

• The TCP protocol (port 601 when using the default connector), or
• TLS-encrypted TCP protocol (port 6514 when using the default connector)

For details on configuring NSX, see Configure Remote Logging in the NSX Administration Guide.

Labels

Axoflow automatically adds the following labels to data collected from this source:

You can use the labels as:

• Filter labels on the Analytics page,
• in the Filter By Label field during log tapping.

You can use the message fields

• in Flow Processing steps, for example, in the Query field of Select Messages steps,
• in AQL expressions in the search bars.

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: VMWARE_NSX.

Earlier name/vendor

• VMware NSX
• NSX-T Data Center

5 - Check Point

5.1 - Anti-Bot

Anti-Bot: Detects and blocks botnet communications and command-and-control traffic to prevent malware infections.

To onboard such a source to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

You can use the labels as:

• Filter labels on the Analytics page,
• in the Filter By Label field during log tapping.

You can use the message fields

• in Flow Processing steps, for example, in the Query field of Select Messages steps,
• in AQL expressions in the search bars.

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: CHECKPOINT_EDR.

5.2 - Anti-Malware

Anti-Malware: Protects endpoints from viruses, ransomware, and other malware using signature and behavior analysis.

To onboard such a source to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

You can use the labels as:

• Filter labels on the Analytics page,
• in the Filter By Label field during log tapping.

You can use the message fields

• in Flow Processing steps, for example, in the Query field of Select Messages steps,
• in AQL expressions in the search bars.

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: CHECKPOINT_EDR.

5.3 - Anti-Phishing

Anti-Phishing: Prevents phishing attacks by analyzing email content and links to block credential theft attempts.

To onboard such a source to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

You can use the labels as:

• Filter labels on the Analytics page,
• in the Filter By Label field during log tapping.

You can use the message fields

• in Flow Processing steps, for example, in the Query field of Select Messages steps,
• in AQL expressions in the search bars.

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: CHECKPOINT_EMAIL.

5.4 - Anti-Spam and Email Security

Anti-Spam and Email Security: Blocks spam and malicious email content using reputation checks and email filtering techniques.

To onboard such a source to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

You can use the labels as:

• Filter labels on the Analytics page,
• in the Filter By Label field during log tapping.

You can use the message fields

• in Flow Processing steps, for example, in the Query field of Select Messages steps,
• in AQL expressions in the search bars.

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: CHECKPOINT_EMAIL.

5.5 - CPMI Client

CPMI Client: Legacy Check Point management client used to interface with security policies and logs.

To onboard such a source to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

You can use the labels as:

• Filter labels on the Analytics page,
• in the Filter By Label field during log tapping.

You can use the message fields

• in Flow Processing steps, for example, in the Query field of Select Messages steps,
• in AQL expressions in the search bars.

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: CHECKPOINT_FIREWALL.

5.6 - cpmidu_update_tool

cpmidu_update_tool: Utility used to update configuration and database files for Check Point Multi-Domain environments.

To onboard such a source to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

You can use the labels as:

• Filter labels on the Analytics page,
• in the Filter By Label field during log tapping.

You can use the message fields

• in Flow Processing steps, for example, in the Query field of Select Messages steps,
• in AQL expressions in the search bars.

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: CHECKPOINT_FIREWALL.

5.7 - Database Tool

Database Tool: Command-line tool to extract, query, or update Check Point configuration and policy databases.

To onboard such a source to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

You can use the labels as:

• Filter labels on the Analytics page,
• in the Filter By Label field during log tapping.

You can use the message fields

• in Flow Processing steps, for example, in the Query field of Select Messages steps,
• in AQL expressions in the search bars.

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

5.8 - Edge Secure Web Gateway (Edge SWG)

Edge Secure Web Gateway (Edge SWG): Provides configuration profiles for secure mobile access and web filtering on iOS devices.

To onboard such a source to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

You can use the labels as:

• Filter labels on the Analytics page,
• in the Filter By Label field during log tapping.

You can use the message fields

• in Flow Processing steps, for example, in the Query field of Select Messages steps,
• in AQL expressions in the search bars.

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: CHECKPOINT_HARMONY.

5.9 - Endpoint Compliance

Endpoint Compliance: Checks endpoint status and posture before granting network access, enforcing security policies.

To onboard such a source to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

You can use the labels as:

• Filter labels on the Analytics page,
• in the Filter By Label field during log tapping.

You can use the message fields

• in Flow Processing steps, for example, in the Query field of Select Messages steps,
• in AQL expressions in the search bars.

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: CHECKPOINT_EDR.

5.10 - Endpoint Management

Endpoint Management: Centralized platform for managing endpoint protection, updates, and policy enforcement.

To onboard such a source to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

You can use the labels as:

• Filter labels on the Analytics page,
• in the Filter By Label field during log tapping.

You can use the message fields

• in Flow Processing steps, for example, in the Query field of Select Messages steps,
• in AQL expressions in the search bars.

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

5.11 - Forensics

Forensics: Analyzes security incidents on endpoints to uncover attack vectors and malicious activity.

To onboard such a source to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

You can use the labels as:

• Filter labels on the Analytics page,
• in the Filter By Label field during log tapping.

You can use the message fields

• in Flow Processing steps, for example, in the Query field of Select Messages steps,
• in AQL expressions in the search bars.

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: CHECKPOINT_EDR.

5.12 - GO Password Reset

GO Password Reset: Facilitates secure password reset processes for users across integrated environments.

To onboard such a source to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

You can use the labels as:

• Filter labels on the Analytics page,
• in the Filter By Label field during log tapping.

You can use the message fields

• in Flow Processing steps, for example, in the Query field of Select Messages steps,
• in AQL expressions in the search bars.

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: CHECKPOINT_AUDIT.

5.13 - HTTPS Inspection

HTTPS Inspection: Decrypts and inspects HTTPS traffic to detect hidden threats within encrypted web sessions.

To onboard such a source to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

You can use the labels as:

• Filter labels on the Analytics page,
• in the Filter By Label field during log tapping.

You can use the message fields

• in Flow Processing steps, for example, in the Query field of Select Messages steps,
• in AQL expressions in the search bars.

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: CHECKPOINT_FIREWALL.

5.14 - IPS

IPS: Detects and blocks known and unknown exploits, malware, and vulnerabilities in network traffic.

