Vendors

• 1: A10 Networks
• 1.1: vThunder
• 2: Amazon
• 2.1: CloudWatch
• 3: Broadcom
• 3.1: Edge Secure Web Gateway (Edge SWG)
• 3.2: NSX
• 4: Check Point
• 4.1: Anti-Bot
• 4.2: Anti-Malware
• 4.3: Anti-Phishing
• 4.4: Anti-Spam and Email Security
• 4.5: CPMI Client
• 4.6: cpmidu_update_tool
• 4.7: Database Tool
• 4.8: Edge Secure Web Gateway (Edge SWG)
• 4.9: Endpoint Compliance
• 4.10: Endpoint Management
• 4.11: Forensics
• 4.12: GO Password Reset
• 4.13: HTTPS Inspection
• 4.14: IPS
• 4.15: MDS Query Tool
• 4.16: Media Encryption & Port Protection
• 4.17: Mobile Access
• 4.18: Next-Generation Firewall (NGFW)
• 4.19: QoS
• 4.20: Quantum
• 4.21: Query Database
• 4.22: SmartConsole
• 4.23: SmartUpdate
• 4.24: Threat Emulation and Anti-Exploit
• 4.25: URL Filtering
• 4.26: Web API
• 5: Cisco
• 5.1: Access Control System (ACS)
• 5.2: Adaptive Security Appliance (ASA)
• 5.3: Application Control Engine (ACE)
• 5.4: Cisco IOS
• 5.5: Digital Network Architecture (DNA)
• 5.6: Email Security Appliance (ESA)
• 5.7: Firepower
• 5.8: Firepower Threat Defence (FTD)
• 5.9: Firewall Services Module (FWSM)
• 5.10: HyperFlex (HX, UCSH)
• 5.11: Identity Services Engine (ISE)
• 5.12: Integrated Management Controller (IMC)
• 5.13: IOS XR
• 5.14: Meraki MX
• 5.15: Private Internet eXchange (PIX)
• 5.16: TelePresence Video Communication Server (VCS)
• 5.17: Unified Computing System Manager (UCSM)
• 5.18: Unified Communications Manager (UCM)
• 5.19: Viptela
• 6: Citrix
• 6.1: Netscaler
• 7: Corelight
• 7.1: Open Network Detection & Response (NDR)
• 8: CyberArk
• 8.1: Privileged Threat Analytics (PTA)
• 8.2: Vault
• 9: F5 Networks
• 9.1: BIG-IP
• 10: FireEye
• 11: Forcepoint
• 11.1: Email Security
• 11.2: Next-Generation Firewall (NGFW)
• 11.3: WebProtect
• 12: Fortinet
• 12.1: FortiGate firewalls
• 12.2: FortiMail
• 12.3: FortiWeb
• 13: Fortra
• 13.1: Powertech SIEM Agent for IBM i
• 14: General Unix/Linux host
• 14.1: Generic Linux services
• 15: Imperva
• 15.1: Incapsula
• 15.2: SecureSphere
• 16: Infoblox
• 16.1: NIOS
• 17: Internet Systems Consortium (ISC)
• 17.1: DHCPd
• 18: Ivanti
• 18.1: Connect secure
• 19: Juniper
• 19.1: Junos OS
• 20: Kaspersky
• 20.1: Endpoint Security
• 21: MicroFocus
• 22: Microsoft
• 22.1: Azure Event Hubs
• 22.2: Cloud App Security (MCAS)
• 22.3: Windows hosts
• 23: MikroTik
• 23.1: RouterOS
• 24: NetFlow Logic
• 24.1: NetFlow Optimizer
• 25: Netgate
• 25.1: pfSense
• 26: Netmotion
• 26.1: Netmotion
• 27: NETSCOUT
• 27.1: Arbor Edge Defense (AED)
• 27.2: Arbor Pravail (APS)
• 28: OpenText
• 28.1: ArcSight
• 28.2: Self Service Password Reset (SSPR)
• 29: Palo Alto Networks
• 29.1: Cortex XSOAR
• 29.2: Palo Alto firewalls
• 30: Ping Identity
• 30.1: PingAccess
• 31: Powertech
• 32: Progress
• 32.1: Flowmon Anomaly Detection System (ADS)
• 33: Riverbed
• 33.1: SteelConnect
• 33.2: SteelHead
• 34: RSA
• 34.1: Authentication Manager
• 35: rsyslog
• 36: SecureAuth
• 36.1: Identity Platform
• 37: Skyhigh Security
• 37.1: Secure Web Gateway
• 38: SonicWall
• 38.1: SonicWall
• 39: Superna
• 39.1: Eyeglass
• 40: syslog-ng
• 41: Thales
• 41.1: Vormetric Data Security Platform
• 42: Trellix
• 42.1: Central Management System (CMS)
• 42.2: Email Threat Prevention (ETP)
• 42.3: Endpoint Security (HX)
• 42.4: ePolicy Orchestrator (EPO)
• 42.5: MPS
• 43: Trend Micro
• 43.1: Deep Security Agent
• 44: Ubiquiti
• 44.1: Unifi
• 45: Varonis
• 45.1: DatAdvantage
• 46: Vectra AI
• 46.1: X-Series
• 47: Zscaler appliances
• 47.1: Zscaler Nanolog Streaming Service
• 47.2: Zscaler Log Streaming Service

1 - A10 Networks

1.1 - vThunder

vThunder: Delivers application load balancing, traffic management, and DDoS protection for enterprise networks.

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: A10_LOAD_BALANCER.

2 - Amazon

2.1 - CloudWatch

CloudWatch: Monitors AWS resources and applications by collecting metrics, logs, and setting alarms.

Axoflow can collect data from your Amazon CloudWatch. At a high level, the process looks like this:

• Deploy an Axoflow Cloud Connector that will collect the data from your CloudWatch. Axoflow Cloud Connector is a simple container that you can deploy into AWS, another cloud provider, or on-prem.
• The connector forwards the collected data to the OpenTelemetry connector of an AxoRouter instance. This AxoRouter can be deployed within AWS, another cloud provider, or on-prem.
• Configure a Flow on Axoflow Console that processes and routes the collected data to your destination (for example, Splunk or another SIEM).

Prerequisites

• An AWS account with an active subscription.
• A virtual machine or Kubernetes node running to deploy Axoflow Cloud Connector on.
• An AxoRouter instance that can receive data from the connector. Verify that it has an OpenTelemetry Connector (it’s enabled by default).

• You know the IP address the AxoRouter. To find it:

  1. Open the Axoflow Console.
  2. Select the Hosts or the Topology page.
  3. Click on AxoRouter instance that is going to receive the logs.
  4. Check the Networks > Address field.
• The Axoflow Cloud Connector must be able to access the AxoRouter on the port the OpenTelemetry Connector is listening on (by default, port 4317). Depending on where the Axoflow Cloud Connector and AxoRouter are deployed, you might need to adjust firewall and ingress/egress rules in your environment.
• Depending on how you want to authenticate Axoflow Cloud Connector, you’ll need an AWS_PROFILE or AWS access keys.

Steps

To collect data from AWS CloudWatch, complete the following steps.

