Skip to main content

Overview

The Ayliea Collector is a lightweight network agent that passively discovers AI platform usage on your network. It captures DNS queries and TLS Server Name Indication (SNI) handshakes — both plaintext metadata — and forwards matched events to Ayliea for analysis. Privacy-first by design:
  • No SSL/TLS decryption
  • No packet payload inspection
  • No content analysis
  • No endpoint agents required
The collector ships with a built-in registry of 57+ AI platforms and 177+ domains, covering LLM providers, code assistants, image generators, and enterprise AI services.

Deployment Methods

Choose the method that fits your environment:

Docker

Recommended for most deployments. Hardened container with minimal privileges.

Static Binary

Self-contained binary for hosts without Docker. Linux x86_64 and ARM64.

Syslog Forwarding

Point your existing firewall syslog at Ayliea. No agent required.

Prerequisites

Before deploying, generate a monitoring token in Ayliea:
1

Navigate to Discovery

Go to Discovery in the left sidebar of your Ayliea dashboard.
2

Generate a token

In the Monitoring Tokens section, click Generate Token and enter a descriptive label (e.g., “prod-firewall” or “hq-network”).
3

Save the token

Copy the token immediately — it is shown only once. You will need it for all deployment methods.
Monitoring tokens are shown once at creation. If you lose a token, revoke it and generate a new one.

Docker

The recommended deployment method. The container runs as a non-root user with a read-only filesystem and minimal Linux capabilities.
1

Create the compose file

Save the following as docker-compose.collector.yml:
docker-compose.collector.yml
services:
  ayliea-collector:
    image: ghcr.io/ayliea/ayliea-collector:latest
    container_name: ayliea-collector
    network_mode: host
    cap_drop:
      - ALL
    cap_add:
      - NET_RAW
    security_opt:
      - no-new-privileges:true
    read_only: true
    tmpfs:
      - /tmp:size=64m,noexec,nosuid
      - /run:size=16m,noexec,nosuid
    deploy:
      resources:
        limits:
          memory: 256m
          cpus: "1.0"
    environment:
      - AYLIEA_TOKEN=YOUR_TOKEN_HERE
      - AYLIEA_ENDPOINT=ingest.ayliea.com
      - INTERFACE=eth0
      - SYSLOG_PORT=6514
      - SYSLOG_PROTOCOL=tls
      - HTTPS_ENABLED=true
      - HEALTH_PORT=9090
      - LOG_LEVEL=INFO
    restart: unless-stopped
    logging:
      driver: json-file
      options:
        max-size: "10m"
        max-file: "3"
Replace YOUR_TOKEN_HERE with your monitoring token and eth0 with your network interface.
2

Find your network interface

ip link show
Common values: eth0 (Linux), ens33 (VMware), eno1 (Dell/HP servers), bond0 (bonded interfaces).
3

Start the collector

docker compose -f docker-compose.collector.yml up -d
4

Verify it's running

curl -s http://127.0.0.1:9090/health | python3 -m json.tool
You should see "status": "running" and events_captured incrementing as traffic flows.
If port 9090 is already in use on your host, change the HEALTH_PORT environment variable to an available port.

Security hardening

The Docker configuration above includes production-grade security defaults:
SettingPurpose
cap_drop: ALL + cap_add: NET_RAWOnly the packet capture capability is granted
read_only: trueContainer filesystem cannot be modified
no-new-privilegesPrevents privilege escalation inside the container
tmpfs with noexec,nosuidTemp directories cannot execute binaries
memory: 256m, cpus: 1.0Limits resource consumption
Non-root userContainer process does not run as root

Environment variables

VariableDefaultDescription
AYLIEA_TOKEN(required)Your organization’s monitoring token
AYLIEA_ENDPOINTingest.ayliea.comIngest endpoint hostname
INTERFACEeth0Network interface to capture on
SYSLOG_PORT6514Syslog forwarding port
SYSLOG_PROTOCOLtlsTransport protocol: tls, tcp, or udp
HTTPS_ENABLEDtrueEnable HTTPS batch forwarding
HEALTH_PORT9090Local health endpoint port
LOG_LEVELINFOLog verbosity: DEBUG, INFO, WARNING, ERROR

Static Binary

A self-contained binary for Linux hosts without Docker. No Python runtime required — only libpcap.
1

Download and verify

Choose your architecture:
PlatformBinary
Linux x86_64ayliea-collector-linux-amd64
Linux ARM64ayliea-collector-linux-arm64
Run uname -m to check: x86_64 = amd64, aarch64 = arm64.
# Download binary and checksum
curl -LO https://github.com/Ayliea/ayliea/releases/latest/download/ayliea-collector-linux-amd64
curl -LO https://github.com/Ayliea/ayliea/releases/latest/download/ayliea-collector-linux-amd64.sha256

# Verify integrity
sha256sum -c ayliea-collector-linux-amd64.sha256

# Make executable
chmod +x ayliea-collector-linux-amd64
2

Install libpcap (if not present)

# Debian/Ubuntu
apt install libpcap0.8

# RHEL/CentOS/Fedora
yum install libpcap
Most server distributions include libpcap by default.
3

Run the collector

sudo ./ayliea-collector-linux-amd64 \
  --token YOUR_TOKEN \
  --interface eth0
The binary requires root or CAP_NET_RAW for packet capture.