To onboard such a source to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

You can use the labels as:

• Filter labels on the Analytics page,
• in the Filter By Label field during log tapping.

You can use the message fields

• in Flow Processing steps, for example, in the Query field of Select Messages steps,
• in AQL expressions in the search bars.

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: CHECKPOINT_EDR.

5.15 - MDS Query Tool

MDS Query Tool: CLI tool for querying multi-domain configurations and policies in Check Point environments.

To onboard such a source to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

You can use the labels as:

• Filter labels on the Analytics page,
• in the Filter By Label field during log tapping.

You can use the message fields

• in Flow Processing steps, for example, in the Query field of Select Messages steps,
• in AQL expressions in the search bars.

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

5.16 - Media Encryption & Port Protection

Media Encryption & Port Protection: Secures USB ports and encrypts removable media to protect sensitive data on endpoints.

To onboard such a source to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

You can use the labels as:

• Filter labels on the Analytics page,
• in the Filter By Label field during log tapping.

You can use the message fields

• in Flow Processing steps, for example, in the Query field of Select Messages steps,
• in AQL expressions in the search bars.

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: CHECKPOINT_EDR.

5.17 - Mobile Access

Mobile Access: Enables secure remote access to corporate apps and data from mobile devices.

To onboard such a source to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

You can use the labels as:

• Filter labels on the Analytics page,
• in the Filter By Label field during log tapping.

You can use the message fields

• in Flow Processing steps, for example, in the Query field of Select Messages steps,
• in AQL expressions in the search bars.

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

5.18 - Next-Generation Firewall (NGFW)

Next-Generation Firewall (NGFW): Next-generation firewall providing intrusion prevention, application control, and threat protection.

To onboard such a source to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

You can use the labels as:

• Filter labels on the Analytics page,
• in the Filter By Label field during log tapping.

You can use the message fields

• in Flow Processing steps, for example, in the Query field of Select Messages steps,
• in AQL expressions in the search bars.

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: CHECKPOINT_FIREWALL.

5.19 - QoS

QoS: Implements bandwidth control and traffic prioritization policies for optimized network usage.

To onboard such a source to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

You can use the labels as:

• Filter labels on the Analytics page,
• in the Filter By Label field during log tapping.

You can use the message fields

• in Flow Processing steps, for example, in the Query field of Select Messages steps,
• in AQL expressions in the search bars.

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: CHECKPOINT_FIREWALL.

5.20 - Quantum

Quantum: Unified threat prevention platform delivering firewall, VPN, and intrusion prevention capabilities.

If you’d like to send data from this source to AxoRouter, contact our support team for details.

5.21 - Query Database

Query Database: Accesses and queries internal policy or object databases in Check Point systems.

To onboard such a source to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

You can use the labels as:

• Filter labels on the Analytics page,
• in the Filter By Label field during log tapping.

You can use the message fields

• in Flow Processing steps, for example, in the Query field of Select Messages steps,
• in AQL expressions in the search bars.

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

5.22 - SmartConsole

SmartConsole: Graphical interface for managing Check Point security policies, logs, and monitoring.

To onboard such a source to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

You can use the labels as:

• Filter labels on the Analytics page,
• in the Filter By Label field during log tapping.

You can use the message fields

• in Flow Processing steps, for example, in the Query field of Select Messages steps,
• in AQL expressions in the search bars.

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

5.23 - SmartUpdate

SmartUpdate: Tool for updating and managing licenses, software, and hotfixes in Check Point environments.

To onboard such a source to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

You can use the labels as:

• Filter labels on the Analytics page,
• in the Filter By Label field during log tapping.

You can use the message fields

• in Flow Processing steps, for example, in the Query field of Select Messages steps,
• in AQL expressions in the search bars.

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

5.24 - Threat Emulation and Anti-Exploit

Threat Emulation and Anti-Exploit: Emulates files in a virtual environment to detect and block advanced persistent threats and exploits.

To onboard such a source to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

You can use the labels as:

• Filter labels on the Analytics page,
• in the Filter By Label field during log tapping.

You can use the message fields

• in Flow Processing steps, for example, in the Query field of Select Messages steps,
• in AQL expressions in the search bars.

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: CHECKPOINT_EDR.

5.25 - URL Filtering

URL Filtering: Controls and logs web access based on URL categories and custom site rules to enforce policy.

To onboard such a source to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

You can use the labels as:

• Filter labels on the Analytics page,
• in the Filter By Label field during log tapping.

You can use the message fields

• in Flow Processing steps, for example, in the Query field of Select Messages steps,
• in AQL expressions in the search bars.

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: CHECKPOINT_FIREWALL.

5.26 - Web API

Web API: Provides programmatic access to Check Point security management through RESTful API endpoints.

To onboard such a source to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

You can use the labels as:

• Filter labels on the Analytics page,
• in the Filter By Label field during log tapping.

You can use the message fields

• in Flow Processing steps, for example, in the Query field of Select Messages steps,
• in AQL expressions in the search bars.

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

6 - Cisco

6.1 - Access Control System (ACS)

Access Control System (ACS): Centralizes network access control with RADIUS and TACACS+ for authentication and authorization.

To onboard such a source to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

You can use the labels as:

• Filter labels on the Analytics page,
• in the Filter By Label field during log tapping.

You can use the message fields

• in Flow Processing steps, for example, in the Query field of Select Messages steps,
• in AQL expressions in the search bars.

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: CISCO_ACS.

6.2 - Adaptive Security Appliance (ASA)

Adaptive Security Appliance (ASA): Provides stateful firewall, VPN support, and advanced threat protection for secure network perimeters.

To onboard such a source to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

You can use the labels as:

• Filter labels on the Analytics page,
• in the Filter By Label field during log tapping.

You can use the message fields

• in Flow Processing steps, for example, in the Query field of Select Messages steps,
• in AQL expressions in the search bars.

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: CISCO_ASA_FIREWALL.

6.3 - Application Control Engine (ACE)

Application Control Engine (ACE): Provides application-aware load balancing, SSL offload, and traffic control for Cisco networks.

To onboard such a source to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

You can use the labels as:

• Filter labels on the Analytics page,
• in the Filter By Label field during log tapping.

You can use the message fields

• in Flow Processing steps, for example, in the Query field of Select Messages steps,
• in AQL expressions in the search bars.

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: CISCO_ACE.