1. Deploy an Axoflow Cloud Connector.

   1. Access the Kubernetes node or virtual machine where you want to deploy Axoflow Cloud Connector.

   2. Set the following environment variable to the IP address of the AxoRouter where you want to forward the data from CloudWatch. This IP address must be accessible from the connector. You can find the IP address of AxoRouter on the Hosts > AxoRouter > Overview page.

      export AXOROUTER_ENDPOINT=<AxoRouter-IP-address>
      

   3. (Optional) By default, the connector stores positional and other persistence-related data in the /etc/axoflow-otel-collector/storage directory. In case you want to use a different directory, set the STORAGE_DIRECTORY environment variable.

   4. Run the following command to generate a UUID for the connector. Axoflow Console will use this ID to identify the connector.

      UUID_FULL=$(uuidgen 2>/dev/null || cat /proc/sys/kernel/random/uuid 2>/dev/null || python3 -c "import uuid; print(uuid.uuid4())")
      export AXOCLOUDCONNECTOR_DEVICE_ID=$(echo "$UUID_FULL" | cut -d'-' -f1)
      

   5. Set TLS encryption to secure the communication between Axoflow Cloud Connector and AxoRouter.

      Configure the TLS-related settings of Axoflow Cloud Connector using the following environment variables.

      Variable	Required	Default	Description
      AXOROUTER_TLS_INSECURE	No	false	Disables TLS encryption if set to true
      AXOROUTER_TLS_INCLUDE_SYSTEM_CA_CERTS_POOL	No	false	Set to true to use the system CA certificates
      AXOROUTER_TLS_CA_FILE	No	-	Path to the CA certificate file used to validate the certificate of AxoRouter
      AXOROUTER_TLS_CA_PEM	No	-	PEM-encoded CA certificate
      AXOROUTER_TLS_INSECURE_SKIP_VERIFY	No	false	Set to true to disable TLS certificate verification of AxoRouter
      AXOROUTER_TLS_CERT_FILE	No	-	Path to the certificate file of Axoflow Cloud Connector
      AXOROUTER_TLS_CERT_PEM	No	-	PEM-encoded client certificate
      AXOROUTER_TLS_KEY_FILE	No	-	Path to the client private key file of Axoflow Cloud Connector
      AXOROUTER_TLS_KEY_PEM	No	-	PEM-encoded client private key
      AXOROUTER_TLS_MIN_VERSION	No	1.2	Minimum TLS version to use
      AXOROUTER_TLS_MAX_VERSION	No	-	Maximum TLS version to use

      Note You’ll have to include the TLS-related environment variables you set in the docker command used to deploy Axoflow Cloud Connector.

   6. Configure the authentication that the Axoflow Cloud Connector will use to access CloudWatch. Set the environment variables for the authentication method you want to use.

      • AWS Profile with a configuration file: Set the region and the AWS_PROFILE

        export AWS_PROFILE=""
        export AWS_REGION=""
        

      • AWS Credentials: To use AWS access keys, set an access key and a matching secret.

        export AWS_ACCESS_KEY_ID=""
        export AWS_SECRET_ACCESS_KEY=""
        export AWS_REGION=""
        

      • EC2 instance profile:

        export AWS_REGION=""
        

   7. Deploy the Axoflow Cloud Connector. The exact command depends on the authentication method and the TLS settings you want to configure.

      • AWS Profile with a configuration file: Set the region and the AWS_PROFILE. Also, pass the TLS-related settings you’ve set earlier.

        docker run --rm \
        -v "${STORAGE_DIRECTORY}":"${STORAGE_DIRECTORY}" \
        -e AWS_PROFILE="${AWS_PROFILE}" \
        -e AWS_REGION="${AWS_REGION}" \
        -e AWS_SDK_LOAD_CONFIG=1 \
        -e AXOROUTER_ENDPOINT="${AXOROUTER_ENDPOINT}" \
        -e STORAGE_DIRECTORY="${STORAGE_DIRECTORY}" \
        -e AXOCLOUDCONNECTOR_DEVICE_ID="${AXOCLOUDCONNECTOR_DEVICE_ID}" \
        -e <TlS-related-environment-variable>="${<TlS-related-environment-variable>}" \
        -v "${HOME}/.aws:/cloudconnectors/.aws:ro" \
        ghcr.io/axoflow/axocloudconnectors:latest
        

      • AWS Credentials: To use AWS access keys, set an access key and a matching secret. Also, pass the TLS-related settings you’ve set earlier.

        docker run --rm \
        -v "${STORAGE_DIRECTORY}":"${STORAGE_DIRECTORY}" \
        -e AWS_ACCESS_KEY_ID="${AWS_ACCESS_KEY_ID}" \
        -e AWS_SECRET_ACCESS_KEY="${AWS_SECRET_ACCESS_KEY}" \
        -e AWS_REGION="${AWS_REGION}" \
        -e AXOROUTER_ENDPOINT="${AXOROUTER_ENDPOINT}" \
        -e AXOCLOUDCONNECTOR_DEVICE_ID="${AXOCLOUDCONNECTOR_DEVICE_ID}" \
        -e <TlS-related-environment-variable>="${<TlS-related-environment-variable>}" \
        -e STORAGE_DIRECTORY="${STORAGE_DIRECTORY}" \
        ghcr.io/axoflow/axocloudconnectors:latest
        

      • EC2 instance profile: Also, pass the TLS-related settings you’ve set earlier.

        docker run --rm \
        -v "${STORAGE_DIRECTORY}":"${STORAGE_DIRECTORY}" \
        -e AWS_REGION="${AWS_REGION}" \
        -e AXOROUTER_ENDPOINT="${AXOROUTER_ENDPOINT}" \
        -e AXOCLOUDCONNECTOR_DEVICE_ID="${AXOCLOUDCONNECTOR_DEVICE_ID}" \
        -e <TlS-related-environment-variable>="${<TlS-related-environment-variable>}" \
        -e STORAGE_DIRECTORY="${STORAGE_DIRECTORY}" \
        ghcr.io/axoflow/axocloudconnectors:latest
        

      The Axoflow Cloud Connector starts forwarding logs to the AxoRouter instance.

2. Add the appliance to Axoflow Console.

   1. Open the Axoflow Console and select Topology.
   2. Select Create New Item > Source.
   3. Select AWS CloudWatch.
   4. Enter the IP address and the FQDN of the Axoflow Cloud Connector instance.
   5. Select Create.

3. Create a Flow to route the data from the AxoRouter instance to a destination. You can use the Labels of this source to select messages from this source.

Labels

Axoflow automatically adds the following labels to data collected from this source:

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: AWS_CLOUDWATCH.

3 - Broadcom

3.1 - Edge Secure Web Gateway (Edge SWG)

Edge Secure Web Gateway (Edge SWG): Secures web traffic through policy enforcement, SSL inspection, and real-time threat protection.

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: BROADCOM_EDGE_SWG.

Earlier name/vendor

• Blue Coat Proxy
• Blue Coat ProxySG
• Symantec ProxySG
• Symantec Edge Secure Web Gateway
• Symantec Edge SWG

3.2 - NSX

NSX: Provides network virtualization, micro-segmentation, and security for software-defined data centers.

