# Install AxoRouter on Linux AxoRouter is a key building block of Axoflow that collects, aggregates, transforms and routes all kinds of telemetry and security data automatically. AxoRouter for Linux includes a Podman container running AxoSyslog, Axolet, and other components. To install AxoRouter on a Linux host, complete the following steps. For other platforms, see [AxoRouter](../../../docs/axoflow/provisioning/axorouter/index.md). Note Note that AxoRouter and Axoflow agent collects detailed, real-time metrics about the data-flows – giving you observability over the health of the security data pipeline and its components. Your security data remains in your self-managed cloud or in your on-prem instance where your sources, destinations, Axoflow agents, and AxoRouters are running, only metrics are forwarded to AxoConsole. ## What the install script does When you deploy AxoRouter, you run a command that installs the required software packages, configures them and sets up the connection with Axoflow. The installer script installs the `axolet` packages, then executes the `configure-axolet` command with the right parameters. (If the packages are already installed, the installer will update them unless the `none` _package format_ is selected when generating the provisioning command.) The install script is designed to be run as root (sudo), but you can [configure AxoRouter to run as a non-root user](../../../docs/axoflow/provisioning/axorouter/linux/index.md#non-root). The installer script performs the following main steps: * Executes [prerequisite](../../../docs/axoflow/provisioning/axorouter/linux/index.md#prerequisites) checks: * Tests the network connection with the console endpoints. * Checks if the operating system is supported. * Checks if `podman` is installed. * Downloads and installs the `axorouter` RPM or DEB package. * The package contains the `axorouter-ctl` and `setup-axorouter` commands and the `axorouter.container` unit files for [podman-systemd](). **CAUTION:** The package uses docker and standard service units. On older systems (e.g. Ubuntu 22.04 or older) this results in the following limitations: * AxoWec, AxoStore services are not supported. * Some `axorouter-ctl` commands are not fully supported. * Proxy environment variables need to be added to the docker systemctl configuration manually. * Executes the `setup-axorouter` command, which * Updates the environment variables used by the axorouter service. * Enables and starts the AxoRouter service. * Downloads and installs the `axolet` RPM or DEB package. * The package contains the `axolet` and `configure-axolet` commands, and the `axolet.service` systemd unit file. * The `configure-axolet` command is executed with a configuration snippet on its standard input which contains a token required for registering into the management platform. The command: * Writes the initial `/etc/axolet/config.json` configuration file. Note: if the file already exists it will only be overwritten if the _Overwrite config_ option is enabled when generating the provisioning command. * Enables and starts the `axolet` service. `axolet` performs the following main steps on its first execution: * Generates and persists a unique identifier (GUID). * Initiates a cryptographic handshake process to AxoConsole. * AxoConsole issues a client certificate to AxoRouter, which will be stored in the above mentioned `config.json` file. * The service waits for an approval on AxoConsole. Once you approve the host registration request, axolet starts to manage the local services and send telemetry data to AxoConsole. It keeps doing so as long as the agent is registered. ## Prerequisites * AxoRouter should work on most Red Hat and Debian compatible Linux distributions. For production environments, we recommend using Red Hat 9. * Podman must be installed on the host (`sudo yum install podman`) * When using AxoRouter with an [on-premises AxoConsole deployment](../../../docs/axoflow/deploy/onprem/index.md), you must [prepare the AxoRouter host](../../../docs/axoflow/deploy/onprem/prepare-axorouter-hosts/index.md) ### Resource requirements For a deployment that handles up to 1TB/day log traffic (~14500 EPS) even with complex routing and processing configurations, we recommend: * 4 vCPU * 8 GB memory * 45 GB disk / hour. AxoRouter buffers incoming log data on disk if the destination or the network connection to the destination becomes unavailable. With a 1TB/day throughput, you need at least 45 GB of disk buffer per hour to avoid putting backpressure on your sources. This doesn’t include any disk for using AxoStore. For more details on hardware sizing, [contact our support team](). #### Resource requirements for AxoStore If you want to enable [AxoStore](../../../docs/axoflow/destinations/axostore/index.md) on the node, you’ll need: * `1TB` storage for the free tier, or * the storage limit of your