6.4 - Cisco IOS

Cisco IOS: Network operating system for Cisco routers and switches, enabling routing, switching, and security.

To onboard such a source to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

You can use the labels as:

• Filter labels on the Analytics page,
• in the Filter By Label field during log tapping.

You can use the message fields

• in Flow Processing steps, for example, in the Query field of Select Messages steps,
• in AQL expressions in the search bars.

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: CISCO_IOS.

6.5 - Digital Network Architecture (DNA)

Digital Network Architecture (DNA): Provides software-defined networking, policy automation, and analytics for enterprise infrastructure.

To onboard such a source to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

You can use the labels as:

• Filter labels on the Analytics page,
• in the Filter By Label field during log tapping.

You can use the message fields

• in Flow Processing steps, for example, in the Query field of Select Messages steps,
• in AQL expressions in the search bars.

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: CISCO_DNAC.

6.6 - Email Security Appliance (ESA)

Email Security Appliance (ESA): Protects email systems from spam, phishing, malware, and data loss with advanced threat filtering.

To onboard such a source to Axoflow, complete the generic appliance onboarding steps.

Note that the device can be configured to send plain-text syslog or CEF-formatted logs. AxoRouter can automatically parse all flavors.

Labels

Axoflow automatically adds the following labels to data collected from this source:

You can use the labels as:

• Filter labels on the Analytics page,
• in the Filter By Label field during log tapping.

You can use the message fields

• in Flow Processing steps, for example, in the Query field of Select Messages steps,
• in AQL expressions in the search bars.

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype, index, and source settings:

Tested with: Splunk Add-on for Cisco ESA

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: CISCO_EMAIL_SECURITY.

6.7 - Firepower

Firepower: Provides next-gen firewall features including intrusion prevention, app control, and malware protection.

To onboard such a source to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

You can use the labels as:

• Filter labels on the Analytics page,
• in the Filter By Label field during log tapping.

You can use the message fields

• in Flow Processing steps, for example, in the Query field of Select Messages steps,
• in AQL expressions in the search bars.

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: CISCO_FIREPOWER_FIREWALL.

6.8 - Firepower Threat Defence (FTD)

Firepower Threat Defence (FTD): Unifies firewall, VPN, and intrusion prevention into a single software for comprehensive threat defense.

To onboard such a source to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

You can use the labels as:

• Filter labels on the Analytics page,
• in the Filter By Label field during log tapping.

You can use the message fields

• in Flow Processing steps, for example, in the Query field of Select Messages steps,
• in AQL expressions in the search bars.

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

6.9 - Firewall Services Module (FWSM)

Firewall Services Module (FWSM): Delivers multi-context, high-performance firewall services integrated into Cisco Catalyst switches.

To onboard such a source to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

You can use the labels as:

• Filter labels on the Analytics page,
• in the Filter By Label field during log tapping.

You can use the message fields

• in Flow Processing steps, for example, in the Query field of Select Messages steps,
• in AQL expressions in the search bars.

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: CISCO_FWSM.

6.10 - HyperFlex (HX, UCSH)

HyperFlex (HX, UCSH): Infrastructure solution combining compute, storage, and networking in a single system.

To onboard such a source to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

You can use the labels as:

• Filter labels on the Analytics page,
• in the Filter By Label field during log tapping.

You can use the message fields

• in Flow Processing steps, for example, in the Query field of Select Messages steps,
• in AQL expressions in the search bars.

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: CISCO_UCS.

6.11 - Identity Services Engine (ISE)

Identity Services Engine (ISE): Manages network access control and enforces policies with user and device authentication capabilities.

To onboard such a source to Axoflow, complete the generic appliance onboarding steps.

For details on configuring your Identity Services Engine to forward its logs to an AxoRouter instance, see Configure Remote Syslog Collection Locations in Cisco Identity Services Engine (ISE) Administrator Guide.

Labels

Axoflow automatically adds the following labels to data collected from this source:

You can use the labels as:

• Filter labels on the Analytics page,
• in the Filter By Label field during log tapping.

You can use the message fields

• in Flow Processing steps, for example, in the Query field of Select Messages steps,
• in AQL expressions in the search bars.

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: CISCO_ISE.

6.12 - Integrated Management Controller (IMC)

Integrated Management Controller (IMC): Provides out-of-band server management for Cisco UCS, enabling hardware monitoring and configuration.

To onboard such a source to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

You can use the labels as:

• Filter labels on the Analytics page,
• in the Filter By Label field during log tapping.

You can use the message fields

• in Flow Processing steps, for example, in the Query field of Select Messages steps,
• in AQL expressions in the search bars.

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

6.13 - IOS XR

IOS XR: High-performance, modular network operating system for carrier-grade routing and scalability.

To onboard such a source to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

You can use the labels as:

• Filter labels on the Analytics page,
• in the Filter By Label field during log tapping.

You can use the message fields

• in Flow Processing steps, for example, in the Query field of Select Messages steps,
• in AQL expressions in the search bars.

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

6.14 - Meraki MX

Meraki MX: Cloud-managed network appliance offering firewall, VPN, SD-WAN, and security in a single platform.

To onboard such a source to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

You can use the labels as:

• Filter labels on the Analytics page,
• in the Filter By Label field during log tapping.

You can use the message fields

• in Flow Processing steps, for example, in the Query field of Select Messages steps,
• in AQL expressions in the search bars.

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

Tested with: TA-meraki

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: CISCO_MERAKI.

6.15 - Private Internet eXchange (PIX)

Private Internet eXchange (PIX): Legacy firewall appliance delivering stateful inspection and secure network access control.

To onboard such a source to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

You can use the labels as:

• Filter labels on the Analytics page,
• in the Filter By Label field during log tapping.

You can use the message fields

• in Flow Processing steps, for example, in the Query field of Select Messages steps,
• in AQL expressions in the search bars.

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: CISCO_PIX_FIREWALL.

6.16 - TelePresence Video Communication Server (VCS)

TelePresence Video Communication Server (VCS): Enables video conferencing control and call routing for Cisco TelePresence systems and endpoints.

To onboard such a source to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

You can use the labels as:

• Filter labels on the Analytics page,
• in the Filter By Label field during log tapping.

You can use the message fields

• in Flow Processing steps, for example, in the Query field of Select Messages steps,
• in AQL expressions in the search bars.