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Configure your NSX appliances, NSX Edges, and hypervisors to send their logs to the Syslog (autodetect and classify) connector of an AxoRouter instance. Use either:

• The TCP protocol (port 601 when using the default connector), or
• TLS-encrypted TCP protocol (port 6514 when using the default connector)

For details on configuring NSX, see Configure Remote Logging in the NSX Administration Guide.

Labels

Axoflow automatically adds the following labels to data collected from this source:

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: VMWARE_NSX.

Earlier name/vendor

• VMware NSX
• NSX-T Data Center

4 - Check Point

4.1 - Anti-Bot

Anti-Bot: Detects and blocks botnet communications and command-and-control traffic to prevent malware infections.

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: CHECKPOINT_EDR.

4.2 - Anti-Malware

Anti-Malware: Protects endpoints from viruses, ransomware, and other malware using signature and behavior analysis.

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: CHECKPOINT_EDR.

4.3 - Anti-Phishing

Anti-Phishing: Prevents phishing attacks by analyzing email content and links to block credential theft attempts.

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: CHECKPOINT_EMAIL.

4.4 - Anti-Spam and Email Security

Anti-Spam and Email Security: Blocks spam and malicious email content using reputation checks and email filtering techniques.

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: CHECKPOINT_EMAIL.

4.5 - CPMI Client

CPMI Client: Legacy Check Point management client used to interface with security policies and logs.

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: CHECKPOINT_FIREWALL.

4.6 - cpmidu_update_tool

cpmidu_update_tool: Utility used to update configuration and database files for Check Point Multi-Domain environments.

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: CHECKPOINT_FIREWALL.

4.7 - Database Tool

Database Tool: Command-line tool to extract, query, or update Check Point configuration and policy databases.

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

4.8 - Edge Secure Web Gateway (Edge SWG)

Edge Secure Web Gateway (Edge SWG): Provides configuration profiles for secure mobile access and web filtering on iOS devices.

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: CHECKPOINT_HARMONY.

4.9 - Endpoint Compliance

Endpoint Compliance: Checks endpoint status and posture before granting network access, enforcing security policies.

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: CHECKPOINT_EDR.

4.10 - Endpoint Management

Endpoint Management: Centralized platform for managing endpoint protection, updates, and policy enforcement.

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

4.11 - Forensics

Forensics: Analyzes security incidents on endpoints to uncover attack vectors and malicious activity.

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: CHECKPOINT_EDR.

4.12 - GO Password Reset

GO Password Reset: Facilitates secure password reset processes for users across integrated environments.

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: CHECKPOINT_AUDIT.

4.13 - HTTPS Inspection

HTTPS Inspection: Decrypts and inspects HTTPS traffic to detect hidden threats within encrypted web sessions.

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: CHECKPOINT_FIREWALL.

4.14 - IPS

IPS: Detects and blocks known and unknown exploits, malware, and vulnerabilities in network traffic.

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: CHECKPOINT_EDR.

4.15 - MDS Query Tool

MDS Query Tool: CLI tool for querying multi-domain configurations and policies in Check Point environments.

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

4.16 - Media Encryption & Port Protection

Media Encryption & Port Protection: Secures USB ports and encrypts removable media to protect sensitive data on endpoints.

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: CHECKPOINT_EDR.

4.17 - Mobile Access

Mobile Access: Enables secure remote access to corporate apps and data from mobile devices.

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

4.18 - Next-Generation Firewall (NGFW)

Next-Generation Firewall (NGFW): Next-generation firewall providing intrusion prevention, application control, and threat protection.

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: CHECKPOINT_FIREWALL.

4.19 - QoS

QoS: Implements bandwidth control and traffic prioritization policies for optimized network usage.

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: CHECKPOINT_FIREWALL.

4.20 - Quantum

Quantum: Unified threat prevention platform delivering firewall, VPN, and intrusion prevention capabilities.

If you’d like to send data from this source to AxoRouter, contact our support team for details.

4.21 - Query Database

Query Database: Accesses and queries internal policy or object databases in Check Point systems.

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

4.22 - SmartConsole

SmartConsole: Graphical interface for managing Check Point security policies, logs, and monitoring.

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

4.23 - SmartUpdate

SmartUpdate: Tool for updating and managing licenses, software, and hotfixes in Check Point environments.

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

4.24 - Threat Emulation and Anti-Exploit

Threat Emulation and Anti-Exploit: Emulates files in a virtual environment to detect and block advanced persistent threats and exploits.

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: CHECKPOINT_EDR.

4.25 - URL Filtering

URL Filtering: Controls and logs web access based on URL categories and custom site rules to enforce policy.

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: CHECKPOINT_FIREWALL.

4.26 - Web API

Web API: Provides programmatic access to Check Point security management through RESTful API endpoints.

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

5 - Cisco

5.1 - Access Control System (ACS)

Access Control System (ACS): Centralizes network access control with RADIUS and TACACS+ for authentication and authorization.

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: CISCO_ACS.

5.2 - Adaptive Security Appliance (ASA)

Adaptive Security Appliance (ASA): Provides stateful firewall, VPN support, and advanced threat protection for secure network perimeters.

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: CISCO_ASA_FIREWALL.

5.3 - Application Control Engine (ACE)

Application Control Engine (ACE): Provides application-aware load balancing, SSL offload, and traffic control for Cisco networks.

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: CISCO_ACE.

5.4 - Cisco IOS

Cisco IOS: Network operating system for Cisco routers and switches, enabling routing, switching, and security.

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: CISCO_IOS.

5.5 - Digital Network Architecture (DNA)

Digital Network Architecture (DNA): Provides software-defined networking, policy automation, and analytics for enterprise infrastructure.

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: CISCO_DNAC.

5.6 - Email Security Appliance (ESA)

Email Security Appliance (ESA): Protects email systems from spam, phishing, malware, and data loss with advanced threat filtering.

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

Note that the device can be configured to send plain syslog text or CEF-formatted output.

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype, index, and source settings:

Tested with: Splunk Add-on for Cisco ESA

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: CISCO_EMAIL_SECURITY.

5.7 - Firepower

Firepower: Provides next-gen firewall features including intrusion prevention, app control, and malware protection.

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: CISCO_FIREPOWER_FIREWALL.

5.8 - Firepower Threat Defence (FTD)

Firepower Threat Defence (FTD): Unifies firewall, VPN, and intrusion prevention into a single software for comprehensive threat defense.

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

5.9 - Firewall Services Module (FWSM)

Firewall Services Module (FWSM): Delivers multi-context, high-performance firewall services integrated into Cisco Catalyst switches.

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: CISCO_FWSM.

5.10 - HyperFlex (HX, UCSH)

HyperFlex (HX, UCSH): Infrastructure solution combining compute, storage, and networking in a single system.

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: CISCO_UCS.

5.11 - Identity Services Engine (ISE)

Identity Services Engine (ISE): Manages network access control and enforces policies with user and device authentication capabilities.

