Destinations

The following chapters show you how to configure Axoflow to send your data to specific destinations, like SIEMs or object storage solutions.

1 - Amazon

1.1 - Amazon S3

To add an Amazon S3 destination to Axoflow, complete the following steps.

Prerequisites

  • An existing S3 bucket configured for programmatic access, and the related ACCESS_KEY and SECRET_KEY of a user that can access it. The user needs to have the following permissions:

    • kms:Decrypt
    • kms:Encrypt
    • kms:GenerateDataKey
    • s3:ListBucket
    • s3:ListBucketMultipartUploads
    • s3:AbortMultipartUpload
    • s3:ListMultipartUploadParts
    • s3:PutObject
  • To configure Axoflow, you’ll need the bucket name, region (or URL), access key, and the secret key of the bucket.

Steps

  1. Create a new destination.

    1. Open the Axoflow Console.
    2. Select Topology.
    3. Select + > Destination.
  2. Configure the destination.

    1. Select Amazon S3.

    2. Enter a name for the destination.

      Configure the S3 destination

    3. Enter the name of the bucket you want to use.

    4. Enter the region code of the bucket into the Region field (for example, us-east-1), or select the Use custom endpoint URL option and enter the URL of the endpoint into the URL field.

    5. Enter the Access key and the Secret key for the account you want to use.

    6. Enter the Object key (or key name), which uniquely identifies the object in an Amazon S3 bucket, for example: my-logs/${HOSTNAME}/.

      You can use AxoSyslog macros in this field.

    7. Select the Object key timestamp format you want to use, or select Use custom object key timestamp and enter a custom template. For details on the available date-related macros, see the AxoSyslog documentation.
    8. Set the maximal size of the S3 object. When an object reaches this size, Axoflow rotates it: it appends an index ("-1", "-2", …) to the end of the object key and starts a new object.
    9. Select Create.
  3. Create a flow to connect the new destination to an AxoRouter instance.
    1. Select Flows.

    2. Select Create New Flow.

    3. Enter a name for the flow, for example, my-test-flow.

      Create a flow

    4. In the Router Selector field, enter an expression that matches the router(s) you want to apply the flow to. To select a specific router, use a name selector, for example, name = my-axorouter-hostname.

    5. Select the Destination where you want to send your data. If you don’t have any destination configured, see Destinations.

      By default, you can select only external destinations. If you want to send data to another AxoRouter, enable the Show all destinations option, and select the connector of the AxoRouter where you want to send the data.

      AxoRouter as destination

    6. (Optional) To process the data transferred in the flow, select Add New Processing Step. For details, see Processing steps. For example:

      1. Add a Reduce step to automatically remove redundant and empty fields from your data.
      2. To select which messages are processed by the flow, add a Select Messages step, and enter a filter into the Query field. For example, to select only the messages received from Fortinet FortiGate firewalls, use the meta.vendor = fortinet + meta.product = fortigate query.
      3. Save the processing steps.

      Example processing steps

    7. Select Create.

    8. The new flow appears in the Flows list.

      The new flow

2 - Apache Kafka

If you’d like to send data from AxoRouter to this destination, contact our support team for details.

3 - Clickhouse

If you’d like to send data from AxoRouter to this destination, contact our support team for details.

4 - CrowdStrike

If you’d like to send data from AxoRouter to this destination, contact our support team for details.

5 - Elastic

5.1 - Elastic Cloud and Elasticsearch

To add an Elasticsearch destination to Axoflow, complete the following steps.

Prerequisites

Steps

  1. Create a new destination.

    1. Open the Axoflow Console.
    2. Select Topology.
    3. Select + > Destination.
  2. Configure the destination.

    1. Select Elasticsearch.

    2. Select which type of configuration you want to use:

      • Simple: Send all data into a single index.
      • Dynamic: Send data to an index based on the content or metadata of the incoming messages (or to a default index).
      • Advanced: Allows you to specify a custom URL endpoint.
    3. Enter a name for the destination.

      Configure the Elasticsearch destination

    4. Configure the endpoint of the destination.

      • Advanced: Enter your Elasticsearch URL into the URL field, for example, http://my-elastic-server:9200/_bulk
      • Simple and Dynamic:
        1. Select the HTTPS or HTTP protocol to use to access your destination.
        2. Enter the Hostname and Port of the destination.
    5. Specify the Elasticsearch index to send the data to.

      • Simple: Enter the expression that specifies the Elasticsearch index to use into the Index field, for example: test-${YEAR}${MONTH}${DAY}. All data will be sent into this index.
      • Dynamic and Advanced: Enter the expression that specifies the default index. The data will be sent into this index if no other index is set during the processing of the message (for example, by the processing steps of the Flow).

      You can use AxoSyslog macros in this field.

    6. Enter the username and password for the account you want to use.

    7. (Optional)

      By default, Axoflow rejects connections to the destination server if the server’s certificate is invalid: for example, if it is expired, signed by an unknown CA, or its name does not match the server (the Common Name or the subject_alt_name of the peer’s certificate must contain the hostname or the IP address of the peer, as resolved from AxoRouter).

      If you want to accept invalid certificates (or no certificate) from the destination servers, disable the Verify server certificate option.

    8. (Optional) Set other options as needed for your environments.

      • Timeout: The number of seconds to wait for a log-forwarding request to complete; if it is exceeded, AxoRouter reconnects to the server. The default (0) is unlimited. For more details, see the AxoSyslog documentation.
      • Batch Timeout: Maximal time in milliseconds to wait for a batch to be filled before sending it. The default value (-1) means that the batch should be full before sending, which may result in a long wait if the incoming traffic is low. For more details, see the AxoSyslog documentation.
      • Workers: Used for scaling the destination in case of high message load. Specifies the number of worker threads AxoRouter uses for sending messages to the destination. The default is 1. If high message throughput is not a concern, leave it on 1. For maximum performance, increase it up to the number of CPU cores available on AxoRouter. For more details, see the AxoSyslog documentation.

    9. Select Create.

  3. Create a flow to connect the new destination to an AxoRouter instance.
    1. Select Flows.

    2. Select Create New Flow.

    3. Enter a name for the flow, for example, my-test-flow.

      Create a flow

    4. In the Router Selector field, enter an expression that matches the router(s) you want to apply the flow to. To select a specific router, use a name selector, for example, name = my-axorouter-hostname.

    5. Select the Destination where you want to send your data. If you don’t have any destination configured, see Destinations.

      By default, you can select only external destinations. If you want to send data to another AxoRouter, enable the Show all destinations option, and select the connector of the AxoRouter where you want to send the data.

      AxoRouter as destination

    6. (Optional) To process the data transferred in the flow, select Add New Processing Step. For details, see Processing steps. For example:

      1. Add a Reduce step to automatically remove redundant and empty fields from your data.
      2. To select which messages are processed by the flow, add a Select Messages step, and enter a filter into the Query field. For example, to select only the messages received from Fortinet FortiGate firewalls, use the meta.vendor = fortinet + meta.product = fortigate query.
      3. Save the processing steps.

      Example processing steps

    7. Select Create.

    8. The new flow appears in the Flows list.

      The new flow
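The S3 Object key (together with its timestamp format and the "-1", "-2" rotation index) and the Elasticsearch Index field both take AxoSyslog ${MACRO} templates. The following is an added example, not code from Axoflow or AxoSyslog: a small Python expander that shows how such a template becomes a concrete object key or index name for one message, how the rotation suffix is appended, and why a mistyped macro is worth checking for before the destination goes live. The macro set, the sample message, and the prefix-then-timestamp concatenation order are constructed assumptions; the real AxoSyslog macro set is much larger.

```python
import re
from datetime import datetime, timezone

# ${NAME} placeholders as written in the Object key and Index fields.
MACRO_RE = re.compile(r"\$\{([A-Za-z_0-9]+)\}")


def sample_macros() -> dict:
    """Constructed macro values for one message. This is a small subset of the
    AxoSyslog macro set, chosen to cover the templates shown on this page."""
    ts = datetime(2024, 3, 5, 14, 7, 9, tzinfo=timezone.utc)
    return {
        "HOSTNAME": "fw-01",
        "HOST": "fw-01",
        "YEAR": f"{ts.year:04d}",
        "MONTH": f"{ts.month:02d}",
        "DAY": f"{ts.day:02d}",
        "HOUR": f"{ts.hour:02d}",
        "S_ISODATE": ts.isoformat(timespec="seconds"),
    }


def expand_template(template: str, macros: dict) -> str:
    """Replace each ${NAME} with its value. An unknown macro expands to an empty
    string (syslog-ng behaviour), so a typo silently yields a different key or
    index instead of an error; use unknown_macros() to catch that."""
    return MACRO_RE.sub(lambda m: macros.get(m.group(1), ""), template)


def unknown_macros(template: str, macros: dict) -> list:
    """Macro names referenced by the template that have no value."""
    return [name for name in MACRO_RE.findall(template) if name not in macros]


def s3_object_key(prefix_template: str, timestamp_format: str,
                  macros: dict, rotation: int = 0) -> str:
    """Object key = expanded prefix + expanded timestamp format, with "-N"
    appended once the object has been rotated N times because it reached the
    maximal size. (Prefix-then-timestamp order is this example's assumption.)"""
    key = expand_template(prefix_template, macros) + expand_template(timestamp_format, macros)
    if rotation > 0:
        key += f"-{rotation}"
    return key


def elasticsearch_index(index_template: str, macros: dict) -> str:
    """Index name for one message. Elasticsearch index names must be lowercase,
    so a template that yields uppercase characters would be rejected."""
    name = expand_template(index_template, macros)
    if name != name.lower():
        raise ValueError(f"index name must be lowercase: {name!r}")
    return name


if __name__ == "__main__":
    m = sample_macros()
    print(s3_object_key("my-logs/${HOSTNAME}/", "${YEAR}${MONTH}${DAY}", m, rotation=2))
    print(elasticsearch_index("test-${YEAR}${MONTH}${DAY}", m))
    print(unknown_macros("test-${YEAR}${MONT}", m))
```

Running the block with the constructed message prints `my-logs/fw-01/20240305-2`, `test-20240305`, and `['MONT']`; the last line is the case to watch for, because the misspelled template expands to `test-2024` without any error.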

6 - Generic

6.1 - /dev/null

This is a null destination that discards (drops) all data it receives, but reports that it has successfully received the data. This is sometimes useful for testing and performance measurements, for example, to find out whether the bottleneck is a real destination or another element upstream in the pipeline.

CAUTION:

Data that is sent only to the /dev/null destination is irrevocably lost.

Steps

  1. Create a new destination.

    1. Open the Axoflow Console.
    2. Select Topology.
    3. Select + > Destination.
  2. Configure the destination.

    1. Select /dev/null.

    2. Enter a name for the destination.

      Configure the null destination

    3. (Optional): Add custom labels to the destination.

    4. Select Create.

  3. Create a flow to connect the new destination to an AxoRouter instance.
    1. Select Flows.

    2. Select Create New Flow.

    3. Enter a name for the flow, for example, my-test-flow.

      Create a flow

    4. In the Router Selector field, enter an expression that matches the router(s) you want to apply the flow to. To select a specific router, use a name selector, for example, name = my-axorouter-hostname.

    5. Select the Destination where you want to send your data. If you don’t have any destination configured, see Destinations.

      By default, you can select only external destinations. If you want to send data to another AxoRouter, enable the Show all destinations option, and select the connector of the AxoRouter where you want to send the data.

      AxoRouter as destination

    6. (Optional) To process the data transferred in the flow, select Add New Processing Step. For details, see Processing steps. For example:

      1. Add a Reduce step to automatically remove redundant and empty fields from your data.
      2. To select which messages are processed by the flow, add a Select Messages step, and enter a filter into the Query field. For example, to select only the messages received from Fortinet FortiGate firewalls, use the meta.vendor = fortinet + meta.product = fortigate query.
      3. Save the processing steps.

      Example processing steps

    7. Select Create.

    8. The new flow appears in the Flows list.

      The new flow

6.2 - syslog

The syslog destination forwards your security data in an RFC-3164 or RFC-5424 compliant syslog format, using the UDP, TCP, or TLS-encrypted TCP protocols.

Prerequisites

If you want to enable TLS encryption for this destination to encrypt the communication with the destination server, you’ll need to set the appropriate keys and certificates.

CAUTION:

Copy the keys and certificates to AxoRouter before starting to configure the connector. Otherwise, you won’t be able to make configuration changes that require reloading the AxoRouter service, including starting log tapping or flow tapping.

Note the following points:

  • Keys and certificates must be in PEM format.

  • If the file contains a certificate chain, the file must begin with the certificate of the host, followed by the CA certificate that signed the certificate of the host, and any other signing CAs in order.

  • You must manually copy these files to their place on the AxoRouter host; currently you can’t distribute them from Axoflow Console.

    The files must be readable by the axorouter service.

  • The recommended path for certificates is under /etc/axorouter/user-config/ (for example, /etc/axorouter/user-config/tls-key.pem). (If you need to use a different path, you have to append an option like -v /your/path:/your/path to the AXOROUTER_PODMAN_ARGS variable of /etc/axorouter/container.env.)

  • When referring to the key or certificate while configuring the destination, use absolute paths (for example, /etc/axorouter/user-config/tls-key.pem).

Steps

  1. Create a new destination.

    1. Open the Axoflow Console.
    2. Select Topology.
    3. Select + > Destination.
  2. Configure the destination.

    1. Select Syslog.

    2. Select the template to use one of the standard syslog ports and transport protocols—for example, UDP port 514, which is commonly used for the RFC3164 syslog protocol.

      To configure a different port, or to specify the protocol elements manually, select Custom.

      Select syslog destination template

    3. Enter a name for the destination.

      Configure the syslog destination

    4. (Optional): Add custom labels to the destination.

    5. Select the protocol to use for sending syslog data: TCP, UDP, or TLS.

      Syslog destination settings

    6. Select the syslog format to use: BSD (RFC3164) or Syslog (RFC5424).

    7. (Optional) If explicitly needed for your use case, you can configure Framing manually when using the Syslog (RFC5424) format. Enable framing (On) if each message is prefixed with its length (octet counting, as specified in RFC6587 section 3.4.1). Disable it (Off) for non-transparent framing (RFC6587 section 3.4.2).

    8. If you’ve selected Protocol > TLS, set the TLS-related options.

      When using TLS, set the paths for the certificates and keys used for the TLS-encrypted communication with the destination server. For details, see Prerequisites.

      • Client certificate path: The certificate that AxoRouter shows to the destination server.
      • Client private key path: The private key of the client certificate.
      • CA certificate path: The CA certificate that AxoRouter uses to verify the certificate of the destination if Verify peer certificate is enabled.
    9. Set the Address and the Port of the destination. Usually:

      • 514 TCP and UDP for RFC3164 (BSD-syslog) formatted traffic.
      • 601 TCP for RFC5424 (IETF-syslog) formatted traffic.
      • 6514 TCP for TLS-encrypted syslog traffic.
    10. Select Create.

  3. Create a flow to connect the new destination to an AxoRouter instance.
    1. Select Flows.

    2. Select Create New Flow.

    3. Enter a name for the flow, for example, my-test-flow.

      Create a flow

    4. In the Router Selector field, enter an expression that matches the router(s) you want to apply the flow to. To select a specific router, use a name selector, for example, name = my-axorouter-hostname.

    5. Select the Destination where you want to send your data. If you don’t have any destination configured, see Destinations.

      By default, you can select only external destinations. If you want to send data to another AxoRouter, enable the Show all destinations option, and select the connector of the AxoRouter where you want to send the data.

      AxoRouter as destination

    6. (Optional) To process the data transferred in the flow, select Add New Processing Step. For details, see Processing steps. For example:

      1. Add a Reduce step to automatically remove redundant and empty fields from your data.
      2. To select which messages are processed by the flow, add a Select Messages step, and enter a filter into the Query field. For example, to select only the messages received from Fortinet FortiGate firewalls, use the meta.vendor = fortinet + meta.product = fortigate query.
      3. Save the processing steps.

      Example processing steps

    7. Select Create.

    8. The new flow appears in the Flows list.

      The new flow

Protocol-specific destination options

If needed, select More options to set the following:

  • TCP Keepalive Time Interval: The interval (number of seconds) between consecutive keepalive probes, regardless of the traffic exchanged in the connection.
  • TCP Keepalive Probes: The number of unacknowledged probes to send before considering the connection dead.
  • TCP Keepalive Time: The interval (in seconds) between the last data packet sent and the first keepalive probe.
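What the syslog destination's format, framing and keepalive settings mean on the wire, as an added Python example that is not Axoflow's or AxoSyslog's code: it builds an RFC 5424 message, applies either octet-counting framing (RFC 6587 section 3.4.1, the Framing: On setting) or non-transparent framing (section 3.4.2, Framing: Off), shows how a receiver must split each one, and maps the three TCP keepalive options to their socket-level equivalents. The sample message and the escaping choice for embedded newlines are this example's assumptions; nothing is sent over the network.

```python
import socket
from datetime import datetime, timezone


def rfc5424(pri: int, host: str, app: str, msg: str, ts: datetime,
            procid: str = "-", msgid: str = "-") -> str:
    """RFC 5424 header: PRI VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID
    STRUCTURED-DATA, followed by the message. No structured data here ("-")."""
    stamp = ts.astimezone(timezone.utc).isoformat(timespec="milliseconds").replace("+00:00", "Z")
    return f"<{pri}>1 {stamp} {host} {app} {procid} {msgid} - {msg}"


def sample_message() -> str:
    """Constructed sample: facility local0, severity info (PRI 134)."""
    return rfc5424(134, "fw-01", "axorouter", "hello",
                   ts=datetime(2024, 3, 5, 12, 0, 0, tzinfo=timezone.utc))


def frame_octet_counting(message: str) -> bytes:
    """Framing: On. RFC 6587 3.4.1: MSG-LEN SP SYSLOG-MSG, where MSG-LEN is the
    byte length of the message. Any byte, including LF, may appear in the body."""
    body = message.encode("utf-8")
    return f"{len(body)} ".encode("ascii") + body


def frame_non_transparent(message: str) -> bytes:
    """Framing: Off. RFC 6587 3.4.2: the record ends at a trailer (LF here).
    A LF inside the message would be read as a record boundary by the receiver,
    so this example escapes it; that is this example's choice, not a rule."""
    return message.replace("\n", "\\n").encode("utf-8") + b"\n"


def split_octet_counted(stream: bytes) -> list:
    """Receiver side of octet counting: read the length, then exactly that
    many bytes. Raises ValueError on a truncated or malformed stream."""
    records, i = [], 0
    while i < len(stream):
        sp = stream.index(b" ", i)
        length = int(stream[i:sp])
        start = sp + 1
        if start + length > len(stream):
            raise ValueError("truncated frame")
        records.append(stream[start:start + length].decode("utf-8"))
        i = start + length
    return records


def split_non_transparent(stream: bytes) -> list:
    """Receiver side of non-transparent framing: split on the LF trailer."""
    return [line.decode("utf-8") for line in stream.split(b"\n") if line]


def apply_keepalive(sock: socket.socket, keepalive_time: int,
                    keepalive_interval: int, keepalive_probes: int) -> socket.socket:
    """Maps the three 'More options' fields onto TCP socket options:
    keepalive_time -> TCP_KEEPIDLE (idle seconds before the first probe),
    keepalive_interval -> TCP_KEEPINTVL (seconds between probes),
    keepalive_probes -> TCP_KEEPCNT (unacknowledged probes before the
    connection is considered dead). Names are looked up dynamically because
    not every platform exposes all three."""
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    for name, value in (("TCP_KEEPIDLE", keepalive_time),
                        ("TCP_KEEPINTVL", keepalive_interval),
                        ("TCP_KEEPCNT", keepalive_probes)):
        opt = getattr(socket, name, None)
        if opt is not None:
            sock.setsockopt(socket.IPPROTO_TCP, opt, value)
    return sock


def keepalive_settings(keepalive_time: int, keepalive_interval: int,
                       keepalive_probes: int) -> dict:
    """Apply the settings to a fresh, unconnected TCP socket and read them
    back, so the effect can be checked without a peer."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        apply_keepalive(sock, keepalive_time, keepalive_interval, keepalive_probes)
        result = {"SO_KEEPALIVE": sock.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE)}
        for name in ("TCP_KEEPIDLE", "TCP_KEEPINTVL", "TCP_KEEPCNT"):
            opt = getattr(socket, name, None)
            if opt is not None:
                result[name] = sock.getsockopt(socket.IPPROTO_TCP, opt)
    return result
```

The two framings matter for a receiver: with octet counting, a message containing a newline survives intact, while under non-transparent framing the same bytes are read as two records, which is why a sender and receiver must agree on the Framing setting. The keepalive helper is the client-side view of the three options; the values are only applied to the socket, so a dead peer is detected after roughly keepalive_time + keepalive_interval × keepalive_probes seconds.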

7 - Google

7.1 - BigQuery

Axoflow will soon support sending data to Google BigQuery using a high-performance gRPC-based destination.

If you’d like to send data from AxoRouter to this destination, contact our support team for details.

7.2 - Google Cloud Pub/Sub

To add a Google Cloud Pub/Sub destination to Axoflow, complete the following steps. Axoflow can send data to Google Cloud Pub/Sub using its gRPC interface.

Prerequisites

For details, see the Google Pub/Sub tutorial.

Steps

  1. Create a new destination.

    1. Open the Axoflow Console.
    2. Select Topology.
    3. Select + > Destination.
  2. Configure the destination.

    1. Select Pub/Sub.

    2. Select which type of configuration you want to use:

      • Simple: Send all data into a project and topic.
      • Dynamic: Send data to a project and topic based on the content or metadata of the incoming messages (or to a default project/topic).
    3. Enter a name for the destination.

      Configure the Google Pub/Sub destination

    4. Specify the project and topic to send the data to.

      • Simple: Enter the ID of the GCP Project and the Topic. All data will be sent to this topic.
      • Dynamic: Enter the expression that specifies the default Project and Topic. The data will be sent there unless a different project or topic is set during the processing of the message (for example, by the processing steps of the Flow).

      You can use AxoSyslog macros in this field.

    5. Configure the authentication method to access the GCP project.

      • Automatic (ADC): Use the service account attached to the cloud resource (VM) that hosts AxoRouter.

      • Service Account File: Specify the path where a service account key file is located (for example, /etc/axorouter/user-config/). You must manually copy that file to its place; currently you can’t distribute it from Axoflow.

      • None: Disable authentication completely. Only available when the More options > Service Endpoint option is set.

        CAUTION:

        Do not disable authentication in production.
    6. (Optional) Set other options as needed for your environments.

      • Service Endpoint: Use a custom API endpoint. Leave it empty to use the default: https://pubsub.googleapis.com
      • Batch Timeout: Maximal time in milliseconds to wait for a batch to be filled before sending it. The default value (-1) means that the batch should be full before sending, which may result in a long wait if the incoming traffic is low. For more details, see the AxoSyslog documentation.
      • Workers: Used for scaling the destination in case of high message load. Specifies the number of worker threads AxoRouter uses for sending messages to the destination. The default is 1. If high message throughput is not a concern, leave it on 1. For maximum performance, increase it up to the number of CPU cores available on AxoRouter. For more details, see the AxoSyslog documentation.
    7. Select Create.

  3. Create a flow to connect the new destination to an AxoRouter instance.
    1. Select Flows.

    2. Select Create New Flow.

    3. Enter a name for the flow, for example, my-test-flow.

      Create a flow

    4. In the Router Selector field, enter an expression that matches the router(s) you want to apply the flow to. To select a specific router, use a name selector, for example, name = my-axorouter-hostname.

    5. Select the Destination where you want to send your data. If you don’t have any destination configured, see Destinations.

      By default, you can select only external destinations. If you want to send data to another AxoRouter, enable the Show all destinations option, and select the connector of the AxoRouter where you want to send the data.

      AxoRouter as destination

    6. (Optional) To process the data transferred in the flow, select Add New Processing Step. For details, see Processing steps. For example:

      1. Add a Reduce step to automatically remove redundant and empty fields from your data.
      2. To select which messages are processed by the flow, add a Select Messages step, and enter a filter into the Query field. For example, to select only the messages received from Fortinet FortiGate firewalls, use the meta.vendor = fortinet + meta.product = fortigate query.
      3. Save the processing steps.

      Example processing steps

    7. Select Create.

    8. The new flow appears in the Flows list.

      The new flow

Pub/Sub attributes

You can embed custom attributes as metadata in Pub/Sub messages in the processing steps of the Flow that’s sending data to the Pub/Sub destination.

To do that:

  1. Add a FilterX processing step to the Flow.

  2. Edit the Statements field of the processing step:

    1. Add the meta.pubsub.attributes = json(); line to add an empty JSON object to the messages.

    2. Set your custom attributes under the meta.pubsub.attributes key. For example, if you want to include the timestamp as a custom attribute as well, you can use:

      meta.pubsub.attributes = {"timestamp": $S_ISODATE};

8 - Grafana

8.1 - Grafana Loki

If you’d like to send data from AxoRouter to this destination, contact our support team for details.

9 - Microsoft

9.1 - Azure Monitor

Sending data to Azure Monitor is practically identical to using the Sentinel destination. Follow the procedure described in Microsoft Sentinel.

9.2 - Microsoft Sentinel

To add a Microsoft Sentinel or Azure Monitor destination to Axoflow, complete the following steps. Axoflow Console can configure your AxoRouters to send data to the built-in syslog table of Azure Monitor.

Prerequisites

Steps

  1. Create a new destination.

    1. Open the Axoflow Console.
    2. Select Topology.
    3. Select + > Destination.
  2. Configure the destination.

    1. Select Sentinel or Azure Monitor.

    2. Enter a name for the destination.

      Configure the Sentinel destination

    3. Configure the credentials needed for authentication.

      Configure authentication for the Sentinel destination

      • Tenant ID: Directory (tenant) ID of the environment where you’re sending the data. (Practically everything belongs to the tenant ID: the Entra ID application, the Log analytics workspace, Sentinel, the DCE and the DCR, and so on.)
      • Application ID: Application (client) ID of the Microsoft Entra ID application.
      • Application secret: The Client secret of the Microsoft Entra ID application.
      • Scope: The scope for the authentication token. Usually you can leave it empty to use the default value (https://monitor.azure.com//.default).
    4. Specify the details of the table to send the data to.

    5. (Optional) Set other options as needed for your environments.

      • Timeout: The number of seconds to wait for a log-forwarding request to complete; if it is exceeded, AxoRouter reconnects to the server. The default (0) is unlimited. For more details, see the AxoSyslog documentation.
      • Batch Timeout: Maximal time in milliseconds to wait for a batch to be filled before sending it. The default value (-1) means that the batch should be full before sending, which may result in a long wait if the incoming traffic is low. For more details, see the AxoSyslog documentation.
      • Workers: Used for scaling the destination in case of high message load. Specifies the number of worker threads AxoRouter uses for sending messages to the destination. The default is 1. If high message throughput is not a concern, leave it on 1. For maximum performance, increase it up to the number of CPU cores available on AxoRouter. For more details, see the AxoSyslog documentation.

    6. Select Create.

  3. Create a flow to connect the new destination to an AxoRouter instance.
    1. Select Flows.

    2. Select Create New Flow.

    3. Enter a name for the flow, for example, my-test-flow.

      Create a flow

    4. In the Router Selector field, enter an expression that matches the router(s) you want to apply the flow to. To select a specific router, use a name selector, for example, name = my-axorouter-hostname.

    5. Select the Destination where you want to send your data. If you don’t have any destination configured, see Destinations.

      By default, you can select only external destinations. If you want to send data to another AxoRouter, enable the Show all destinations option, and select the connector of the AxoRouter where you want to send the data.

      AxoRouter as destination

    6. (Optional) To process the data transferred in the flow, select Add New Processing Step. For details, see Processing steps. For example:

      1. Add a Reduce step to automatically remove redundant and empty fields from your data.
      2. To select which messages are processed by the flow, add a Select Messages step, and enter a filter into the Query field. For example, to select only the messages received from Fortinet FortiGate firewalls, use the meta.vendor = fortinet + meta.product = fortigate query.
      3. Save the processing steps.

      Example processing steps

    7. Select Create.

    8. The new flow appears in the Flows list.

      The new flow

10 - OpenObserve

To add an OpenObserve destination to Axoflow, complete the following steps.

Prerequisites

Steps

  1. Create a new destination.

    1. Open the Axoflow Console.
    2. Select Topology.
    3. Select + > Destination.
  2. Configure the destination.

    1. Select OpenObserve.

    2. Select which type of configuration you want to use:

      • Simple: Send all data into a single stream of an organization.
      • Dynamic: Send data to an organization and stream based on the content or metadata of the incoming messages (or to the default stream of the default organization).
      • Advanced: Allows you to specify a custom URL endpoint.
    3. Enter a name for the destination.

      Configure the OpenObserve destination

    4. Configure the endpoint of the destination.

      • Advanced: Enter your OpenObserve URL into the URL field, for example, https://example.com/api/my-org/my-stream/_json
      • Simple and Dynamic:
        1. Select the HTTPS or HTTP protocol to use to access your destination.
        2. Enter the Hostname and Port of the destination.
    5. Specify the OpenObserve stream to send the data to.

      • Simple: Enter the name of the Organization and the Stream where you want to send the data. All data will be sent into this stream.
      • Dynamic: Enter the expression that specifies the Default Organization and the Default Stream. The data will be sent into this stream if no other organization and stream is set during the processing of the message (for example, by the processing steps of the Flow).

      You can use AxoSyslog macros in this field.

    6. Enter the username and password for the account you want to use.

    7. (Optional)

      By default, Axoflow rejects connections to the destination server if the server’s certificate is invalid: for example, if it is expired, signed by an unknown CA, or its name does not match the server (the Common Name or the subject_alt_name of the peer’s certificate must contain the hostname or the IP address of the peer, as resolved from AxoRouter).

      If you want to accept invalid certificates (or no certificate) from the destination servers, disable the Verify server certificate option.

    8. (Optional) Set other options as needed for your environments.

      • Timeout: The number of seconds to wait for a log-forwarding request to complete; if it is exceeded, AxoRouter reconnects to the server. The default (0) is unlimited. For more details, see the AxoSyslog documentation.
      • Batch Timeout: Maximal time in milliseconds to wait for a batch to be filled before sending it. The default value (-1) means that the batch should be full before sending, which may result in a long wait if the incoming traffic is low. For more details, see the AxoSyslog documentation.
      • Workers: Used for scaling the destination in case of high message load. Specifies the number of worker threads AxoRouter uses for sending messages to the destination. The default is 1. If high message throughput is not a concern, leave it on 1. For maximum performance, increase it up to the number of CPU cores available on AxoRouter. For more details, see the AxoSyslog documentation.

  3. Create a flow to connect the new destination to an AxoRouter instance.
    1. Select Flows.

    2. Select Create New Flow.

    3. Enter a name for the flow, for example, my-test-flow.

      Create a flow

    4. In the Router Selector field, enter an expression that matches the router(s) you want to apply the flow to. To select a specific router, use a name selector, for example, name = my-axorouter-hostname.

    5. Select the Destination where you want to send your data. If you don’t have any destination configured, see Destinations.

      By default, you can select only external destinations. If you want to send data to another AxoRouter, enable the Show all destinations option, and select the connector of the AxoRouter where you want to send the data.

      AxoRouter as destination

    6. (Optional) To process the data transferred in the flow, select Add New Processing Step. For details, see Processing steps. For example:

      1. Add a Reduce step to automatically remove redundant and empty fields from your data.
      2. To select which messages are processed by the flow, add a Select Messages step, and enter a filter into the Query field. For example, to select only the messages received from Fortinet FortiGate firewalls, use the meta.vendor = fortinet + meta.product = fortigate query.
      3. Save the processing steps.

      Example processing steps

    7. Select Create.

    8. The new flow appears in the Flows list.

      The new flow
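The name check behind the Verify server certificate option, described for both the Elasticsearch and the OpenObserve destinations, as an added Python example that is not Axoflow's code: match_peer() applies the rule stated on this page (the Common Name or a subject_alt_name entry must contain the hostname or IP address the router connected to), including the one-label wildcard form that certificates commonly use. The certificate dictionaries are constructed in the shape that ssl.SSLSocket.getpeercert() returns; they are not real certificates. Disabling the option skips this check together with the expiry and CA-chain checks, so AxoRouter can then no longer tell the intended server from any other TLS endpoint at that address.

```python
import ipaddress


def _dns_match(pattern: str, hostname: str) -> bool:
    """Case-insensitive comparison with a single left-most wildcard label:
    '*.example.internal' matches 'es-01.example.internal' but not
    'a.b.example.internal' or 'example.internal'."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]                      # ".example.internal"
        head = hostname[: -len(suffix)] if hostname.endswith(suffix) else None
        return bool(head) and "." not in head
    return False


def certificate_names(cert: dict) -> list:
    """All names a certificate offers, as (kind, value) pairs: subjectAltName
    entries first, then the subject Common Name(s). The dict follows the shape
    returned by ssl.SSLSocket.getpeercert()."""
    names = list(cert.get("subjectAltName", ()))
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(("CN", value))
    return names


def match_peer(cert: dict, peer: str) -> bool:
    """True when the CN or a subject_alt_name entry contains the hostname or IP
    address the router connected to (the rule stated on this page). Strict
    RFC 6125 verifiers ignore the CN once any SAN entry is present; this
    helper follows the page's wording and accepts either."""
    try:
        ip = ipaddress.ip_address(peer)
    except ValueError:
        ip = None
    for kind, value in certificate_names(cert):
        if ip is not None:
            if kind in ("IP Address", "CN"):
                try:
                    if ipaddress.ip_address(value) == ip:
                        return True
                except ValueError:
                    pass                          # a DNS name in the CN, not an IP
        elif kind in ("DNS", "CN") and _dns_match(value, peer):
            return True
    return False


def explain_rejection(cert: dict, peer: str) -> str:
    """What a name-mismatch rejection looks like, for troubleshooting."""
    if match_peer(cert, peer):
        return "ok"
    offered = ", ".join(f"{k}={v}" for k, v in certificate_names(cert)) or "no names"
    return f"name mismatch: connected to {peer!r}, certificate offers {offered}"


def sample_certificates() -> dict:
    """Constructed certificates in getpeercert() dict form (not real certs)."""
    return {
        "san": {
            "subject": ((("commonName", "legacy-name"),),),
            "subjectAltName": (("DNS", "*.example.internal"), ("IP Address", "10.0.0.5")),
        },
        "cn_only": {
            "subject": ((("countryName", "US"),), (("commonName", "opensearch.local"),)),
        },
    }
```

When a connection is rejected, compare the hostname or IP address you entered in the destination with the names the certificate actually offers (explain_rejection() prints both): the usual fixes are to connect using a name the certificate lists, or to reissue the certificate with the right subject_alt_name, rather than to disable verification.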

11 - OpenSearch

Axoflow will soon support sending data to OpenSearch using its HTTP endpoint.

If you’d like to send data from AxoRouter to this destination, contact our support team for details.

12 - Splunk

To add a Splunk destination (Splunk Cloud or Splunk Enterprise) to Axoflow, complete the following steps.

Prerequisites

  1. Enable the HTTP Event Collector (HEC) on your Splunk deployment if needed. On Splunk Cloud Platform deployments, HEC is enabled by default.

  2. Create a token for Axoflow to use in the destination. When creating the token, use the syslog source type.

    For details, see Set up and use HTTP Event Collector in Splunk Web.

  3. If you’re using AxoRouter, create the indexes where Axoflow sends the log data. Which indexes are needed depends on the sources you have, but create at least the following event indexes: axoflow, infraops, netops, netfw, osnix (for unclassified messages). Check your sources in the Sources section for a detailed list of the indexes their data is sent to.

  4. If you’ve created any new indexes, make sure to add those indexes to the token’s Allowed Indexes.

Steps

  1. Create a new destination.

    1. Open the Axoflow Console.
    2. Select Topology.
    3. Select + > Destination.
  2. Configure the destination.

    1. Select Splunk.

    2. Select which type of configuration you want to use:

      • Simple: Send all data into a single index, with fixed source and source type settings.
      • Dynamic: Set index, source, and source type based on the content or metadata of the incoming messages.
      • Advanced: Allows you to specify a custom URL endpoint.
    3. Enter a name for the destination.

      Configure the Splunk destination

    4. Configure the endpoint of the destination.

      • Advanced: Enter your Splunk URL into the URL field, for example, https://<your-splunk-tenant-id>.splunkcloud.com:8088 for Splunk Cloud Platform free trials, or https://<your-splunk-tenant-id>.splunkcloud.com for Splunk Cloud Platform instances.
      • Simple and Dynamic:
        1. Select the HTTPS or HTTP protocol to use to access your destination.
        2. Enter the Hostname and Port of the destination.
    5. Specify the Splunk index to send the data to.

      • Simple: Enter the expression that specifies the Splunk index to use into the Index field, for example: netops. All data will be sent into this index.
      • Dynamic and Advanced:
        1. Enter the name of the Default Index. The data will be sent into this index if no other index is set during the processing of the message (based on automatic classification, or by the processing steps of the Flow). Make sure that the index exists in Splunk.
        2. Enter the Default Source and Default Source Type. These will be assigned to the messages that have no source or source type set during the processing of the message (based on automatic classification, or by the processing steps of the Flow).
    6. Enter the token you’ve created into the Token field.

    7. Disable the Verify server certificate option unless your deployment has a valid, non-self-signed certificate. Free Splunk Cloud accounts have self-signed certificates.

    8. (Optional) Set other options as needed for your environments.

      • Timeout: The number of seconds to wait for a log-forwarding request to complete; if it is exceeded, AxoRouter reconnects to the server. The default (0) is unlimited. For more details, see the AxoSyslog documentation.
      • Batch Timeout: Maximal time in milliseconds to wait for a batch to be filled before sending it. The default value (-1) means that the batch should be full before sending, which may result in a long wait if the incoming traffic is low. For more details, see the AxoSyslog documentation.
      • Workers: Used for scaling the destination in case of high message load. Specifies the number of worker threads AxoRouter uses for sending messages to the destination. The default is 1. If high message throughput is not a concern, leave it on 1. For maximum performance, increase it up to the number of CPU cores available on AxoRouter. For more details, see the AxoSyslog documentation.

    9. Select Create.

  3. Create a flow to connect the new destination to an AxoRouter instance.
    1. Select Flows.

    2. Select Create New Flow.

    3. Enter a name for the flow, for example, my-test-flow.

      Create a flow

    4. In the Router Selector field, enter an expression that matches the router(s) you want to apply the flow to. To select a specific router, use a name selector, for example, name = my-axorouter-hostname.

    5. Select the Destination where you want to send your data. If you don’t have any destination configured, see Destinations.

      By default, you can select only external destinations. If you want to send data to another AxoRouter, enable the Show all destinations option, and select the connector of the AxoRouter where you want to send the data.

      AxoRouter as destination

    6. (Optional) To process the data transferred in the flow, select Add New Processing Step. For details, see Processing steps. For example:

      1. Add a Reduce step to automatically remove redundant and empty fields from your data.
      2. To select which messages are processed by the flow, add a Select Messages step, and enter a filter into the Query field. For example, to select only the messages received from Fortinet FortiGate firewalls, use the meta.vendor = fortinet + meta.product = fortigate query.
      3. Save the processing steps.

      Example processing steps

    7. Select Create.

    8. The new flow appears in the Flows list.

      The new flow
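What the Splunk destination settings turn into at the HTTP Event Collector, as an added Python example that is not Axoflow's code: resolve_fields() applies the Dynamic-mode fallback from step 5 (index, source and sourcetype set on the message win; the Default Index, Default Source and Default Source Type fill in the rest), build_hec_request() produces the HEC event JSON and the Authorization: Splunk <token> header that the Token field feeds, and indexes_not_allowed() models the Allowed Indexes prerequisite. The /services/collector/event path is Splunk's standard HEC endpoint, not something this page documents; the host, token and messages are constructed placeholders, and nothing is sent. The verify_tls flag mirrors the Verify server certificate option; where a deployment uses its own CA, trusting that CA keeps verification on instead of turning it off.

```python
import json

# Splunk's standard HEC endpoint path for JSON events.
HEC_EVENT_PATH = "/services/collector/event"


def resolve_fields(meta: dict, defaults: dict) -> dict:
    """Dynamic mode (step 5): index, source and sourcetype set on the message
    by classification or processing steps win; missing ones fall back to the
    Default Index / Default Source / Default Source Type."""
    return {key: meta.get(key) or defaults[key] for key in ("index", "source", "sourcetype")}


def build_hec_request(base_url: str, token: str, message: str, meta: dict,
                      defaults: dict, verify_server_certificate: bool = True) -> dict:
    """One HEC event: the JSON body, the 'Splunk <token>' header and the TLS
    verification flag. Nothing is sent; hand the result to any HTTP client."""
    event = {"event": message, "host": meta.get("host", "unknown"), **resolve_fields(meta, defaults)}
    if "time" in meta:
        event["time"] = meta["time"]              # epoch seconds; otherwise Splunk uses arrival time
    return {
        "url": base_url.rstrip("/") + HEC_EVENT_PATH,
        "headers": {"Authorization": f"Splunk {token}", "Content-Type": "application/json"},
        "event": event,
        "body": json.dumps(event, separators=(",", ":")),
        "verify_tls": verify_server_certificate,
    }


def build_hec_batch(base_url: str, token: str, messages: list, defaults: dict) -> dict:
    """Batch: HEC accepts several event objects concatenated in one body, which
    is what the Batch Timeout setting trades latency against. `messages` is a
    list of (text, meta) pairs."""
    if not messages:
        raise ValueError("empty batch")
    requests = [build_hec_request(base_url, token, text, meta, defaults) for text, meta in messages]
    return {
        "url": requests[0]["url"],
        "headers": requests[0]["headers"],
        "body": "".join(r["body"] for r in requests),
        "count": len(requests),
    }


def indexes_not_allowed(events: list, allowed_indexes: set) -> list:
    """Prerequisite 4: an index outside the token's Allowed Indexes makes HEC
    reject the event, so check the resolved indexes before sending."""
    return sorted({e["index"] for e in events if e["index"] not in allowed_indexes})


def sample_defaults() -> dict:
    """Constructed defaults matching the indexes named in the prerequisites."""
    return {"index": "axoflow", "source": "axorouter", "sourcetype": "syslog"}


if __name__ == "__main__":
    d = sample_defaults()
    r = build_hec_request("https://PLACEHOLDER.splunkcloud.com:8088/", "PLACEHOLDER-TOKEN",
                          "hello", {"host": "fw-01", "index": "netfw"}, d)
    print(r["url"], r["headers"]["Authorization"], r["body"])
    print(indexes_not_allowed([r["event"], {"index": "custom"}], {"axoflow", "netfw"}))
```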