Skip to main content

Overview

The Ayliea Collector is a lightweight network agent that passively discovers AI platform usage on your network. It captures DNS queries and TLS Server Name Indication (SNI) handshakes — both plaintext metadata — and forwards matched events to Ayliea for analysis. Privacy-first by design:
  • No SSL/TLS decryption
  • No packet payload inspection
  • No content analysis
  • No endpoint agents required
The collector ships with a built-in registry of 57+ AI platforms and 177+ domains, covering LLM providers, code assistants, image generators, and enterprise AI services.

Deployment Methods

Choose the method that fits your environment:

Docker

Recommended for most deployments. Hardened container with minimal privileges.

Static Binary

Self-contained binary for hosts without Docker. Linux x86_64 and ARM64.

Syslog Forwarding

Point your existing firewall syslog at Ayliea. No agent required.

Prerequisites

Before deploying, generate a monitoring token in Ayliea:
1

Navigate to Discovery

Go to Discovery in the left sidebar of your Ayliea dashboard.
2

Generate a token

In the Monitoring Tokens section, click Generate Token and enter a descriptive label (e.g., “prod-firewall” or “hq-network”).
3

Save the token

Copy the token immediately — it is shown only once. You will need it for all deployment methods.
Monitoring tokens are shown once at creation. If you lose a token, revoke it and generate a new one.

Docker

The recommended deployment method. The container runs as a non-root user with a read-only filesystem and minimal Linux capabilities.
1

Create the compose file

Save the following as docker-compose.collector.yml:
docker-compose.collector.yml
Replace YOUR_TOKEN_HERE with your monitoring token and eth0 with your network interface.
2

Find your network interface

Common values: eth0 (Linux), ens33 (VMware), eno1 (Dell/HP servers), bond0 (bonded interfaces).
3

Start the collector

4

Verify it's running

You should see "status": "running" and events_captured incrementing as traffic flows.
If port 9090 is already in use on your host, change the HEALTH_PORT environment variable to an available port.

Security hardening

The Docker configuration above includes production-grade security defaults:

Environment variables

Static Binary

A self-contained binary for Linux hosts without Docker. No Python runtime required — only libpcap.
1

Download and verify

Choose your architecture:
Run uname -m to check: x86_64 = amd64, aarch64 = arm64.
2

Install libpcap (if not present)

Most server distributions include libpcap by default.
3

Run the collector

The binary requires root or CAP_NET_RAW for packet capture.

CLI options

All options can also be set via environment variables. CLI flags take precedence.

Running as a systemd service

For persistent deployments, create a systemd unit:
/etc/systemd/system/ayliea-collector.service

Syslog Forwarding

If your firewall or proxy already exports syslog, you can point it directly at Ayliea without deploying an agent.

Ingest endpoints

Authentication

Include your monitoring token in the RFC 5424 structured data element on every syslog message:
Most enterprise firewalls (Palo Alto, Fortinet, pfSense) support custom structured data in their syslog forwarding configuration.

Supported log formats

Health Endpoint

Both the Docker container and the binary expose a local health endpoint (default: http://127.0.0.1:9090/health):
Use this endpoint for monitoring and integration with your existing health check tooling (Uptime Kuma, Prometheus, etc.).

Scan Frequency

The collector buffers captured events and processes them into discovery scans on a configurable schedule. You can set the scan frequency in your Ayliea dashboard under Discovery > Scan Frequency. Regardless of the schedule, events are processed immediately if the buffer reaches 5,000 events. Events are persisted across collector restarts and deployments — no data is lost during planned maintenance.

Troubleshooting

No events captured

  • Verify the interface name matches your primary network interface (ip link show)
  • Confirm the container has NET_RAW capability: docker inspect ayliea-collector | grep CapAdd
  • Check that DNS and TLS traffic is actually flowing on the specified interface
  • Set LOG_LEVEL=DEBUG for verbose capture output

Syslog forwarding errors

  • Confirm ingest.ayliea.com resolves from the host: dig ingest.ayliea.com
  • Check that port 6514 (TLS) or 514 (TCP/UDP) is not blocked by a firewall
  • Verify your token is valid and has not been revoked
  • Check your firewall’s syslog forwarding logs for transmission errors

Health endpoint unreachable

  • The health endpoint binds to 127.0.0.1 — it is only accessible from the host itself
  • If another service uses port 9090, set HEALTH_PORT to an unused port

Connection verification timeout

After deploying, use the Verify button in the Ayliea dashboard to confirm events are flowing. If verification times out after 5 minutes:
  • Generate test traffic by visiting an AI platform from a device on the monitored network (e.g., curl https://api.openai.com)
  • Check the health endpoint for events_captured > 0
  • Verify the token matches exactly (no extra spaces or quotes)