AxoStore subscription. Memory and CPU requirements depend on the incoming data volume, the [**Config profile**](../../../docs/axoflow/storage/create-store/index.md) you want to use for your AxoStores, and the number and complexity of the queries you’ll be running. * For occasional access to the data, when you’re mostly using the storage as a data warehouse, we recommend 1:80 memory to storage ratio and 6:1 GiB of memory to number of CPU cores ratio. That is, 12GiB memory and 2 CPU cores per 1TB of storage. At least 8GiB of RAM is recommended. * If you’re running frequent analytics and several concurrent queries on the stored data, we recommend 1:60 memory to storage ratio and 4:1 GiB of memory to CPU core ratio. That is, 16GiB memory and 4 CPU cores per 1TB of storage. For detailed sizing recommendations, [contact our support team](). The storage must be available on the volume storing the `/var/lib/clickhouse` folder. Alternatively, you can set a different directory to store your AxoStores using the `AXOSTORE_MOUNT` environment variable. ### Network access The host must be able to access the following domains related to the AxoConsole: * When using AxoConsole SaaS: * `.cloud.axoflow.io`: HTTPS traffic on TCP port 443, needed to download the binaries for Axoflow software (like Axolet and AxoRouter). * `kcp..cloud.axoflow.io`: HTTPS (mutual TLS) traffic on TCP port 443 for management traffic. * `telemetry..cloud.axoflow.io`: HTTPS (mutual TLS) traffic on TCP port 443, where Axolet sends the metrics of the host. * `us-docker.pkg.dev`: HTTPS traffic on TCP port 443, but only if you’re forcing the installation script to pull the container images from the public repository. The Axolet and AxoRouter for Linux installation scripts download the images directly from AxoConsole. * When using an on-premise AxoConsole: * The following domains should point to AxoConsole IP address to access Axoflow from your desktop and AxoRouter hosts: * `your-host.your-domain`: The main domain of your AxoConsole deployment. * `authenticate.your-host.your-domain`: A subdomain used for authentication. * `idp.your-host.your-domain`: A subdomain for the identity provider. * The AxoConsole host must have the following **Open Ports** : * Port 80 (HTTP) * Port 443 (HTTPS) * When installing Axoflow agent for Windows or Linux: * `github.com`: HTTPS traffic on TCP port 443, for downloading installer packages. ## Install AxoRouter Note When using AxoRouter with an on-premises AxoConsole deployment, you have to [prepare the hosts before deploying AxoRouter](../../../docs/axoflow/deploy/onprem/prepare-axorouter-hosts/index.md). These steps are specific to on-premises AxoConsole deployments, and are not needed when using the SaaS AxoConsole. 1. Select **Routers > Add Router**. ![Provisioning AxoRouter on Linux](/docs/axoflow/img/onboard-hosts/axorouter/linux/provisioning-axorouter-linux.png) 2. Select the platform (**Linux**). The one-liner installation command is displayed. ![Provisioning AxoRouter on Linux](/docs/axoflow/img/onboard-hosts/axorouter/linux/provisioning-axorouter-popup.png) 3. (Optional) If you don’t want to store any logs locally on AxoRouter, disable AxoStore, select **Advanced options** , scroll down, and deselect **Enable AxoStore**. 4. (Optional) If needed, set the **Advanced options** (for example, proxy settings) to modify the installation parameters. Usually, you don’t have to use advanced options unless the Axoflow support team instructs you to do so. 5. Open a terminal on the host where you want to install AxoRouter. 6. Run the one-liner, then follow the on-screen instructions. Note Running the provisioning command with `sudo` would mask environment variables of the calling shell. Either start the whole procedure from a root shell, or let the install script call sudo when it needs to. In other words: don’t add the `sudo` command to the provisioning command. Example output: ``` Do you want to install AxoRouter now? [Y] % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 5480 100 5480 0 0 32076 0 --:--:-- --:--:-- --:--:-- 33414 Selecting previously unselected package axorouter. (Reading database ... 17697 files and directories currently installed.) Preparing to unpack axorouter.deb ... Unpacking axorouter (0.66.0) ... Setting up axorouter (0.66.0) ... Low maximum socket receive buffer size value detected: 7500000 bytes (7.2MB). Do you you want to permanently set the net.core.rmem_max sysctl value to 33554432 bytes (32MB) on this system? [Y] net.core.rmem_max = 33554432 Created symlink '/etc/systemd/system/multi-user.target.wants/axostore.path' → '/etc/systemd/system/axostore.path'. Created symlink '/etc/systemd/system/multi-user.target.wants/axorouter-wec.path' → '/etc/systemd/system/axorouter-wec.path'. % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 42.9M 100 42.9M 0 0 28.1M 0 0:00:01 0:00:01 --:--:-- 28.2M Selecting previously unselected package axolet. (Reading database ... 