You have administrative access to the source device or host.
You have an AxoRouter deployed and configured with a Syslog (autodetect and classify) connector. This device is going to receive the data from the source device or host.
You know the IP address the AxoRouter. To find it:
1. Open the Axoflow Console.
2. Select the Hosts or the Topology page.
3. Click on AxoRouter instance that is going to receive the logs.
4. Check the Networks > Address field.

Steps

To onboard a source that is specifically supported by Axoflow, complete the following steps. Onboarding allows you to collect metrics about the host, and display the host on the Topology page.

Open the Axoflow Console.
Select Topology.
Select + > Source.
If the source is already sending logs to an AxoRouter instance that is registered in the Axoflow Console, select Detected, then select the source.

Otherwise, select the type of the source you want to onboard, and follow the on-screen instructions.
Connect the source to the destination or AxoRouter instance it’s sending logs to.
1. Select Topology > + > Path.
2. Select your data source in the Source host field.
3. Select the target router or aggregator this source is sending its data to in the Target host field, for example, axorouter.
4. Select the Target connector. The connector determines how the destination receives the data (for example, using which protocol or port).
5. Select Create. The new path appears on the Topology page.
Configure the source to send logs to an AxoRouter instance. Specific instructions regarding individual vendors are listed below, along with default metadata (labels) and specific metadata for Splunk.
Note
Unless instructed otherwise, configure your source to send the logs to the Syslog (autodetect and classify) connector of AxoRouter, using the appropriate port. Use RFC5424 if the source supports it.
- 514 TCP and UDP for RFC3164 (BSD-syslog) formatted traffic.
- 601 TCP for RFC5424 (IETF-syslog) formatted traffic.
- 6514 TCP for TLS-encrypted syslog traffic.

1 - A10 Networks

1.1 - vThunder

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

label	value
vendor	a10networks
product	vthunder
format	cef

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

sourcetype	source	index
a10networks:vThunder:cef	a10networks:vThunder	netwaf

2 - Amazon

2.1 - CloudWatch

Axoflow can collect data from your Amazon CloudWatch. At a high level, the process looks like this:

Deploy an Axoflow Cloud Connector that will collect the data from your CloudWatch. Axoflow Cloud Connector is a simple container that you can deploy into AWS, another cloud provider, or on-prem.
The connector forwards the collected data to the OpenTelemetry connector of an AxoRouter instance. This AxoRouter can be deployed within AWS, another cloud provider, or on-prem.
Configure a Flow on Axoflow Console that processes and routes the collected data to your destination (for example, Splunk or another SIEM).

Prerequisites

An AWS account with an active subscription.
A virtual machine or Kubernetes node running to deploy Axoflow Cloud Connector on.
An AxoRouter instance that can receive data from the connector. Verify that it has an OpenTelemetry Connector (it’s enabled by default).
You know the IP address the AxoRouter. To find it:
1. Open the Axoflow Console.
2. Select the Hosts or the Topology page.
3. Click on AxoRouter instance that is going to receive the logs.
4. Check the Networks > Address field.
The Axoflow Cloud Connector must be able to access the AxoRouter on the port the OpenTelemetry Connector is listening on (by default, port 4317). Depending on where the Axoflow Cloud Connector and AxoRouter are deployed, you might need to adjust firewall and ingress/egress rules in your environment.
Depending on how you want to authenticate Axoflow Cloud Connector, you’ll need an AWS_PROFILE or AWS access keys.

Steps

To collect data from AWS CloudWatch, complete the following steps.

Deploy an Axoflow Cloud Connector.

Access the Kubernetes node or virtual machine where you want to deploy Axoflow Cloud Connector.
Set the following environment variable to the IP address of the AxoRouter where you want to forward the data from CloudWatch. This IP address must be accessible from the connector. You can find the IP address of AxoRouter on the Hosts > AxoRouter > Overview page.
```
export AXOROUTER_ENDPOINT=<AxoRouter-IP-address>
```
(Optional) By default, the connector stores positional and other persistence-related data in the /etc/axoflow-otel-collector/storage directory. In case you want to use a different directory, set the STORAGE_DIRECTORY environment variable.

Run the following command to generate a UUID for the connector. Axoflow Console will use this ID to identify the connector.

UUID_FULL=$(uuidgen 2>/dev/null || cat /proc/sys/kernel/random/uuid 2>/dev/null || python3 -c "import uuid; print(uuid.uuid4())")
export AXOCLOUDCONNECTOR_DEVICE_ID=$(echo "$UUID_FULL" | cut -d'-' -f1)

Set TLS encryption to secure the communication between Axoflow Cloud Connector and AxoRouter.

Configure the TLS-related settings of Axoflow Cloud Connector using the following environment variables.

Variable	Required	Default	Description
`AXOROUTER_TLS_INSECURE`	No	`false`	Disables TLS encryption if set to `true`
`AXOROUTER_TLS_INCLUDE_SYSTEM_CA_CERTS_POOL`	No	`false`	Set to `true` to use the system CA certificates
`AXOROUTER_TLS_CA_FILE`	No	-	Path to the CA certificate file used to validate the certificate of AxoRouter
`AXOROUTER_TLS_CA_PEM`	No	-	PEM-encoded CA certificate
`AXOROUTER_TLS_INSECURE_SKIP_VERIFY`	No	`false`	Set to `true` to disable TLS certificate verification of AxoRouter
`AXOROUTER_TLS_CERT_FILE`	No	-	Path to the certificate file of Axoflow Cloud Connector
`AXOROUTER_TLS_CERT_PEM`	No	-	PEM-encoded client certificate
`AXOROUTER_TLS_KEY_FILE`	No	-	Path to the client private key file of Axoflow Cloud Connector
`AXOROUTER_TLS_KEY_PEM`	No	-	PEM-encoded client private key
`AXOROUTER_TLS_MIN_VERSION`	No	`1.2`	Minimum TLS version to use
`AXOROUTER_TLS_MAX_VERSION`	No	-	Maximum TLS version to use

Note You’ll have to include the TLS-related environment variables you set in the docker command used to deploy Axoflow Cloud Connector.

Configure the authentication that the Axoflow Cloud Connector will use to access CloudWatch. Set the environment variables for the authentication method you want to use.
- AWS Profile with a configuration file: Set the region and the AWS_PROFILE
```
export AWS_PROFILE=""
export AWS_REGION=""
```
- AWS Credentials: To use AWS access keys, set an access key and a matching secret.
```
export AWS_ACCESS_KEY_ID=""
export AWS_SECRET_ACCESS_KEY=""
export AWS_REGION=""
```
- EC2 instance profile:
```
export AWS_REGION=""
```

Deploy the Axoflow Cloud Connector. The exact command depends on the authentication method and the TLS settings you want to configure.

