This article covers the step-by-step procedure to configure your Zscaler NSS so that Human Managed can collect web and firewall logs from your Zscaler instance for analysis.
Prerequisites
- Zscaler subscription to NSS for Web and NSS for Firewall
Step 1: Create a service request ticket for Human Managed to receive Zscaler NSS logs
- Submit a request
- In the Subject, type or select Connect Zscaler
- Once the ticket has been accepted by Human Managed and the ticket status has been updated, follow the next steps.
Step 2: Add NSS Server on Zscaler
- Go to Zscaler Portal and click Administration > Nanolog Streaming Services > NSS Servers > Add NSS Server
Firewall server:
Name: NSS for Firewall
Type: NSS for Firewall
Status: Enabled
Web server:
Name: NSS for Web
Type: NSS for Web
Status: Enabled
Step 3: Download SSL certificate for NSS Firewall and NSS Web
- Go to Zscaler Portal and click Administration > Nanolog Streaming Services > NSS Servers > Add NSS Servers > Download SSL Certificate
- To add a data source to the NSS server, click NSS FEEDS > Add NSS Feeds. Then choose the NSS type and the log type.
- Set the Feed Output Format to the format shown below for that feed type:
fw logs:
<134>1 %d{yyyy}-%02d{mth}-%02d{dd}T%02d{hh}:%02d{mm}:%02d{ss}Z - - - - [receive stream_name="zscaler_fw_log"] \{ "sourcetype" : "zscalernss-fw", "event" :\{"datetime":"%s{time}","user":"%s{elogin}","department":"%s{edepartment}","locationname":"%s{elocation}","cdport":"%d{cdport}","csport":"%d{csport}","sdport":"%d{sdport}","ssport":"%d{ssport}","csip":"%s{csip}","cdip":"%s{cdip}","ssip":"%s{ssip}","sdip":"%s{sdip}","tsip":"%s{tsip}","tunsport":"%d{tsport}","tuntype":"%s{ttype}","action":"%s{action}","dnat":"%s{dnat}","stateful":"%s{stateful}","aggregate":"%s{aggregate}","nwsvc":"%s{nwsvc}","nwapp":"%s{nwapp}","proto":"%s{ipproto}","ipcat":"%s{ipcat}","destcountry":"%s{destcountry}","avgduration":"%d{avgduration}","rulelabel":"%s{erulelabel}","inbytes":"%ld{inbytes}","outbytes":"%ld{outbytes}","duration":"%d{duration}","durationms":"%d{durationms}","numsessions":"%d{numsessions}","ipsrulelabel":"%s{ipsrulelabel}","threatcat":"%s{threatcat}","threatname":"%s{ethreatname}","deviceowner":"%s{deviceowner}","devicehostname":"%s{devicehostname}"\}\}
fw DNS logs:
<134>1 %d{yyyy}-%02d{mth}-%02d{dd}T%02d{hh}:%02d{mm}:%02d{ss}Z - - - - [receive stream_name="zscaler_fw_dns_log"] \{ "sourcetype" : "zscalernss-dns", "event" :\{"datetime":"%s{time}","user":"%s{elogin}","department":"%s{edepartment}","location":"%s{elocation}","reqaction":"%s{reqaction}","resaction":"%s{resaction}","reqrulelabel":"%s{reqrulelabel}","resrulelabel":"%s{resrulelabel}","dns_reqtype":"%s{reqtype}","dns_req":"%s{req}","dns_resp":"%s{res}","srv_dport":"%d{sport}","durationms":"%d{durationms}","clt_sip":"%s{cip}","srv_dip":"%s{sip}","category":"%s{domcat}","respipcategory":"%s{respipcat}","deviceowner":"%s{deviceowner}","devicehostname":"%s{devicehostname}"\}\}
Web admin audit:
<134>1 %d{yyyy}-%02d{mth}-%02d{dd}T%02d{hh}:%02d{mm}:%02d{ss}Z - - - - [receive stream_name="zscaler_web_admin_audit"] \{ "sourcetype" : "zscalernss-audit", "event" :\{"time":"%s{time}","recordid":"%d{recordid}","action":"%s{action}","category":"%s{category}","subcategory":"%s{subcategory}","resource":"%s{resource}","interface":"%s{interface}","adminid":"%s{adminid}","clientip":"%s{clientip}","result":"%s{result}","errorcode":"%s{errorcode}","auditlogtype":"%s{auditlogtype}","preaction":"%s{epreaction}","postaction":"%s{epostaction}"\}\}
Web logs:
<134>1 %d{yyyy}-%02d{mth}-%02d{dd}T%02d{hh}:%02d{mm}:%02d{ss}Z - - - - [receive stream_name="zscaler_web_log"] \{"time":"%s{time}","timezone":"%s{tz}","action":"%s{action}","reason":"%s{reason}","hostname":"%s{ehost}","protocol":"%s{proto}","serverip":"%s{sip}","url":"%s{eurl}","urlcategory":"%s{urlcat}","urlclass":"%s{urlclass}","dlpdictionaries":"%s{dlpdict}","dlpengine":"%s{dlpeng}","filetype":"%s{filetype}","threatcategory":"%s{malwarecat}","threatclass":"%s{malwareclass}","pagerisk":"%d{riskscore}","threatname":"%s{threatname}","clientpublicIP":"%s{cintip}","ClientIP":"%s{cip}","location":"%s{location}","refererURL":"%s{ereferer}","useragent":"%s{ua}","department":"%s{dept}","user":"%s{login}","event_id":"%d{recordid}","requestmethod":"%s{reqmethod}","requestsize":"%d{reqsize}","requestversion":"%s{reqversion}","status":"%s{respcode}","responsesize":"%d{respsize}","responseversion":"%s{respversion}","transactionsize":"%d{totalsize}","contenttype":"%s{contenttype}","unscannabletype":"%s{unscannabletype}","deviceowner":"%s{deviceowner}","devicehostname":"%s{devicehostname}","keyprotectiontype":"%s{keyprotectiontype}"\}
- Click Save.
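A quick way to verify that a feed template above was entered correctly is to parse the lines the NSS emits before the ticket is updated. The following is an added example, not Human Managed or Zscaler code: it splits a line of the configured format into the syslog header, the stream_name tag and the JSON body, handles both the wrapped (sourcetype/event) firewall, DNS and audit shapes and the flat web log shape, and flags a line whose braces or escaping came out wrong. The two sample lines are constructed and their field values are made up.

```python
import json
import re

# Constructed sample lines in the feed output format configured in Step 3
# (values are invented for illustration; only the layout matters).
SAMPLE_FW_LINE = (
    '<134>1 2024-05-01T10:15:30Z - - - - [receive stream_name="zscaler_fw_log"] '
    '{ "sourcetype" : "zscalernss-fw", "event" :{"datetime":"Wed May  1 10:15:30 2024",'
    '"user":"alice@example.com","department":"IT","locationname":"HQ","cdport":"443",'
    '"csport":"51234","csip":"10.0.0.5","cdip":"203.0.113.10","action":"Allow",'
    '"nwsvc":"HTTPS","proto":"TCP","inbytes":"1200","outbytes":"800","threatname":""}}'
)
SAMPLE_WEB_LINE = (
    '<134>1 2024-05-01T10:16:02Z - - - - [receive stream_name="zscaler_web_log"] '
    '{"time":"Wed May  1 10:16:02 2024","action":"Blocked","reason":"Malicious URL",'
    '"hostname":"bad.example.net","url":"bad.example.net/payload","urlcategory":"Malware",'
    '"ClientIP":"10.0.0.5","user":"alice@example.com","status":"403"}'
)

# Header layout produced by every template on this page:
# <PRI>1 <timestamp> - - - - [receive stream_name="<stream>"] <json body>
HEADER_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) - - - - '
    r'\[receive stream_name="(?P<stream>[^"]+)"\] (?P<body>\{.*\})\s*$'
)

def parse_nss_line(line):
    """Return a dict with priority, facility, severity, timestamp, stream,
    sourcetype (None for the flat web log) and event (the inner field dict).
    Raises ValueError when the header or the JSON body does not match the
    template, which is what a mistyped or truncated feed format produces."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("line does not match the NSS feed header layout")
    body = json.loads(m.group("body"))          # ValueError on bad braces/quotes
    if isinstance(body, dict) and "sourcetype" in body and "event" in body:
        sourcetype, event = body["sourcetype"], body["event"]
    else:
        sourcetype, event = None, body          # web log template has no wrapper
    pri = int(m.group("pri"))
    return {
        "priority": pri,
        "facility": pri >> 3,                    # 134 -> 16 (local0)
        "severity": pri & 7,                     # 134 -> 6 (informational)
        "timestamp": m.group("ts"),
        "stream": m.group("stream"),
        "sourcetype": sourcetype,
        "event": event,
    }

def is_valid_nss_line(line):
    """True when the line parses cleanly; use it to sanity-check a feed."""
    try:
        parse_nss_line(line)
        return True
    except ValueError:
        return False
```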
Step 4: Update service request ticket for Human Managed to receive Zscaler NSS logs
- Update the service ticket to let Human Managed know that your Zscaler has been configured.
- Human Managed will send confirmation when logs are successfully received by the Human Managed platform.