Configuring a Syslog Feed in Zscaler NSS
To collect events, you must configure a log feed on your Zscaler NSS to forward syslog events to JSA.
- Log in to the administration portal for Zscaler NSS.
- Select Administration > Settings > Nanolog Streaming Service.
- On the NSS Feeds tab, click Add.
- Enter a name for the feed.
- On the NSS Server menu, select an NSS.
- Set the SIEM IP Address to the IP address of the JSA Event Collector.
- Set the SIEM TCP Port to port 514.
- Set the Feed Output Type to JSA LEEF. The Feed Output Format is automatically populated with the appropriate string:
%s{mon} %02d{dd} %02d{hh}:%02d{mm}:%02d{ss} zscaler-nss: LEEF:1.0|Zscaler|NSS|4.1|%s{reason}|cat=%s{action} \tdevTime=%s{mon} %02d{dd} %d{yy} %02d{hh}: %02d{mm}:%02d{ss} %s{tz}\tdevTimeFormat=MMM dd yyyy HH:mm:ss z\tdst=%s{sip}\tsrcPostNAT=%s{cintip} \trealm=%s{location}\tusrName=%s{login}\tsrcBytes=%d{reqsize} \tdstBytes=%d{respsize} \trole=%s{dept}\tpolicy=%s{reason} \trecordid=%d{recordid} \tbwthrottle=%s{bwthrottle}\tuseragent=%s{ua} \treferer=%s{ereferer}\thostname=%s{ehost} \tappproto=%s{proto}\turlcategory=%s{urlcat} \turlsupercategory=%s{urlsupercat} \turlclass=%s{urlclass}\tappclass=%s{appclass}\tappname=%s{appname} \tmalwaretype=%s{malwarecat} \tmalwareclass=%s{malwareclass}\tthreatname=%s{threatname} \triskscore=%d{riskscore} \tdlpdict=%s{dlpdict}\tdlpeng=%s{dlpeng}\tfileclass=%s{fileclass} \tfiletype=%s{filetype} \treqmethod=%s{reqmethod}\trespcode=%s{respcode}\t%s{bamd5}\turl=%s{eurl}
- Click Save.
JSA automatically discovers and creates a log source for Zscaler NSS appliances. Events that are forwarded to JSA are viewable on the Log Activity tab.
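As an added example (not code from the Zscaler or JSA documentation), the following Python parser reads an event emitted in the JSA LEEF feed format above, splitting the LEEF header from the tab-separated attributes and normalising the numeric and devTime fields. The sample event and all of its values are constructed, and storing the key-less bamd5 token under the name "bamd5" is an assumption.

```python
import re
from datetime import datetime

# Constructed sample event in the shape produced by the JSA LEEF feed format.
# The bare hex token before "url=" is the bamd5 field, which the format
# string emits without a key=value prefix.
SAMPLE = (
    "Mar 05 10:15:32 zscaler-nss: LEEF:1.0|Zscaler|NSS|4.1|Allowed|cat=Allowed"
    "\tdevTime=Mar 05 2024 10:15:32 GMT\tdevTimeFormat=MMM dd yyyy HH:mm:ss z"
    "\tdst=203.0.113.10\tsrcPostNAT=198.51.100.7\trealm=HQ"
    "\tusrName=jdoe@example.com\tsrcBytes=512\tdstBytes=4096\trole=Finance"
    "\tpolicy=Allowed\trecordid=123456\tbwthrottle=NO\tuseragent=Mozilla/5.0"
    "\treferer=None\thostname=www.example.com\tappproto=HTTPS"
    "\turlcategory=Finance\turlsupercategory=Business\turlclass=Business Use"
    "\tappclass=General Browsing\tappname=General Browsing\tmalwaretype=None"
    "\tmalwareclass=None\tthreatname=None\triskscore=0\tdlpdict=None"
    "\tdlpeng=None\tfileclass=None\tfiletype=None\treqmethod=GET\trespcode=200"
    "\td41d8cd98f00b204e9800998ecf8427e\turl=www.example.com/"
)

# Syslog prefix, then the five pipe-delimited LEEF header fields, then attributes.
HEADER_RE = re.compile(
    r"^(?P<syslog_ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) zscaler-nss: "
    r"LEEF:(?P<version>[^|]+)\|(?P<vendor>[^|]*)\|(?P<product>[^|]*)\|"
    r"(?P<prod_version>[^|]*)\|(?P<event_id>[^|]*)\|(?P<attrs>.*)$"
)


def parse_zscaler_leef(line: str) -> dict:
    """Parse one Zscaler NSS JSA LEEF event into a flat dict of fields."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not a Zscaler NSS LEEF event")
    keys = ("version", "vendor", "product", "prod_version", "event_id")
    event = {k: m.group(k) for k in keys}
    for token in m.group("attrs").split("\t"):
        if "=" in token:
            key, _, value = token.partition("=")
            event[key] = value
        elif token:
            # Assumption: the key-less token is the bamd5 value from the format.
            event["bamd5"] = token
    # Counters that JSA treats as integers.
    for key in ("srcBytes", "dstBytes", "recordid", "riskscore"):
        if key in event and event[key].isdigit():
            event[key] = int(event[key])
    # devTime follows devTimeFormat "MMM dd yyyy HH:mm:ss z": split off the zone name.
    ts, _, event["devTimeZone"] = event["devTime"].rpartition(" ")
    event["devTime"] = datetime.strptime(ts, "%b %d %Y %H:%M:%S")
    return event
```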