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

For details on configuring your Identity Services Engine to forward its logs to an AxoRouter instance, see Configure Remote Syslog Collection Locations in Cisco Identity Services Engine (ISE) Administrator Guide.

Labels

Axoflow automatically adds the following labels to data collected from this source:

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: CISCO_ISE.

5.12 - Integrated Management Controller (IMC)

Integrated Management Controller (IMC): Provides out-of-band server management for Cisco UCS, enabling hardware monitoring and configuration.

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

5.13 - IOS XR

IOS XR: High-performance, modular network operating system for carrier-grade routing and scalability.

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

5.14 - Meraki MX

Meraki MX: Cloud-managed network appliance offering firewall, VPN, SD-WAN, and security in a single platform.

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

Tested with: TA-meraki

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: CISCO_MERAKI.

5.15 - Private Internet eXchange (PIX)

Private Internet eXchange (PIX): Legacy firewall appliance delivering stateful inspection and secure network access control.

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: CISCO_PIX_FIREWALL.

5.16 - TelePresence Video Communication Server (VCS)

TelePresence Video Communication Server (VCS): Enables video conferencing control and call routing for Cisco TelePresence systems and endpoints.

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

5.17 - Unified Computing System Manager (UCSM)

Unified Computing System Manager (UCSM): Centralized management platform for Cisco Unified Computing System (UCS) servers and resources.

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: CISCO_UCS.

5.18 - Unified Communications Manager (UCM)

Unified Communications Manager (UCM): Delivers unified voice, video, messaging, and mobility services in enterprise IP telephony systems.

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: CISCO_UCM.

5.19 - Viptela

Viptela: Software-defined WAN solution providing secure connectivity, centralized control, and traffic optimization.

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: CISCO_VIPTELA.

6 - Citrix

6.1 - Netscaler

Netscaler: Offers application delivery, load balancing, and security features for optimized app performance.

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: CITRIX_NETSCALER_WEB_LOGS.

7 - Corelight

7.1 - Open Network Detection & Response (NDR)

Open Network Detection & Response (NDR): Provides network detection and response by analyzing traffic for advanced threats and anomalous behavior.

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype, source, and index settings:

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: CORELIGHT.

8 - CyberArk

8.1 - Privileged Threat Analytics (PTA)

Privileged Threat Analytics (PTA): Analyzes privileged account behavior to detect threats and suspicious activity in real time.

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: CYBERARK_PTA.

8.2 - Vault

Vault: Stores and manages privileged credentials, session recordings, and access control policies securely.

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: CYBERARK.

9 - F5 Networks

9.1 - BIG-IP

BIG-IP: Provides load balancing, traffic management, and application security for optimized service delivery.

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

Note that the device can be configured to send plain syslog text, JSON, or key-value pairs.

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

Tested with: Splunk Add-on for F5 BIG-IP

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: F5_BIGIP_APM.

10 - FireEye

11 - Forcepoint

11.1 - Email Security

Email Security: Protects email systems from spam, phishing, malware, and data exfiltration using advanced threat defense.

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype, source, and index settings:

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: FORCEPOINT_EMAILSECURITY.

Earlier name/vendor

• Websense Email Security

11.2 - Next-Generation Firewall (NGFW)

Next-Generation Firewall (NGFW): Next-gen firewall with deep packet inspection, policy enforcement, and integrated intrusion prevention.

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype, source, and index settings:

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: FORCEPOINT_FIREWALL.

Earlier name/vendor

• Websense Webprotect
• Forcepoint Webprotect
• Forcepoint Secure Web Gateway

11.3 - WebProtect

WebProtect: Provides web traffic filtering, malware protection, and data loss prevention for secure internet access.

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype, source, and index settings:

Earlier name/vendor

• Websense Firewall

12 - Fortinet

12.1 - FortiGate firewalls

FortiGate firewalls: Enterprise firewall platform offering threat protection, VPN, and traffic filtering for secure networking.

The following sections show you how to configure FortiGate Next-Generation Firewall (NGFW) to send their log data to Axoflow.

Prerequisites

• You have administrative access to the firewall.
• The date, time, and time zone are correctly set on the firewall.
• You have an AxoRouter deployed and configured with a Syslog connector that has parsing and classification enabled (by default, every AxoRouter has such connectors). This device is going to receive the data from the firewall.

• You know the IP address the AxoRouter. To find it:

  1. Open the Axoflow Console.
  2. Select the Hosts or the Topology page.
  3. Click on AxoRouter instance that is going to receive the logs.
  4. Check the Networks > Address field.

Steps

Note: The steps involving the FortiGate user interface are just for your convenience, for details, see the official FortiGate documentation.

1. Log in to your FortiGate device. You need administrator privileges to perform the configuration.

2. Register the address of your AxoRouter as an Address Object.

   1. Select Log & Report > Log Settings > Global Settings.

   2. Configure the following settings:

      • Event Logging: Click All.
      • Local traffic logging: Click All.
      • Syslog logging: Enable this option.
      • IP address/FQDN: Enter the address of your AxoRouter: %axorouter-ip%

   3. Click Apply.

3. Add the source to Axoflow Console.

   1. Open the Axoflow Console and select Topology.

   2. Select Create New Item > Source.

      • If the source is actively sending data to an AxoRouter instance, select Detected, then select your source.
      • Otherwise, select the vendor and product corresponding to your source from the Predefined sources, then enter the parameters of the source, like IP address and FQDN.
      Note During log tapping, you can add hosts that are actively sending data to an AxoRouter instance by clicking Register source.

   3. (Optional) Add custom labels as needed.

   4. Select Create.

Labels

Axoflow automatically adds the following labels to data collected from this source:

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

Tested with: Fortinet FortiGate Add-On for Splunk technical add-on

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: FORTINET_FIREWALL.

12.2 - FortiMail

FortiMail: Secures inbound and outbound email with spam filtering, malware protection, and advanced threat detection.

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

Tested with: FortiMail Add-on for Splunk technical add-on

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: FORTINET_FORTIMAIL.

12.3 - FortiWeb

FortiWeb: Web application firewall protecting websites from attacks like XSS, SQL injection, and bot threats.

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

Tested with: Fortinet FortiWeb Add-0n for Splunk technical add-on

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: FORTINET_FORTIWEB.

13 - Fortra

13.1 - Powertech SIEM Agent for IBM i

Powertech SIEM Agent for IBM i: Monitors IBM i system activity and forwards security events for centralized analysis in SIEM platforms.

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype, source, and index settings:

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: FORTRA_POWERTECH_SIEM_AGENT.

Earlier name/vendor

Powertech Interact

14 - General Unix/Linux host

14.1 - Generic Linux services

Generic Linux services: A generic placeholder for program classifications

These classifications include non-vendor specific services and applications commonly found on Linux/Unix hosts.

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

Tested with: Splunk Add-on for Infoblox

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: NIX_SYSTEM.

15 - Imperva

15.1 - Incapsula

Incapsula: Cloud-based WAF, DDoS protection, and bot mitigation service for securing web applications and APIs.

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype, source, and index settings:

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: IMPERVA_CEF.

15.2 - SecureSphere

SecureSphere: Provides on-prem web application, database, and file security with granular activity monitoring.

