Getting started
This guide shows you how to get started with Axoflow. You’re going to install AxoRouter, and configure or create a source to send data to AxoRouter. You’ll also configure AxoRouter to forward the received data to your destination SIEM or storage provider. The resulting topology will look something like this:
Why use Axoflow
Using the Axoflow security data pipeline automatically corrects and augments the security data you collect, resulting in high-quality, curated, SIEM-optimized data. It also removes redundant data to reduce storage and SIEM costs. In addition, it allows automates pipeline configuration and provides metrics and alerts for your telemetry data flows.
Prerequisites
You’ll need:
-
An Axoflow subscription, or access to a free evaluation version.
-
A data source. This can be any host that you can configure to send syslog or OpenTelemetry data to your AxoRouter instance that you’ll install. If you don’t want to change the configuration of an existing device, you can use a virtual machine or a docker container on your local computer.
-
A host that you’ll install AxoRouter on. This can be a separate Linux host, or a virtual machine running on your local computer.
AxoRouter should work on most Red Hat and Debian compatible Linux distributions. For production environments, we recommend using Red Hat 9.
-
Access to a supported SIEM or storage provider, like Splunk or Amazon S3. For a quick test of Axoflow, you can use a free Splunk or OpenObserve account as well.
Network access
The hosts must be able to access the following domains related to the Axoflow Console:
<your-tenant-id>.cloud.axoflow.io
: HTTPS traffic on TCP port 443, needed to download the binaries for Axoflow software (like Axolet and AxoRouter).kcp.<your-tenant-id>.cloud.axoflow.io
: HTTPS (mutual TLS) traffic on TCP port 443 for management traffic.telemetry.<your-tenant-id>.cloud.axoflow.io
: HTTPS (mutual TLS) traffic on TCP port 443, where Axolet sends the metrics of the host.us-docker.pkg.dev
: HTTPS traffic on TCP port 443, for pulling container images (AxoRouter only).
Log in to the Axoflow Console
Verify that you have access to the Axoflow Console.
- Open
https://<your-tenant-id>.axoflow.io/
in your browser. - Log in using Google Authentication.
Add a destination
Add the destination where you’re sending your data. For a quick test, you can use a free Splunk or OpenObserve account.
Add a Splunk Cloud destination. For other destinations, see Destinations.
Prerequisites
-
Enable the HTTP Event Collector (HEC) on your Splunk deployment if needed. On Splunk Cloud Platform deployments, HEC is enabled by default.
-
Create a token for Axoflow to use in the destination. When creating the token, use the syslog source type.
For details, see Set up and use HTTP Event Collector in Splunk Web.
-
If you’re using AxoRouter, create the indexes where Axoflow sends the log data. Which index is needed depends on the sources you have, but create at least the following event indices:
axoflow
,infraops
,netops
,netfw
,osnix
(for unclassified messages). Check your sources in the Data sources section for a detailed lists on which indices their data is sent.
Steps
-
Create a new destination.
- Open the Axoflow Console.
- Select Topology.
- Select + > Destination.
-
Configure the destination.
-
Select Splunk.
-
Enter a name for the destination.
-
Enter your Splunk URL into the URL field, for example,
https://<your-splunk-tenant-id>.splunkcloud.com:8088
for Splunk Cloud Platform free trials, orhttps://<your-splunk-tenant-id>.splunkcloud.com
for Splunk Cloud Platform instances. -
Enter the token you’ve created into the Token field.
-
Disable the Verify server certificate option unless your deployment has a valid, non-self-signed certificate. Free Splunk Cloud accounts have self-signed certificates.
-
Select Create.
-
Deploy an AxoRouter instance
Deploy an AxoRouter instance that will route, curate, and enrich your log data.
Deploy AxoRouter on Linux. For other platforms, see AxoRouter.
-
Select Provisioning > Select type and platform.
-
Select the type (AxoRouter) and platform (Linux). The one-liner installation command is displayed.
If needed, set the Advanced options (for example, proxy settings) to modify the installation parameters. Usually, you don’t have to use advanced options unless the Axoflow support team instructs you to do so.
-
Open a terminal on the host where you want to install AxoRouter.
-
Run the one-liner, then follow the on-screen instructions.
Note Running the provisioning command withsudo
would mask environment variables of the calling shell. Either start the whole procedure from a root shell, or let the install script call sudo when it needs to. In other words: don’t add thesudo
command to the provisioning command.Example output:
Do you want to install AxoRouter now? [Y] y % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 4142 100 4142 0 0 19723 0 --:--:-- --:--:-- --:--:-- 19818 Verifying packages... Preparing packages... axorouter-0.40.0-1.aarch64 % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 31.6M 100 31.6M 0 0 2092k 0 0:00:15 0:00:15 --:--:-- 2009k Verifying packages... Preparing packages... axolet-0.40.0-1.aarch64 Created symlink /etc/systemd/system/multi-user.target.wants/axolet.service → /usr/lib/systemd/system/axolet.service. Now continue with onboarding the host on the Axoflow web UI.
-
Register the host.
-
Reload the Provisioning page. There should be a registration request for the new AxoRouter deployment. Select ✓.
-
Select Register to register the host. You can add a description and labels (in
label:value
format) to the host. -
Select the Topology page. The new AxoRouter instance is displayed.
