21 changes: 17 additions & 4 deletions packages/axonius/_dev/build/docs/README.md
@@ -19,13 +19,15 @@ This integration collects log messages of the following type:

- `User`: Collect details of all users (endpoint: `/api/v2/users`).

- `Gateway`: Collect details of all Gateway (endpoint: `/api/v2/gateway`).

### Supported use cases

Integrating the Axonius Adapter and User Data streams with Elastic SIEM provides centralized visibility into both data-collection health and user identity context across the environment. Together, these data streams help analysts understand how data is being ingested through adapters and how that data maps to user identities and access posture.
Integrating the Axonius Adapter, User, and Gateway data streams with Elastic SIEM provides centralized visibility into data ingestion health, user identity context, and gateway configuration across the environment. Together, these data streams help analysts understand how data flows into the platform, how it maps to user access and roles, and how gateways operate within the network.

The dashboards highlight overall adapter status and connection behavior, making it easy to identify healthy integrations, failing plugins, and error-prone connections that may impact asset visibility. At the same time, user-focused views surface role distribution and essential identity attributes, helping analysts quickly assess access patterns and identify high-privileged or unusual user activity. Consolidated user details and source information provide clarity on where identity data originates and whether coverage gaps exist.
The dashboards surface key insights into adapter and gateway status, connection behavior, and routing context, making it easy to identify failing integrations, misconfigurations, or irregular network behavior. At the same time, user-focused views highlight role distribution and essential identity attributes, supporting quick assessment of access posture and detection of unusual or high-privileged activity.

By combining adapter health insights with user identity visibility, security teams can ensure reliable data ingestion, detect identity-related anomalies, reduce blind spots, and streamline investigations that depend on accurate, end-to-end context from both integrations and users.
By correlating integration health, identity context, and gateway configuration, security teams can reduce blind spots, detect anomalies more effectively, and streamline investigations with accurate, end-to-end operational and security context.

## What do I need to use this integration?

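Review bot: the endpoint documented for the Gateway stream does not match the one the input actually calls. This hunk lists `/api/v2/gateway` (singular), while `cel.yml.hbs` requests `state.url.trim_right("/") + "/api/v2/gateways"` and the mock in `_dev/deploy/docker/files/config.yml` serves `/api/v2/gateways`. Use the plural form here and in the API list further down so the README describes the real call. Minor wording: "Collect details of all Gateway" should read "Collect details of all gateways", matching the `Users` bullet above it.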
@@ -126,6 +128,16 @@ The `user` data stream provides user events from axonius.

{{ event "user" }}

### Gateway

The `gateway` data stream provides gateway events from axonius.

#### gateway fields

{{ fields "gateway" }}

{{ event "gateway" }}

### Inputs used
{{/* All inputs used by this package will be automatically listed here. */}}
{{ inputDocs }}
@@ -136,7 +148,8 @@ These APIs are used with this integration:

* Adapter (endpoint: `/api/v2/adapters`)
* User (endpoint: `/api/v2/users`)
* Gateway (endpoint: `/api/v2/gateway`)

### ILM Policy

To facilitate adapter and user data, source data stream-backed indices `.ds-logs-axonius.adapter-*` and `.ds-logs-axonius.user-*` respectively are allowed to contain duplicates from each polling interval. ILM policies `logs-axonius.adapter-default_policy` and `logs-axonius.user-default_policy` are added to these source indices, so it doesn't lead to unbounded growth. This means that in these source indices data will be deleted after `30 days` from ingested date.
To facilitate adapter, user and gateway data, source data stream-backed indices `.ds-logs-axonius.adapter-*`, `.ds-logs-axonius.user-*` and `.ds-logs-axonius.gateway-*` respectively are allowed to contain duplicates from each polling interval. ILM policies `logs-axonius.adapter-default_policy`, `logs-axonius.user-default_policy` amd `logs-axonius.gateway-default_policy` are added to these source indices, so it doesn't lead to unbounded growth. This means that in these source indices data will be deleted after `30 days` from ingested date.
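Review bot: typo in the ILM sentence: "`logs-axonius.user-default_policy` amd `logs-axonius.gateway-default_policy`" should be "and". The API list in the same hunk repeats the singular `/api/v2/gateway` while the CEL program requests `/api/v2/gateways`; align it with the input. Since the published README is generated from `_dev/build/docs/README.md`, both fixes belong here, not in the built file.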
62 changes: 62 additions & 0 deletions packages/axonius/_dev/deploy/docker/files/config.yml
@@ -154,4 +154,66 @@ rules:
}
]
}
`}}
- path: /api/v2/gateways
methods: ['GET']
request_headers:
Accept: application/json
api-key: xxxx
api-secret: xxxx
responses:
- status_code: 200
headers:
Content-Type:
- 'application/json'
body: |-
{{ minify_json `
{
"gateways": [
{
"name": "Gateway_1",
"default": false,
"dns_server": "1.128.0.0",
"email_when_connected": false,
"email_when_disconnected": false,
"email_recipients": [
"john.doe@example.com"
],
"backup_ids": [
"backup1",
"backup2"
],
"tunnel_proxy_settings": {
"enabled": false,
"tunnel_proxy_addr": "addr",
"tunnel_proxy_port": 8080,
"tunnel_proxy_user": "tunnel-proxy-01"
},
"id": "tunnel3",
"status": "pending"
},
{
"name": "Gateway_3",
"default": false,
"dns_server": "216.160.83.56",
"email_when_connected": false,
"email_when_disconnected": false,
"email_recipients": [
"alias.doe@example.com"
],
"backup_ids": [
"backup1",
"backup2"
],
"tunnel_proxy_settings": {
"enabled": false,
"tunnel_proxy_addr": "addr1",
"tunnel_proxy_port": 8081,
"tunnel_proxy_user": "tunnel-proxy-02"
},
"id": "tunnel2",
"status": "error"
}
]
}
`}}
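Review bot: the mock returns only Gateway_1 and Gateway_3; the default gateway Gateway_2 (`default: true`, `status: success`) that appears in the pipeline sample log is missing here, so the system test (`hit_count: 2`) never exercises a successful or default gateway end to end. Either add it to the `gateways` array and raise `hit_count` to 3, or say why it is left out. Pinning `api-key` and `api-secret` to `xxxx` in `request_headers` matches the system-test vars and does confirm the auth headers are sent, which is good.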
2 changes: 1 addition & 1 deletion packages/axonius/changelog.yml
@@ -3,4 +3,4 @@
changes:
- description: Initial release.
type: enhancement
link: https://github.com/elastic/integrations/pull/16142
link: https://github.com/elastic/integrations/pull/16169
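Review bot: only the PR link changes (16142 to 16169) and the entry still reads "Initial release" with no version bump. That is fine only if the package has not been published yet; if a version has already shipped, the gateway data stream needs its own changelog entry and a version bump in `manifest.yml`.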
@@ -0,0 +1,3 @@
fields:
tags:
- preserve_duplicate_custom_fields
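Review bot: this pipeline test config tags events only with `preserve_duplicate_custom_fields`, not `preserve_original_event`, yet the expected output still carries `event.original`. Confirm that the pipeline's removal of `event.original` is conditioned on the `preserve_original_event` tag (the usual `remove` processor guarded by `ctx.tags == null || !(ctx.tags.contains('preserve_original_event'))`): if it is, the expected file should not contain `event.original`; if it is not, every production event will retain the raw JSON regardless of the user's choice. The file path for this hunk is not shown in the rendered diff.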
@@ -0,0 +1,3 @@
{"name":"Gateway_1","default":false,"dns_server":"1.128.0.0","email_when_connected":false,"email_when_disconnected":false,"email_recipients":["john.doe@example.com"],"backup_ids":["backup1","backup2"],"tunnel_proxy_settings":{"enabled":false,"tunnel_proxy_addr":"addr","tunnel_proxy_port":8080,"tunnel_proxy_user":"tunnel-proxy-01"},"id":"tunnel3","status":"pending"}
{"name":"Gateway_3","default":false,"dns_server":"216.160.83.56","email_when_connected":false,"email_when_disconnected":false,"email_recipients":["alias.doe@example.com"],"backup_ids":["backup1","backup2"],"tunnel_proxy_settings":{"enabled":false,"tunnel_proxy_addr":"addr1","tunnel_proxy_port":8081,"tunnel_proxy_user":"tunnel-proxy-02"},"id":"tunnel2","status":"error"}
{"name":"Gateway_2","default":true,"dns_server":"89.160.20.128","email_when_connected":false,"email_when_disconnected":false,"email_recipients":["john.martin@example.com"],"backup_ids":["backup1","backup2"],"tunnel_proxy_settings":{"enabled":false,"tunnel_proxy_addr":"addr2","tunnel_proxy_port":8082,"tunnel_proxy_user":"tunnel-proxy-03"},"id":"tunnel1","status":"success"}
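Review bot: all three samples have `tunnel_proxy_settings.enabled: false`, so the pipeline's handling of an enabled proxy (and any enrichment from `tunnel_proxy_addr`) is untested; consider flipping one sample to `true` with a hostname-style address. The `pending`/`error`/`success` statuses and a `default: true` gateway are covered, which is good.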
@@ -0,0 +1,162 @@
{
"expected": [
{
"axonius": {
"gateway": {
"backup_ids": [
"backup1",
"backup2"
],
"default": false,
"dns_server": "1.128.0.0",
"email_recipients": [
"john.doe@example.com"
],
"email_when_connected": false,
"email_when_disconnected": false,
"id": "tunnel3",
"name": "Gateway_1",
"status": "pending",
"tunnel_proxy_settings": {
"enabled": false,
"tunnel_proxy_addr": "addr",
"tunnel_proxy_port": "8080",
"tunnel_proxy_user": "tunnel-proxy-01"
}
}
},
"ecs": {
"version": "9.2.0"
},
"email": {
"to": {
"address": [
"john.doe@example.com"
]
}
},
"event": {
"id": "tunnel3",
"kind": "event",
"original": "{\"name\":\"Gateway_1\",\"default\":false,\"dns_server\":\"1.128.0.0\",\"email_when_connected\":false,\"email_when_disconnected\":false,\"email_recipients\":[\"john.doe@example.com\"],\"backup_ids\":[\"backup1\",\"backup2\"],\"tunnel_proxy_settings\":{\"enabled\":false,\"tunnel_proxy_addr\":\"addr\",\"tunnel_proxy_port\":8080,\"tunnel_proxy_user\":\"tunnel-proxy-01\"},\"id\":\"tunnel3\",\"status\":\"pending\"}"
},
"related": {
"ip": [
"1.128.0.0"
],
"user": [
"tunnel-proxy-01"
]
},
"tags": [
"preserve_duplicate_custom_fields"
]
},
{
"axonius": {
"gateway": {
"backup_ids": [
"backup1",
"backup2"
],
"default": false,
"dns_server": "216.160.83.56",
"email_recipients": [
"alias.doe@example.com"
],
"email_when_connected": false,
"email_when_disconnected": false,
"id": "tunnel2",
"name": "Gateway_3",
"status": "error",
"tunnel_proxy_settings": {
"enabled": false,
"tunnel_proxy_addr": "addr1",
"tunnel_proxy_port": "8081",
"tunnel_proxy_user": "tunnel-proxy-02"
}
}
},
"ecs": {
"version": "9.2.0"
},
"email": {
"to": {
"address": [
"alias.doe@example.com"
]
}
},
"event": {
"id": "tunnel2",
"kind": "event",
"original": "{\"name\":\"Gateway_3\",\"default\":false,\"dns_server\":\"216.160.83.56\",\"email_when_connected\":false,\"email_when_disconnected\":false,\"email_recipients\":[\"alias.doe@example.com\"],\"backup_ids\":[\"backup1\",\"backup2\"],\"tunnel_proxy_settings\":{\"enabled\":false,\"tunnel_proxy_addr\":\"addr1\",\"tunnel_proxy_port\":8081,\"tunnel_proxy_user\":\"tunnel-proxy-02\"},\"id\":\"tunnel2\",\"status\":\"error\"}",
"outcome": "failure"
},
"related": {
"ip": [
"216.160.83.56"
],
"user": [
"tunnel-proxy-02"
]
},
"tags": [
"preserve_duplicate_custom_fields"
]
},
{
"axonius": {
"gateway": {
"backup_ids": [
"backup1",
"backup2"
],
"default": true,
"dns_server": "89.160.20.128",
"email_recipients": [
"john.martin@example.com"
],
"email_when_connected": false,
"email_when_disconnected": false,
"id": "tunnel1",
"name": "Gateway_2",
"status": "success",
"tunnel_proxy_settings": {
"enabled": false,
"tunnel_proxy_addr": "addr2",
"tunnel_proxy_port": "8082",
"tunnel_proxy_user": "tunnel-proxy-03"
}
}
},
"ecs": {
"version": "9.2.0"
},
"email": {
"to": {
"address": [
"john.martin@example.com"
]
}
},
"event": {
"id": "tunnel1",
"kind": "event",
"original": "{\"name\":\"Gateway_2\",\"default\":true,\"dns_server\":\"89.160.20.128\",\"email_when_connected\":false,\"email_when_disconnected\":false,\"email_recipients\":[\"john.martin@example.com\"],\"backup_ids\":[\"backup1\",\"backup2\"],\"tunnel_proxy_settings\":{\"enabled\":false,\"tunnel_proxy_addr\":\"addr2\",\"tunnel_proxy_port\":8082,\"tunnel_proxy_user\":\"tunnel-proxy-03\"},\"id\":\"tunnel1\",\"status\":\"success\"}",
"outcome": "success"
},
"related": {
"ip": [
"89.160.20.128"
],
"user": [
"tunnel-proxy-03"
]
},
"tags": [
"preserve_duplicate_custom_fields"
]
}
]
}
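Review bot: `axonius.gateway.tunnel_proxy_settings.tunnel_proxy_port` comes out as the string `"8080"` although the source JSON carries the number `8080`, so the field is presumably mapped as `keyword`; if range queries on ports are wanted, map it as `long` and keep the number. `email_recipients` is copied into `email.to.address`, but the ECS `email.*` field set describes an observed email message, not the notification recipients of a gateway configuration; unless that is intentional, keep the recipients under `axonius.gateway.email_recipients` only. Mapping `dns_server` to `related.ip` and `tunnel_proxy_user` to `related.user` is reasonable. `event.outcome` follows `status` (`error` gives `failure`, `success` gives `success`, `pending` sets nothing), and `event.kind: event` without `event.category` or `event.type` is acceptable for a configuration snapshot, though `event.type: info` would be a cheap addition.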
@@ -0,0 +1,12 @@
input: cel
service: axonius
vars:
url: http://{{Hostname}}:{{Port}}
api_key: xxxx
secret_key: xxxx
data_stream:
vars:
preserve_original_event: true
preserve_duplicate_custom_fields: true
assert:
hit_count: 2
79 changes: 79 additions & 0 deletions packages/axonius/data_stream/gateway/agent/stream/cel.yml.hbs
@@ -0,0 +1,79 @@
config_version: 2
interval: {{interval}}
resource.tracer:
enabled: {{enable_request_tracer}}
filename: "../../logs/cel/http-request-trace-*.ndjson"
maxbackups: 5
{{#if proxy_url}}
resource.proxy_url: {{proxy_url}}
{{/if}}
{{#if ssl}}
resource.ssl: {{ssl}}
{{/if}}
{{#if http_client_timeout}}
resource.timeout: {{http_client_timeout}}
{{/if}}
resource.url: {{url}}

state:
api_key: {{api_key}}
secret_key: {{secret_key}}
redact:
fields:
- api_key
- secret_key
program: |
request(
"GET",
state.url.trim_right("/") + "/api/v2/gateways"
).with({
"Header":{
"Accept": ["application/json"],
"api-key": [state.api_key],
"api-secret": [state.secret_key],
}
}).do_request().as(resp, resp.StatusCode == 200 ?
resp.Body.decode_json().as(body,
{
"events": body.?gateways.orValue([]).map(e, {
"message": e.encode_json(),
}),
"api_key": state.api_key,
"secret_key": state.secret_key,
}
)
:
{
"events": {
"error": {
"code": string(resp.StatusCode),
"id": string(resp.Status),
"message": "GET" + state.url.trim_right("/") + "/api/v2/gateways/: " + (
size(resp.Body) != 0 ?
string(resp.Body)
:
string(resp.Status) + ' (' + string(resp.StatusCode) + ')'
),
},
},
"api_key": state.api_key,
"secret_key": state.secret_key,
}
)
tags:
{{#if preserve_original_event}}
- preserve_original_event
{{/if}}
{{#if preserve_duplicate_custom_fields}}
- preserve_duplicate_custom_fields
{{/if}}
{{#each tags as |tag|}}
- {{tag}}
{{/each}}
{{#contains "forwarded" tags}}
publisher_pipeline.disable_host: true
{{/contains}}
{{#if processors}}
processors:
{{processors}}
{{/if}}
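Review bot: the error path builds a misleading message: `"GET" + state.url.trim_right("/") + "/api/v2/gateways/: "` has no space after `GET` and appends a trailing slash that the real request (`"/api/v2/gateways"`) does not have; change it to `"GET " + state.url.trim_right("/") + "/api/v2/gateways: "`. The program issues a single request and reads `body.?gateways.orValue([])` with no paging; if the Axonius endpoint pages its results, only the first page is ever collected, so either add paging or document that the endpoint returns the full list. Also `resource.tracer` writes the raw request, including the `api-key` and `api-secret` headers, to the trace file; the state `redact` list does not cover that output, so keep `enable_request_tracer` documented as debug-only.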