17707 files and directories currently installed.) Preparing to unpack axolet.deb ... Unpacking axolet (0.66.0) ... Setting up axolet (0.66.0) ... Created symlink '/etc/systemd/system/multi-user.target.wants/axolet.service' → '/usr/lib/systemd/system/axolet.service'. Now continue with onboarding the host on the Axoflow web UI. ``` Note If you get the following errors: ``` AXOROUTER_FUSE envvar is not set. It may mean that the /usr/local/bin/setup-axorouter script is called without proper configuration. Failed to configure AxoRouter. Failed to deploy the AxoRouter. ``` Set the following (or equivalent) in the `sudoers` file on the host, and rerun the installation command. ``` Defaults!/usr/local/bin/setup-axorouter env_keep += "AXO* http_proxy https_proxy no_proxy" Defaults!/usr/local/bin/axorouter-ctl env_keep += "AXO* http_proxy https_proxy no_proxy" Defaults!/usr/local/bin/configure-axolet env_keep += "AXO* http_proxy https_proxy no_proxy" ``` 7. Register the host. 1. Reload the **Provisioning** page. There should be a registration request for the new AxoRouter deployment. Select **✓**. ![Provisioning AxoRouter - registration request](/docs/axoflow/img/onboard-hosts/axorouter/linux/provisioning-axorouter-request.png) 2. Select **Register** to register the host. You can add a description and labels (in `label:value` format) to the host. ![Provisioning AxoRouter - registration details](/docs/axoflow/img/onboard-hosts/axorouter/linux/provisioning-axorouter-request.png) 3. If the primary IP address (the first IP address shown in the **Network addresses** section on the **Routers** page for each AxoRouter) is not accessible from your edge hosts, set a **Network address override** (IP address or an FQDN) that’s accessible. Otherwise, data forwarding from edge hosts will fail. 4. Select the **Topology** page. The new AxoRouter instance is displayed. ## Create a flow 1. If you haven’t already done so, create a new [destination](../../../docs/axoflow/destinations/index.md). If you’ve enabled AxoStore on the node and want to send data into AxoStore, see [AxoStore](../../../docs/axoflow/destinations/axostore/index.md). 2. Create a flow to connect the new AxoRouter to the destination. 1. Select **Flows**. 2. Select **Add Flow > Flow**. To create a [fallback flow](../../../docs/axoflow/data-management/flows/index.md#fallback-flow), select **Add Flow > Fallback flow**. ![Add flow](/docs/axoflow/img/data-management/flow-management/flows/add-flow.png) 3. Enter a name for the flow, for example, `my-test-flow`. ![Create a flow](/docs/axoflow/img/data-management/flow-management/flows/create-flow.png) 4. In the **Router Selector** field, enter an expression that matches the router(s) you want to apply the flow. To select a specific router, use a name selector, for example, `name = my-axorouter-hostname`. You can use any labels and metadata of the AxoRouter hosts in the Router selectors, for example, the hostname of the AxoRouter, or any [custom labels](../../../docs/axoflow/onboard-hosts/hosts/add-host-metadata/index.md). * If you leave the **Router Selector** field empty, the selector will match every AxoRouter instance. * To select only a specific AxoRouter instance, set the `name` field to the name of the instance as selector. For example, `name = my-axorouter`. * If you set multiple fields in the selector, the selector will match only AxoRouter instances that match all elements of the selector. (There in an AND relationship between the fields.) Note You can configure multiple fallback flows, but only one fallback flow can apply to an AxoRouter (so the **Router Selector** of the fallback flows can’t overlap). 5. Select the **Destination** where you want to send your data. If you don’t have any destination configured, you can select **\+ Add** in the destination section to create a new destination now. For details on the different destinations, see [Destinations](../../../docs/axoflow/destinations/index.md). * If you don’t have any destination configured, see [Destinations](../../../docs/axoflow/destinations/index.md). * If you’ve already created a [store](../../../docs/axoflow/destinations/axostore/index.md), it automatically available as a destination. Note that the **Router Selector** of the flow must match only AxoRouters that have the selected store available, otherwise you’ll get an error message. * If you want to send data to another AxoRouter, enable the **Show all destinations** option, and select the connector of the AxoRouter where you want to send the data. ![AxoRouter as destination](/docs/axoflow/img/data-management/flow-management/flows/axorouter-destination.png) 6. (Optional) To process the data transferred in the flow, select **Add New Processing Step**. For details, see [Processing steps](../../../docs/axoflow/data-management/processing/index.md). For example: 1. Add a **Classify** , a **Parse** , and a **Reduce** step, in that order, to automatically remove redundant and empty fields from your data. 2. To select which messages are processed by the flow, add a **Select Messages** step, and enter a filter into the **AQL Expression** field. For example, to select only the messages received from Fortinet FortiGate firewalls, use the `meta.vendor = fortinet AND meta.product = fortigate` query. 