AWS Profile with a configuration file: Set the region and the AWS_PROFILE. Also, pass the TLS-related settings you’ve set earlier.

docker run --rm \
-v "${STORAGE_DIRECTORY}":"${STORAGE_DIRECTORY}" \
-e AWS_PROFILE="${AWS_PROFILE}" \
-e AWS_REGION="${AWS_REGION}" \
-e AWS_SDK_LOAD_CONFIG=1 \
-e AXOROUTER_ENDPOINT="${AXOROUTER_ENDPOINT}" \
-e STORAGE_DIRECTORY="${STORAGE_DIRECTORY}" \
-e AXOCLOUDCONNECTOR_DEVICE_ID="${AXOCLOUDCONNECTOR_DEVICE_ID}" \
-e <TlS-related-environment-variable>="${<TlS-related-environment-variable>}" \
-v "${HOME}/.aws:/cloudconnectors/.aws:ro" \
ghcr.io/axoflow/axocloudconnectors:latest

AWS Credentials: To use AWS access keys, set an access key and a matching secret. Also, pass the TLS-related settings you’ve set earlier.

docker run --rm \
-v "${STORAGE_DIRECTORY}":"${STORAGE_DIRECTORY}" \
-e AWS_ACCESS_KEY_ID="${AWS_ACCESS_KEY_ID}" \
-e AWS_SECRET_ACCESS_KEY="${AWS_SECRET_ACCESS_KEY}" \
-e AWS_REGION="${AWS_REGION}" \
-e AXOROUTER_ENDPOINT="${AXOROUTER_ENDPOINT}" \
-e AXOCLOUDCONNECTOR_DEVICE_ID="${AXOCLOUDCONNECTOR_DEVICE_ID}" \
-e <TlS-related-environment-variable>="${<TlS-related-environment-variable>}" \
-e STORAGE_DIRECTORY="${STORAGE_DIRECTORY}" \
ghcr.io/axoflow/axocloudconnectors:latest

EC2 instance profile: Also, pass the TLS-related settings you’ve set earlier.

docker run --rm \
-v "${STORAGE_DIRECTORY}":"${STORAGE_DIRECTORY}" \
-e AWS_REGION="${AWS_REGION}" \
-e AXOROUTER_ENDPOINT="${AXOROUTER_ENDPOINT}" \
-e AXOCLOUDCONNECTOR_DEVICE_ID="${AXOCLOUDCONNECTOR_DEVICE_ID}" \
-e <TlS-related-environment-variable>="${<TlS-related-environment-variable>}" \
-e STORAGE_DIRECTORY="${STORAGE_DIRECTORY}" \
ghcr.io/axoflow/axocloudconnectors:latest

The Axoflow Cloud Connector starts forwarding logs to the AxoRouter instance.

Add the appliance to Axoflow Console.
1. Open the Axoflow Console and select Topology.
2. Select + > Source.
3. Select AWS CloudWatch.
4. Enter the IP address and the FQDN of the Axoflow Cloud Connector instance.
5. Select Create.
Create a Flow to route the data from the AxoRouter instance to a destination. You can use the Labels of this source to select messages from this source.

Labels

Axoflow automatically adds the following labels to data collected from this source:

label	value
vendor	amazon
product	aws-cloudwatch
format	otlp

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

sourcetype	index
aws:cloudwatchlogs	aws-activity

3 - Broadcom

3.1 - Edge Secure Web Gateway (Edge SWG)

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

label	value
vendor	broadcom
product	edge-swg

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

sourcetype	index
bluecoat:proxysg:access:syslog	netops
bluecoat:proxysg:access:kv	netproxy

Earlier name/vendor

Blue Coat Proxy
Blue Coat ProxySG
Symantec ProxySG
Symantec Edge Secure Web Gateway
Symantec Edge SWG

3.2 - NSX

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Configure your NSX appliances, NSX Edges, and hypervisors to send their logs to the Syslog (autodetect and classify) connector of an AxoRouter instance. Use either:

The TCP protocol (port 601 when using the default connector), or
TLS-encrypted TCP protocol (port 6514 when using the default connector)

For details on configuring NSX, see Configure Remote Logging in the NSX Administration Guide.

Labels

Axoflow automatically adds the following labels to data collected from this source:

label	value
vendor	broadcom
product	nsx

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

sourcetype	index
vmware:nsxlog:dfwpktlogs	netfw
vmware:nsxlog:firewall-pktlog	netfw
vmware:nsxlog:nsx	infraops
vmware:nsxlog:nsxv	infraops

Earlier name/vendor

VMware NSX
NSX-T Data Center

4 - Check Point

4.1 - Anti-Bot

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

label	value
vendor	checkpoint
product	anti-bot

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

sourcetype	source	index
cp_log	checkpoint:endpoint	netops

4.2 - Anti-Malware

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

label	value
vendor	checkpoint
product	anti-malware

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

sourcetype	source	index
cp_log	checkpoint:endpoint	netops

4.3 - Anti-Phishing

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

label	value
vendor	checkpoint
product	anti-phishing

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

sourcetype	source	index
cp_log	checkpoint:email	email

4.4 - Anti-Spam and Email Security

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

label	value
vendor	checkpoint
product	antispam-emailsecurity

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

sourcetype	source	index
cp_log	checkpoint:email	email

4.5 - CPMI Client

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

label	value
vendor	checkpoint
product	cpmi-client

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

sourcetype	index
cp_log	netops

4.6 - cpmidu_update_tool

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

label	value
vendor	checkpoint
product	cpmidu-update-tool

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

sourcetype	source	index
cp_log	checkpoint:audit	netops

4.7 - Database Tool

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

label	value
vendor	checkpoint
product	database-tool

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

sourcetype	source	index
cp_log	checkpoint:audit	netops

4.8 - Edge Secure Web Gateway (Edge SWG)

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

label	value
vendor	checkpoint
product	ios-profiles

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

sourcetype	source	index
cp_log	checkpoint:network	netops

4.9 - Endpoint Compliance

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

label	value
vendor	checkpoint
product	endpoint-compliance

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

sourcetype	source	index
cp_log	checkpoint:endpoint	netops

4.10 - Endpoint Management

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

label	value
vendor	checkpoint
product	endpoint-management

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

sourcetype	source	index
cp_log	checkpoint:endpoint	netops

4.11 - Forensics

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

label	value
vendor	checkpoint
product	forensics

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

sourcetype	source	index
cp_log	checkpoint:endpoint	netops

4.12 - GO Password Reset

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

label	value
vendor	checkpoint
product	go-password-reset

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

sourcetype	source	index
cp_log	checkpoint:audit	netops

4.13 - HTTPS Inspection

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

label	value
vendor	checkpoint
product	https-inspection

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

sourcetype	source	index
cp_log	checkpoint:firewall	netfw

4.14 - IPS

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

label	value
vendor	checkpoint
product	ips

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

sourcetype	source	index
cp_log	checkpoint:ids	netids

4.15 - MDS Query Tool

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

label	value
vendor	checkpoint
product	mds-query-tool

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

sourcetype	index
cp_log	netops

4.16 - Media Encryption & Port Protection

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

label	value
vendor	checkpoint
product	media-port

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

sourcetype	source	index
cp_log	checkpoint:endpoint	netops

4.17 - Mobile Access

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

label	value
vendor	checkpoint
product	mobile-access

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

sourcetype	source	index
cp_log	checkpoint:network	netops

4.18 - Next-Generation Firewall (NGFW)

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

label	value
vendor	checkpoint
product	firewall

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

sourcetype	source	index
cp_log	checkpoint:firewall	netfw

4.19 - QoS

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

label	value
vendor	checkpoint
product	qos

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

sourcetype	source	index
cp_log	checkpoint:firewall	netfw

4.20 - Quantum

If you’d like to send data from this source to AxoRouter, contact our support team for details.

