Deployment scenarios

1: Axoflow Console deployment

2: Transparent router mode

3: Router and edge deployment

4: Onboard existing syslog infrastructure

Thanks to its flexible deployment modes, you can quickly insert an Axoflow and its processing node (called AxoRouter) transparently into your data pipeline and gain instant benefits:

Data reduction
Improved SIEM accuracy
Configuration UI for routing data
Automatic data classification
Metrics about log ingestion, processing, and data drops
Analytics about the transported data
Health check, highlighting anomalies

After the first step, you can further integrate your pipeline, by deploying Axoflow agents to collect and manage your security data, or onboarding your existing log collector agents (for example, syslog-ng). Let’s see what these scenarios look like in detail.

1 - Axoflow Console deployment

You can use Axoflow Console:

as a SaaS solution, without any deployment (request a free trial),
deploy it on-premises, or
deploy it in air-gapped environments (contact us for details).

We also support hybrid environments.

The Axoflow Console provides the UI for accessing metrics and analytics, deploying and configuring AxoRouter instances, configuring data flows, and so on.

2 - Transparent router mode

AxoRouter is a powerful aggregator and data processing engine that can receive data from a wide variety of sources, including:

OpenTelemetry,
syslog,
Windows Event Forwarding, or HTTP.

In transparent mode, you deploy AxoRouter in front of your SIEM and configure your sources or aggregators to send the logs to AxoRouter instead of the SIEM. The transparent deployment method is a quick, minimally invasive way to get instant benefits and value from Axoflow, and:

automatically identify the sending device or application,
apply device-specific, zero-maintenance parsers to the incoming data,
enrich the incoming messages with metadata, and
get metrics about the data throughput.

Axoflow Console as SaaS

Transparent deployment as SaaS

Axoflow Console on premises

Transparent deployment on premises

3 - Router and edge deployment

Axoflow provides agents to collect data from all kinds of sources:

Kubernetes clusters,
cloud sources,
security appliances,
Linux servers,
Microsoft Windows hosts.

(If you’d prefer to keep using your existing syslog infrastructure instead of the Axoflow agents, see Onboard existing syslog infrastructure).

You can deploy the AxoRouter data aggregator on Linux and Kubernetes.

Router and edge deployment

Using the Axoflow collector agents gives you:

Reliable transport: Between its components, Axoflow transports security data using the reliable OpenTelemetry protocol (OTLP) for high performance, and to avoid losing messages.
Managed components: You can configure, manage, monitor, and troubleshoot all these components from the Axoflow Console. For example, you can sample the data flowing through each component.
Metrics: Detailed metrics from every collector provide unprecedented insight into the status of your data pipeline.

4 - Onboard existing syslog infrastructure

If your organization already has a syslog architecture in place, Axoflow provides ways to reuse it. This allows you to integrate your existing infrastructure with Axoflow, and optionally – in a later phase – replace your log collectors with the agents provided by Axoflow.

Managed AxoRouter deployments

This deployment mode is similar to the previous one, but instead of writing configurations manually, you use the centralized management UI of Axoflow Console to manage your AxoRouter instances. This provides the tightest integration and the most benefits. In addition to the unmanaged use case, it gives you:

Configuration management from the UI
Automatic host inventory and host attribution
Automatic classification and enrichment of incoming data
Advanced routing based on labels

Unmanaged AxoRouter deployments

In this mode, you install AxoRouter on the data source to replace its local collector agent, and manage it manually. That way you get the functional benefits of using AxoRouter (our aggregator and data curation engine) to collect and classify your data but can manage its configuration as you see fit. This gives you all the benefits of the read-only mode (since AxoRouter includes Axolet as well), and in addition, it provides:

Advanced and more detailed metrics about the log ingestion, processing, data drops, delays
More detailed analytics about the transported data
Access to the FilterX processing engine
Ability to receive OpenTelemetry data
Acts as a Windows Event Collector server, allowing you to collect Windows events
Optimized output for the specific SIEMs
Data reduction

Read-only mode

Read only mode

In this scenario, you install Axolet on the data source. Axolet is a monitoring (and management) agent that integrates with the local log collector, like AxoSyslog, Splunk Connect for Syslog, or syslog-ng, and sends detailed metrics about the host and its data traffic to the Axoflow Console. This allows you to use the Axoflow Console to:

Get a visual overview of your security data pipeline topology
Check the metrics about the log ingestion, processing, and data drops
Browse data analytics and health checks
Get notifications about alerts and anomalies