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

6.17 - Unified Computing System Manager (UCSM)

Unified Computing System Manager (UCSM): Centralized management platform for Cisco Unified Computing System (UCS) servers and resources.

To onboard such a source to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

You can use the labels as:

• Filter labels on the Analytics page,
• in the Filter By Label field during log tapping.

You can use the message fields

• in Flow Processing steps, for example, in the Query field of Select Messages steps,
• in AQL expressions in the search bars.

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: CISCO_UCS.

6.18 - Unified Communications Manager (UCM)

Unified Communications Manager (UCM): Delivers unified voice, video, messaging, and mobility services in enterprise IP telephony systems.

To onboard such a source to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

You can use the labels as:

• Filter labels on the Analytics page,
• in the Filter By Label field during log tapping.

You can use the message fields

• in Flow Processing steps, for example, in the Query field of Select Messages steps,
• in AQL expressions in the search bars.

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: CISCO_UCM.

6.19 - Viptela

Viptela: Software-defined WAN solution providing secure connectivity, centralized control, and traffic optimization.

To onboard such a source to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

You can use the labels as:

• Filter labels on the Analytics page,
• in the Filter By Label field during log tapping.

You can use the message fields

• in Flow Processing steps, for example, in the Query field of Select Messages steps,
• in AQL expressions in the search bars.

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: CISCO_VIPTELA.

7 - Citrix

7.1 - Netscaler

Netscaler: Offers application delivery, load balancing, and security features for optimized app performance.

To onboard such a source to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

You can use the labels as:

• Filter labels on the Analytics page,
• in the Filter By Label field during log tapping.

You can use the message fields

• in Flow Processing steps, for example, in the Query field of Select Messages steps,
• in AQL expressions in the search bars.

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: CITRIX_NETSCALER_WEB_LOGS.

8 - Corelight

8.1 - Open Network Detection & Response (NDR)

Open Network Detection & Response (NDR): Provides network detection and response by analyzing traffic for advanced threats and anomalous behavior.

To onboard such a source to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

You can use the labels as:

• Filter labels on the Analytics page,
• in the Filter By Label field during log tapping.

You can use the message fields

• in Flow Processing steps, for example, in the Query field of Select Messages steps,
• in AQL expressions in the search bars.

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype, source, and index settings:

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: CORELIGHT.

9 - CyberArk

9.1 - Privileged Threat Analytics (PTA)

Privileged Threat Analytics (PTA): Analyzes privileged account behavior to detect threats and suspicious activity in real time.

To onboard such a source to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

You can use the labels as:

• Filter labels on the Analytics page,
• in the Filter By Label field during log tapping.

You can use the message fields

• in Flow Processing steps, for example, in the Query field of Select Messages steps,
• in AQL expressions in the search bars.

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: CYBERARK_PTA.

9.2 - Vault

Vault: Stores and manages privileged credentials, session recordings, and access control policies securely.

To onboard such a source to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

You can use the labels as:

• Filter labels on the Analytics page,
• in the Filter By Label field during log tapping.

You can use the message fields

• in Flow Processing steps, for example, in the Query field of Select Messages steps,
• in AQL expressions in the search bars.

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: CYBERARK.

10 - F5 Networks

10.1 - BIG-IP

BIG-IP: Provides load balancing, traffic management, and application security for optimized service delivery.

To onboard such a source to Axoflow, complete the generic appliance onboarding steps.

Note that the device can be configured to send logs formatted as plain-text syslog, JSON, or key-value pairs. AxoRouter can automatically parse all flavors.

Labels

Axoflow automatically adds the following labels to data collected from this source:

You can use the labels as:

• Filter labels on the Analytics page,
• in the Filter By Label field during log tapping.

You can use the message fields

• in Flow Processing steps, for example, in the Query field of Select Messages steps,
• in AQL expressions in the search bars.

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

Tested with: Splunk Add-on for F5 BIG-IP

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: F5_BIGIP_APM.

11 - FireEye

12 - Forcepoint

12.1 - Email Security

Email Security: Protects email systems from spam, phishing, malware, and data exfiltration using advanced threat defense.

To onboard such a source to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

You can use the labels as:

• Filter labels on the Analytics page,
• in the Filter By Label field during log tapping.

You can use the message fields

• in Flow Processing steps, for example, in the Query field of Select Messages steps,
• in AQL expressions in the search bars.

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype, source, and index settings:

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: FORCEPOINT_EMAILSECURITY.

Earlier name/vendor

• Websense Email Security

12.2 - Next-Generation Firewall (NGFW)

Next-Generation Firewall (NGFW): Next-gen firewall with deep packet inspection, policy enforcement, and integrated intrusion prevention.

To onboard such a source to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

You can use the labels as:

• Filter labels on the Analytics page,
• in the Filter By Label field during log tapping.

You can use the message fields

• in Flow Processing steps, for example, in the Query field of Select Messages steps,
• in AQL expressions in the search bars.

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype, source, and index settings:

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: FORCEPOINT_FIREWALL.

Earlier name/vendor

• Websense Webprotect
• Forcepoint Webprotect
• Forcepoint Secure Web Gateway

12.3 - WebProtect

WebProtect: Provides web traffic filtering, malware protection, and data loss prevention for secure internet access.

To onboard such a source to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

You can use the labels as:

• Filter labels on the Analytics page,
• in the Filter By Label field during log tapping.

You can use the message fields

• in Flow Processing steps, for example, in the Query field of Select Messages steps,
• in AQL expressions in the search bars.

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype, source, and index settings:

Earlier name/vendor

• Websense Firewall

13 - Fortinet

13.1 - FortiGate firewalls

FortiGate firewalls: Enterprise firewall platform offering threat protection, VPN, and traffic filtering for secure networking.

The following sections show you how to configure FortiGate Next-Generation Firewall (NGFW) to send their log data to Axoflow.

Prerequisites

• You have administrative access to the firewall.
• The date, time, and time zone are correctly set on the firewall.
• You have an AxoRouter deployed and configured with a Syslog connector that has parsing and classification enabled (by default, every AxoRouter has such connectors). This device is going to receive the data from the firewall.

• You know the IP address the AxoRouter. To find it:

  1. Open the AxoConsole.
  2. Select the Routers or the Topology page.
  3. Select on AxoRouter instance that is going to receive the logs.
  4. Check the Networks > Address field.