4.21 - Query Database

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

label	value
vendor	checkpoint
product	query-database

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

sourcetype	source	index
cp_log	checkpoint:audit	netops

4.22 - SmartConsole

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

label	value
vendor	checkpoint
product	smartconsole

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

sourcetype	source	index
cp_log	checkpoint:audit	netops

4.23 - SmartUpdate

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

label	value
vendor	checkpoint
product	smartupdate

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

sourcetype	source	index
cp_log	checkpoint:audit	netops

4.24 - Threat Emulation and Anti-Exploit

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

label	value
vendor	checkpoint
product	threat-emulation

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

sourcetype	source	index
cp_log	checkpoint:endpoint	netops

4.25 - URL Filtering

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

label	value
vendor	checkpoint
product	url-filtering

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

sourcetype	source	index
cp_log	checkpoint:firewall	netfw

4.26 - Web API

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

label	value
vendor	checkpoint
product	web-api

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

sourcetype	source	index
cp_log	checkpoint:audit	netops

5 - Cisco

5.1 - Access Control System (ACS)

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

label	value
vendor	cisco
product	acs

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

sourcetype	index
cisco:acs	netauth

5.2 - Adaptive Security Appliance (ASA)

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

label	value
vendor	cisco
product	asa
format	text-plain

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

sourcetype	index
cisco:asa	netfw

5.3 - Application Control Engine (ACE)

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

label	value
vendor	cisco
product	ace
format	text-plain

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

sourcetype	index
cisco:ace	netops

5.4 - Cisco IOS

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

label	value
vendor	cisco
product	ios
format	text-plain

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

sourcetype	index
cisco:ios	netops

5.5 - Digital Network Architecture (DNA)

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

label	value
vendor	cisco
product	dna
format	text-plain

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

sourcetype	index
cisco:dna	netops

5.6 - Email Security Appliance (ESA)

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

label	value
vendor	cisco
product	esa
format	text-plain \| cef

Note that the device can be configured to send plain syslog text or CEF-formatted output.

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype, index, and source settings:

sourcetype	index	source
cisco:esa:http	email	esa:http
cisco:esa:textmail	email	esa:textmail
cisco:esa:amp	email	esa:amp
cisco:esa:antispam	email	esa:antispam
cisco:esa:system_logs	email	esa:system_logs
cisco:esa:system_logs	email	esa:euq_logs
cisco:esa:system_logs	email	esa:service_logs
cisco:esa:system_logs	email	esa:reportd_logs
cisco:esa:system_logs	email	esa:sntpd_logs
cisco:esa:system_logs	email	esa:smartlicense
cisco:esa:error_logs	email	esa:error_logs
cisco:esa:error_logs	email	esa:updater_logs
cisco:esa:content_scanner	email	esa:content_scanner
cisco:esa:authentication	email	esa:authentication
cisco:esa:http	email	esa:http
cisco:esa:textmail	email	esa:textmail
cisco:esa:amp	email	esa:amp
cisco:esa	email	program: <variable>
cisco:esa:cef	email	esa:consolidated

Tested with: Splunk Add-on for Cisco ESA

5.7 - Firepower

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

label	value
vendor	cisco
product	firepower
format	text-plain

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

sourcetype	index
cisco:firepower:syslog	netids

5.8 - Firepower Threat Defence (FTD)

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

label	value
vendor	cisco
product	ftd
format	text-plain

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

sourcetype	index
cisco:ftd	netfw

5.9 - Firewall Services Module (FWSM)

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

label	value
vendor	cisco
product	fwsm
format	text-plain

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

sourcetype	index
cisco:fwsm	netfw

5.10 - HyperFlex (HX, UCSH)

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

label	value
vendor	cisco
product	ucsh
format	text-plain

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

sourcetype	index
cisco:ucsh:hx	infraops

5.11 - Identity Services Engine (ISE)

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

For details on configuring your Identity Services Engine to forward its logs to an AxoRouter instance, see Configure Remote Syslog Collection Locations in Cisco Identity Services Engine (ISE) Administrator Guide.

Labels

Axoflow automatically adds the following labels to data collected from this source:

label	value
vendor	cisco
product	ise

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

sourcetype	index
cisco:ise:syslog	netauth

5.12 - Integrated Management Controller (IMC)

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

label	value
vendor	cisco
product	cimc
format	text-plain

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

sourcetype	index
cisco:cimc	infraops

5.13 - IOS XR

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

label	value
vendor	cisco
product	xr
format	text-plain

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

sourcetype	index
cisco:xr	netops

5.14 - Meraki MX

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

label	value
vendor	cisco
product	meraki
format	text-plain

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

sourcetype	index
cisco:meraki	netfw

Tested with: TA-meraki

5.15 - Private Internet eXchange (PIX)

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

label	value
vendor	cisco
product	pix
format	text-plain

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

sourcetype	index
cisco:pix	netfw

5.16 - TelePresence Video Communication Server (VCS)

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

label	value
vendor	cisco
product	tvcs
format	text-plain

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

sourcetype	index
cisco:tvcs	main

5.17 - Unified Computing System Manager (UCSM)

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

label	value
vendor	cisco
product	ucsm
format	text-plain

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

sourcetype	index
cisco:ucs	infraops

5.18 - Unified Communications Manager (UCM)

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

label	value
vendor	cisco
product	ucm
format	text-plain

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

sourcetype	index
cisco:ucm	netops

5.19 - Viptela

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

label	value
vendor	cisco
product	viptela
format	text-plain

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

sourcetype	index
cisco:viptela	netops

6 - Citrix

6.1 - Netscaler

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

label	value
vendor	citrix
product	netscaler
format	text-plain
format	cef

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

sourcetype	index
citrix:netscaler:appfw:cef	netfw
citrix:netscaler:syslog	netfw
citrix:netscaler:appfw	netfw

7 - Corelight

7.1 - Open Network Detection & Response (NDR)

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

label	value
vendor	corelight
product	ndr-platform

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype, source, and index settings:

sourcetype	index
corelight_alerts	main
corelight_conn	main
corelight_corelight	main
corelight_corelight_metrics_bro	main
corelight_corelight_metrics_iface	main
corelight_dhcp	main
corelight_dpd	main
corelight_etc_viz	main
corelight_evt_all	main
corelight_evt_http	main
corelight_evt_suri	main
corelight_files	main
corelight_ftp	main
corelight_http	main
corelight_http_red	main
corelight_idx	main
corelight_irc	main
corelight_kerberos	main
corelight_metrics_bro	main
corelight_metrics_iface	main
corelight_rdp	main
corelight_smb	main
corelight_smb_files	main
corelight_socks	main
corelight_ssh	main
corelight_ssh_red	main
corelight_ssl	main
corelight_st_base	main
corelight_suri	main
corelight_suricata_corelight	main
corelight_x509	main

8 - CyberArk

8.1 - Privileged Threat Analytics (PTA)

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

label	value
vendor	cyberark
product	pta
format	cef

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

sourcetype	index
cyberark:pta:cef	main

8.2 - Vault

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

label	value
vendor	cyberark
product	vault
format	cef

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

sourcetype	index
cyberark:epv:cef	netauth

9 - F5 Networks

9.1 - BIG-IP

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

label	value
vendor	f5
product	bigip
format	text-plain \| JSON \| kv

Note that the device can be configured to send plain syslog text, JSON, or key-value pairs.

