1. Select Routers > Add Router.

   

2. Select the platform (Linux). The one-liner installation command is displayed.

   

3. (Optional) If you don’t want to store any logs locally on AxoRouter, disable AxoStore, select Advanced options, scroll down, and deselect Enable AxoStore.

4. (Optional)

   If needed, set the Advanced options (for example, proxy settings) to modify the installation parameters. Usually, you don’t have to use advanced options unless the Axoflow support team instructs you to do so.

5. Open a terminal on the host where you want to install AxoRouter.

6. Run the one-liner, then follow the on-screen instructions.

   Note Running the provisioning command with sudo would mask environment variables of the calling shell. Either start the whole procedure from a root shell, or let the install script call sudo when it needs to. In other words: don’t add the sudo command to the provisioning command.

   Example output:

   Do you want to install AxoRouter now? [Y]
   
   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                   Dload  Upload   Total   Spent    Left  Speed
   100  5480  100  5480    0     0  32076      0 --:--:-- --:--:-- --:--:-- 33414
   Selecting previously unselected package axorouter.
   (Reading database ... 17697 files and directories currently installed.)
   Preparing to unpack axorouter.deb ...
   Unpacking axorouter (0.66.0) ...
   Setting up axorouter (0.66.0) ...
   Low maximum socket receive buffer size value detected: 7500000 bytes (7.2MB).
   Do you you want to permanently set the net.core.rmem_max sysctl value to 33554432 bytes (32MB) on this system? [Y]
   
   net.core.rmem_max = 33554432
   Created symlink '/etc/systemd/system/multi-user.target.wants/axostore.path' → '/etc/systemd/system/axostore.path'.
   Created symlink '/etc/systemd/system/multi-user.target.wants/axorouter-wec.path' → '/etc/systemd/system/axorouter-wec.path'.
   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                   Dload  Upload   Total   Spent    Left  Speed
   100 42.9M  100 42.9M    0     0  28.1M      0  0:00:01  0:00:01 --:--:-- 28.2M
   Selecting previously unselected package axolet.
   (Reading database ... 17707 files and directories currently installed.)
   Preparing to unpack axolet.deb ...
   Unpacking axolet (0.66.0) ...
   Setting up axolet (0.66.0) ...
   Created symlink '/etc/systemd/system/multi-user.target.wants/axolet.service' → '/usr/lib/systemd/system/axolet.service'.
   Now continue with onboarding the host on the Axoflow web UI.
   

7. Register the host.

   1. Reload the Provisioning page. There should be a registration request for the new AxoRouter deployment. Select ✓.

      

   2. Select Register to register the host. You can add a description and labels (in label:value format) to the host.

      

   3. If the primary IP address (the first IP address shown in the Network addresses section on the Routers page for each AxoRouter) is not accessible from your edge hosts, set a Network address override (IP address or an FQDN) that’s accessible. Otherwise, data forwarding from edge hosts will fail.

   4. Select the Topology page. The new AxoRouter instance is displayed.

1. Log in to your device. You need administrator privileges to perform the configuration.

2. If needed, enable syslog forwarding on the device.

3. Set AxoRouter as the syslog server. Typically, you can configure the following parameters:

   • Name or IP Address of the syslog server: Set the address of your AxoRouter.

   • Protocol: If possible, set TCP or TLS.

     Note If you’re sending data over TLS, make sure to configure a TLS-enabled connector rule in Axoflow.

   • Syslog Format: If possible, set RFC5424 (or equivalent), otherwise leave the default.

   • Port: Set a port appropriate for the protocol and syslog format you have configured.

     By default, AxoRouter accepts data on the following ports (unless you’ve modified the default connector rules):

     • 514 UDP and TCP for RFC3164 (BSD-syslog) and RFC5424 (IETF-syslog) formatted traffic. AxoRouter automatically recognizes and handles both formats.
     • 601 TCP for RFC5424 (IETF-syslog) and RFC3164 (BSD-syslog) formatted traffic. AxoRouter automatically recognizes and handles both formats.
     • 6514 TCP for TLS-encrypted syslog traffic.
     • 4317 TCP for OpenTelemetry log data.

     To receive data on other ports or other protocols, configure other connector rules for the AxoRouter host.

     For TLS-encrypted syslog connections, create a new connector rule or edit an existing one, and configure the keys and certificates needed to encrypt the connections. For details, see Syslog.