Steps

Note: The steps involving the FortiGate user interface are just for your convenience, for details, see the official FortiGate documentation.

1. Log in to your FortiGate device. You need administrator privileges to perform the configuration.

2. Register the address of your AxoRouter as an Address Object.

   1. Select Log & Report > Log Settings > Global Settings.

   2. Configure the following settings:

      • Event Logging: Click All.
      • Local traffic logging: Click All.
      • Syslog logging: Enable this option.
      • IP address/FQDN: Enter the address of your AxoRouter: %axorouter-ip%

   3. Click Apply.

3. Add the source to AxoConsole.

   1. Open the AxoConsole and select Topology.

   2. Select Add Item > Source.

      

      • If the source is actively sending data to an AxoRouter instance, select Detected, then select your source.

      • Otherwise, select the vendor and product corresponding to your source from the Predefined sources, then enter the parameters of the source, like IP address and FQDN.

        

      Note During log tapping, you can add hosts that are actively sending data to an AxoRouter instance by clicking Register source.

   3. (Optional) Add custom labels as needed.

   4. Select Add.

Labels

Axoflow automatically adds the following labels to data collected from this source:

You can use the labels as:

• Filter labels on the Analytics page,
• in the Filter By Label field during log tapping.

You can use the message fields

• in Flow Processing steps, for example, in the Query field of Select Messages steps,
• in AQL expressions in the search bars.

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

Tested with: Fortinet FortiGate Add-On for Splunk technical add-on

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: FORTINET_FIREWALL.

13.2 - FortiMail

FortiMail: Secures inbound and outbound email with spam filtering, malware protection, and advanced threat detection.

To onboard such a source to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

You can use the labels as:

• Filter labels on the Analytics page,
• in the Filter By Label field during log tapping.

You can use the message fields

• in Flow Processing steps, for example, in the Query field of Select Messages steps,
• in AQL expressions in the search bars.

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

Tested with: FortiMail Add-on for Splunk technical add-on

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: FORTINET_FORTIMAIL.

13.3 - FortiWeb

FortiWeb: Web application firewall protecting websites from attacks like XSS, SQL injection, and bot threats.

To onboard such a source to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

You can use the labels as:

• Filter labels on the Analytics page,
• in the Filter By Label field during log tapping.

You can use the message fields

• in Flow Processing steps, for example, in the Query field of Select Messages steps,
• in AQL expressions in the search bars.

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

Tested with: Fortinet FortiWeb Add-0n for Splunk technical add-on

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: FORTINET_FORTIWEB.

14 - Fortra

14.1 - Powertech SIEM Agent for IBM i

Powertech SIEM Agent for IBM i: Monitors IBM i system activity and forwards security events for centralized analysis in SIEM platforms.

To onboard such a source to Axoflow, complete the generic appliance onboarding steps.

Note that the device can be configured to send logs formatted as CEF or LEEF. AxoRouter can automatically parse all flavors.

Labels

Axoflow automatically adds the following labels to data collected from this source:

You can use the labels as:

• Filter labels on the Analytics page,
• in the Filter By Label field during log tapping.

You can use the message fields

• in Flow Processing steps, for example, in the Query field of Select Messages steps,
• in AQL expressions in the search bars.

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype, source, and index settings:

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: FORTRA_POWERTECH_SIEM_AGENT.

Earlier name/vendor

Powertech Interact

15 - General Unix/Linux host

15.1 - Generic Linux services

Generic Linux services: A generic placeholder for program classifications

These classifications include non-vendor specific services and applications commonly found on Linux/Unix hosts.

To onboard such a source to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

You can use the labels as:

• Filter labels on the Analytics page,
• in the Filter By Label field during log tapping.

You can use the message fields

• in Flow Processing steps, for example, in the Query field of Select Messages steps,
• in AQL expressions in the search bars.

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

Tested with: Splunk Add-on for Infoblox

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: BIND_DNS, ISC_DHCP, NIX_SYSTEM, or OPENSSH.

16 - Imperva

16.1 - Incapsula

Incapsula: Cloud-based WAF, DDoS protection, and bot mitigation service for securing web applications and APIs.

To onboard such a source to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

You can use the labels as:

• Filter labels on the Analytics page,
• in the Filter By Label field during log tapping.

You can use the message fields

• in Flow Processing steps, for example, in the Query field of Select Messages steps,
• in AQL expressions in the search bars.

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype, source, and index settings:

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: IMPERVA_CEF.

16.2 - SecureSphere

SecureSphere: Provides on-prem web application, database, and file security with granular activity monitoring.

To onboard such a source to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

You can use the labels as:

• Filter labels on the Analytics page,
• in the Filter By Label field during log tapping.

You can use the message fields

• in Flow Processing steps, for example, in the Query field of Select Messages steps,
• in AQL expressions in the search bars.

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype, source, and index settings:

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: IMPERVA_SECURESPHERE.

17 - Infoblox

17.1 - NIOS

NIOS: Delivers secure DNS, DHCP, and IPAM (DDI) services with centralized network control and automation.

To onboard such a source to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

You can use the labels as:

• Filter labels on the Analytics page,
• in the Filter By Label field during log tapping.

You can use the message fields

• in Flow Processing steps, for example, in the Query field of Select Messages steps,
• in AQL expressions in the search bars.

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

Tested with: Splunk Add-on for Infoblox

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: INFOBLOX, INFOBLOX_DNS.

18 - Ivanti

18.1 - Connect secure

Connect secure: Provides dynamic IP address assignment and network configuration for DHCP-enabled devices.

To onboard such a source to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

You can use the labels as:

• Filter labels on the Analytics page,
• in the Filter By Label field during log tapping.

You can use the message fields

• in Flow Processing steps, for example, in the Query field of Select Messages steps,
• in AQL expressions in the search bars.

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype, source, and index settings:

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: IVANTI_CONNECT_SECURE.

Earlier name/vendor

Pulse Connect Secure

19 - Juniper

19.1 - Junos OS

Junos OS: Junos OS is the network operating system for Juniper physical and virtual networking and security products.

To onboard such a source to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

You can use the labels as:

• Filter labels on the Analytics page,
• in the Filter By Label field during log tapping.

You can use the message fields

• in Flow Processing steps, for example, in the Query field of Select Messages steps,
• in AQL expressions in the search bars.