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

sourcetype	index
f5:bigip:syslog	netops
f5:bigip:ltm:access_json	netops
f5:bigip:asm:syslog	netops
f5:bigip:apm:syslog	netops
f5:bigip:ltm:ssl:error	netops
f5:bigip:ltm:tcl:error	netops
f5:bigip:ltm:traffic	netops
f5:bigip:ltm:log:error	netops
f5:bigip:gtm:dns:request:irule	netops
f5:bigip:gtm:dns:response:irule	netops
f5:bigip:ltm:http:irule	netops
f5:bigip:ltm:failed:irule	netops
nix:syslog	netops

Tested with: Splunk Add-on for F5 BIG-IP

10 - FireEye

11 - Forcepoint

11.1 - Email Security

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

label	value
vendor	forcepoint
product	email

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype, source, and index settings:

sourcetype	index
forcepoint:email:cef	email
forcepoint:email:kv	email
forcepoint:email:leef	email

Earlier name/vendor

Websense Email Security

11.2 - Next-Generation Firewall (NGFW)

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

label	value
vendor	forcepoint
product	firewall

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype, source, and index settings:

sourcetype	index
websense:cg:cef	netproxy

Earlier name/vendor

Websense Webprotect
Forcepoint Webprotect
Forcepoint Secure Web Gateway

11.3 - WebProtect

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

label	value
vendor	forcepoint
product	webprotect

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype, source, and index settings:

sourcetype	index
websense:cg:cef	netproxy
websense:cg:kv	netproxy
websense:cg:leef	netproxy

Earlier name/vendor

Websense Firewall

12 - Fortinet

12.1 - FortiGate firewalls

The following sections show you how to configure FortiGate Next-Generation Firewall (NGFW) to send their log data to Axoflow.

CAUTION:

Make sure to set data forwarding on your appliances/servers as described in this guide. Different settings like alternate message formats or ports might be valid, but can result in data loss or incorrect parsing.

Prerequisites

You have administrative access to the firewall.
The date, time, and time zone are correctly set on the firewall.
You have an AxoRouter deployed and configured. This device is going to receive the logs from the firewall.
You know the IP address the AxoRouter. To find it:
1. Open the Axoflow Console.
2. Select the Hosts or the Topology page.
3. Click on AxoRouter instance that is going to receive the logs.
4. Check the Networks > Address field.

Steps

Note: The steps involving the FortiGate user interface are just for your convenience, for details, see the official FortiGate documentation.

Log in to your FortiGate device. You need administrator privileges to perform the configuration.
Register the address of your AxoRouter as an Address Object.
1. Select Log & Report > Log Settings > Global Settings.
2. Configure the following settings:
  - Event Logging: Click All.
  - Local traffic logging: Click All.
  - Syslog logging: Enable this option.
  - IP address/FQDN: Enter the address of your AxoRouter: %axorouter-ip%
3. Click Apply.
Add the source to Axoflow Console.
1. Open the Axoflow Console and select Topology.
2. Select + > Source.
  - If the source is actively sending data to an AxoRouter instance, select Detected, then select your source.
  - Otherwise, select the vendor and product corresponding to your source from the Predefined sources, then enter the parameters of the source, like IP address and FQDN.
  Note During log tapping, you can add hosts that are actively sending data to an AxoRouter instance by clicking Register source.
3. (Optional) Add custom labels as needed.
4. Select Create.

Labels

Axoflow automatically adds the following labels to data collected from this source:

label	value
vendor	fortinet
product	fortigate
format	kv

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

sourcetype	index
fortigate_event	netops
fortigate_traffic	netfw
fortigate_utm	netfw

Tested with: Fortinet FortiGate Add-On for Splunk technical add-on

12.2 - FortiMail

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

label	value
vendor	fortinet
product	fortimail
format	kv

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

sourcetype	index
fml:log	email

Tested with: FortiMail Add-on for Splunk technical add-on

12.3 - FortiWeb

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

label	value
vendor	fortinet
product	fortiweb
product	kv

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

sourcetype	index
fwb_log	netops
fwb_attack	netids
fwb_event	netops
fwb_traffic	netfw

Tested with: Fortinet FortiWeb Add-0n for Splunk technical add-on

13 - Fortra

13.1 - Powertech SIEM Agent for IBM i

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

label	value
vendor	forta
product	powertech-siem-agent
format	cef
format	leef

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype, source, and index settings:

sourcetype	source	index
PowerTech:SIEMAgent:cef	PowerTech:SIEMAgent	netops
PowerTech:SIEMAgent:leef	PowerTech:SIEMAgent	netops

Earlier name/vendor

Powertech Interact

14 - Imperva

14.1 - Incapsula

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

label	value
vendor	imperva
product	incapsula
format	cef

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype, source, and index settings:

sourcetype	source	index
cef	Imperva:Incapsula	netwaf

14.2 - SecureSphere

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

label	value
vendor	imperva
product	securesphere
format	cef

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype, source, and index settings:

sourcetype	index
imperva:waf:firewall:cef	netwaf
imperva:waf:security:cef	netwaf
imperva:waf	netwaf

15 - Infoblox

15.1 - NIOS

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

label	value
vendor	infloblox
product	nios
format	cef

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

sourcetype	index	source
infoblox:threatprotect	netids	Infoblox:NIOS
infoblox:dns	netids	Infoblox:NIOS

Tested with: Splunk Add-on for Infoblox

16 - Internet Systems Consortium (ISC)

16.1 - DHCPd

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

label	value
vendor	isc
product	dhcpd

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

sourcetype	index	source
isc:dhcpd	netipam	program:dhcpd

17 - Ivanti

17.1 - Connect secure

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

label	value
vendor	ivanti
product	connect-secure

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype, source, and index settings:

sourcetype	source	index
pulse:connectsecure		netfw
pulse:connectsecure:web		netproxy

Earlier name/vendor

Pulse Connect Secure

18 - Juniper

18.1 - Junos OS

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

label	value
vendor	juniper
product	junos
format	text-plain

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

sourcetype	index
juniper:junos:aamw:structured	netfw
juniper:junos:firewall	netfw
juniper:junos:firewall	netids
juniper:junos:firewall:structured	netfw
juniper:junos:firewall:structured	netids
juniper:junos:idp	netids
juniper:junos:idp:structured	netids
juniper:legacy	netops
juniper:junos:secintel:structured	netfw
juniper:junos:snmp	netops
juniper:structured	netops

Tested with: Splunk Add-on for Juniper

19 - Kaspersky

19.1 - Endpoint Security

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

label	value
vendor	kaspersky
product	endpoint_security
format	text-plain \| cef \| leef

Note that the device can be configured to send plain syslog text, LEEF, or CEF-formatted output.