CLI options

All options can also be set via environment variables. CLI flags take precedence. 
ayliea-collector [OPTIONS]

Options:
  --token TOKEN              Ingest token (env: AYLIEA_TOKEN)
  --interface IFACE          Network interface (env: INTERFACE, default: eth0)
  --endpoint HOST            Ingest hostname (env: AYLIEA_ENDPOINT, default: ingest.ayliea.com)
  --syslog-port PORT         Syslog port (env: SYSLOG_PORT, default: 6514)
  --syslog-protocol PROTO    tls | tcp | udp (env: SYSLOG_PROTOCOL, default: tls)
  --no-https                 Disable HTTPS batch forwarding (env: HTTPS_ENABLED=false)
  --log-level LEVEL          DEBUG | INFO | WARNING | ERROR (env: LOG_LEVEL, default: INFO)

Running as a systemd service

For persistent deployments, create a systemd unit:
/etc/systemd/system/ayliea-collector.service
[Unit]
Description=Ayliea Collector
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
ExecStart=/usr/local/bin/ayliea-collector --token YOUR_TOKEN --interface eth0
Restart=on-failure
RestartSec=10
AmbientCapabilities=CAP_NET_RAW
NoNewPrivileges=true
ProtectSystem=strict
ProtectHome=true
User=ayliea-collector

[Install]
WantedBy=multi-user.target

# Create service user
sudo useradd -r -s /usr/sbin/nologin ayliea-collector

# Copy binary
sudo cp ayliea-collector-linux-amd64 /usr/local/bin/ayliea-collector

# Enable and start
sudo systemctl daemon-reload
sudo systemctl enable --now ayliea-collector

Syslog Forwarding

If your firewall or proxy already exports syslog, you can point it directly at Ayliea without deploying an agent.

Ingest endpoints

ProtocolEndpointPort
TLS (recommended)ingest.ayliea.com6514
TCPingest.ayliea.com514
UDPingest.ayliea.com514

Authentication

Include your monitoring token in the RFC 5424 structured data element on every syslog message: 
[ayliea@00000 key="YOUR_TOKEN"]
Most enterprise firewalls (Palo Alto, Fortinet, pfSense) support custom structured data in their syslog forwarding configuration.

Supported log formats

VendorFormatNotes
Palo Alto NetworksCSV traffic/URL filtering logsAuto-detected
FortiGateKey=value syslog or CSV exportAuto-detected
pfSense / OPNsenseCSV exportAuto-detected
Squid ProxyNative and CLF formatsAuto-detected
Windows DNS ServerDebug log formatAuto-detected
BINDQuery log formatAuto-detected
ZscalerCSV web log exportsAuto-detected
Generic CSVAny CSV with domain/IP/timestamp columnsFallback parser

Health Endpoint

Both the Docker container and the binary expose a local health endpoint (default: http://127.0.0.1:9090/health): 
{
  "status": "running",
  "uptime_seconds": 3600,
  "interface": "eth0",
  "events_captured": 1542,
  "events_matched": 87,
  "platforms_detected": 12,
  "syslog_connected": true,
  "https_connected": true,
  "last_event_at": "2026-04-10T21:15:48.230224+00:00"
}
Use this endpoint for monitoring and integration with your existing health check tooling (Uptime Kuma, Prometheus, etc.).

Scan Frequency

The collector buffers captured events and processes them into discovery scans on a configurable schedule. You can set the scan frequency in your Ayliea dashboard under Discovery > Scan Frequency.
FrequencyDescription
HourlyEvents processed every hour. Best for high-security environments needing rapid detection.
Daily (default)Events processed once per day. Recommended for most organizations.
WeeklyEvents processed once per week. Suitable for low-traffic or cost-sensitive deployments.
Regardless of the schedule, events are processed immediately if the buffer reaches 5,000 events. Events are persisted across collector restarts and deployments — no data is lost during planned maintenance.

Troubleshooting

No events captured

  • Verify the interface name matches your primary network interface (ip link show)
  • Confirm the container has NET_RAW capability: docker inspect ayliea-collector | grep CapAdd
  • Check that DNS and TLS traffic is actually flowing on the specified interface
  • Set LOG_LEVEL=DEBUG for verbose capture output

Syslog forwarding errors

  • Confirm ingest.ayliea.com resolves from the host: dig ingest.ayliea.com
  • Check that port 6514 (TLS) or 514 (TCP/UDP) is not blocked by a firewall
  • Verify your token is valid and has not been revoked
  • Check your firewall’s syslog forwarding logs for transmission errors

Health endpoint unreachable

  • The health endpoint binds to 127.0.0.1 — it is only accessible from the host itself
  • If another service uses port 9090, set HEALTH_PORT to an unused port

Connection verification timeout

After deploying, use the Verify button in the Ayliea dashboard to confirm events are flowing. If verification times out after 5 minutes:
  • Generate test traffic by visiting an AI platform from a device on the monitored network (e.g., curl https://api.openai.com)
  • Check the health endpoint for events_captured > 0
  • Verify the token matches exactly (no extra spaces or quotes)