Overview
The Ayliea Collector is a lightweight network agent that passively discovers AI platform usage on your network. It captures DNS queries and TLS Server Name Indication (SNI) handshakes — both plaintext metadata — and forwards matched events to Ayliea for analysis. Privacy-first by design:- No SSL/TLS decryption
- No packet payload inspection
- No content analysis
- No endpoint agents required
Deployment Methods
Choose the method that fits your environment:Docker
Recommended for most deployments. Hardened container with minimal privileges.
Static Binary
Self-contained binary for hosts without Docker. Linux x86_64 and ARM64.
Syslog Forwarding
Point your existing firewall syslog at Ayliea. No agent required.
Prerequisites
Before deploying, generate a monitoring token in Ayliea:1
Navigate to Discovery
Go to Discovery in the left sidebar of your Ayliea dashboard.
2
Generate a token
In the Monitoring Tokens section, click Generate Token and enter a descriptive label (e.g., “prod-firewall” or “hq-network”).
3
Save the token
Copy the token immediately — it is shown only once. You will need it for all deployment methods.
Docker
The recommended deployment method. The container runs as a non-root user with a read-only filesystem and minimal Linux capabilities.1
Create the compose file
Save the following as Replace
docker-compose.collector.yml:docker-compose.collector.yml
YOUR_TOKEN_HERE with your monitoring token and eth0 with your network interface.2
Find your network interface
eth0 (Linux), ens33 (VMware), eno1 (Dell/HP servers), bond0 (bonded interfaces).3
Start the collector
4
Verify it's running
"status": "running" and events_captured incrementing as traffic flows.Security hardening
The Docker configuration above includes production-grade security defaults:Environment variables
Static Binary
A self-contained binary for Linux hosts without Docker. No Python runtime required — onlylibpcap.
1
Download and verify
Choose your architecture:
Run
uname -m to check: x86_64 = amd64, aarch64 = arm64.2
Install libpcap (if not present)
libpcap by default.3
Run the collector
CAP_NET_RAW for packet capture.CLI options
All options can also be set via environment variables. CLI flags take precedence.Running as a systemd service
For persistent deployments, create a systemd unit:/etc/systemd/system/ayliea-collector.service
Syslog Forwarding
If your firewall or proxy already exports syslog, you can point it directly at Ayliea without deploying an agent.Ingest endpoints
Authentication
Include your monitoring token in the RFC 5424 structured data element on every syslog message:Supported log formats
Health Endpoint
Both the Docker container and the binary expose a local health endpoint (default:http://127.0.0.1:9090/health):
Scan Frequency
The collector buffers captured events and processes them into discovery scans on a configurable schedule. You can set the scan frequency in your Ayliea dashboard under Discovery > Scan Frequency.
Regardless of the schedule, events are processed immediately if the buffer reaches 5,000 events.
Events are persisted across collector restarts and deployments — no data is lost during planned maintenance.
Troubleshooting
No events captured
- Verify the interface name matches your primary network interface (
ip link show) - Confirm the container has
NET_RAWcapability:docker inspect ayliea-collector | grep CapAdd - Check that DNS and TLS traffic is actually flowing on the specified interface
- Set
LOG_LEVEL=DEBUGfor verbose capture output
Syslog forwarding errors
- Confirm
ingest.ayliea.comresolves from the host:dig ingest.ayliea.com - Check that port 6514 (TLS) or 514 (TCP/UDP) is not blocked by a firewall
- Verify your token is valid and has not been revoked
- Check your firewall’s syslog forwarding logs for transmission errors
Health endpoint unreachable
- The health endpoint binds to
127.0.0.1— it is only accessible from the host itself - If another service uses port 9090, set
HEALTH_PORTto an unused port
Connection verification timeout
After deploying, use the Verify button in the Ayliea dashboard to confirm events are flowing. If verification times out after 5 minutes:- Generate test traffic by visiting an AI platform from a device on the monitored network (e.g.,
curl https://api.openai.com) - Check the health endpoint for
events_captured > 0 - Verify the token matches exactly (no extra spaces or quotes)