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

sourcetype	index
kaspersky:cef	epav
kaspersky:es	epav
kaspersky:gnrl	epav
kaspersky:klau	epav
kaspersky:klbl	epav
kaspersky:klmo	epav
kaspersky:klna	epav
kaspersky:klpr	epav
kaspersky:klsr	epav
kaspersky:leef	epav
kaspersky:sysl	epav

20 - MicroFocus

21 - Microsoft

21.1 - Azure Event Hubs

Axoflow can collect data from your Azure Event Hubs. At a high level, the process looks like this:

Deploy an Axoflow Cloud Connector that will collect the data from your Event Hub. Axoflow Cloud Connector is a simple container that you can deploy into Azure, another cloud provider, or on-prem.
The connector forwards the collected data to the OpenTelemetry connector of an AxoRouter instance. This AxoRouter can be deployed within Azure, another cloud provider, or on-prem.
Configure a Flow on Axoflow Console that processes and routes the collected data to your destination (for example, Splunk or another SIEM).

Prerequisites

An Azure account with an active subscription.
A virtual machine or Kubernetes node running to deploy Axoflow Cloud Connector on.
An AxoRouter instance that can receive data from the connector. Verify that it has an OpenTelemetry Connector (it’s enabled by default).
You know the IP address the AxoRouter. To find it:
1. Open the Axoflow Console.
2. Select the Hosts or the Topology page.
3. Click on AxoRouter instance that is going to receive the logs.
4. Check the Networks > Address field.
The Axoflow Cloud Connector must be able to access the AxoRouter on the port the OpenTelemetry Connector is listening on (by default, port 4317). Depending on where the Axoflow Cloud Connector and AxoRouter are deployed, you might need to adjust firewall and ingress/egress rules in your environment.
An Event Hubs connection string.

Steps

To collect data from Azure Event Hubs, complete the following steps.

Deploy an Axoflow Cloud Connector into Azure.

Access the Kubernetes node or virtual machine.
Set the following environment variable to the IP address of the AxoRouter where you want to forward the data from Event Hubs. This IP address must be accessible from the connector. You can find the IP address of AxoRouter on the Hosts > AxoRouter > Overview page.
```
export AXOROUTER_ENDPOINT=<AxoRouter-IP-address>
```
(Optional) By default, the connector stores positional and other persistence-related data in the /etc/axoflow-otel-collector/storage directory. In case you want to use a different directory, set the STORAGE_DIRECTORY environment variable.

Run the following command to generate a UUID for the connector. Axoflow Console will use this ID to identify the connector.

UUID_FULL=$(uuidgen 2>/dev/null || cat /proc/sys/kernel/random/uuid 2>/dev/null || python3 -c "import uuid; print(uuid.uuid4())")
export AXOCLOUDCONNECTOR_DEVICE_ID=$(echo "$UUID_FULL" | cut -d'-' -f1)

Set TLS encryption to secure the communication between Axoflow Cloud Connector and AxoRouter.

Configure the TLS-related settings of Axoflow Cloud Connector using the following environment variables.

Variable	Required	Default	Description
`AXOROUTER_TLS_INSECURE`	No	`false`	Disables TLS encryption if set to `true`
`AXOROUTER_TLS_INCLUDE_SYSTEM_CA_CERTS_POOL`	No	`false`	Set to `true` to use the system CA certificates
`AXOROUTER_TLS_CA_FILE`	No	-	Path to the CA certificate file used to validate the certificate of AxoRouter
`AXOROUTER_TLS_CA_PEM`	No	-	PEM-encoded CA certificate
`AXOROUTER_TLS_INSECURE_SKIP_VERIFY`	No	`false`	Set to `true` to disable TLS certificate verification of AxoRouter
`AXOROUTER_TLS_CERT_FILE`	No	-	Path to the certificate file of Axoflow Cloud Connector
`AXOROUTER_TLS_CERT_PEM`	No	-	PEM-encoded client certificate
`AXOROUTER_TLS_KEY_FILE`	No	-	Path to the client private key file of Axoflow Cloud Connector
`AXOROUTER_TLS_KEY_PEM`	No	-	PEM-encoded client private key
`AXOROUTER_TLS_MIN_VERSION`	No	`1.2`	Minimum TLS version to use
`AXOROUTER_TLS_MAX_VERSION`	No	-	Maximum TLS version to use

Note You’ll have to include the TLS-related environment variables you set in the docker command used to deploy Axoflow Cloud Connector.

Set the AZURE_EVENTHUB_CONNECTION_STRING environment variable.

export AZURE_EVENTHUB_CONNECTION_STRING="Endpoint=sb://<NamespaceName>.servicebus.windows.net/;SharedAccessKeyName=<KeyName>;SharedAccessKey=<KeyValue>;EntityPath=<EventHubName>"

Deploy the Axoflow Cloud Connector by running the following command. Also, pass the TLS-related settings you’ve set earlier.

docker run --rm \
-v "${STORAGE_DIRECTORY}":"${STORAGE_DIRECTORY}" \
-e AZURE_EVENTHUB_CONNECTION_STRING="${AZURE_EVENTHUB_CONNECTION_STRING}" \
-e AXOROUTER_ENDPOINT="${AXOROUTER_ENDPOINT}" \
-e STORAGE_DIRECTORY="${STORAGE_DIRECTORY}" \
-e <TlS-related-environment-variable>="${<TlS-related-environment-variable>}" \
-e AXOCLOUDCONNECTOR_DEVICE_ID="${AXOCLOUDCONNECTOR_DEVICE_ID}" \
ghcr.io/axoflow/axocloudconnectors:latest

The Axoflow Cloud Connector starts forwarding logs to the AxoRouter instance.

Add the appliance to Axoflow Console.
1. Open the Axoflow Console and select Topology.
2. Select + > Source.
3. Select Azure Event Hubs.
4. Enter the IP address and the FQDN of the Axoflow Cloud Connector instance.
5. Select Create.
Create a Flow to route the data from the AxoRouter instance to a destination. You can use the Labels of this source to select messages from this source.

Labels

Axoflow automatically adds the following labels to data collected from this source:

label	value
vendor	microsoft
product	azure-event-hubs
format	otlp

Event Hubs Audit logs labels

label	value
vendor	microsoft
product	azure-event-hubs-audit
format	otlp

Event Hubs Provisioning logs labels

label	value
vendor	microsoft
product	azure-event-hubs-provisioning
format	otlp

label	value
vendor	microsoft
product	azure-event-hubs-signin
format	otlp

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

sourcetype	index
mscs:azure:eventhub:log	azure-activity

Configure the TLS-related settings of Axoflow Cloud Connector using the following environment variables.

