# Getting started using a SIEM

This guide shows you how to get started with Axoflow. You’re going to install AxoRouter, and configure or create a source to send data to AxoRouter. You’ll also configure AxoRouter to forward the received data to your destination SIEM or storage provider. The resulting topology will look something like this:

![Getting started topology](/docs/axoflow/getting-started/getting-started-siem/topology-final.png)

## Why use Axoflow

Using the Axoflow security data pipeline automatically corrects and augments the security data you collect, resulting in high-quality, curated, SIEM-optimized data. It also removes redundant data to reduce storage and SIEM costs. In addition, it automates pipeline configuration and provides metrics and alerts for your telemetry data flows.

## Prerequisites

You’ll need:

  * An Axoflow subscription, access to a [free evaluation version](../../docs/axoflow/trial/index.md), or an [on-premise deployment](../../docs/axoflow/deploy/onprem/index.md).

  * A data source. This can be any host that you can configure to send syslog or OpenTelemetry data to the AxoRouter instance you'll install. If you don't want to change the configuration of an existing device, you can use a virtual machine or a Docker container on your local computer.

  * A host that you’ll install AxoRouter on. This can be a separate Linux host, or a virtual machine running on your local computer.

AxoRouter should work on most Red Hat and Debian compatible Linux distributions. For production environments, we recommend using Red Hat 9.

  * A destination where AxoRouter will send the received data. This can be any supported SIEM or storage provider that you have access to, like Splunk or Amazon S3. For a quick test of Axoflow, you can use a free Splunk or OpenObserve account as well. See our list of supported [Destinations](../../docs/axoflow/destinations/index.md).




### Network access

The hosts must be able to access the following domains related to the AxoConsole:

  * When using AxoConsole SaaS:

    * `<your-tenant-id>.cloud.axoflow.io`: HTTPS traffic on TCP port 443, needed to download the binaries for Axoflow software (like Axolet and AxoRouter).
    * `kcp.<your-tenant-id>.cloud.axoflow.io`: HTTPS (mutual TLS) traffic on TCP port 443 for management traffic.
    * `telemetry.<your-tenant-id>.cloud.axoflow.io`: HTTPS (mutual TLS) traffic on TCP port 443, where Axolet sends the metrics of the host.
    * `us-docker.pkg.dev`: HTTPS traffic on TCP port 443, for pulling container images (AxoRouter only).
  * When using an on-premise AxoConsole:

    * The following domains should point to the AxoConsole IP address so that Axoflow is reachable from your desktop and from the AxoRouter hosts:

      * `your-host.your-domain`: The main domain of your AxoConsole deployment.
      * `authenticate.your-host.your-domain`: A subdomain used for authentication.
      * `idp.your-host.your-domain`: A subdomain for the identity provider.
    * The AxoConsole host must have the following **Open Ports** :

      * Port 80 (HTTP)
      * Port 443 (HTTPS)
  * When installing Axoflow agent for Windows or Linux:

    * `github.com`: HTTPS traffic on TCP port 443, for downloading installer packages.
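A preflight check for the domains listed above, as an added example that is not part of the Axoflow docs. It builds the endpoint list for either deployment mode from your tenant id or console hostname (assumed inputs) and attempts a TCP connection to each; it checks reachability only, since the management and telemetry endpoints require the Axolet client certificate to complete a mutual-TLS handshake.

```python
"""Preflight: can this host reach the AxoConsole endpoints from the Network access section?"""
import socket
from dataclasses import dataclass
from typing import Callable, List, Tuple

Endpoint = Tuple[str, int]


@dataclass
class Result:
    host: str
    port: int
    reachable: bool
    detail: str = ""


def saas_endpoints(tenant_id: str, include_agent_download: bool = False) -> List[Endpoint]:
    """Endpoints for AxoConsole SaaS; tenant_id is the id from your Axoflow subscription."""
    base = f"{tenant_id}.cloud.axoflow.io"
    hosts = [base,                      # binary downloads (Axolet, AxoRouter)
             f"kcp.{base}",             # management traffic (mutual TLS)
             f"telemetry.{base}",       # host metrics sent by Axolet (mutual TLS)
             "us-docker.pkg.dev"]       # container images (AxoRouter only)
    if include_agent_download:
        hosts.append("github.com")      # installer packages for the Axoflow agent
    return [(h, 443) for h in hosts]


def onprem_endpoints(console_host: str) -> List[Endpoint]:
    """Endpoints for an on-premise AxoConsole: main, authenticate and idp names on ports 80 and 443."""
    names = [console_host, f"authenticate.{console_host}", f"idp.{console_host}"]
    return [(h, p) for h in names for p in (80, 443)]


def tcp_connect(host: str, port: int, timeout: float = 5.0) -> None:
    """Resolve the name and open (then close) a TCP connection; raises on failure."""
    socket.create_connection((host, port), timeout=timeout).close()


def check_endpoints(endpoints: List[Endpoint],
                    connector: Callable[[str, int], None] = tcp_connect) -> List[Result]:
    """Probe every endpoint; the connector is injectable so the logic can be tested offline."""
    results = []
    for host, port in endpoints:
        try:
            connector(host, port)
            results.append(Result(host, port, True))
        except Exception as exc:  # DNS, refused, timeout: any failure blocks provisioning
            results.append(Result(host, port, False, f"{type(exc).__name__}: {exc}"))
    return results


if __name__ == "__main__":
    import sys
    tenant = sys.argv[1] if len(sys.argv) > 1 else "your-tenant-id"  # placeholder tenant id
    for r in check_endpoints(saas_endpoints(tenant, include_agent_download=True)):
        print(f"{'OK  ' if r.reachable else 'FAIL'} {r.host}:{r.port} {r.detail}")
```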



Note If you’ve already completed the [Getting started using AxoStore](../../docs/axoflow/getting-started/getting-started-storage/index.md), you can skip to the [Add a destination](../../docs/axoflow/getting-started/getting-started-siem/index.md#destination) section. 

### Log in to the AxoConsole

Verify that you have access to the AxoConsole.

  1. Open `https://<your-tenant-id>.axoflow.io/` in your browser.
  2. Log in using Google Authentication.



## Deploy an AxoRouter instance

Deploy an AxoRouter instance that will route, curate, and enrich your log data.

Note AxoRouter and the Axoflow agent collect detailed, real-time metrics about the data flows – giving you observability over the health of the security data pipeline and its components. Your security data remains in your self-managed cloud or in your on-prem instance where your sources, destinations, Axoflow agents, and AxoRouters are running; only metrics are forwarded to AxoConsole. 

Deploy AxoRouter on Linux. For other platforms, see [AxoRouter](../../docs/axoflow/provisioning/axorouter/index.md).

  1. Select **Routers > Add Router**.

![Provisioning AxoRouter on Linux](/docs/axoflow/img/onboard-hosts/axorouter/linux/provisioning-axorouter-linux.png)

  2. Select the platform (**Linux**). The one-liner installation command is displayed.

![Provisioning AxoRouter on Linux](/docs/axoflow/img/onboard-hosts/axorouter/linux/provisioning-axorouter-popup.png)

  3. (Optional) If you don't want to store any logs locally on AxoRouter, disable AxoStore: select **Advanced options** , scroll down, and deselect **Enable AxoStore**.

  4. (Optional) If needed, set the **Advanced options** (for example, proxy settings) to modify the installation parameters. Usually, you don't have to use advanced options unless the Axoflow support team instructs you to do so.

  5. Open a terminal on the host where you want to install AxoRouter.

  6. Run the one-liner, then follow the on-screen instructions.

Note Running the provisioning command with `sudo` would mask environment variables of the calling shell. Either start the whole procedure from a root shell, or let the install script call sudo when it needs to. In other words: don’t add the `sudo` command to the provisioning command. 

Example output:
```
Do you want to install AxoRouter now? [Y]

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  5480  100  5480    0     0  32076      0 --:--:-- --:--:-- --:--:-- 33414
Selecting previously unselected package axorouter.
(Reading database ... 17697 files and directories currently installed.)
Preparing to unpack axorouter.deb ...
Unpacking axorouter (0.66.0) ...
Setting up axorouter (0.66.0) ...
Low maximum socket receive buffer size value detected: 7500000 bytes (7.2MB).
Do you you want to permanently set the net.core.rmem_max sysctl value to 33554432 bytes (32MB) on this system? [Y]

net.core.rmem_max = 33554432
Created symlink '/etc/systemd/system/multi-user.target.wants/axostore.path' → '/etc/systemd/system/axostore.path'.
Created symlink '/etc/systemd/system/multi-user.target.wants/axorouter-wec.path' → '/etc/systemd/system/axorouter-wec.path'.
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 42.9M  100 42.9M    0     0  28.1M      0  0:00:01  0:00:01 --:--:-- 28.2M
Selecting previously unselected package axolet.
(Reading database ... 17707 files and directories currently installed.)
Preparing to unpack axolet.deb ...
Unpacking axolet (0.66.0) ...
Setting up axolet (0.66.0) ...
Created symlink '/etc/systemd/system/multi-user.target.wants/axolet.service' → '/usr/lib/systemd/system/axolet.service'.
Now continue with onboarding the host on the Axoflow web UI.
```

  7. Register the host.

     1. Reload the **Provisioning** page. There should be a registration request for the new AxoRouter deployment. Select **✓**.

![Provisioning AxoRouter - registration request](/docs/axoflow/img/onboard-hosts/axorouter/linux/provisioning-axorouter-request.png)

     2. Select **Register** to register the host. You can add a description and labels (in `label:value` format) to the host.

![Provisioning AxoRouter - registration details](/docs/axoflow/img/onboard-hosts/axorouter/linux/provisioning-axorouter-request.png)

     3. If the primary IP address (the first IP address shown in the **Network addresses** section on the **Routers** page for each AxoRouter) is not accessible from your edge hosts, set a **Network address override** (IP address or an FQDN) that’s accessible. Otherwise, data forwarding from edge hosts will fail.

     4. Select the **Topology** page. The new AxoRouter instance is displayed.




## Add a source

Configure a host to send data to AxoRouter.

Configure a generic syslog host. For sources that are specifically supported by Axoflow, see [Sources](../../docs/axoflow/data-sources/index.md).

  1. Log in to your device. You need administrator privileges to perform the configuration.

  2. If needed, enable syslog forwarding on the device.

  3. Set AxoRouter as the syslog server. Typically, you can configure the following parameters:

     * **Name or IP Address of the syslog server** : Set the address of your AxoRouter.

     * **Protocol** : If possible, set TCP or TLS.

Note If you’re sending data over TLS, make sure to configure a TLS-enabled [connector rule](../../docs/axoflow/data-sources/syslog/index.md) in Axoflow. 

     * **Syslog Format** : If possible, set RFC5424 (or equivalent), otherwise leave the default.

     * **Port** : Set a port appropriate for the protocol and syslog format you have configured.

By default, AxoRouter accepts data on the following ports (unless you’ve modified the default connector rules):

       * 514 UDP and TCP for RFC3164 (BSD-syslog) and RFC5424 (IETF-syslog) formatted traffic. AxoRouter automatically recognizes and handles both formats.
       * 601 TCP for RFC5424 (IETF-syslog) and RFC3164 (BSD-syslog) formatted traffic. AxoRouter automatically recognizes and handles both formats.
       * 6514 TCP for TLS-encrypted syslog traffic.
       * 4317 TCP for OpenTelemetry log data.

To receive data on other ports or other protocols, configure other [connector rules](../../docs/axoflow/data-sources/connector-rules/index.md) for the AxoRouter host.

For TLS-encrypted syslog connections, create a new [connector rule](../../docs/axoflow/data-sources/connector-rules/index.md) or edit an existing one, and configure the keys and certificates needed to encrypt the connections. For details, see [Syslog](../../docs/axoflow/data-sources/syslog/index.md).

Note Make sure to enable the ports you’re using on the firewall of your host. 

  4. Add the source to AxoConsole.

     1. Open the AxoConsole and select **Topology**.

     2. Select **Add Item > Source**.

![Add Source](/docs/axoflow/img/add-source.png)

        * If the source is actively sending data to an AxoRouter instance, select **Detected** , then select your source.

        * Otherwise, select the vendor and product corresponding to your source from the **Predefined** sources, then enter the parameters of the source, like **IP address** and **FQDN**.

![Add Source parameters](/docs/axoflow/img/add-source-config.png)

Note During [log tapping](../../docs/axoflow/onboard-hosts/log-tapping/index.md), you can add hosts that are actively sending data to an AxoRouter instance by clicking **Register source**. 

     3. (Optional) Add [custom labels](../../docs/axoflow/onboard-hosts/hosts/add-host-metadata/index.md) as needed.

     4. Select **Add**.

     5. (Optional) **Add Path** manually. That’s needed only when AxoConsole can’t detect the path based on the IP address and the FQDN, and you haven’t yet configured the source to send data to the router.
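If your test source is a Linux VM rather than a network device, the following added example (not code from the Axoflow docs) sends one RFC 5424 message to the default AxoRouter connectors described in step 3: octet-counted over plain TCP on port 601, or over TLS on port 6514 when a CA file is given. The router hostname and CA path are assumed placeholders; with a CA file the router's certificate and hostname are verified, so a test message is never delivered to a host impersonating the router.

```python
"""Send a test RFC 5424 syslog message to an AxoRouter syslog connector (TCP 601 or TLS 6514)."""
import socket
import ssl
from datetime import datetime, timezone
from typing import Optional

MAX_HOSTNAME = 255   # RFC 5424 field limits; receivers truncate or reject longer values
MAX_APPNAME = 48


def utc_now_iso() -> str:
    """RFC 3339 timestamp with millisecond precision, e.g. 2024-01-02T03:04:05.000Z."""
    return datetime.now(timezone.utc).isoformat(timespec="milliseconds").replace("+00:00", "Z")


def rfc5424_message(hostname: str, appname: str, msg: str, facility: int = 1,
                    severity: int = 6, procid: str = "-", msgid: str = "-",
                    timestamp: Optional[str] = None) -> bytes:
    """Build one RFC 5424 message: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG.
    facility 1 (user-level) and severity 6 (informational) give the default PRI of 14."""
    if not hostname or len(hostname) > MAX_HOSTNAME or " " in hostname:
        raise ValueError("HOSTNAME must be 1-255 characters without spaces")
    if not appname or len(appname) > MAX_APPNAME or " " in appname:
        raise ValueError("APP-NAME must be 1-48 characters without spaces")
    pri = facility * 8 + severity
    ts = timestamp or utc_now_iso()
    # "-" is the NILVALUE for STRUCTURED-DATA; the free-form MSG follows a single space
    header = f"<{pri}>1 {ts} {hostname} {appname} {procid} {msgid} -"
    return f"{header} {msg}".encode("utf-8")


def octet_count(payload: bytes) -> bytes:
    """RFC 6587 octet-counting framing ("<length> <message>") for syslog over TCP.
    Unlike newline framing it stays unambiguous for messages that contain newlines."""
    return f"{len(payload)} ".encode("ascii") + payload


def send_syslog(host: str, port: int, payload: bytes, ca_file: Optional[str] = None,
                timeout: float = 5.0) -> int:
    """Send one framed message; with ca_file the connection is TLS and the server certificate
    is validated against that CA with hostname checking. Returns the number of bytes sent."""
    frame = octet_count(payload)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        if ca_file is None:
            raw.sendall(frame)
        else:
            ctx = ssl.create_default_context(cafile=ca_file)
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                tls.sendall(frame)
    return len(frame)


if __name__ == "__main__":
    import sys
    router = sys.argv[1] if len(sys.argv) > 1 else "axorouter.example.internal"  # placeholder
    ca = sys.argv[2] if len(sys.argv) > 2 else None                               # placeholder CA
    port = 6514 if ca else 601
    message = rfc5424_message("edge-01", "axoflow-test", "hello from the getting-started guide")
    print("sent", send_syslog(router, port, message, ca_file=ca), "bytes to", f"{router}:{port}")
```

After sending, the host should appear under **Detected** when you add the source, and the message is visible with **Tap log flow** on the router.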




### Add a path

Create a path between the source and the AxoRouter instance. If you've added the source from the **Detected** list, you can skip this step, as the path is created automatically. (Creating a path is usually part of adding the source. You only have to add paths explicitly if you forgot to do that during source provisioning.)

  1. Select **Topology > Add Item > Path**.

![Add a new path](/docs/axoflow/img/data-management/flow-management/paths/add-path.png)

  2. Select the target router or aggregator this source is sending its data to in the **Target host** field, for example, `axorouter`.

  3. Select the **Target connector**. The connector determines how the destination receives the data (for example, using which protocol or port).

  4. Select **Add**. The new path appears on the **Topology** page.

![The new path](/docs/axoflow/img/data-management/flow-management/paths/path-created.png)




Note If your syslog source is running `syslog-ng`, Splunk Connect for Syslog (SC4S), or AxoSyslog as its log forwarder agent, consider installing Axolet on the host and instrumenting the configuration of the log forwarder to receive detailed metrics about the host and the processed data. For details, see [Manage and monitor the pipeline](../../docs/axoflow/onboard-hosts/index.md). 

## Add a destination

Add the destination where you’re sending your data. For a quick test, you can use a free [Splunk](<https://www.splunk.com/en_us/download/splunk-cloud.html>) or [OpenObserve](<https://openobserve.ai/>) account.

Add a Splunk Cloud destination. For other destinations, see [Destinations](../../docs/axoflow/destinations/index.md).

### Prerequisites

  1. [Enable the HTTP Event Collector (HEC)](<https://docs.splunk.com/Documentation/Splunk/latest/Data/UsetheHTTPEventCollector>) on your Splunk deployment if needed. On Splunk Cloud Platform deployments, HEC is enabled by default.

  2. Create a token for Axoflow to use in the destination. When creating the token, use the syslog source type.

For details, see [Set up and use HTTP Event Collector in Splunk Web](<https://docs.splunk.com/Documentation/Splunk/latest/Data/UsetheHTTPEventCollector>).

  3. If you're using AxoRouter, create the indexes where Axoflow sends the log data. Which indexes are needed depends on the sources you have, but create at least the following [event indices](<https://docs.splunk.com/Documentation/Splunk/9.3.1/Indexer/Setupmultipleindexes>): `axoflow`, `infraops`, `netops`, `netfw`, `osnix` (for unclassified messages). Check your sources in the [Sources](../../docs/axoflow/data-sources/index.md) section for a detailed list of the indices their data is sent to.

  4. If you’ve created any new indexes, make sure to add those indexes to the token’s Allowed Indexes.




### Steps

  1. Create a new destination.

     1. Open the AxoConsole.
     2. Select **Destinations > \+ Add Destination**.
  2. Select **Splunk**.

  3. Select **Dynamic**. This will allow you to set a default index, source, and source type for messages that aren’t automatically identified.

![Configure the Splunk destination](/docs/axoflow/img/destinations/splunk/splunk-destination.png)

  4. Enter your Splunk URL into the **Hostname** field, for example, `<your-splunk-tenant-id>.splunkcloud.com` for Splunk Cloud Platform free trials, or `<your-splunk-tenant-id>.splunkcloud.com` for Splunk Cloud Platform instances.

  5. Enter the name of the **Default Index**. The data will be sent into this index if no other index is set during the processing of the message (based on automatic classification, or by the processing steps of the **Flow**). Make sure that the index exists in Splunk.

  6. Enter the **Default Source Type**. This will be assigned to the messages that have no sourcetype set during the processing of the message (based on automatic classification, or by the processing steps of the **Flow**).

  7. Enter the token you’ve created into the **Token** field.

  8. Disable the **Verify server certificate** option only if your deployment doesn't have a valid certificate from a trusted CA; free Splunk Cloud accounts use self-signed certificates.

  9. (Optional) You can set other options as needed for your environment. For details, see [Splunk](../../docs/axoflow/destinations/splunk/index.md).

  10. Select **Add**.




## Create a flow

Create a flow to route the traffic from your AxoRouter instance to your destination.

  1. Select **Flows**.

  2. Select **Add Flow**.

  3. Enter a name for the flow, for example, `my-test-flow`.

![Create a flow](/docs/axoflow/img/data-management/flow-management/flows/create-flow.png)

  4. In the **Router Selector** field, enter an expression that matches the router(s) you want to apply the flow. To select a specific router, use a name selector, for example, `name = my-axorouter-hostname`.

You can use any labels and metadata of the AxoRouter hosts in the Router selectors, for example, the hostname of the AxoRouter, or any [custom labels](../../docs/axoflow/onboard-hosts/hosts/add-host-metadata/index.md).

     * If you leave the **Router Selector** field empty, the selector will match every AxoRouter instance.
     * To select only a specific AxoRouter instance, set the `name` field to the name of the instance as selector. For example, `name = my-axorouter`.
     * If you set multiple fields in the selector, the selector will match only AxoRouter instances that match all elements of the selector. (There is an AND relationship between the fields.)
  5. Select the **Destination** where you want to send your data. If you don’t have any destination configured, you can select **\+ Add** in the destination section to create a new destination now. For details on the different destinations, see [Destinations](../../docs/axoflow/destinations/index.md).

     * If you don’t have any destination configured, see [Destinations](../../docs/axoflow/destinations/index.md).
     * If you've already created a [store](../../docs/axoflow/destinations/axostore/index.md), it is automatically available as a destination. Note that the **Router Selector** of the flow must match only AxoRouters that have the selected store available, otherwise you'll get an error message.
     * If you want to send data to another AxoRouter, enable the **Show all destinations** option, and select the connector of the AxoRouter where you want to send the data.

![AxoRouter as destination](/docs/axoflow/img/data-management/flow-management/flows/axorouter-destination.png)

  6. (Optional) To process the data transferred in the flow, select **Add New Processing Step**. For details, see [Processing steps](../../docs/axoflow/data-management/processing/index.md). For example:

     1. Add a **Classify** , a **Parse** , and a **Reduce** step, in that order, to automatically remove redundant and empty fields from your data.
     2. To select which messages are processed by the flow, add a **Select Messages** step, and enter a filter into the **AQL Expression** field. For example, to select only the messages received from Fortinet FortiGate firewalls, use the `meta.vendor = fortinet AND meta.product = fortigate` query.
     3. **Save** the processing steps.

![Example processing steps](/docs/axoflow/img/data-management/flow-management/flows/processing/example-processing-steps.png)

  7. Select **Add**.

  8. The new flow appears in the **Flows** list.

![The new flow](/docs/axoflow/img/data-management/flow-management/flows/new-flow.png)




## Check metrics on the Topology page

Open the **Topology** page and verify that your AxoRouter instance is connected both to the source and the destination.

If you have traffic flowing from the source to your AxoRouter instance, the **Topology** page shows the amount of data flowing on the path. Click the AxoRouter instance, then select [**Analytics** to visualize the data flow](../../docs/axoflow/metrics/analytics/index.md).

![Host analytics](/docs/axoflow/getting-started/getting-started-siem/host-analytics.png)

## Tap into the log flow

Log tapping in Axoflow samples the log flow. You can use labels to filter for specific messages (like ones with parse errors) and tap only those messages. So that you aren't overwhelmed with events, Axoflow automatically samples the output: if many messages match the selected filter, only a subset is shown (about 1 message per second). Using log tapping, you can quickly troubleshoot both parsing/curation errors and destination ingest (API) errors, and check:

  * What was in the original message?
  * What is sent in the final payload to the destination?

Tap into the log flow.

  1. Click your AxoRouter instance on the **Topology** page, then select **⋮ > Tap log flow**.

![Open Log tapping](/docs/axoflow/img/data-management/log-tapping/open-log-tapping.png)

  2. Tap into the log flow.

     * To see the input data, select **Input log flow > Start**.
     * To see the output data, select **Output log flow > Start**.

You can use [labels to filter the messages](../../docs/axoflow/onboard-hosts/log-tapping/index.md#label-filtering) and sample only the matching ones.

![Configure Log tapping](/docs/axoflow/img/data-management/log-tapping/configure-log-tapping.png)

  3. When the logs you’re interested in show up, click **Stop Log Tap** , then click a log message to see its details.

![Details of the log message](/docs/axoflow/img/data-management/log-tapping/log-details.png)

  4. If you don’t know what the message means, select **AI Analytics** to ask our AI to interpret it.

![AI interpretation of the log message](/docs/axoflow/img/data-management/log-tapping/ai-analytics.png)




## Troubleshooting

In case you run into problems, or you’re not getting any data in Splunk, check the logs of your AxoRouter instance:

  1. Select **Topology** , then select your AxoRouter instance. Alternatively, press `⌘/Ctrl + K` and enter the name of your AxoRouter.

  2. Select **⋮ > Tap service logs**.

  3. (Optional) To tap only the logs of a specific service, set the **Service name** field.

Depending on the configuration of the host, the following services can be available:

     * **axoflow-otel-collector** : The collector agent on edge hosts.
     * **axolet** : The monitoring and management agent for Axoflow pipeline elements.
     * **axorouter-syslog** : The main processing element of AxoRouter deployments.
     * **axorouter-wec** : The service that handles the [Windows Events connector (WEC)](../../docs/axoflow/data-sources/wec/index.md).
     * **axostore** : The service that handles AxoStore on the host. Only available if there are [stores](../../docs/axoflow/storage/index.md) configured on the host.
  4. If systemd is available on the host, select **Systemd service output** to show the logs of the service from the systemd journal. Otherwise, the **Internal logs** of the service are available.

  5. Select **Start**. Axoflow displays the log messages of AxoRouter. Check the logs for error messages.




Some common errors include:

  * `Redirected event for unconfigured/disabled/deleted index=netops with source="source::axo" host="host::axosyslog-almalinux" sourcetype="sourcetype::fortigate_event" into the LastChanceIndex. So far received events from 1 missing index(es).`: The Splunk index where AxoRouter is trying to send data doesn’t exist. Check which index is missing in the error message and create it in Splunk. (For a list of recommended indices, see the [Splunk destination prerequisites](../../docs/axoflow/destinations/splunk/index.md).)
  * `http: error sending HTTP request; url='https://prd-p-sp2id.splunkcloud.com:8088/services/collector/event/1.0?index=&source=&sourcetype=', error='SSL peer certificate or SSH remote key was not OK', worker_index='0', driver='splunk--flow-axorouter4-almalinux#0', location='/usr/share/syslog-ng/include/scl/splunk/splunk.conf:104:3'`: Your Splunk deployment uses an invalid or self-signed certificate, and the **Verify server certificate** option is enabled in the Splunk destination of Axoflow. Either fix the certificate in Splunk, or: select **Topology > <your-splunk-destination>**, disable **Verify server certificate** , then select **Update**.
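The two error messages above can be recognised automatically when reviewing tapped service logs. The following added example (not Axoflow's code) matches each pattern, extracts the missing index name or the HEC endpoint, and reports the remedy described above; the sample lines are constructed from the quoted errors.

```python
"""Classify AxoRouter service-log errors from a Splunk destination and suggest the fix."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Splunk HEC rejected the event because the target index does not exist (or is disabled)
MISSING_INDEX = re.compile(r"Redirected event for unconfigured/disabled/deleted index=(?P<index>\S+)")
# syslog-ng's HTTP destination could not validate the HEC server certificate
HEC_TLS = re.compile(r"url='(?P<url>https://(?P<host>[^:/']+)[^']*)'.*"
                     r"error='SSL peer certificate or SSH remote key was not OK'")


@dataclass
class Diagnosis:
    kind: str    # "missing_index" or "tls_verify"
    detail: str  # index name, or HEC hostname
    fix: str


def diagnose(line: str) -> Optional[Diagnosis]:
    """Return a Diagnosis for a known error line, or None for anything else."""
    m = MISSING_INDEX.search(line)
    if m:
        idx = m.group("index")
        return Diagnosis("missing_index", idx,
                         f"Create index '{idx}' in Splunk and add it to the HEC token's Allowed Indexes.")
    m = HEC_TLS.search(line)
    if m:
        host = m.group("host")
        return Diagnosis("tls_verify", host,
                         f"AxoRouter does not trust the certificate presented by {host}: install a valid "
                         "certificate on Splunk, or disable 'Verify server certificate' on the destination.")
    return None


def diagnose_all(lines: Iterable[str]) -> List[Diagnosis]:
    """One Diagnosis per distinct problem; repeated errors for the same index or host are collapsed."""
    seen = {}
    for line in lines:
        d = diagnose(line)
        if d is not None and (d.kind, d.detail) not in seen:
            seen[(d.kind, d.detail)] = d
    return list(seen.values())


# Constructed sample: the two errors quoted in the Troubleshooting section plus an unrelated line
SAMPLE_LOG = [
    "Redirected event for unconfigured/disabled/deleted index=netops with source=\"source::axo\" "
    "host=\"host::axosyslog-almalinux\" sourcetype=\"sourcetype::fortigate_event\" into the "
    "LastChanceIndex. So far received events from 1 missing index(es).",
    "http: error sending HTTP request; url='https://prd-p-sp2id.splunkcloud.com:8088/services/"
    "collector/event/1.0?index=&source=&sourcetype=', error='SSL peer certificate or SSH remote "
    "key was not OK', worker_index='0', driver='splunk--flow-axorouter4-almalinux#0', "
    "location='/usr/share/syslog-ng/include/scl/splunk/splunk.conf:104:3'",
    "axorouter-syslog: configuration reloaded",
]

if __name__ == "__main__":
    for d in diagnose_all(SAMPLE_LOG):
        print(f"[{d.kind}] {d.detail}: {d.fix}")
```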