-
Add a source appliance
Configure a host to send data to AxoRouter.
Configure a generic syslog host. For appliances that are specifically supported by Axoflow, see Data sources.
-
Log in to your device. You need administrator privileges to perform the configuration.
-
If needed, enable syslog forwarding on the device.
-
Set AxoRouter as the syslog server. Typically, you can configure the following parameters:
-
Name or IP Address of the syslog server: Set the address of your AxoRouter.
-
Protocol: If possible, set TCP or TLS.
-
Syslog Format: If possible, set RFC5424 (or equivalent), otherwise leave the default.
-
Port: Set a port appropriate for the protocol and syslog format you have configured.
By default, AxoRouter accepts data on the following ports:
- 514 TCP and UDP for RFC3164 (BSD-syslog) formatted traffic.
- 601 TCP for RFC5424 (IETF-syslog) formatted traffic.
- 6514 TCP for TLS-encrypted traffic.
- 4317 TCP for OpenTelemetry log data.
Make sure to enable the ports you’re using on the firewall of your host.
-
-
Add the appliance to the Axoflow Console. For details, see Appliances.
syslog-ng
, Splunk Connect for Syslog (SC4S), or AxoSyslog as its log forwarder agent, consider installing Axolet on the host and instrumenting the configuration of the log forwarder to receive detailed metrics about the host and the processed data. For details, see Manage and monitor the pipeline.
Add a path
Create a path between the source appliance and the AxoRouter instance.
-
Select Topology > + Path.
-
Select your data source in the Source host field.
-
Select the target router or aggregator this source is sending its data to in the Target host field, for example,
axorouter
. -
Select the Target connector. The connector determines how the destination receives the data (for example, using which protocol or port).
-
Select Create. The new path appears on the Topology page.
Create a flow
Create a flow to route the traffic from your AxoRouter instance to your destination.
-
Select Flows.
-
Select Create New Flow.
-
Enter a name for the flow, for example,
my-test-flow
. -
In the Router Selector field, enter an expression that matches the router(s) you want to apply the flow. To select a specific router, use a name selector, for example,
name = my-axorouter-hostname
. -
Select the Destination where you want to send your data. If you don’t have any destination configured, see Destinations.
-
(Optional) To process the data transferred in the flow, select Add New Processing Step. For details, see Processing steps. For example:
- Add a Reduce step to automatically remove redundant and empty fields from your data.
- To select which messages are processed by the flow, add a Select Messages step, and enter a filter into the Query field. For example, to select only the messages received from Fortinet Fortigate firewalls, use the
meta.vendor = fortinet + meta.product = fortigate
query. - Save the processing steps.
-
Select Create.
-
The new flow appears in the Flows list.
Check the metrics on the Topology page
Open the Topology page and verify that your AxoRouter instance is connected both to the appliance and the destination. If it isn’t, select + > Path to connect them.
If you have traffic flowing from the source to your AxoRouter instance, the Topology page shows the amount of data flowing on the path. Click the AxoRouter instance, then select Analytics to visualize the data flow.
Tap into the log flow
Log tapping in Axoflow samples the log flow. You can use labels to filter for specific messages (like ones with parse errors) and tap only those messages. To not get overwhelmed with events, Axoflow automatically samples the output: if many messages match the selected filter, only a subset is shown (about 1 message per second). Using log tapping, you can quickly troubleshoot both parsing/curation errors and destination ingest (API) errors, and check:
- What was in the original message?
- What is sent in the final payload to the destination?
Tap into the log flow.
-
Click your AxoRouter instance on the Topology page, then select ⋮ > Tap log flow.
-
Tap into the log flow.
- To see the input data, select Input log flow > Start.
- To see the output data, select Output log flow > Start.
You can use labels to filter the messages and sample only the matching ones.
-
When the logs you’re interested in show up, click Stop Log Tap, then click a log message to see its details.
-
If you don’t know what the message means, select AI Analytics to ask our AI to interpret it.
Troubleshooting
In case you run into problems, or you’re not getting any data in Splunk, check the logs of your AxoRouter instance:
-
Select Topology, then select your AxoRouter instance.
-
Select ⋮ > Tap agent logs > Start. Axoflow displays the log messages of AxoRouter. Check the logs for error messages. Some common errors include:
Redirected event for unconfigured/disabled/deleted index=netops with source="source::axo" host="host::axosyslog-almalinux" sourcetype="sourcetype::fortigate_event" into the LastChanceIndex. So far received events from 1 missing index(es).
: The Splunk index where AxoRouter is trying to send data doesn’t exist. Check which index is missing in the error message and create it in Splunk. (For a list of recommended indices, see the Splunk destination prerequisites.)http: error sending HTTP request; url='https://prd-p-sp2id.splunkcloud.com:8088/services/collector/event/1.0?index=&source=&sourcetype=', error='SSL peer certificate or SSH remote key was not OK', worker_index='0', driver='splunk--flow-axorouter4-almalinux#0', location='/usr/share/syslog-ng/include/scl/splunk/splunk.conf:104:3'
: Your Splunk deployment uses an invalid or self-signed certificate, and the Verify server certificate option is enabled in the Splunk destination of Axoflow. Either fix the certificate in Splunk, or: select Topology > <your-splunk-destination>, disable Verify server certificate, then select Update.