Connect Zscaler with Human Managed


This article covers the step-by-step procedure to configure Zscaler Nanolog Streaming Service (NSS) so that Human Managed can collect web and firewall logs from your Zscaler instance for analysis.

 

zscaler guide 1.png

 

 

Prerequisites 

  • Zscaler subscription to NSS for Web and NSS for Firewall 

 

Step 1: Create a service request ticket for Human Managed to receive Zscaler NSS logs

  1. Submit a request 
  2. In the Subject, type or select Connect Zscaler 
  3. Once the ticket has been accepted by Human Managed and the ticket status has been updated, follow the next steps.

 

Step 2: Add NSS Server on Zscaler

  1. Go to the Zscaler Portal and click Administration > Nanolog Streaming Services > NSS Servers > Add NSS Server. Create two NSS servers, one for firewall logs and one for web logs, with the following settings:


    Name: NSS for Firewall
    Type: NSS for Firewall
    Status: Enabled

     

    Name: NSS for Web
    Type: NSS for Web 
    Status: Enabled 

Step 3: Download SSL certificate for NSS Firewall and NSS Web 

  1. Go to the Zscaler Portal and click Administration > Nanolog Streaming Services > NSS Servers > Add NSS Servers > Download SSL Certificate

    zscaler guide 2.png

  2. To add a data source to the NSS server, click NSS FEEDS > Add NSS Feed. Then choose the NSS type and the log type for the feed.

    zscaler guide 3.png

  3. Set the Feed Output Format of each feed to the format below that matches its log type (one feed per log type; copy the format exactly, including the escaped braces \{ and \}):

    Firewall logs: 

    <134>1 %d{yyyy}-%02d{mth}-%02d{dd}T%02d{hh}:%02d{mm}:%02d{ss}Z - - - - [receive stream_name="zscaler_fw_log"] \{ "sourcetype" : "zscalernss-fw", "event" :\{"datetime":"%s{time}","user":"%s{elogin}","department":"%s{edepartment}","locationname":"%s{elocation}","cdport":"%d{cdport}","csport":"%d{csport}","sdport":"%d{sdport}","ssport":"%d{ssport}","csip":"%s{csip}","cdip":"%s{cdip}","ssip":"%s{ssip}","sdip":"%s{sdip}","tsip":"%s{tsip}","tunsport":"%d{tsport}","tuntype":"%s{ttype}","action":"%s{action}","dnat":"%s{dnat}","stateful":"%s{stateful}","aggregate":"%s{aggregate}","nwsvc":"%s{nwsvc}","nwapp":"%s{nwapp}","proto":"%s{ipproto}","ipcat":"%s{ipcat}","destcountry":"%s{destcountry}","avgduration":"%d{avgduration}","rulelabel":"%s{erulelabel}","inbytes":"%ld{inbytes}","outbytes":"%ld{outbytes}","duration":"%d{duration}","durationms":"%d{durationms}","numsessions":"%d{numsessions}","ipsrulelabel":"%s{ipsrulelabel}","threatcat":"%s{threatcat}","threatname":"%s{ethreatname}","deviceowner":"%s{deviceowner}","devicehostname":"%s{devicehostname}"\}\}


    Firewall DNS logs: 

    <134>1 %d{yyyy}-%02d{mth}-%02d{dd}T%02d{hh}:%02d{mm}:%02d{ss}Z - - - - [receive stream_name="zscaler_fw_dns_log"] \{ "sourcetype" : "zscalernss-dns", "event" :\{"datetime":"%s{time}","user":"%s{elogin}","department":"%s{edepartment}","location":"%s{elocation}","reqaction":"%s{reqaction}","resaction":"%s{resaction}","reqrulelabel":"%s{reqrulelabel}","resrulelabel":"%s{resrulelabel}","dns_reqtype":"%s{reqtype}","dns_req":"%s{req}","dns_resp":"%s{res}","srv_dport":"%d{sport}","durationms":"%d{durationms}","clt_sip":"%s{cip}","srv_dip":"%s{sip}","category":"%s{domcat}","respipcategory":"%s{respipcat}","deviceowner":"%s{deviceowner}","devicehostname":"%s{devicehostname}"\}\}


    Web admin audit logs: 

    <134>1 %d{yyyy}-%02d{mth}-%02d{dd}T%02d{hh}:%02d{mm}:%02d{ss}Z - - - - [receive stream_name="zscaler_web_admin_audit"] \{ "sourcetype" : "zscalernss-audit", "event" :\{"time":"%s{time}","recordid":"%d{recordid}","action":"%s{action}","category":"%s{category}","subcategory":"%s{subcategory}","resource":"%s{resource}","interface":"%s{interface}","adminid":"%s{adminid}","clientip":"%s{clientip}","result":"%s{result}","errorcode":"%s{errorcode}","auditlogtype":"%s{auditlogtype}","preaction":"%s{epreaction}","postaction":"%s{epostaction}"\}\}

    Web logs:

    <134>1 %d{yyyy}-%02d{mth}-%02d{dd}T%02d{hh}:%02d{mm}:%02d{ss}Z - - - - [receive stream_name="zscaler_web_log"] \{"time":"%s{time}","timezone":"%s{tz}","action":"%s{action}","reason":"%s{reason}","hostname":"%s{ehost}","protocol":"%s{proto}","serverip":"%s{sip}","url":"%s{eurl}","urlcategory":"%s{urlcat}","urlclass":"%s{urlclass}","dlpdictionaries":"%s{dlpdict}","dlpengine":"%s{dlpeng}","filetype":"%s{filetype}","threatcategory":"%s{malwarecat}","threatclass":"%s{malwareclass}","pagerisk":"%d{riskscore}","threatname":"%s{threatname}","clientpublicIP":"%s{cintip}","ClientIP":"%s{cip}","location":"%s{location}","refererURL":"%s{ereferer}","useragent":"%s{ua}","department":"%s{dept}","user":"%s{login}","event_id":"%d{recordid}","requestmethod":"%s{reqmethod}","requestsize":"%d{reqsize}","requestversion":"%s{reqversion}","status":"%s{respcode}","responsesize":"%d{respsize}","responseversion":"%s{respversion}","transactionsize":"%d{totalsize}","contenttype":"%s{contenttype}","unscannabletype":"%s{unscannabletype}","deviceowner":"%s{deviceowner}","devicehostname":"%s{devicehostname}","keyprotectiontype":"%s{keyprotectiontype}"\}

  4. Click Save. 
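The feed output formats above are templates that NSS expands per record: `%s{field}`, `%d{field}`, `%ld{field}` and `%02d{field}` are replaced by field values, and literal braces are written as `\{` and `\}`. A missing comma or an unbalanced brace in a template only shows up once the feed is live, as a stream of unparseable lines. The following added example (not code from the original article, from Human Managed or from Zscaler) renders a template with constructed sample values the way NSS would, then parses the resulting syslog-style line back into its header and JSON body, so a template can be checked before it is saved in the portal. The two templates embedded in it are abridged copies of the firewall and web formats from Step 3; the field values are made up.

```python
"""Render and sanity-check Zscaler NSS custom feed output formats.

Added example: expands a feed format template with sample values, then parses
the rendered line (header + JSON body) to confirm the template is well-formed.
"""
import json
import re
from datetime import datetime, timezone

# Header shape shared by every template on this page:
#   <PRI>1 YYYY-MM-DDTHH:MM:SSZ - - - - [receive stream_name="..."] <json body>
HEADER_RE = re.compile(
    r'^<(?P<pri>\d+)>1 (?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) - - - - '
    r'\[receive stream_name="(?P<stream>[^"]+)"\] (?P<body>.*)$'
)

# NSS placeholders: %s{field}, %d{field}, %ld{field}, %02d{field}
PLACEHOLDER_RE = re.compile(r'%(?P<spec>0?\d*l?[sd])\{(?P<field>\w+)\}')

# Abridged copies of two templates from Step 3 (a few fields each).
FW_TEMPLATE = (
    r'<134>1 %d{yyyy}-%02d{mth}-%02d{dd}T%02d{hh}:%02d{mm}:%02d{ss}Z - - - - '
    r'[receive stream_name="zscaler_fw_log"] \{ "sourcetype" : "zscalernss-fw", '
    r'"event" :\{"datetime":"%s{time}","user":"%s{elogin}","csip":"%s{csip}",'
    r'"sdip":"%s{sdip}","sdport":"%d{sdport}","action":"%s{action}",'
    r'"inbytes":"%ld{inbytes}","outbytes":"%ld{outbytes}"\}\}'
)
WEB_TEMPLATE = (
    r'<134>1 %d{yyyy}-%02d{mth}-%02d{dd}T%02d{hh}:%02d{mm}:%02d{ss}Z - - - - '
    r'[receive stream_name="zscaler_web_log"] \{"time":"%s{time}",'
    r'"action":"%s{action}","url":"%s{eurl}","user":"%s{login}",'
    r'"status":"%s{respcode}","responsesize":"%d{respsize}"\}'
)

# Constructed sample field values (not real traffic).
SAMPLE_VALUES = {
    'yyyy': 2024, 'mth': 5, 'dd': 6, 'hh': 7, 'mm': 8, 'ss': 9,
    'time': 'Mon May  6 07:08:09 2024', 'elogin': 'jdoe@example.com',
    'login': 'jdoe@example.com', 'csip': '10.0.0.5', 'sdip': '203.0.113.10',
    'sdport': 443, 'action': 'Allow', 'inbytes': 1234, 'outbytes': 567,
    'eurl': 'example.com/index.html', 'respcode': '200', 'respsize': 2048,
}


def render_template(template, values):
    """Expand a feed format into one log line using `values` for each field.

    Missing numeric fields render as 0 and missing string fields as '';
    %02d pads to two digits. Values are inserted verbatim, so a value that
    contains an unescaped double quote will break the JSON body.
    """
    def substitute(match):
        spec, field = match.group('spec'), match.group('field')
        value = values.get(field, 0 if spec.endswith('d') else '')
        return f'{int(value):02d}' if spec.startswith('02') else str(value)

    line = PLACEHOLDER_RE.sub(substitute, template)
    # Feed formats escape literal braces as \{ and \}; the output has them plain.
    return line.replace('\\{', '{').replace('\\}', '}')


def parse_nss_line(line):
    """Parse a rendered line into syslog header fields and the decoded event.

    Handles both body shapes used on this page: the firewall, DNS and audit
    feeds wrap the record as {"sourcetype": ..., "event": {...}}, while the
    web feed puts the event fields at the top level. Returns None when the
    header does not match or the body is not valid JSON.
    """
    match = HEADER_RE.match(line)
    if not match:
        return None
    try:
        body = json.loads(match.group('body'))
    except json.JSONDecodeError:
        return None
    pri = int(match.group('pri'))
    ts = datetime.strptime(match.group('ts'), '%Y-%m-%dT%H:%M:%SZ')
    record = {
        'facility': pri >> 3,  # <134> is facility 16 (local0) ...
        'severity': pri & 7,   # ... severity 6 (informational)
        'timestamp': ts.replace(tzinfo=timezone.utc),
        'stream': match.group('stream'),
    }
    if isinstance(body, dict) and set(body) == {'sourcetype', 'event'}:
        record['sourcetype'], record['event'] = body['sourcetype'], body['event']
    else:
        record['sourcetype'], record['event'] = None, body
    return record


def check_template(template, values):
    """Render `template` with `values` and report whether the result parses."""
    return parse_nss_line(render_template(template, values)) is not None


if __name__ == '__main__':
    for name, template in (('fw', FW_TEMPLATE), ('web', WEB_TEMPLATE)):
        line = render_template(template, SAMPLE_VALUES)
        print(name, 'ok' if parse_nss_line(line) else 'BROKEN', line)
    # A login value containing a double quote breaks the web template's JSON.
    bad = dict(SAMPLE_VALUES, login='o"brien@example.com')
    print('web, quoted login:', 'ok' if check_template(WEB_TEMPLATE, bad) else 'BROKEN')
```

Paste the full template you intend to save in place of the abridged one and run `check_template` with values for its fields; any structural mistake in the template surfaces as a `BROKEN` result. The last line of the script shows the other thing worth checking: a field value inserted verbatim that contains a double quote produces invalid JSON, which is why a collector should treat a parse failure as a dropped record to alert on rather than silently skip it.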


Step 4: Update service request ticket for Human Managed to receive Zscaler NSS logs

  1. Update the service ticket to let Human Managed know that your Zscaler NSS servers and feeds have been configured.  
  2. Human Managed will send confirmation when logs are successfully received by the Human Managed platform. 