Variable	Required	Default	Description
`AXOROUTER_TLS_INSECURE`	No	`false`	Disables TLS encryption if set to `true`
`AXOROUTER_TLS_INCLUDE_SYSTEM_CA_CERTS_POOL`	No	`false`	Set to `true` to use the system CA certificates
`AXOROUTER_TLS_CA_FILE`	No	-	Path to the CA certificate file used to validate the certificate of AxoRouter
`AXOROUTER_TLS_CA_PEM`	No	-	PEM-encoded CA certificate
`AXOROUTER_TLS_INSECURE_SKIP_VERIFY`	No	`false`	Set to `true` to disable TLS certificate verification of AxoRouter
`AXOROUTER_TLS_CERT_FILE`	No	-	Path to the certificate file of Axoflow Cloud Connector
`AXOROUTER_TLS_CERT_PEM`	No	-	PEM-encoded client certificate
`AXOROUTER_TLS_KEY_FILE`	No	-	Path to the client private key file of Axoflow Cloud Connector
`AXOROUTER_TLS_KEY_PEM`	No	-	PEM-encoded client private key
`AXOROUTER_TLS_MIN_VERSION`	No	`1.2`	Minimum TLS version to use
`AXOROUTER_TLS_MAX_VERSION`	No	-	Maximum TLS version to use

21.2 - Cloud App Security (MCAS)

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

label	value
vendor	microsoft
product	cas
format	cef

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

sourcetype	source	index
cef	microsoft:cas	main

21.3 - Windows hosts

To collect event logs from Microsoft Windows hosts, Axoflow supports both agent-based and agentless methods.

For a collector agent, we recommend using the Axoflow OpenTelemetry Collector distribution. For details, see Windows host - agent based solution.
To use an agentless solution, see Windows Event Collector (WEC).

Labels

Labels assigned to data received from Windows hosts depend on how AxoRouter receives the data. For details, see Windows host - agent based solution and Windows Event Collector (WEC).

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

sourcetype	index
windows:eventlog:snare	oswin
windows:eventlog:xml	oswin

22 - MikroTik

22.1 - RouterOS

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

label	value
vendor	mikrotik
product	routeros
format	text-plain

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

sourcetype	index
routeros	netfw
routeros	netops

23 - NetFlow Logic

23.1 - NetFlow Optimizer

The following sections show you how to configure NetFlow Optimizer to send their log data to Axoflow.

CAUTION:

Prerequisites

You have administrative access to NetFlow Optimizer.
You have an AxoRouter deployed and configured with a Syslog (autodetect and classify) connector. This device is going to receive the data from NetFlow Optimizer.
You know the IP address the AxoRouter. To find it:
1. Open the Axoflow Console.
2. Select the Hosts or the Topology page.
3. Click on AxoRouter instance that is going to receive the logs.
4. Check the Networks > Address field.

Steps

Note: The steps involving the NetFlow Optimizer user interface are just for your convenience, for details, see the official documentation.

Log in to NetFlow Optimizer.
Select Outputs, then click the plus sign to add an output to NetFlow Optimizer.
Configure a Syslog (UDP) output:
- Name: Enter a name for the output, for example, Axoflow.
- Address: The IP address of the AxoRouter instance where you want to send the messages.
- Port: Set this parameter to 514.
Click Save.
Add the source to Axoflow Console.
1. Open the Axoflow Console and select Topology.
2. Select + > Source.
  - If the source is actively sending data to an AxoRouter instance, select Detected, then select your source.
  - Otherwise, select the vendor and product corresponding to your source from the Predefined sources, then enter the parameters of the source, like IP address and FQDN.
  Note During log tapping, you can add hosts that are actively sending data to an AxoRouter instance by clicking Register source.
3. (Optional) Add custom labels as needed.
4. Select Create.

Labels

Axoflow automatically adds the following labels to data collected from this source:

label	value
vendor	netflow
product	optimizer

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

sourcetype	index
flowintegrator	flowintegrator

24 - Netgate

24.1 - pfSense

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

label	value
vendor	netgate
product	pfsense
format	csv \| text-plain

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

sourcetype	index
pfsense:filterlog	netfw
pfsense:<program>	netops

The pfsense:<program> variant is simply a generic linux event that is generated by the underlying OS on the appliance.

Tested with: TA-pfsense

25 - Netmotion

25.1 - Netmotion

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

label	value
vendor	netmotion
product	netmotion
format	text-plain

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

sourcetype	index
netmotion:reporting	netops
netmotion:mobilityserver:nm_mobilityanalyticsappdata	netops

26 - NETSCOUT

26.1 - Arbor Edge Defense (AED)

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

label	value
vendor	netscout
product	arbor-edge
format	cef

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype, source, and index settings:

sourcetype	source	index
netscout:aed	netscout:aed	netids

26.2 - Arbor Pravail (APS)

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

label	value
vendor	netscout
product	arbor-pravail

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype, source, and index settings:

sourcetype	source	index
netscout:aps	netscout:aps	netids

Earlier name/vendor

Arbor Networks Pravail (APS)

27 - OpenText

27.1 - ArcSight

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

label	value
vendor	opentext
product	arcsight
format	cef

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype, source, and index settings:

sourcetype	source	index
cef	ArcSight:ArcSight	main

Earlier name/vendor

MicroFocus ArcSight

27.2 - Self Service Password Reset (SSPR)

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

label	value
vendor	opentext
product	sspr

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype, source, and index settings:

sourcetype	index
sspr	netauth

Earlier name/vendor

NetIQ Self Service Password Reset

28 - Palo Alto Networks

28.1 - Cortex XSOAR

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

label	value
vendor	palo-alto-networks
product	cortex-xsoar
format	cef

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype, source, and index settings:

sourcetype	source	index
cef	tim:cef	infraops

Earlier name/vendor

Threat Intelligence Management (TIM)

28.2 - Palo Alto firewalls

The following sections show you how to configure Palo Alto Networks Next-Generation Firewall devices to send their log data to Axoflow.

CAUTION:

Prerequisites

You have administrative access to the firewall.
The date, time, and time zone are correctly set on the firewall.
You have an AxoRouter deployed and configured. This device is going to receive the logs from the firewall.
You know the IP address the AxoRouter. To find it:
1. Open the Axoflow Console.
2. Select the Hosts or the Topology page.
3. Click on AxoRouter instance that is going to receive the logs.
4. Check the Networks > Address field.

Steps

Note: The steps involving the Palo Alto Networks Next-Generation Firewall user interface are just for your convenience, for details, see the official PAN-OS® documentation.

Log in to your firewall device. You need administrator privileges to perform the configuration.
Configure a Syslog server profile.
1. Select Device > Server Profiles > Syslog.
2. Click Add and enter a Name for the profile, for example, axorouter.
3. Configure the following settings:
  - Syslog Server: Enter the IP address of your AxoRouter: %axorouter-ip%
  - Transport: Select TCP or TLS.
  - Port: Set the port to 601. (This is needed for the recommended IETF log format. If for some reason you need to use the BSD format, set the port to 514.)
  - Format: Select IETF.
  - Syslog logging: Enable this option.
4. Click OK.
Configure syslog forwarding for Traffic, Threat, and WildFire Submission logs. For details, see Configure Log Forwarding the official PAN-OS® documentation.
1. Select Objects > Log Forwarding.
2. Click Add.
3. Enter a Name for the profile, for example, axoflow.
4. For each log type, severity level, or WildFire verdict, select the Syslog server profile.
5. Click OK.
6. Assign the log forwarding profile to a security policy to trigger log generation and forwarding.
7. Select Policies > Security and select a policy rule.
8. Select Actions, then select the Log Forwarding profile you created (for example, axoflow).
9. For Traffic logs, select one or both of the Log at Session Start and Log At Session End options.
10. Click OK.
Configure syslog forwarding for System, Config, HIP Match, and Correlation logs.
1. Select Device > Log Settings.
2. For System and Correlation logs, select each Severity level, select the Syslog server profile, and click OK.
3. For Config, HIP Match, and Correlation logs, edit the section, select the Syslog server profile, and click OK.
Click Commit.
Add the source to Axoflow Console.
1. Open the Axoflow Console and select Topology.
2. Select + > Source.
  - If the source is actively sending data to an AxoRouter instance, select Detected, then select your source.
  - Otherwise, select the vendor and product corresponding to your source from the Predefined sources, then enter the parameters of the source, like IP address and FQDN.
  Note During log tapping, you can add hosts that are actively sending data to an AxoRouter instance by clicking Register source.
3. (Optional) Add custom labels as needed.
4. Select Create.