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

Tested with: Splunk Add-on for Juniper

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: JUNIPER_JUNOS.

20 - Kaspersky

20.1 - Endpoint Security

Endpoint Security: Protects endpoints from malware, ransomware, and intrusions with antivirus, firewall, and threat detection.

To onboard such a source to Axoflow, complete the generic appliance onboarding steps.

Note that the device can be configured to send logs formatted as plain-text syslog, CEF, or LEEF. AxoRouter can automatically parse all flavors.

Labels

Axoflow automatically adds the following labels to data collected from this source:

You can use the labels as:

• Filter labels on the Analytics page,
• in the Filter By Label field during log tapping.

You can use the message fields

• in Flow Processing steps, for example, in the Query field of Select Messages steps,
• in AQL expressions in the search bars.

Note that the device can be configured to send plain syslog text, LEEF, or CEF-formatted output.

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: KASPERSKY_ENDPOINT.

21 - Kubernetes

21.1 - NGINX Ingress

NGINX Ingress: Ingress NGINX Controller

Configure your log collector (for example, Telemetry Controller) to send data to an OpenTelemetry Connector of an AxoRouter instance using the OTLP/gRPC protocol.

Labels

Axoflow automatically adds the following labels to data collected from this source:

You can use the labels as:

• Filter labels on the Analytics page,
• in the Filter By Label field during log tapping.

You can use the message fields

• in Flow Processing steps, for example, in the Query field of Select Messages steps,
• in AQL expressions in the search bars.

21.2 - Telemetry Controller

Telemetry Controller: Telemetry Controller

Configure Telemetry Controller to send data to an OpenTelemetry Connector of an AxoRouter instance.

Labels

Axoflow automatically adds the following labels to data collected from this source:

You can use the labels as:

• Filter labels on the Analytics page,
• in the Filter By Label field during log tapping.

You can use the message fields

• in Flow Processing steps, for example, in the Query field of Select Messages steps,
• in AQL expressions in the search bars.

22 - MicroFocus

23 - Microsoft

23.1 - Azure Event Hubs

Azure Event Hubs: Big data streaming platform to ingest and process events.

Axoflow can collect data from your Azure Event Hubs. At a high level, the process looks like this:

• Deploy an Axoflow Cloud Connector that will collect the data from your Event Hub. Axoflow Cloud Connector is a simple container that you can deploy into Azure, another cloud provider, or on-prem.
• The connector forwards the collected data to the OpenTelemetry connector of an AxoRouter instance. This AxoRouter can be deployed within Azure, another cloud provider, or on-prem.
• Configure a Flow on AxoConsole that processes and routes the collected data to your destination (for example, Splunk or another SIEM).

Prerequisites

• An Azure account with an active subscription.
• A virtual machine or Kubernetes node running to deploy Axoflow Cloud Connector on.
• An AxoRouter instance that can receive data from the connector. Verify that it has an OpenTelemetry Connector (it’s enabled by default).

• You know the IP address the AxoRouter. To find it:

  1. Open the AxoConsole.
  2. Select the Routers or the Topology page.
  3. Select on AxoRouter instance that is going to receive the logs.
  4. Check the Networks > Address field.
• The Axoflow Cloud Connector must be able to access the AxoRouter on the port the OpenTelemetry Connector is listening on (by default, port 4317). Depending on where the Axoflow Cloud Connector and AxoRouter are deployed, you might need to adjust firewall and ingress/egress rules in your environment.
• An Event Hubs connection string.

Steps

To collect data from Azure Event Hubs, complete the following steps.

1. Deploy an Axoflow Cloud Connector into Azure.

   1. Access the Kubernetes node or virtual machine.

   2. Set the following environment variable to the IP address of the AxoRouter where you want to forward the data from Event Hubs. This IP address must be accessible from the connector. You can find the IP address of AxoRouter on the Routers > AxoRouter > Overview page.

      export AXOROUTER_ENDPOINT=<AxoRouter-IP-address>
      

   3. (Optional) By default, the connector stores positional and other persistence-related data in the /etc/axoflow-otel-collector/storage directory. In case you want to use a different directory, set the STORAGE_DIRECTORY environment variable.

   4. Run the following command to generate a UUID for the connector. AxoConsole will use this ID to identify the connector.

      UUID_FULL=$(uuidgen 2>/dev/null || cat /proc/sys/kernel/random/uuid 2>/dev/null || python3 -c "import uuid; print(uuid.uuid4())")
      export AXOCLOUDCONNECTOR_DEVICE_ID=$(echo "$UUID_FULL" | cut -d'-' -f1)
      

   5. Set TLS encryption to secure the communication between Axoflow Cloud Connector and AxoRouter.

      Configure the TLS-related settings of Axoflow Cloud Connector using the following environment variables.

      Variable	Required	Default	Description
      AXOROUTER_TLS_INSECURE	No	false	Disables TLS encryption if set to true
      AXOROUTER_TLS_INCLUDE_SYSTEM_CA_CERTS_POOL	No	false	Set to true to use the system CA certificates
      AXOROUTER_TLS_CA_FILE	No	-	Path to the CA certificate file used to validate the certificate of AxoRouter
      AXOROUTER_TLS_CA_PEM	No	-	PEM-encoded CA certificate
      AXOROUTER_TLS_INSECURE_SKIP_VERIFY	No	false	Set to true to disable TLS certificate verification of AxoRouter
      AXOROUTER_TLS_CERT_FILE	No	-	Path to the certificate file of Axoflow Cloud Connector
      AXOROUTER_TLS_CERT_PEM	No	-	PEM-encoded client certificate
      AXOROUTER_TLS_KEY_FILE	No	-	Path to the client private key file of Axoflow Cloud Connector
      AXOROUTER_TLS_KEY_PEM	No	-	PEM-encoded client private key
      AXOROUTER_TLS_MIN_VERSION	No	1.2	Minimum TLS version to use
      AXOROUTER_TLS_MAX_VERSION	No	-	Maximum TLS version to use

      Note You’ll have to include the TLS-related environment variables you set in the docker command used to deploy Axoflow Cloud Connector.