     Note Make sure to enable the ports you’re using on the firewall of your host.

4. Add the source to AxoConsole.

   1. Open the AxoConsole and select Topology.

   2. Select Add Item > Source.

      

      • If the source is actively sending data to an AxoRouter instance, select Detected, then select your source.

      • Otherwise, select the vendor and product corresponding to your source from the Predefined sources, then enter the parameters of the source, like IP address and FQDN.

        

      Note During log tapping, you can add hosts that are actively sending data to an AxoRouter instance by clicking Register source.

   3. (Optional) Add custom labels as needed.

   4. Select Add.

1. Select Topology > Add Item > Path.

   

2. Select your data source in the Source host field.

   

3. Select the target router or aggregator this source is sending its data to in the Target host field, for example, axorouter.

4. Select the Target connector. The connector determines how the destination receives the data (for example, using which protocol or port).

5. Select Add. The new path appears on the Topology page.

   

1. Navigate to Routers > Stores > Add Store.

2. Enter default as the Name of the store. This name will appear in the list of destinations (with the -store suffix) when setting the destination of a Flow. You cannot modify the name of the store later.

   

3. Set Store type to AxoStore.

4. Set the Router Selector so it matches the AxoRouter instances where you want to create this store.

   You can use any labels and metadata of the AxoRouter hosts in the Router selectors, for example, the hostname of the AxoRouter, or any custom labels.

   • If you leave the Router Selector field empty, the selector will match every AxoRouter instance.
   • To select only a specific AxoRouter instance, set the name field to the name of the instance as selector. For example, name = my-axorouter.
   • If you set multiple fields in the selector, the selector will match only AxoRouter instances that match all elements of the selector. (There in an AND relationship between the fields.)

5. Set the Retention Time (in days) so older data is automatically deleted from the store. You cannot modify this parameter later.

6. Select Add.

1. Select Flows.

2. Select Add Flow.

3. Enter a name for the flow, for example, my-test-flow.

   

4. In the Router Selector field, enter an expression that matches the router(s) you want to apply the flow. To select a specific router, use a name selector, for example, name = my-axorouter-hostname.

   You can use any labels and metadata of the AxoRouter hosts in the Router selectors, for example, the hostname of the AxoRouter, or any custom labels.

   • If you leave the Router Selector field empty, the selector will match every AxoRouter instance.
   • To select only a specific AxoRouter instance, set the name field to the name of the instance as selector. For example, name = my-axorouter.
   • If you set multiple fields in the selector, the selector will match only AxoRouter instances that match all elements of the selector. (There in an AND relationship between the fields.)

5. Set the Destination where you want to send your data. Select default-store. For details on the different destinations, see Destinations.

   

6. (Optional) To process the data transferred in the flow, select Add New Processing Step. For details, see Processing steps. For example:

   1. Add a Classify, a Parse, and a Reduce step, in that order, to automatically remove redundant and empty fields from your data.
   2. To select which messages are processed by the flow, add a Select Messages step, and enter a filter into the AQL Expression field. For example, to select only the messages received from Fortinet FortiGate firewalls, use the meta.vendor = fortinet AND meta.product = fortigate query.
   3. Save the processing steps.

   

7. Select Add.

8. The new flow appears in the Flows list.

   

1. Click your AxoRouter instance on the Topology page, then select ⋮ > Tap log flow.

   

2. Tap into the log flow.

   • To see the input data, select Input log flow > Start.
   • To see the output data, select Output log flow > Start.

   You can use labels to filter the messages and sample only the matching ones.

   

3. When the logs you’re interested in show up, click Stop Log Tap, then click a log message to see its details.

   

4. If you don’t know what the message means, select AI Analytics to ask our AI to interpret it.

   

1. Select Routers > Add Router.

   

2. Select the platform (Linux). The one-liner installation command is displayed.

   

3. (Optional) If you don’t want to store any logs locally on AxoRouter, disable AxoStore, select Advanced options, scroll down, and deselect Enable AxoStore.

4. (Optional)

   If needed, set the Advanced options (for example, proxy settings) to modify the installation parameters. Usually, you don’t have to use advanced options unless the Axoflow support team instructs you to do so.

5. Open a terminal on the host where you want to install AxoRouter.

6. Run the one-liner, then follow the on-screen instructions.

   Note Running the provisioning command with sudo would mask environment variables of the calling shell. Either start the whole procedure from a root shell, or let the install script call sudo when it needs to. In other words: don’t add the sudo command to the provisioning command.