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype, source, and index settings:

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: IMPERVA_SECURESPHERE.

16 - Infoblox

16.1 - NIOS

NIOS: Delivers secure DNS, DHCP, and IPAM (DDI) services with centralized network control and automation.

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

Tested with: Splunk Add-on for Infoblox

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: INFOBLOX, INFOBLOX_DNS.

17 - Internet Systems Consortium (ISC)

17.1 - DHCPd

DHCPd:

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: ISC_DHCP.

18 - Ivanti

18.1 - Connect secure

Connect secure: Provides dynamic IP address assignment and network configuration for DHCP-enabled devices.

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype, source, and index settings:

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: IVANTI_CONNECT_SECURE.

Earlier name/vendor

Pulse Connect Secure

19 - Juniper

19.1 - Junos OS

Junos OS: Junos OS is the network operating system for Juniper physical and virtual networking and security products.

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

Tested with: Splunk Add-on for Juniper

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: JUNIPER_JUNOS.

20 - Kaspersky

20.1 - Endpoint Security

Endpoint Security: Protects endpoints from malware, ransomware, and intrusions with antivirus, firewall, and threat detection.

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

Note that the device can be configured to send plain syslog text, LEEF, or CEF-formatted output.

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: KASPERSKY_ENDPOINT.

21 - MicroFocus

22 - Microsoft

22.1 - Azure Event Hubs

Azure Event Hubs: Big data streaming platform to ingest and process events.

Axoflow can collect data from your Azure Event Hubs. At a high level, the process looks like this:

• Deploy an Axoflow Cloud Connector that will collect the data from your Event Hub. Axoflow Cloud Connector is a simple container that you can deploy into Azure, another cloud provider, or on-prem.
• The connector forwards the collected data to the OpenTelemetry connector of an AxoRouter instance. This AxoRouter can be deployed within Azure, another cloud provider, or on-prem.
• Configure a Flow on Axoflow Console that processes and routes the collected data to your destination (for example, Splunk or another SIEM).

Prerequisites

• An Azure account with an active subscription.
• A virtual machine or Kubernetes node running to deploy Axoflow Cloud Connector on.
• An AxoRouter instance that can receive data from the connector. Verify that it has an OpenTelemetry Connector (it’s enabled by default).

• You know the IP address the AxoRouter. To find it:

  1. Open the Axoflow Console.
  2. Select the Hosts or the Topology page.
  3. Click on AxoRouter instance that is going to receive the logs.
  4. Check the Networks > Address field.
• The Axoflow Cloud Connector must be able to access the AxoRouter on the port the OpenTelemetry Connector is listening on (by default, port 4317). Depending on where the Axoflow Cloud Connector and AxoRouter are deployed, you might need to adjust firewall and ingress/egress rules in your environment.
• An Event Hubs connection string.

Steps

To collect data from Azure Event Hubs, complete the following steps.

1. Deploy an Axoflow Cloud Connector into Azure.

   1. Access the Kubernetes node or virtual machine.

   2. Set the following environment variable to the IP address of the AxoRouter where you want to forward the data from Event Hubs. This IP address must be accessible from the connector. You can find the IP address of AxoRouter on the Hosts > AxoRouter > Overview page.

      export AXOROUTER_ENDPOINT=<AxoRouter-IP-address>
      

   3. (Optional) By default, the connector stores positional and other persistence-related data in the /etc/axoflow-otel-collector/storage directory. In case you want to use a different directory, set the STORAGE_DIRECTORY environment variable.

   4. Run the following command to generate a UUID for the connector. Axoflow Console will use this ID to identify the connector.

      UUID_FULL=$(uuidgen 2>/dev/null || cat /proc/sys/kernel/random/uuid 2>/dev/null || python3 -c "import uuid; print(uuid.uuid4())")
      export AXOCLOUDCONNECTOR_DEVICE_ID=$(echo "$UUID_FULL" | cut -d'-' -f1)
      

   5. Set TLS encryption to secure the communication between Axoflow Cloud Connector and AxoRouter.

      Configure the TLS-related settings of Axoflow Cloud Connector using the following environment variables.

      Variable	Required	Default	Description
      AXOROUTER_TLS_INSECURE	No	false	Disables TLS encryption if set to true
      AXOROUTER_TLS_INCLUDE_SYSTEM_CA_CERTS_POOL	No	false	Set to true to use the system CA certificates
      AXOROUTER_TLS_CA_FILE	No	-	Path to the CA certificate file used to validate the certificate of AxoRouter
      AXOROUTER_TLS_CA_PEM	No	-	PEM-encoded CA certificate
      AXOROUTER_TLS_INSECURE_SKIP_VERIFY	No	false	Set to true to disable TLS certificate verification of AxoRouter
      AXOROUTER_TLS_CERT_FILE	No	-	Path to the certificate file of Axoflow Cloud Connector
      AXOROUTER_TLS_CERT_PEM	No	-	PEM-encoded client certificate
      AXOROUTER_TLS_KEY_FILE	No	-	Path to the client private key file of Axoflow Cloud Connector
      AXOROUTER_TLS_KEY_PEM	No	-	PEM-encoded client private key
      AXOROUTER_TLS_MIN_VERSION	No	1.2	Minimum TLS version to use
      AXOROUTER_TLS_MAX_VERSION	No	-	Maximum TLS version to use

      Note You’ll have to include the TLS-related environment variables you set in the docker command used to deploy Axoflow Cloud Connector.

   6. Set the AZURE_EVENTHUB_CONNECTION_STRING environment variable.

      export AZURE_EVENTHUB_CONNECTION_STRING="Endpoint=sb://<NamespaceName>.servicebus.windows.net/;SharedAccessKeyName=<KeyName>;SharedAccessKey=<KeyValue>;EntityPath=<EventHubName>"
      

   7. Deploy the Axoflow Cloud Connector by running the following command. Also, pass the TLS-related settings you’ve set earlier.

      docker run --rm \
      -v "${STORAGE_DIRECTORY}":"${STORAGE_DIRECTORY}" \
      -e AZURE_EVENTHUB_CONNECTION_STRING="${AZURE_EVENTHUB_CONNECTION_STRING}" \
      -e AXOROUTER_ENDPOINT="${AXOROUTER_ENDPOINT}" \
      -e STORAGE_DIRECTORY="${STORAGE_DIRECTORY}" \
      -e <TlS-related-environment-variable>="${<TlS-related-environment-variable>}" \
      -e AXOCLOUDCONNECTOR_DEVICE_ID="${AXOCLOUDCONNECTOR_DEVICE_ID}" \
      ghcr.io/axoflow/axocloudconnectors:latest
      

      The Axoflow Cloud Connector starts forwarding logs to the AxoRouter instance.

2. Add the appliance to Axoflow Console.

   1. Open the Axoflow Console and select Topology.
   2. Select Create New Item > Source.
   3. Select Azure Event Hubs.
   4. Enter the IP address and the FQDN of the Axoflow Cloud Connector instance.
   5. Select Create.

3. Create a Flow to route the data from the AxoRouter instance to a destination. You can use the Labels of this source to select messages from this source.