Labels

Axoflow automatically adds the following labels to data collected from this source:

label	value
vendor	palo-alto-networks
product	panos

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

sourcetype	index
pan:audit	netops
pan:globalprotect	netfw
pan:hipmatch	epintel
pan:traffic	netfw
pan:threat	netproxy
pan:system	netops

Tested with: Palo Alto Networks Add-on for Splunk technical add-on

29 - Powertech

30 - Progress

30.1 - Flowmon Anomaly Detection System (ADS)

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

label	value
vendor	progress
product	flowmon-ads

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

sourcetype	index
flowmon-ads	netids

Earlier name/vendor

Flowmon Networks

31 - Riverbed

31.1 - SteelConnect

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

label	value
vendor	riverbed
product	steelconnect

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

sourcetype	index
riverbed:syslog	netops

31.2 - SteelHead

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

label	value
vendor	riverbed
product	steelhead

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

sourcetype	index
riverbed:steelhead	netops

32 - RSA

32.1 - Authentication Manager

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

label	value
vendor	rsa
product	authentication-manager

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

sourcetype	index
rsa:securid:admin:syslog	netauth
rsa:securid:system:syslog	netauth
rsa:securid:runtime:syslog	netauth
rsa:securid:syslog	netauth

33 - rsyslog

Axoflow treats rsyslog sources as a generic syslog source. To send data from rsyslog to Axoflow, just configure rsyslog to send data to an AxoRouter instance using the syslog protocol.

Note that even if rsyslog is acting as a relay (receiving data from other clients and forwarding them to AxoRouter), on the Topology page it will be displayed as a data source.

Prerequisites

You have administrative access to the device running rsyslog.
The date, time, and time zone are correctly set on the appliance.
You have an AxoRouter deployed and configured. This device is going to receive the logs from the appliance.
You know the IP address the AxoRouter. To find it:
1. Open the Axoflow Console.
2. Select the Hosts or the Topology page.
3. Click on AxoRouter instance that is going to receive the logs.
4. Check the Networks > Address field.

34 - SecureAuth

34.1 - Identity Platform

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

label	value
vendor	secureauth
product	idp

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

sourcetype	index
secureauth:idp	netops

Tested with: SecureAuth IdP Splunk App

35 - Skyhigh Security

35.1 - Secure Web Gateway

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

label	value
vendor	skyhigh
product	secure-web-gateway

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

sourcetype	source	index
mcafee:wg:leef	mcafee:wg	netproxy
mcafee:wg:kv	mcafee:wg	netproxy

Earlier name/vendor

McAfee Secure Web Gateway

36 - SonicWall

36.1 - SonicWall

The following sections show you how to configure SonicWall firewalls to send their log data to Axoflow.

CAUTION:

Prerequisites

You have administrative access to the firewall.
The date, time, and time zone are correctly set on the firewall.
You have an AxoRouter deployed and configured. This device is going to receive the logs from the firewall.
You know the IP address the AxoRouter. To find it:
1. Open the Axoflow Console.
2. Select the Hosts or the Topology page.
3. Click on AxoRouter instance that is going to receive the logs.
4. Check the Networks > Address field.

Steps for SonicOS 7.x

Note: The steps involving the SonicWall user interface are just for your convenience, for details, see the official SonicWall documentation.

Log in to your SonicWall device. You need administrator privileges to perform the configuration.
Register the address of your AxoRouter as an Address Object.
1. Select MENU > OBJECT.
2. Select Match Objects > Addresses > Address objects.
3. Click Add Address.
4. Configure the following settings:
  - Name: Enter a name for the AxoRouter, for example, AxoRouter.
  - Zone Assignment: Select the correct zone.
  - Type: Select Host.
  - IP Address: Enter the IP address of your AxoRouter: %axorouter-ip%
5. Click Save.
Set your AxoRouter as a syslog server.
1. Navigate to Device > Log > Syslog.
2. Select the Syslog Servers tab.
3. Click Add.
4. Configure the following options:
  - Name or IP Address: Select the Address Object of AxoRouter.
  - Server Type: Select Syslog Server.
  - Syslog Format: Select Enhanced.
  If your Syslog server does not use default port 514, type the port number in the Port field.
  By default, AxoRouter accepts data on the following ports (unless you’ve modified the default connector rules):
  - 514 TCP and UDP for RFC3164 (BSD-syslog) formatted traffic.
  - 601 TCP for RFC5424 (IETF-syslog) formatted traffic.
  - 6514 TCP for TLS-encrypted syslog traffic.
  - 4317 TCP for OpenTelemetry log data.
  To receive data on other ports or other protocols, configure other connector rules for the AxoRouter host.
  
  Make sure to enable the ports you’re using on the firewall of your host.
Add the source to Axoflow Console.
1. Open the Axoflow Console and select Topology.
2. Select + > Source.
  - If the source is actively sending data to an AxoRouter instance, select Detected, then select your source.
  - Otherwise, select the vendor and product corresponding to your source from the Predefined sources, then enter the parameters of the source, like IP address and FQDN.
  Note During log tapping, you can add hosts that are actively sending data to an AxoRouter instance by clicking Register source.
3. (Optional) Add custom labels as needed.
4. Select Create.

Steps for SonicOS 6.x

Note: The steps involving the SonicWall user interface are just for your convenience, for details, see the official SonicWall documentation.

Log in to your SonicWall device. You need administrator privileges to perform the configuration.
Register the address of your AxoRouter as an Address Object.
1. Select MANAGE > Policies > Objects > Address Objects.
2. Click Add.
3. Configure the following settings:
  - Name: Enter a name for the AxoRouter, for example, AxoRouter.
  - Zone Assignment: Select the correct zone.
  - Type: Select Host.
  - IP Address: Enter the IP address of your AxoRouter: %axorouter-ip%
4. Click Add.
Set your AxoRouter as a syslog server.
1. Navigate to MANAGE > Log Settings > SYSLOG.
2. Click ADD.
3. Configure the following options:
  - Syslog ID: Enter an ID for the firewall. This ID will be used as the hostname in the log messages.
  - Name or IP Address: Select the Address Object of AxoRouter.
  - Server Type: Select Syslog Server.
  - Enable the Enhanced Syslog Fields Settings.
4. Click OK.
Add the source to Axoflow Console.
1. Open the Axoflow Console and select Topology.
2. Select + > Source.
  - If the source is actively sending data to an AxoRouter instance, select Detected, then select your source.
  - Otherwise, select the vendor and product corresponding to your source from the Predefined sources, then enter the parameters of the source, like IP address and FQDN.
  Note During log tapping, you can add hosts that are actively sending data to an AxoRouter instance by clicking Register source.
3. (Optional) Add custom labels as needed.
4. Select Create.