   Example output:

   Do you want to install AxoRouter now? [Y]
   
   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                   Dload  Upload   Total   Spent    Left  Speed
   100  5480  100  5480    0     0  32076      0 --:--:-- --:--:-- --:--:-- 33414
   Selecting previously unselected package axorouter.
   (Reading database ... 17697 files and directories currently installed.)
   Preparing to unpack axorouter.deb ...
   Unpacking axorouter (0.66.0) ...
   Setting up axorouter (0.66.0) ...
   Low maximum socket receive buffer size value detected: 7500000 bytes (7.2MB).
   Do you you want to permanently set the net.core.rmem_max sysctl value to 33554432 bytes (32MB) on this system? [Y]
   
   net.core.rmem_max = 33554432
   Created symlink '/etc/systemd/system/multi-user.target.wants/axostore.path' → '/etc/systemd/system/axostore.path'.
   Created symlink '/etc/systemd/system/multi-user.target.wants/axorouter-wec.path' → '/etc/systemd/system/axorouter-wec.path'.
   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                   Dload  Upload   Total   Spent    Left  Speed
   100 42.9M  100 42.9M    0     0  28.1M      0  0:00:01  0:00:01 --:--:-- 28.2M
   Selecting previously unselected package axolet.
   (Reading database ... 17707 files and directories currently installed.)
   Preparing to unpack axolet.deb ...
   Unpacking axolet (0.66.0) ...
   Setting up axolet (0.66.0) ...
   Created symlink '/etc/systemd/system/multi-user.target.wants/axolet.service' → '/usr/lib/systemd/system/axolet.service'.
   Now continue with onboarding the host on the Axoflow web UI.
   

7. Register the host.

   1. Reload the Provisioning page. There should be a registration request for the new AxoRouter deployment. Select ✓.

      

   2. Select Register to register the host. You can add a description and labels (in label:value format) to the host.

      

   3. If the primary IP address (the first IP address shown in the Network addresses section on the Routers page for each AxoRouter) is not accessible from your edge hosts, set a Network address override (IP address or an FQDN) that’s accessible. Otherwise, data forwarding from edge hosts will fail.

   4. Select the Topology page. The new AxoRouter instance is displayed.

1. Log in to your device. You need administrator privileges to perform the configuration.

2. If needed, enable syslog forwarding on the device.

3. Set AxoRouter as the syslog server. Typically, you can configure the following parameters:

   • Name or IP Address of the syslog server: Set the address of your AxoRouter.

   • Protocol: If possible, set TCP or TLS.

     Note If you’re sending data over TLS, make sure to configure a TLS-enabled connector rule in Axoflow.

   • Syslog Format: If possible, set RFC5424 (or equivalent), otherwise leave the default.

   • Port: Set a port appropriate for the protocol and syslog format you have configured.

     By default, AxoRouter accepts data on the following ports (unless you’ve modified the default connector rules):

     • 514 UDP and TCP for RFC3164 (BSD-syslog) and RFC5424 (IETF-syslog) formatted traffic. AxoRouter automatically recognizes and handles both formats.
     • 601 TCP for RFC5424 (IETF-syslog) and RFC3164 (BSD-syslog) formatted traffic. AxoRouter automatically recognizes and handles both formats.
     • 6514 TCP for TLS-encrypted syslog traffic.
     • 4317 TCP for OpenTelemetry log data.

     To receive data on other ports or other protocols, configure other connector rules for the AxoRouter host.

     For TLS-encrypted syslog connections, create a new connector rule or edit an existing one, and configure the keys and certificates needed to encrypt the connections. For details, see Syslog.

     Note Make sure to enable the ports you’re using on the firewall of your host.

4. Add the source to AxoConsole.

   1. Open the AxoConsole and select Topology.

   2. Select Add Item > Source.

      

      • If the source is actively sending data to an AxoRouter instance, select Detected, then select your source.

      • Otherwise, select the vendor and product corresponding to your source from the Predefined sources, then enter the parameters of the source, like IP address and FQDN.

        

      Note During log tapping, you can add hosts that are actively sending data to an AxoRouter instance by clicking Register source.

   3. (Optional) Add custom labels as needed.