Labels

Axoflow automatically adds the following labels to data collected from this source:

Event Hubs Audit logs labels

Event Hubs Provisioning logs labels

Event Hubs Signin logs labels

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

Configure the TLS-related settings of Axoflow Cloud Connector using the following environment variables.

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: AZURE_EVENTHUB.

22.2 - Cloud App Security (MCAS)

Cloud App Security (MCAS): Monitors cloud app usage, detects anomalies, and enforces security policies across SaaS services.

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: MICROSOFT_DEFENDER_CLOUD_ALERTS.

22.3 - Windows hosts

Windows hosts: Event logs from core services like security, system, DNS, and DHCP for operational and forensic analysis.

To collect event logs from Microsoft Windows hosts, Axoflow supports both agent-based and agentless methods.

• For a collector agent, we recommend using the Axoflow OpenTelemetry Collector distribution. For details, see Windows host - agent based solution.
• To use an agentless solution, see Windows Event Collector (WEC).

Labels

Labels assigned to data received from Windows hosts depend on how AxoRouter receives the data. For details, see Windows host - agent based solution and Windows Event Collector (WEC).

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: WINEVTLOG, WINEVTLOG_XML, WINDOWS_DHCP, WINDOWS_DNS.

23 - MikroTik

23.1 - RouterOS

RouterOS: Router operating system providing firewall, bandwidth management, routing, and hotspot functionality.

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: MIKROTIK_ROUTER.

24 - NetFlow Logic

24.1 - NetFlow Optimizer

NetFlow Optimizer: Aggregates and transforms flow data (NetFlow, IPFIX) into actionable security and performance insights.

The following sections show you how to configure NetFlow Optimizer to send their log data to Axoflow.

Prerequisites

• You have administrative access to NetFlow Optimizer.
• You have an AxoRouter deployed and configured with a Syslog connector that has parsing and classification enabled (by default, every AxoRouter has such connectors). This device is going to receive the data from NetFlow Optimizer.

• You know the IP address the AxoRouter. To find it:

  1. Open the Axoflow Console.
  2. Select the Hosts or the Topology page.
  3. Click on AxoRouter instance that is going to receive the logs.
  4. Check the Networks > Address field.

Steps

Note: The steps involving the NetFlow Optimizer user interface are just for your convenience, for details, see the official documentation.

1. Log in to NetFlow Optimizer.

2. Select Outputs, then click the plus sign to add an output to NetFlow Optimizer.

3. Configure a Syslog (UDP) output:

   • Name: Enter a name for the output, for example, Axoflow.
   • Address: The IP address of the AxoRouter instance where you want to send the messages.
   • Port: Set this parameter to 514.

   

4. Click Save.

5. Add the source to Axoflow Console.

   1. Open the Axoflow Console and select Topology.

   2. Select Create New Item > Source.

      • If the source is actively sending data to an AxoRouter instance, select Detected, then select your source.
      • Otherwise, select the vendor and product corresponding to your source from the Predefined sources, then enter the parameters of the source, like IP address and FQDN.
      Note During log tapping, you can add hosts that are actively sending data to an AxoRouter instance by clicking Register source.

   3. (Optional) Add custom labels as needed.

   4. Select Create.

Labels

Axoflow automatically adds the following labels to data collected from this source:

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

25 - Netgate

25.1 - pfSense

pfSense: Open-source firewall and router platform with VPN, traffic shaping, and intrusion detection capabilities.

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

The pfsense:<program> variant is simply a generic linux event that is generated by the underlying OS on the appliance.

Tested with: TA-pfsense

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: PFSENSE.

26 - Netmotion

26.1 - Netmotion

Netmotion: Provides secure, optimized remote access with performance monitoring for mobile and distributed workforces.

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: NETMOTION.

27 - NETSCOUT

27.1 - Arbor Edge Defense (AED)

Arbor Edge Defense (AED): Edge-based DDoS protection and threat mitigation system to block attacks before they enter the network.

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype, source, and index settings:

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: ARBOR_EDGE_DEFENSE.

27.2 - Arbor Pravail (APS)

Arbor Pravail (APS): Monitors and mitigates advanced persistent threats and malware with inline packet inspection.

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype, source, and index settings:

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: ARBOR_EDGE_DEFENSE.

Earlier name/vendor

• Arbor Networks Pravail (APS)

28 - OpenText

28.1 - ArcSight

ArcSight: SIEM platform for collecting, correlating, and analyzing security event data across IT environments.

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype, source, and index settings:

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: ARCSIGHT_CEF.

Earlier name/vendor

MicroFocus ArcSight

28.2 - Self Service Password Reset (SSPR)

Self Service Password Reset (SSPR): Allows users to securely reset their own passwords without IT assistance, reducing helpdesk load.

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype, source, and index settings:

Earlier name/vendor

NetIQ Self Service Password Reset

29 - Palo Alto Networks

29.1 - Cortex XSOAR

Cortex XSOAR: Security orchestration, automation, and response platform for threat detection and incident management.

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype, source, and index settings:

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: PAN_XSOAR.

Earlier name/vendor

Threat Intelligence Management (TIM)

29.2 - Palo Alto firewalls

Palo Alto firewalls: Firewall operating system delivering network security features including traffic control and threat prevention.

The following sections show you how to configure Palo Alto Networks Next-Generation Firewall devices to send their log data to Axoflow.

Prerequisites

• You have administrative access to the firewall.
• The date, time, and time zone are correctly set on the firewall.
• You have an AxoRouter deployed and configured with a Syslog connector that has parsing and classification enabled (by default, every AxoRouter has such connectors). This device is going to receive the data from the firewall.

• You know the IP address the AxoRouter. To find it:

  1. Open the Axoflow Console.
  2. Select the Hosts or the Topology page.
  3. Click on AxoRouter instance that is going to receive the logs.
  4. Check the Networks > Address field.

Steps

Note: The steps involving the Palo Alto Networks Next-Generation Firewall user interface are just for your convenience, for details, see the official PAN-OS® documentation.

1. Log in to your firewall device. You need administrator privileges to perform the configuration.

2. Configure a Syslog server profile.

   1. Select Device > Server Profiles > Syslog.

   2. Click Add and enter a Name for the profile, for example, axorouter.

   3. Configure the following settings:

      • Syslog Server: Enter the IP address of your AxoRouter: %axorouter-ip%
      • Transport: Select TCP or TLS.
      • Port: Set the port to 601. (This is needed for the recommended IETF log format. If for some reason you need to use the BSD format, set the port to 514.)
      • Format: Select IETF.
      • Syslog logging: Enable this option.

   4. Click OK.

3. Configure syslog forwarding for Traffic, Threat, and WildFire Submission logs. For details, see Configure Log Forwarding the official PAN-OS® documentation.

   1. Select Objects > Log Forwarding.
   2. Click Add.
   3. Enter a Name for the profile, for example, axoflow.
   4. For each log type, severity level, or WildFire verdict, select the Syslog server profile.
   5. Click OK.
   6. Assign the log forwarding profile to a security policy to trigger log generation and forwarding.
   7. Select Policies > Security and select a policy rule.
   8. Select Actions, then select the Log Forwarding profile you created (for example, axoflow).
   9. For Traffic logs, select one or both of the Log at Session Start and Log At Session End options.
   10. Click OK.