Labels

Axoflow automatically adds the following labels to data collected from this source:

label	value
vendor	dell
product	sonicwall

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

sourcetype	index
dell:sonicwall	netfw

Tested with: Dell SonicWall Add-on for Splunk technical add-on

37 - Superna

37.1 - Eyeglass

The following sections show you how to configure Superna Eyeglass to send their log data to Axoflow.

CAUTION:

Prerequisites

You have administrative access to Superna Eyeglass.
You have an AxoRouter deployed and configured with a webhook connector. This device is going to receive the data from Superna Eyeglass.
You know the IP address the AxoRouter. To find it:
1. Open the Axoflow Console.
2. Select the Hosts or the Topology page.
3. Click on AxoRouter instance that is going to receive the logs.
4. Check the Networks > Address field.

Steps

Note: The steps involving the Superna Eyeglass user interface are just for your convenience, for details, see the official documentation.

Log in to Ransomware Defender and open the Zero Trust menu.
Click the plus sign to add a webhook target.
Set the parameters of the webhook.
- Name: Enter a name for the webhook, for example, Axoflow.
- URL: Enter the URL of the webhook connector of the AxoRouter instance where you want to post messages.
- Event Severity Filter: Select the severities of the events that you want to forward to the webhook.
- Lifecycle filter: Select the lifecycle changes that trigger a post message to the webhook.
Click Save, then the Test webhooks button. This will send a post message with a sample payload.
Add the source to Axoflow Console.
1. Open the Axoflow Console and select Topology.
2. Select + > Source.
  - If the source is actively sending data to an AxoRouter instance, select Detected, then select your source.
  - Otherwise, select the vendor and product corresponding to your source from the Predefined sources, then enter the parameters of the source, like IP address and FQDN.
  Note During log tapping, you can add hosts that are actively sending data to an AxoRouter instance by clicking Register source.
3. (Optional) Add custom labels as needed.
4. Select Create.

Labels

Axoflow automatically adds the following labels to data collected from this source:

label	value
vendor	superna
product	eyeglass

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

sourcetype	index
superna:eyeglass	main

38 - syslog-ng

By default, Axoflow treats syslog-ng sources as a generic syslog source.

The easiest way to send data from syslog-ng to Axoflow is to configure it to send data to an AxoRouter instance using the syslog protocol.
If you’re using syslog-ng Open Source Edition version 4.4 or newer, use the syslog-ng-otlp() driver to send data to AxoRouter using the OpenTelemetry Protocol.

Note that even if syslog-ng is acting as a relay (receiving data from other clients and forwarding them to AxoRouter), on the Topology page it will be displayed as a data source.

Prerequisites

You have administrative access to the device running syslog-ng.
The date, time, and time zone are correctly set on the appliance.
You have an AxoRouter deployed and configured. This device is going to receive the logs from the appliance.
You know the IP address the AxoRouter. To find it:
1. Open the Axoflow Console.
2. Select the Hosts or the Topology page.
3. Click on AxoRouter instance that is going to receive the logs.
4. Check the Networks > Address field.

Note To receive more detailed metrics about the data processed by syslog-ng, consider onboarding the host into Axoflow and instrumenting its configuration.

39 - Thales

39.1 - Vormetric Data Security Platform

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

label	value
vendor	thales
product	vormetric
format	text-plain

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

sourcetype	index
thales:vormetric	netauth

40 - Trellix

40.1 - Central Management System (CMS)

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

label	value
vendor	trellix
product	cms
format	cef

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

sourcetype	source	index
trellix:cms	trellix:cms	netops

40.2 - Endpoint Security (HX)

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

label	value
vendor	trellix
product	hx
format	text-json
format	cef

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

sourcetype	index
hx_json	fireeye
fe_json	fireeye
hx_cef_syslog	fireeye

Tested with: FireEye Add-on for Splunk Enterprise

Earlier name/vendor

FireEye Endpoint Security (HX)

40.3 - ETP

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

label	value
vendor	trellix
product	etp
format	cef

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

sourcetype	index
fe_etp	fireeye

40.4 - MPS

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

label	value
vendor	trellix
product	mps
format	cef

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

sourcetype	source	index
trellix:mps	trellix:mps	netops

41 - Trend Micro

41.1 - Deep Security Agent

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

label	value
vendor	trend-micro
product	deep-security-agent
format	cef

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

sourcetype	index
deepsecurity	epintel
deepsecurity-system_events	epintel
deepsecurity-intrusion_prevention	epintel
deepsecurity-firewall	epintel
deepsecurity-antimalware	epintel
deepsecurity-integrity_monitoring	epintel
deepsecurity-log_inspection	epintel
deepsecurity-web_reputation	epintel
deepsecurity-app_control	epintel
deepsecurity-system_events	epintel

42 - Ubiquiti

42.1 - Unifi

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

label	value
vendor	ubiquiti
product	unifi

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

sourcetype	index
ubnt	netops
ubnt:cef	netops
ubnt:dhcp	netops
ubnt:dnsmasq	netops
ubnt:edgeswitch	netops
ubnt:hostapd	netops
ubnt:link	netops
ubnt:mcad	netops
ubnt:sudo	netops
ubnt:wireless	netops
ubnt:fw	netfw
ubnt:fw:cef	netfw

43 - Varonis

43.1 - DatAdvantage

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

label	value
vendor	varonis
product	datadvantage
format	cef

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

sourcetype	index
varonis:ta	main

44 - Vectra AI

Earlier name/vendor

Vectra Cognito

44.1 - X-Series

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

label	value
vendor	vectra
product	x-series
format	cef

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

sourcetype	index
vectra:cognito:detect	main
vectra:cognito:accountdetect	main
vectra:cognito:accountscoring	main
vectra:cognito:audit	main
vectra:cognito:campaigns	main
vectra:cognito:health	main
vectra:cognito:hostscoring	main
vectra:cognito:accountlockdown	main

45 - Zscaler appliances

45.1 - Zscaler Nanolog Streaming Service

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

label	value
vendor	zscaler
product	nss

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

sourcetype	index
zscalernss-alerts	netops
zscalernss-tunnel	netops
zscalernss-web	netproxy
zscalernss-web:leef	netproxy

Tested with: Zscaler Technical Add-On for Splunk

45.2 - Zscaler Log Streaming Service

To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.

Labels

Axoflow automatically adds the following labels to data collected from this source:

label	value
vendor	zscaler
product	lss

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

sourcetype	index
zscalerlss-zpa-app	netproxy
zscalerlss-zpa-audit	netproxy
zscalerlss-zpa-auth	netproxy
zscalerlss-zpa-bba	netproxy
zscalerlss-zpa-connector	netproxy

Tested with: Zscaler Technical Add-On for Splunk