3. **Save** the processing steps. ![Example processing steps](/docs/axoflow/img/data-management/flow-management/flows/processing/example-processing-steps.png) 7. Select **Add**. 8. The new flow appears in the **Flows** list. ![The new flow](/docs/axoflow/img/data-management/flow-management/flows/new-flow.png) ## Send logs to AxoRouter Configure your hosts to send data to AxoRouter. * For appliances that are specifically supported by Axoflow, see [Sources](../../../docs/axoflow/data-sources/index.md). * For other appliances and generic Linux devices, see [Generic tips](../../../docs/axoflow/data-sources/generic/index.md). * For a quick test without an actual source, you can also do the following (requires `nc` to be installed on the AxoRouter host): 1. Open the AxoConsole, select **Topology** , then select the AxoRouter instance you’ve deployed. Alternatively, select `⌘/Ctrl + K` and enter the name of the AxoRouter. 2. Select **⋮ > Tap log flow > Input log flow**. Select **Start**. 3. Open a terminal on your AxoRouter host. 4. Run the following command to send 120 test messages (2 per second) in a loop to AxoRouter: ``` for i in `seq 1 120`; do echo "<165> fortigate date=$(date -u +%Y-%m-%d) time=$(date -u +"%H:%M:%S%Z") devname=us-east-1-dc1-a-dmz-fw devid=FGT60D4614044725 logid=0100040704 type=event subtype=system level=notice vd=root logdesc=\"System performance statistics\" action=\"perf-stats\" cpu=2 mem=35 totalsession=61 disk=2 bandwidth=158/138 setuprate=2 disklograte=0 fazlograte=0 msg=\"Performance statistics: average CPU: 2, memory: 35, concurrent sessions: 61, setup-rate: 2\""; sleep 0.5; done | nc -v 127.0.0.1 514 ``` Alternatively, you can send logs in an endless loop: ``` while true; do echo "<165> fortigate date=$(date -u +%Y-%m-%d) time=$(date -u +"%H:%M:%S%Z") devname=us-east-1-dc1-a-dmz-fw devid=FGT60D4614044725 logid=0100040704 type=event subtype=system level=notice vd=root logdesc=\"System performance statistics\" action=\"perf-stats\" cpu=2 mem=35 totalsession=61 disk=2 bandwidth=158/138 setuprate=2 disklograte=0 fazlograte=0 msg=\"Performance statistics: average CPU: 2, memory: 35, concurrent sessions: 61, setup-rate: 2\""; sleep 1; done | nc -v 127.0.0.1 514 ``` ## Manage AxoRouter This section describes how to start, stop and check the status of the AxoRouter service on Linux. ### Start AxoRouter To start AxoRouter, execute the following command. For example: `systemctl start axorouter` If the service starts successfully, no output will be displayed. The following message indicates that AxoRouter cannot start (see [Check AxoRouter status](../../../docs/axoflow/provisioning/axorouter/linux/index.md#check-status)): ``` Job for axorouter.service failed because the control process exited with error code. See `systemctl status axorouter.service` and `journalctl -xe` for details. ``` ### Stop AxoRouter To stop AxoRouter 1. Execute the following command. `systemctl stop axorouter` 2. Check the status of the AxoRouter service (see [Check AxoRouter status](../../../docs/axoflow/provisioning/axorouter/linux/index.md#check-status)). ### Restart AxoRouter To restart AxoRouter, execute the following command. `systemctl restart axorouter` ### Reload the configuration without restarting AxoRouter To reload the configuration file without restarting AxoRouter, execute the following command. `systemctl reload axorouter` ### Check the status of AxoRouter service To check the status of AxoRouter service 1. Execute the following command. `systemctl --no-pager status axorouter` 2. Check the `Active:` field, which shows the status of the AxoRouter service. The following statuses are possible: * `active (running)` \- `axorouter` service is up and running * `inactive (dead)` \- `axorouter` service is stopped ## Upgrade AxoRouter AxoConsole raises an alert for the host when a new AxoRouter version is available. To upgrade to the new version, re-run the one-liner installation command you used to install AxoRouter, or select [**Provisioning > Select type and platform**](../../../docs/axoflow/provisioning/axorouter/linux/index.md#install) to create a new one. Note that it can take a few minutes until the version numbers of the different services get updated on AxoConsole. * * * [Advanced installation options](../../../docs/axoflow/provisioning/axorouter/linux/advanced-options/index.md) [Run AxoRouter as non-root](../../../docs/axoflow/provisioning/axorouter/linux/non-root/index.md)