4. Configure syslog forwarding for System, Config, HIP Match, and Correlation logs.

   1. Select Device > Log Settings.
   2. For System and Correlation logs, select each Severity level, select the Syslog server profile, and click OK.
   3. For Config, HIP Match, and Correlation logs, edit the section, select the Syslog server profile, and click OK.

5. Click Commit.

6. Add the source to Axoflow Console.

   1. Open the Axoflow Console and select Topology.

   2. Select Create New Item > Source.

      • If the source is actively sending data to an AxoRouter instance, select Detected, then select your source.
      • Otherwise, select the vendor and product corresponding to your source from the Predefined sources, then enter the parameters of the source, like IP address and FQDN.
      Note During log tapping, you can add hosts that are actively sending data to an AxoRouter instance by clicking Register source.

   3. (Optional) Add custom labels as needed.

   4. Select Create.

Labels

Axoflow automatically adds the following labels to data collected from this source:

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

Tested with: Palo Alto Networks Add-on for Splunk technical add-on

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: PAN_FIREWALL.

30 - Ping Identity

30.1 - PingAccess

PingAccess: A centralized access security solution which provides secure access to applications and APIs down to the URL level

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

Tested with: SecureAuth IdP Splunk App

31 - Powertech

32 - Progress

32.1 - Flowmon Anomaly Detection System (ADS)

Flowmon Anomaly Detection System (ADS): Detects network anomalies and threats through flow-based behavior analysis and machine learning.

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

Earlier name/vendor

• Flowmon Networks

33 - Riverbed

33.1 - SteelConnect

SteelConnect: WAN optimization appliance that accelerates application performance and reduces bandwidth usage.

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: STEELHEAD.

33.2 - SteelHead

SteelHead: Software-defined WAN solution for centralized network management and secure cloud connectivity.

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: RIVERBED.

34 - RSA

34.1 - Authentication Manager

Authentication Manager: Manages two-factor authentication using RSA SecurID tokens for secure access to enterprise resources.

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: RSA_AUTH_MANAGER.

35 - rsyslog

Axoflow treats rsyslog sources as a generic syslog source. To send data from rsyslog to Axoflow, just configure rsyslog to send data to an AxoRouter instance using the syslog protocol.

Note that even if rsyslog is acting as a relay (receiving data from other clients and forwarding them to AxoRouter), on the Topology page it will be displayed as a data source.

Prerequisites

• You have administrative access to the device running rsyslog.
• The date, time, and time zone are correctly set on the appliance.
• You have an AxoRouter deployed and configured with a Syslog connector that has parsing and classification enabled (by default, every AxoRouter has such connectors). This device is going to receive the data from the source.

• You know the IP address the AxoRouter. To find it:

  1. Open the Axoflow Console.
  2. Select the Hosts or the Topology page.
  3. Click on AxoRouter instance that is going to receive the logs.
  4. Check the Networks > Address field.

36 - SecureAuth

36.1 - Identity Platform

Identity Platform: Delivers identity and access management with adaptive authentication and single sign-on capabilities.

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

Tested with: SecureAuth IdP Splunk App

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: SECUREAUTH_SSO.

37 - Skyhigh Security

37.1 - Secure Web Gateway

Secure Web Gateway: Inspects and filters web traffic to protect against malware, enforce policies, and prevent data loss.

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: MCAFEE_WEBPROXY.

Earlier name/vendor

McAfee Secure Web Gateway

38 - SonicWall

38.1 - SonicWall

SonicWall: Delivers firewall, VPN, and deep packet inspection to protect networks from cyber threats and intrusions.

The following sections show you how to configure SonicWall firewalls to send their log data to Axoflow.

Prerequisites

• You have administrative access to the firewall.
• The date, time, and time zone are correctly set on the firewall.
• You have an AxoRouter deployed and configured with a Syslog connector that has parsing and classification enabled (by default, every AxoRouter has such connectors). This device is going to receive the data from the firewall.

• You know the IP address the AxoRouter. To find it:

  1. Open the Axoflow Console.
  2. Select the Hosts or the Topology page.
  3. Click on AxoRouter instance that is going to receive the logs.
  4. Check the Networks > Address field.

Steps for SonicOS 7.x

Note: The steps involving the SonicWall user interface are just for your convenience, for details, see the official SonicWall documentation.

1. Log in to your SonicWall device. You need administrator privileges to perform the configuration.

2. Register the address of your AxoRouter as an Address Object.

   1. Select MENU > OBJECT.

   2. Select Match Objects > Addresses > Address objects.

   3. Click Add Address.

   4. Configure the following settings:

      • Name: Enter a name for the AxoRouter, for example, AxoRouter.
      • Zone Assignment: Select the correct zone.
      • Type: Select Host.
      • IP Address: Enter the IP address of your AxoRouter: %axorouter-ip%

   5. Click Save.

3. Set your AxoRouter as a syslog server.

   1. Navigate to Device > Log > Syslog.

   2. Select the Syslog Servers tab.

   3. Click Add.

   4. Configure the following options:

      • Name or IP Address: Select the Address Object of AxoRouter.
      • Server Type: Select Syslog Server.
      • Syslog Format: Select Enhanced.

      If your Syslog server does not use default port 514, type the port number in the Port field.

      By default, AxoRouter accepts data on the following ports (unless you’ve modified the default connector rules):

      • 514 UDP and TCP for RFC3164 (BSD-syslog) and RFC5424 (IETF-syslog) formatted traffic. AxoRouter automatically recognizes and handles both formats.
      • 601 TCP for RFC5424 (IETF-syslog) and RFC3164 (BSD-syslog) formatted traffic. AxoRouter automatically recognizes and handles both formats.
      • 6514 TCP for TLS-encrypted syslog traffic.
      • 4317 TCP for OpenTelemetry log data.

      To receive data on other ports or other protocols, configure other connector rules for the AxoRouter host.

      For TLS-encrypted syslog connections, create a new connector rule or edit an existing one, and configure the keys and certificates needed to encrypt the connections. For details, see Syslog.

      Note Make sure to enable the ports you’re using on the firewall of your host.

      

4. Add the source to Axoflow Console.

   1. Open the Axoflow Console and select Topology.

   2. Select Create New Item > Source.

      • If the source is actively sending data to an AxoRouter instance, select Detected, then select your source.
      • Otherwise, select the vendor and product corresponding to your source from the Predefined sources, then enter the parameters of the source, like IP address and FQDN.
      Note During log tapping, you can add hosts that are actively sending data to an AxoRouter instance by clicking Register source.

   3. (Optional) Add custom labels as needed.

   4. Select Create.

Steps for SonicOS 6.x

Note: The steps involving the SonicWall user interface are just for your convenience, for details, see the official SonicWall documentation.