   4. Select Add.

1. Select Topology > Add Item > Path.

   

2. Select your data source in the Source host field.

   

3. Select the target router or aggregator this source is sending its data to in the Target host field, for example, axorouter.

4. Select the Target connector. The connector determines how the destination receives the data (for example, using which protocol or port).

5. Select Add. The new path appears on the Topology page.

   

Prerequisites

1. Enable the HTTP Event Collector (HEC) on your Splunk deployment if needed. On Splunk Cloud Platform deployments, HEC is enabled by default.

2. Create a token for Axoflow to use in the destination. When creating the token, use the syslog source type.

   For details, see Set up and use HTTP Event Collector in Splunk Web.

3. If you’re using AxoRouter, create the indexes where Axoflow sends the log data. Which index is needed depends on the sources you have, but create at least the following event indices: axoflow, infraops, netops, netfw, osnix (for unclassified messages). Check your sources in the Sources section for a detailed lists on which indices their data is sent.

4. If you’ve created any new indexes, make sure to add those indexes to the token’s Allowed Indexes.

Steps

1. Create a new destination.

   1. Open the AxoConsole.
   2. Select Destinations > + Add Destination.

2. Select Splunk.

3. Select Dynamic. This will allow you to set a default index, source, and source type for messages that aren’t automatically identified.

   

4. Enter your Splunk URL into the Hostname field, for example, <your-splunk-tenant-id>.splunkcloud.com for Splunk Cloud Platform free trials, or <your-splunk-tenant-id>.splunkcloud.com for Splunk Cloud Platform instances.

5. Enter the name of the Default Index. The data will be sent into this index if no other index is set during the processing of the message (based on automatic classification, or by the processing steps of the Flow). Make sure that the index exists in Splunk.

6. Enter the Default Source and Default Source Type. These will be assigned to the messages that have no source or source type set during the processing of the message (based on automatic classification, or by the processing steps of the Flow).

7. Enter the token you’ve created into the Token field.

8. Disable the Verify server certificate option unless your deployment has a valid, non-self-signed certificate. Free Splunk Cloud accounts have self-signed certificates.

9. (Optional) You can set other options as needed for your environment. For details, see Splunk.

10. Select Add.

1. Select Flows.

2. Select Add Flow.

3. Enter a name for the flow, for example, my-test-flow.

   

4. In the Router Selector field, enter an expression that matches the router(s) you want to apply the flow. To select a specific router, use a name selector, for example, name = my-axorouter-hostname.

   You can use any labels and metadata of the AxoRouter hosts in the Router selectors, for example, the hostname of the AxoRouter, or any custom labels.

   • If you leave the Router Selector field empty, the selector will match every AxoRouter instance.
   • To select only a specific AxoRouter instance, set the name field to the name of the instance as selector. For example, name = my-axorouter.
   • If you set multiple fields in the selector, the selector will match only AxoRouter instances that match all elements of the selector. (There in an AND relationship between the fields.)

5. Select the Destination where you want to send your data. If you don’t have any destination configured, you can select + Add in the destination section to create a new destination now. For details on the different destinations, see Destinations.

   • If you don’t have any destination configured, see Destinations.
   • If you’ve already created a store, it automatically available as a destination. Note that the Router Selector of the flow must match only AxoRouters that have the selected store available, otherwise you’ll get an error message.
   • If you want to send data to another AxoRouter, enable the Show all destinations option, and select the connector of the AxoRouter where you want to send the data.

   

6. (Optional) To process the data transferred in the flow, select Add New Processing Step. For details, see Processing steps. For example:

   1. Add a Classify, a Parse, and a Reduce step, in that order, to automatically remove redundant and empty fields from your data.
   2. To select which messages are processed by the flow, add a Select Messages step, and enter a filter into the AQL Expression field. For example, to select only the messages received from Fortinet FortiGate firewalls, use the meta.vendor = fortinet AND meta.product = fortigate query.
   3. Save the processing steps.

   

7. Select Add.

8. The new flow appears in the Flows list.

   

1. Click your AxoRouter instance on the Topology page, then select ⋮ > Tap log flow.

   

2. Tap into the log flow.

   • To see the input data, select Input log flow > Start.
   • To see the output data, select Output log flow > Start.

   You can use labels to filter the messages and sample only the matching ones.

   

3. When the logs you’re interested in show up, click Stop Log Tap, then click a log message to see its details.

   

4. If you don’t know what the message means, select AI Analytics to ask our AI to interpret it.