Axonius is a cybersecurity asset management platform. This topic describes how to send system logs from your Axonius platform to

Before you begin, you'll need:

  • An active account with Axonius
  • An active account with
  • Filebeat installed on your machine
  • Root privileges on your machines

Configure Axonius to send syslog notifications to a remote Syslog server running Filebeat

  1. On your Axonius web interface, go to System Settings > Global Settings > Syslog Settings.
  2. Select Use Syslog.
  3. Enter the IP address of your remote syslog server into the Syslog host field. This is the server where you run Filebeat.
  4. Enter the port number into the Port field.
  5. Select UDP in the Protocol menu.

By default, syslog will be forwarded over port 514. Feel free to adjust this, based on your preference or availability, but be sure to note any change to this port in the Filebeat configuration.

Download the public certificate to your credentials server

For HTTPS shipping, download the public certificate to your certificate authority folder.

sudo curl --create-dirs -o /etc/pki/tls/certs/COMODORSADomainValidationSecureServerCA.crt

Configure Filebeat

  1. Paste the following into the inputs section of the Filebeat configuration file:

Filebeat requires a file extension specified for the log input.

filebeat.inputs:
- type: udp
  max_message_size: 10MiB
  # The port must match the port set in Axonius (514 by default).
  host: "<<ADDRESS-OF-YOUR-FILEBEAT-SERVER>>:514"
  fields:
    logzio_codec: plain
    # Your account token. You can find your token at
    token: <<LOG-SHIPPING-TOKEN>>
    type: axonius
  fields_under_root: true
  encoding: utf-8
  ignore_older: 3h
filebeat.registry.path: /var/lib/filebeat
processors:
- rename:
    fields:
    - from: "agent"
      to: "filebeat_agent"
    ignore_missing: true
- rename:
    fields:
    - from: "log.file.path"
      to: "source"
    ignore_missing: true
output.logstash:
  hosts: ["<<LISTENER-HOST>>:5015"]
  ssl:
    certificate_authorities: ['/etc/pki/tls/certs/COMODORSADomainValidationSecureServerCA.crt']

  • Replace <<ADDRESS-OF-YOUR-FILEBEAT-SERVER>> with the address of your server running Filebeat.
  • Your log shipping token directs the data securely to your Log Management account. The default token is auto-populated in the examples when you're logged into the app as an Admin. Manage your tokens.
  • Use the listener URL specific to the region where your account is hosted. Click to look up your listener URL.
  2. Run Filebeat with the new configuration.

Check for your logs

Give your logs some time to get from your system to ours, and then open OpenSearch Dashboards. You can filter for data of type axonius to see the incoming Axonius logs.

If you still don't see your logs, see Filebeat troubleshooting.
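
To rule out the UDP leg between Axonius and the Filebeat input before looking further, you can send a test datagram yourself. The script below is an added example, not part of the original instructions: the RFC 3164-style line, the hostname `axonius-test` and the function names are constructed for illustration and do not reproduce Axonius's actual message format.

```python
import socket
from datetime import datetime

# Largest payload one UDP datagram can carry over IPv4 (65535 - 20 IP - 8 UDP).
# With max_message_size set to 10MiB, this is the limit that applies in practice.
UDP_MAX_PAYLOAD = 65507


def build_syslog(msg, facility=1, severity=6, host="axonius-test", tag="axonius", now=None):
    """Build an RFC 3164-style line: <PRI>Mmm dd hh:mm:ss host tag: msg."""
    now = now or datetime.now()
    pri = facility * 8 + severity  # user-level (1), informational (6) -> 14
    stamp = f"{now.strftime('%b')} {now.day:2d} {now.strftime('%H:%M:%S')}"
    return f"<{pri}>{stamp} {host} {tag}: {msg}".encode("utf-8")


def send_datagram(addr, port, payload):
    """Send one datagram. The return value only means the kernel accepted it:
    UDP gives no delivery confirmation, so check the receiving side too."""
    if len(payload) > UDP_MAX_PAYLOAD:
        raise ValueError(f"{len(payload)} bytes does not fit in one UDP datagram")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as tx:
        return tx.sendto(payload, (addr, port))


def loopback_check(payload, timeout=2.0):
    """Send to a stand-in receiver on 127.0.0.1 (in place of Filebeat) and
    return what arrived, or None if nothing arrived before the timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx:
        rx.bind(("127.0.0.1", 0))  # ephemeral port, no root needed
        rx.settimeout(timeout)
        send_datagram("127.0.0.1", rx.getsockname()[1], payload)
        try:
            data, _ = rx.recvfrom(65535)
        except socket.timeout:
            return None
        return data


if __name__ == "__main__":
    line = build_syslog("constructed test event")
    print("sent    :", line)
    print("received:", loopback_check(line))
    # Against a real deployment, use the address and port from your own setup:
    # send_datagram("<<ADDRESS-OF-YOUR-FILEBEAT-SERVER>>", 514, line)
```

Because syslog over UDP is neither acknowledged nor encrypted, a successful send proves nothing by itself; confirm arrival by filtering for the test message under type axonius.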