How do you know if your syslog-ng pipeline is actually working? Most teams can't answer that.

syslog-ng was built for reliability: move logs at scale without dropping them. It does that well. But it tells you almost nothing about what's happening inside. No GUI. No health metrics. No alert when a source stops sending or a parser breaks quietly after a vendor format change. That was a reasonable design choice in 1998.

Today, that same pipeline is the foundation of your detection coverage. Silent failures aren't an ops inconvenience. They're a coverage gap. When a source goes dark, you don't get a page. You get a hole in your logs and find out in the postmortem.

Axoflow was built by the creator of syslog-ng to solve exactly this:
• Automated classification across 262+ log formats
• Pipeline health visible in a single console
• Alerts when sources go dark or parse rates drop

If you're running syslog-ng, SSB, or SC4S today, it's time to modernize your syslog layer.

#syslogng #SecurityData #LogManagement
About us
At Axoflow, we built the Autonomous Security Data Layer. Our platform classifies, normalizes, and routes security telemetry at scale without manual parser maintenance. Whether on-prem, air-gapped, cloud, or hybrid, Axoflow handles your security data end-to-end: autonomous classification and normalization across 262 log formats from 47 vendors, with seamless integration into Splunk, Google SecOps, Microsoft Sentinel, CrowdStrike, and more.

Proven results from enterprise deployments:
• 40-70% data volume reduction at ingestion
• Up to 50% reduction in SIEM costs
• 85% reduction in MTTR for data issues

Built by syslog-ng creator Balazs Scheidler. US-incorporated, ISO 27001 and SOC 2 Type II certified. $10.6M funded.
- Website: https://axoflow.com/
- Industry: Software Development
- Company size: 11-50 employees
- Headquarters: New York
- Type: Privately Held
- Founded: 2022
- Specialties: Security Data Pipeline, Security Data Layer, SIEM Cost Reduction, Log Management, Security Telemetry, Data Normalization, syslog-ng, Security Data Quality, SOC Optimization, Splunk Migration, Google SecOps, Microsoft Sentinel, Data Volume Reduction, Security Operations, Hybrid Infrastructure Security, Air-Gapped Security, OpenTelemetry Security, Security Data Lake, Autonomous Security Operations, and Compliance Data Retention
Locations
- Primary: New York, US
- 3500 S Dupont Hwy, Dover, Delaware 19901, US
Updates
-
96% of security leaders consider agentic AI critical. Only 23% have the data infrastructure to support it. Gartner identified the root cause: the inability to unify telemetry data is the single greatest inhibitor to large-scale agentic AI adoption. The problem isn't AI capability. It's data quality. When your AI SOC processes raw, unnormalized logs, it wastes tokens, misses context, and generates false positives. Axoflow eliminates this at the pipeline level. We normalize 262 log formats from 47 vendors, and we maintain those parsers so you don't have to. Schema drift, format changes, new sources: handled. Your AI ceiling is set by your data floor. #SecurityData #AI #SOC Link in comments.
-
-
Axoflow reposted this
Axoflow had such a great event at Central Ohio ISSA.
-
-
Attackers don't try to avoid your logging system. They try to control it. If they can inject forged syslog messages, those messages land in your SIEM and become part of your incident record. If they can flood your pipeline, you lose real events without knowing it. If they compromise a host that stores logs locally, those logs can be altered or deleted before anyone reviews them. None of this requires sophisticated tooling. It requires that your logging pipeline wasn't hardened.

Most syslog deployments were designed for reliability, not security. Unencrypted UDP means logs are readable in transit. No mutual authentication means any host on the network can inject into the pipeline. Local-only log storage means a compromised host can rewrite its own history. And dropped logs may go unnoticed for weeks or months because there's no acknowledgment mechanism telling you something was lost.

Hardening follows from the threat model. TLS encrypts transit. Mutual certificate authentication or IP allowlists prevent spoofing. Append-only or immutable storage prevents tampering after the fact. Forwarding logs off-host quickly limits what an attacker can alter after a compromise. Role-based access control with separate read, write, and admin roles limits blast radius if credentials leak.

Compliance gaps arise from how logging is deployed rather than whether it exists at all. Checking the "syslog enabled" box and leaving UDP open with local-only storage doesn't give you an audit trail. It gives you the appearance of one.
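The transport-level hardening named in the post above (TLS in transit, mutual certificate authentication, forwarding off-host), sketched as a syslog-ng relay configuration. This is an added example, not part of the original post and not Axoflow's own configuration; the object names, the certificate paths and the hostname `logs.example.internal` are assumptions.

```conf
@version: 4.2

# Before (weak): plaintext UDP. Messages are readable in transit, and any
# host that can reach port 514 can inject messages into the pipeline.
# source s_hosts { network(transport("udp") port(514)); };

# After: TLS listener that only accepts clients presenting a certificate
# signed by the logging CA (mutual certificate authentication).
source s_hosts {
    network(
        transport("tls")
        port(6514)
        tls(
            key-file("/etc/syslog-ng/tls/relay.key")    # assumed path
            cert-file("/etc/syslog-ng/tls/relay.crt")   # assumed path
            ca-file("/etc/syslog-ng/tls/log-ca.crt")    # assumed path
            peer-verify(required-trusted)               # reject peers without a valid cert
        )
    );
};

# Forward off-host right away so a later compromise of this machine
# cannot rewrite what has already been delivered. The relay authenticates
# itself to the central collector with its own certificate.
destination d_central {
    network(
        "logs.example.internal"                         # assumed hostname
        transport("tls")
        port(6514)
        tls(
            key-file("/etc/syslog-ng/tls/relay.key")    # assumed path
            cert-file("/etc/syslog-ng/tls/relay.crt")   # assumed path
            ca-file("/etc/syslog-ng/tls/log-ca.crt")    # assumed path
            peer-verify(required-trusted)               # verify the collector's cert
        )
    );
};

log { source(s_hosts); destination(d_central); };
```

Running `syslog-ng --syntax-only -f <file>` checks the configuration before it is deployed. Immutable storage and role-based access are enforced at the collector and storage layer and are outside this fragment.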
-
-
Are you at the Central Ohio ISSA Summit in Columbus, Ohio? Meet Richard Hosgood, Neil Boyd, and Laurakate Bayman and talk about:
• reducing SIEM ingestion costs
• improving security data quality
• making detection engineering less dependent on brittle pipelines
• preparing security data infrastructure for AI-driven SOC workflows

#Axoflow #InfoSecSummit #CyberSecurity #SecurityData #SIEM #DetectionEngineering #SecurityOperations #SOC #COISSA
-
-
Richard Hosgood will talk from 11 AM today on how Axoflow can improve your data quality for your SIEM at Central Ohio InfoSec Summit. You can also meet with Neil Boyd and Laurakate Bayman in Columbus all day.
If you are at Central Ohio ISSA, come and see my talk tomorrow on how Axoflow can improve your data quality for your AI SIEM.
-
-
Axoflow reposted this
Three security people walk into a hotel... No, this isn't the start of a joke. It's just Neil Boyd, Richard Hosgood, and me heading to the COISSA conference at the Hilton Downtown Columbus. We'll be talking logs, security, observability, and probably debating the correct amount of coffee required to survive a conference. If you're attending, come say hello. We're at Table 75 and we promise we're friendlier than your firewall. #COISSA #CyberSecurity #Observability #Columbus
-
-
Syslog is still the backbone of most production logging pipelines in 2026. That surprises engineers who assumed something newer had replaced it. Nothing has. The tools built on top of syslog have gotten better. The analysis platforms have gotten more capable. But the underlying problem, collecting event data from heterogeneous sources, routing it reliably, buffering it against downstream failures, and delivering it to analysis systems without losing data or destroying structure, is still the problem syslog infrastructure solves. OpenTelemetry, cloud-native logging agents, and managed observability platforms sit on top of or alongside syslog pipelines. They don't replace them. This guide covers the full picture: core protocol concepts from RFC 3164 through RFC 5424, transport options and their tradeoffs, deployment models from single-collector to enterprise multi-tier, scaling patterns for high-throughput environments, security hardening from TLS through immutable storage, SIEM integrations with Splunk, Microsoft Sentinel, Google SecOps, and others, and compliance considerations that most deployments get wrong. It's long because the subject is genuinely broad. But every section is practical. The goal is to give security engineers and infrastructure teams a reference they can use to evaluate their own deployments and identify the specific gaps that matter in their environment. If you're building or operating logging infrastructure at any serious scale, this is the foundation everything else sits on.
-
-
Beware of Peter Wilcsinszky at Infosecurity Europe
Frenemies and enemies! You can find them both at Infosecurity Europe
-
-
Our blisters were happy in the cold ice bath after the busy days, and with all the band-aids. Next time, orange sandals with socks, perhaps? Worth it: our product, and our orange shoes were getting the amount of attention we wanted at Gartner this year.

Thanks to the team on site: Mate Benedek, Neil Boyd, Sándor Guba, Richard Hosgood, and the team at the HQ for organizing.

It was also nice to speak with our partners in crime:
- Torq
- Anvilogic
- Intezer
- Dropzone AI

- Mate

See you next year! #gartnersec
-