Sample Event Message
Use these sample event messages as a way of verifying a successful
integration with JSA.
Note: Due to formatting issues, paste the message format into a text editor and then remove any carriage return or line feed characters.
The following table provides a sample event message for Firewall
logs feeds when you use the Syslog protocol for the Zscaler NSS DSM.
Table 1: Zscaler NSS Syslog sample message for Firewall logs feeds supported by Zscaler NSS

| Event name | Low level category | Sample log message |
|---|---|---|
| Drop | Firewall Deny | `Jun 02 16:34:55 zscaler-nss: LEEF:1.0\|Zscaler\|NSS-FW\|5.5\|Drop\|usrName=GCL->SBL-1\trole=Default Department\trealm=GCL->SBL-1\tsrc=10.11.12.13\tdst=10.66.69.21\tsrcPort=30513\tdstPort=53\tdstPreNATPort=30512\tsrcPreNATPort=234\tdstPostNATPort=2345\tsrcPostNATPort=332\tsrcPreNAT=10.17.15.14\tdstPreNAT=10.66.69.111\tsrcPostNAT=10.66.54.105\tdstPostNAT=10.17.15.14\ttsip=10.66.54.105\t\ttsport=0\t\tttype=GRE\tcat=nss-fw\tdnat=No\tstateful=No\taggregate=No\tnwsvc=HTTP\tnwapp=adultadworld\tproto=TCP\tipcat=Miscellaneous or Unknown\tdestcountry=United States\tavgduration=115\trulelabel=Firewall_Adult\tdstBytes=898\tsrcBytes=14754\tduration=0\tdurationms=115\tnumsessions=1` |
The following table provides a sample event message for Web
logs feeds when you use the Syslog protocol for the Zscaler NSS DSM.
Table 2: Zscaler NSS Syslog sample message for Web logs feeds supported by Zscaler NSS

| Event name | Low level category | Sample log message |
|---|---|---|
| Block | Network Threshold Policy Violation | `<13>Feb 21 06:56:02 zscalar.nss.test zscaler-nss : LEEF:1.0\|Zscaler\|NSS\|4.1\|IPS block outbound request: adware/spyware traffic\|cat=Blocked devTime=Feb 21 2019 06:56:02 GMT devTimeFormat=MMM dd yyyy HH:mm:ss z src=192.0.2.0 dst=192.0.2.11 srcPostNAT=192.0.2.14 realm=Location 1 usrName=User01 srcBytes=175 dstBytes=14798 role=Unauthenticated Transactions policy=IPS block outbound request: adware/spyware traffic url=qradar.example.test/?v=3.08 =123456789=CHECK recordid=6660343920943824897 bwthrottle=NO useragent=Unknown referer=None hostname=qradar.example.test appproto=HTTP urlcategory=Suspected Spyware or Adware urlsupercategory=Advanced Security urlclass=Advanced Security Risk appclass=General Browsing appname=generalbrowsing malwaretype=Clean Transaction malwareclass=Clean Transaction threatname=Win32.PUA.Jeefo riskscore=100 dlpdict=None dlpeng=None fileclass=None filetype=None reqmethod=POST respcode=40` |
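Before a sample is pasted into a test sender, it helps to confirm that it is a single line and that the LEEF header and attributes parse the way JSA will see them. The following Python script is an added example, not code from Juniper, Zscaler or the JSA DSM; it covers both tables above with one parser: the Firewall sample uses tab-delimited attributes (real tab characters stand in for the literal `\t` shown in Table 1) and the Web sample uses the space-delimited attributes of Table 2. Both embedded messages are constructed, abbreviated copies of the table rows, and the space-delimited handling assumes that an attribute key is a bare identifier followed by `=` at the start of the payload or directly after whitespace, which keeps `?v=3.08` inside the `url` value from being read as a new key.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample messages modelled on the two table rows above. Real tab
# characters stand in for the literal "\t" that the Firewall table shows; the
# Web sample keeps its space-delimited attributes as in Table 2.
FW_SAMPLE = (
    "Jun 02 16:34:55 zscaler-nss: LEEF:1.0|Zscaler|NSS-FW|5.5|Drop|"
    "usrName=GCL->SBL-1\trole=Default Department\trealm=GCL->SBL-1"
    "\tsrc=10.11.12.13\tdst=10.66.69.21\tsrcPort=30513\tdstPort=53"
    "\ttsip=10.66.54.105\t\ttsport=0\t\tttype=GRE\tcat=nss-fw"
    "\tproto=TCP\tnwsvc=HTTP\trulelabel=Firewall_Adult"
    "\tdstBytes=898\tsrcBytes=14754\tdurationms=115\tnumsessions=1"
)
WEB_SAMPLE = (
    "<13>Feb 21 06:56:02 zscalar.nss.test zscaler-nss : LEEF:1.0|Zscaler|NSS|4.1|"
    "IPS block outbound request: adware/spyware traffic|cat=Blocked "
    "devTime=Feb 21 2019 06:56:02 GMT devTimeFormat=MMM dd yyyy HH:mm:ss z "
    "src=192.0.2.0 dst=192.0.2.11 realm=Location 1 usrName=User01 "
    "srcBytes=175 dstBytes=14798 role=Unauthenticated Transactions "
    "policy=IPS block outbound request: adware/spyware traffic "
    "url=qradar.example.test/?v=3.08 =123456789=CHECK "
    "threatname=Win32.PUA.Jeefo riskscore=100 reqmethod=POST respcode=40"
)

# Assumption for the space-delimited form: a key is a bare identifier followed
# by "=" that sits at the start of the payload or right after whitespace, so
# "?v=3.08" inside the url value is not mistaken for a new attribute.
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z][A-Za-z0-9_]*)=")


def has_line_breaks(msg: str) -> bool:
    """True if a pasted message still carries CR/LF characters (see the note above)."""
    return "\r" in msg or "\n" in msg


def split_leef(msg: str) -> Tuple[List[str], str]:
    """Drop the syslog prefix and return (five LEEF header fields, attribute text).

    The header is LEEF:version|vendor|product|version|eventid|; the event id may
    itself contain spaces and colons, as the Web sample shows.
    """
    start = msg.find("LEEF:")
    if start < 0:
        raise ValueError("no LEEF header found")
    parts = msg[start:].split("|", 5)
    if len(parts) < 6:
        raise ValueError("incomplete LEEF header")
    return parts[:5], parts[5]


def parse_attributes(attrs: str) -> Dict[str, str]:
    """Parse key=value attributes, tab-delimited (Firewall) or space-delimited (Web)."""
    result: Dict[str, str] = {}
    if "\t" in attrs:
        for segment in attrs.split("\t"):
            if not segment:          # tolerate the doubled tabs in the sample
                continue
            key, _, value = segment.partition("=")
            result[key.strip()] = value.strip()
        return result
    matches = list(_KEY_RE.finditer(attrs))
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(attrs)
        result[m.group(1)] = attrs[m.end():end].strip()
    return result


def parse_leef(msg: str) -> dict:
    """Parse a syslog line carrying a LEEF 1.0 event into header fields and attributes."""
    if has_line_breaks(msg):
        raise ValueError("message contains CR/LF; remove line breaks before sending")
    header, attrs = split_leef(msg)
    return {
        "leef_version": header[0].split(":", 1)[1],
        "vendor": header[1],
        "product": header[2],
        "product_version": header[3],
        "event_id": header[4],
        "attributes": parse_attributes(attrs),
    }


def missing_fields(parsed: dict, required: List[str]) -> List[str]:
    """Names from `required` that the parsed event lacks; empty means the sample is complete."""
    return [name for name in required if name not in parsed["attributes"]]


if __name__ == "__main__":
    for sample in (FW_SAMPLE, WEB_SAMPLE):
        event = parse_leef(sample)
        print(event["product"], "->", event["event_id"])
        print("  missing:", missing_fields(event, ["src", "dst", "usrName"]))
```

Running the script prints the product and event id of each sample and an empty `missing` list for the three fields checked; a non-empty list, or a `ValueError` about CR/LF, points at a paste that was wrapped or truncated before it reached the log source.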