1. Log in to your SonicWall device. You need administrator privileges to perform the configuration.

2. Register the address of your AxoRouter as an Address Object.

   1. Select MANAGE > Policies > Objects > Address Objects.

   2. Click Add.

   3. Configure the following settings:

      • Name: Enter a name for the AxoRouter, for example, AxoRouter.
      • Zone Assignment: Select the correct zone.
      • Type: Select Host.
      • IP Address: Enter the IP address of your AxoRouter: %axorouter-ip%

   4. Click Add.

3. Set your AxoRouter as a syslog server.

   1. Navigate to MANAGE > Log Settings > SYSLOG.

   2. Click ADD.

   3. Configure the following options:

      • Syslog ID: Enter an ID for the firewall. This ID will be used as the hostname in the log messages.
      • Name or IP Address: Select the Address Object of AxoRouter.
      • Server Type: Select Syslog Server.
      • Enable the Enhanced Syslog Fields Settings.

   4. Click OK.

4. Add the source to Axoflow Console.

   1. Open the Axoflow Console and select Topology.

   2. Select Create New Item > Source.

      • If the source is actively sending data to an AxoRouter instance, select Detected, then select your source.
      • Otherwise, select the vendor and product corresponding to your source from the Predefined sources, then enter the parameters of the source, like IP address and FQDN.
      Note During log tapping, you can add hosts that are actively sending data to an AxoRouter instance by clicking Register source.

   3. (Optional) Add custom labels as needed.

   4. Select Create.

Labels

Axoflow automatically adds the following labels to data collected from this source:

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

Tested with: Dell SonicWall Add-on for Splunk technical add-on

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: SONIC_FIREWALL.

39 - Superna

39.1 - Eyeglass

Eyeglass: Manages and automates data protection, DR, and reporting for PowerScale environments.

The following sections show you how to configure Superna Eyeglass to send their log data to Axoflow.

Prerequisites

• You have administrative access to Superna Eyeglass.
• You have an AxoRouter deployed and configured with a webhook connector. This device is going to receive the data from Superna Eyeglass.

• You know the IP address the AxoRouter. To find it:

  1. Open the Axoflow Console.
  2. Select the Hosts or the Topology page.
  3. Click on AxoRouter instance that is going to receive the logs.
  4. Check the Networks > Address field.

Steps

Note: The steps involving the Superna Eyeglass user interface are just for your convenience, for details, see the official documentation.

1. Log in to Ransomware Defender and open the Zero Trust menu.

2. Click the plus sign to add a webhook target.

3. Set the parameters of the webhook.

   • Name: Enter a name for the webhook, for example, Axoflow.
   • URL: Enter the URL of the webhook connector of the AxoRouter instance where you want to post messages.
   • Event Severity Filter: Select the severities of the events that you want to forward to the webhook.
   • Lifecycle filter: Select the lifecycle changes that trigger a post message to the webhook.

4. Click Save, then the Test webhooks button. This will send a post message with a sample payload.

5. Add the source to Axoflow Console.

   1. Open the Axoflow Console and select Topology.

   2. Select Create New Item > Source.

      • If the source is actively sending data to an AxoRouter instance, select Detected, then select your source.
      • Otherwise, select the vendor and product corresponding to your source from the Predefined sources, then enter the parameters of the source, like IP address and FQDN.
      Note During log tapping, you can add hosts that are actively sending data to an AxoRouter instance by clicking Register source.

   3. (Optional) Add custom labels as needed.

   4. Select Create.

Labels

Axoflow automatically adds the following labels to data collected from this source:

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: SUPERNA_EYEGLASS.

40 - syslog-ng

By default, Axoflow treats syslog-ng sources as a generic syslog source.

• The easiest way to send data from syslog-ng to Axoflow is to configure it to send data to an AxoRouter instance using the syslog protocol.
• If you’re using syslog-ng Open Source Edition version 4.4 or newer, use the syslog-ng-otlp() driver to send data to AxoRouter using the OpenTelemetry Protocol.

Note that even if syslog-ng is acting as a relay (receiving data from other clients and forwarding them to AxoRouter), on the Topology page it will be displayed as a data source.

Prerequisites

• You have administrative access to the device running syslog-ng.
• The date, time, and time zone are correctly set on the appliance.
• You have an AxoRouter deployed and configured with a Syslog connector that has parsing and classification enabled (by default, every AxoRouter has such connectors). This device is going to receive the data from the source.

• You know the IP address the AxoRouter. To find it:

  1. Open the Axoflow Console.
  2. Select the Hosts or the Topology page.
  3. Click on AxoRouter instance that is going to receive the logs.
  4. Check the Networks > Address field.

41 - Thales

41.1 - Vormetric Data Security Platform

Vormetric Data Security Platform: Provides data encryption, key management, and access controls across cloud and on-premise environments.

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: VORMETRIC.

42 - Trellix

42.1 - Central Management System (CMS)

Central Management System (CMS): Centralized policy and configuration management platform for Trellix security products.

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: FIREEYE_CMS.

42.2 - Email Threat Prevention (ETP)

Email Threat Prevention (ETP): Analyzes and filters email traffic to block phishing, malware, and targeted email-based threats.

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: FIREEYE_ETP.

42.3 - Endpoint Security (HX)

Endpoint Security (HX): Detects and responds to advanced threats on endpoints using behavior-based analysis and threat intel.

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

Tested with: FireEye Add-on for Splunk Enterprise

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: FIREEYE_HX.

Earlier name/vendor

FireEye Endpoint Security (HX)

42.4 - ePolicy Orchestrator (EPO)

ePolicy Orchestrator (EPO): Analyzes and filters email traffic to block phishing, malware, and targeted email-based threats.

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: MCAFEE_EPO.

Earlier name/vendor

McAfee ePolicy Ochestrator (EPO)

42.5 - MPS

MPS: Appliance for detecting and blocking advanced threats through inline malware inspection.

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

43 - Trend Micro

43.1 - Deep Security Agent

Deep Security Agent: Provides anti-malware, intrusion prevention, and log inspection for cloud and on-prem servers.

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: TRENDMICRO_DEEP_SECURITY.

44 - Ubiquiti

44.1 - Unifi

Unifi: Manages network devices including routers, switches, and access points with centralized control.

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: UBIQUITI_SWITCH.

45 - Varonis

45.1 - DatAdvantage

DatAdvantage: Monitors data access and permissions to detect insider threats and automate compliance reporting.

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: VARONIS.

46 - Vectra AI

Earlier name/vendor

Vectra Cognito

46.1 - X-Series

X-Series: Detects and investigates cyberattacks across cloud, data center, and enterprise networks using AI.

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: VECTRA_DETECT.

47 - Zscaler appliances

47.1 - Zscaler Nanolog Streaming Service

Zscaler Nanolog Streaming Service: Cloud-based secure internet gateway that inspects traffic for threats and enforces policies.

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

Tested with: Zscaler Technical Add-On for Splunk

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: ZSCALER_INTERNET_ACCESS.

47.2 - Zscaler Log Streaming Service

Zscaler Log Streaming Service: Provides secure remote access to internal apps without exposing them to the public internet.

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

Tested with: Zscaler Technical Add-On for Splunk

Sending data to Google SecOps

When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: ZSCALER_ZPA, ZSCALER_ZPA_AUDIT.