   6. Set the AZURE_EVENTHUB_CONNECTION_STRING environment variable.

      export AZURE_EVENTHUB_CONNECTION_STRING="Endpoint=sb://<NamespaceName>.servicebus.windows.net/;SharedAccessKeyName=<KeyName>;SharedAccessKey=<KeyValue>;EntityPath=<EventHubName>"
      

   7. Deploy the Axoflow Cloud Connector by running the following command. Also, pass the TLS-related settings you’ve set earlier.

      docker run --rm \
      -v "${STORAGE_DIRECTORY}":"${STORAGE_DIRECTORY}" \
      -e AZURE_EVENTHUB_CONNECTION_STRING="${AZURE_EVENTHUB_CONNECTION_STRING}" \
      -e AXOROUTER_ENDPOINT="${AXOROUTER_ENDPOINT}" \
      -e STORAGE_DIRECTORY="${STORAGE_DIRECTORY}" \
      -e <TlS-related-environment-variable>="${<TlS-related-environment-variable>}" \
      -e AXOCLOUDCONNECTOR_DEVICE_ID="${AXOCLOUDCONNECTOR_DEVICE_ID}" \
      ghcr.io/axoflow/axocloudconnectors:latest
      

      The Axoflow Cloud Connector starts forwarding logs to the AxoRouter instance.

2. Add the appliance to AxoConsole.

   1. Open the AxoConsole and select Topology.
   2. Select Add Item > Source.
   3. Select Azure Event Hubs.
   4. Enter the IP address and the FQDN of the Axoflow Cloud Connector instance.
   5. Select Add.

3. Create a Flow to route the data from the AxoRouter instance to a destination. You can use the Labels of this source to select messages from this source.

Labels

Axoflow automatically adds the following labels to data collected from this source:

You can use the labels as:

• Filter labels on the Analytics page,
• in the Filter By Label field during log tapping.

You can use the message fields

• in Flow Processing steps, for example, in the Query field of Select Messages steps,
• in AQL expressions in the search bars.

Event Hubs Audit logs labels

Event Hubs Provisioning logs labels

Event Hubs Signin logs labels

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

Configure the TLS-related settings of Axoflow Cloud Connector using the following environment variables.

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: AZURE_EVENTHUB.

23.2 - Cloud App Security (MCAS)

Cloud App Security (MCAS): Monitors cloud app usage, detects anomalies, and enforces security policies across SaaS services.

To onboard such a source to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

You can use the labels as:

• Filter labels on the Analytics page,
• in the Filter By Label field during log tapping.

You can use the message fields

• in Flow Processing steps, for example, in the Query field of Select Messages steps,
• in AQL expressions in the search bars.

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: MICROSOFT_DEFENDER_CLOUD_ALERTS.

23.3 - Windows hosts

Windows hosts: Event logs from core services like security, system, DNS, and DHCP for operational and forensic analysis.

To collect event logs from Microsoft Windows hosts, Axoflow supports both agent-based and agentless methods.

• For a collector agent, we recommend using the Axoflow OpenTelemetry Collector distribution. For details, see Windows host - agent based solution.
• To use an agentless solution, see Windows Event Collector (WEC).

Labels

Labels assigned to data received from Windows hosts depend on how AxoRouter receives the data. For details, see Windows host - agent based solution and Windows Event Collector (WEC).

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: WINEVTLOG, WINEVTLOG_XML, WINDOWS_DHCP, WINDOWS_DNS.

24 - MikroTik

24.1 - RouterOS

RouterOS: Router operating system providing firewall, bandwidth management, routing, and hotspot functionality.

To onboard such a source to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

You can use the labels as:

• Filter labels on the Analytics page,
• in the Filter By Label field during log tapping.

You can use the message fields

• in Flow Processing steps, for example, in the Query field of Select Messages steps,
• in AQL expressions in the search bars.

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: MIKROTIK_ROUTER.

25 - NetFlow Logic

25.1 - NetFlow Optimizer

NetFlow Optimizer: Aggregates and transforms flow data (NetFlow, IPFIX) into actionable security and performance insights.

The following sections show you how to configure NetFlow Optimizer to send their log data to Axoflow.

Prerequisites

• You have administrative access to NetFlow Optimizer.
• You have an AxoRouter deployed and configured with a Syslog connector that has parsing and classification enabled (by default, every AxoRouter has such connectors). This device is going to receive the data from NetFlow Optimizer.

• You know the IP address the AxoRouter. To find it:

  1. Open the AxoConsole.
  2. Select the Routers or the Topology page.
  3. Select on AxoRouter instance that is going to receive the logs.
  4. Check the Networks > Address field.

Steps

Note: The steps involving the NetFlow Optimizer user interface are just for your convenience, for details, see the official documentation.

1. Log in to NetFlow Optimizer.

2. Select Outputs, then click the plus sign to add an output to NetFlow Optimizer.

3. Configure a Syslog (UDP) output:

   • Name: Enter a name for the output, for example, Axoflow.
   • Address: The IP address of the AxoRouter instance where you want to send the messages.
   • Port: Set this parameter to 514.

   

4. Click Save.

5. Add the source to AxoConsole.

   1. Open the AxoConsole and select Topology.

   2. Select Add Item > Source.

      

      • If the source is actively sending data to an AxoRouter instance, select Detected, then select your source.

      • Otherwise, select the vendor and product corresponding to your source from the Predefined sources, then enter the parameters of the source, like IP address and FQDN.

        

      Note During log tapping, you can add hosts that are actively sending data to an AxoRouter instance by clicking Register source.

   3. (Optional) Add custom labels as needed.

   4. Select Add.

Labels

Axoflow automatically adds the following labels to data collected from this source:

You can use the labels as:

• Filter labels on the Analytics page,
• in the Filter By Label field during log tapping.

You can use the message fields

• in Flow Processing steps, for example, in the Query field of Select Messages steps,
• in AQL expressions in the search bars.

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

26 - Netgate

26.1 - pfSense

pfSense: Open-source firewall and router platform with VPN, traffic shaping, and intrusion detection capabilities.

To onboard such a source to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

You can use the labels as:

• Filter labels on the Analytics page,
• in the Filter By Label field during log tapping.

You can use the message fields

• in Flow Processing steps, for example, in the Query field of Select Messages steps,
• in AQL expressions in the search bars.

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

The pfsense:<program> variant is simply a generic linux event that is generated by the underlying OS on the appliance.

Tested with: TA-pfsense

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: PFSENSE.

27 - Netmotion

27.1 - Netmotion

Netmotion: Provides secure, optimized remote access with performance monitoring for mobile and distributed workforces.

To onboard such a source to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

You can use the labels as:

• Filter labels on the Analytics page,
• in the Filter By Label field during log tapping.

You can use the message fields

• in Flow Processing steps, for example, in the Query field of Select Messages steps,
• in AQL expressions in the search bars.

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: NETMOTION.

28 - NETSCOUT

28.1 - Arbor Edge Defense (AED)

Arbor Edge Defense (AED): Edge-based DDoS protection and threat mitigation system to block attacks before they enter the network.

To onboard such a source to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

You can use the labels as:

• Filter labels on the Analytics page,
• in the Filter By Label field during log tapping.

You can use the message fields

• in Flow Processing steps, for example, in the Query field of Select Messages steps,
• in AQL expressions in the search bars.

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype, source, and index settings:

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: ARBOR_EDGE_DEFENSE.

28.2 - Arbor Pravail (APS)

Arbor Pravail (APS): Monitors and mitigates advanced persistent threats and malware with inline packet inspection.

To onboard such a source to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

You can use the labels as:

• Filter labels on the Analytics page,
• in the Filter By Label field during log tapping.

You can use the message fields

• in Flow Processing steps, for example, in the Query field of Select Messages steps,
• in AQL expressions in the search bars.

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype, source, and index settings:

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: ARBOR_EDGE_DEFENSE.

Earlier name/vendor

• Arbor Networks Pravail (APS)

29 - OpenText

29.1 - ArcSight

ArcSight: SIEM platform for collecting, correlating, and analyzing security event data across IT environments.

To onboard such a source to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

You can use the labels as:

• Filter labels on the Analytics page,
• in the Filter By Label field during log tapping.

You can use the message fields

• in Flow Processing steps, for example, in the Query field of Select Messages steps,
• in AQL expressions in the search bars.

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype, source, and index settings:

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: ARCSIGHT_CEF.

Earlier name/vendor

MicroFocus ArcSight

29.2 - Self Service Password Reset (SSPR)

Self Service Password Reset (SSPR): Allows users to securely reset their own passwords without IT assistance, reducing helpdesk load.

To onboard such a source to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

You can use the labels as:

• Filter labels on the Analytics page,
• in the Filter By Label field during log tapping.

You can use the message fields

• in Flow Processing steps, for example, in the Query field of Select Messages steps,
• in AQL expressions in the search bars.

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype, source, and index settings:

Earlier name/vendor

NetIQ Self Service Password Reset

30 - Palo Alto Networks

30.1 - Cortex XSOAR

Cortex XSOAR: Security orchestration, automation, and response platform for threat detection and incident management.

To onboard such a source to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

You can use the labels as:

• Filter labels on the Analytics page,
• in the Filter By Label field during log tapping.

You can use the message fields

• in Flow Processing steps, for example, in the Query field of Select Messages steps,
• in AQL expressions in the search bars.

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype, source, and index settings:

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: PAN_XSOAR.

Earlier name/vendor

Threat Intelligence Management (TIM)

30.2 - Palo Alto firewalls

Palo Alto firewalls: Firewall operating system delivering network security features including traffic control and threat prevention.

The following sections show you how to configure Palo Alto Networks Next-Generation Firewall devices to send their log data to Axoflow.

Prerequisites

• You have administrative access to the firewall.
• The date, time, and time zone are correctly set on the firewall.
• You have an AxoRouter deployed and configured with a Syslog connector that has parsing and classification enabled (by default, every AxoRouter has such connectors). This device is going to receive the data from the firewall.

• You know the IP address the AxoRouter. To find it:

  1. Open the AxoConsole.
  2. Select the Routers or the Topology page.
  3. Select on AxoRouter instance that is going to receive the logs.
  4. Check the Networks > Address field.

Steps

Note: The steps involving the Palo Alto Networks Next-Generation Firewall user interface are just for your convenience, for details, see the official PAN-OS® documentation.

1. Log in to your firewall device. You need administrator privileges to perform the configuration.

2. Configure a Syslog server profile.

   1. Select Device > Server Profiles > Syslog.

   2. Click Add and enter a Name for the profile, for example, axorouter.

   3. Configure the following settings:

      • Syslog Server: Enter the IP address of your AxoRouter: %axorouter-ip%
      • Transport: Select TCP or TLS.
      • Port: Set the port to 601. (This is needed for the recommended IETF log format. If for some reason you need to use the BSD format, set the port to 514.)
      • Format: Select IETF.
      • Syslog logging: Enable this option.

   4. Click OK.

3. Configure syslog forwarding for Traffic, Threat, and WildFire Submission logs. For details, see Configure Log Forwarding the official PAN-OS® documentation.

   1. Select Objects > Log Forwarding.
   2. Click Add.
   3. Enter a Name for the profile, for example, axoflow.
   4. For each log type, severity level, or WildFire verdict, select the Syslog server profile.
   5. Click OK.
   6. Assign the log forwarding profile to a security policy to trigger log generation and forwarding.
   7. Select Policies > Security and select a policy rule.
   8. Select Actions, then select the Log Forwarding profile you created (for example, axoflow).
   9. For Traffic logs, select one or both of the Log at Session Start and Log At Session End options.
   10. Click OK.

4. Configure syslog forwarding for System, Config, HIP Match, and Correlation logs.

   1. Select Device > Log Settings.
   2. For System and Correlation logs, select each Severity level, select the Syslog server profile, and click OK.
   3. For Config, HIP Match, and Correlation logs, edit the section, select the Syslog server profile, and click OK.

5. Click Commit.

6. Add the source to AxoConsole.

   1. Open the AxoConsole and select Topology.

   2. Select Add Item > Source.

      

      • If the source is actively sending data to an AxoRouter instance, select Detected, then select your source.

      • Otherwise, select the vendor and product corresponding to your source from the Predefined sources, then enter the parameters of the source, like IP address and FQDN.

        

      Note During log tapping, you can add hosts that are actively sending data to an AxoRouter instance by clicking Register source.

   3. (Optional) Add custom labels as needed.

   4. Select Add.

Labels

Axoflow automatically adds the following labels to data collected from this source:

You can use the labels as:

• Filter labels on the Analytics page,
• in the Filter By Label field during log tapping.

You can use the message fields

• in Flow Processing steps, for example, in the Query field of Select Messages steps,
• in AQL expressions in the search bars.

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings: