Zscaler Nanolog Streaming Service

The JSA DSM for Zscaler Nanolog Streaming Service (Zscaler NSS) collects syslog events from Zscaler NSS Web logs or Firewall logs.

To integrate Zscaler NSS with JSA, complete the following steps:

  1. If automatic updates are not enabled, download the most recent versions of the following RPMs from https://support.juniper.net/support/downloads/ and install them on your JSA Console:

    • DSM Common RPM

    • Zscaler NSS DSM RPM

  2. Configure your Zscaler NSS device to send events to JSA.

    Note

    When you configure your Zscaler NSS device, JSA supports the following feeds. Enter each feed format as a single line exactly as shown: the \t sequences are the LEEF attribute separators, and any whitespace around them becomes part of the attribute names that JSA parses.

    Use the following LEEF output feed format for Web logs when you configure a Syslog feed in Zscaler NSS:

    %s{mon} %02d{dd} %02d{hh}:%02d{mm}:%02d{ss} zscaler-nss: LEEF:1.0|Zscaler|NSS|4.1|%s{reason}|cat=%s{action}\tdevTime=%s{mon} %02d{dd} %d{yy} %02d{hh}:%02d{mm}:%02d{ss} %s{tz}\tdevTimeFormat=MMM dd yyyy HH:mm:ss z\tsrc=%s{cip}\tdst=%s{sip}\tsrcPostNAT=%s{cintip}\trealm=%s{location}\tusrName=%s{login}\tsrcBytes=%d{reqsize}\tdstBytes=%d{respsize}\trole=%s{dept}\tpolicy=%s{reason}\trecordid=%d{recordid}\tbwthrottle=%s{bwthrottle}\tuseragent=%s{ua}\treferer=%s{ereferer}\thostname=%s{ehost}\tappproto=%s{proto}\turlcategory=%s{urlcat}\turlsupercategory=%s{urlsupercat}\turlclass=%s{urlclass}\tappclass=%s{appclass}\tappname=%s{appname}\tmalwaretype=%s{malwarecat}\tmalwareclass=%s{malwareclass}\tthreatname=%s{threatname}\triskscore=%d{riskscore}\tdlpdict=%s{dlpdict}\tdlpeng=%s{dlpeng}\tfileclass=%s{fileclass}\tfiletype=%s{filetype}\treqmethod=%s{reqmethod}\trespcode=%s{respcode}\t%s{bamd5}\turl=%s{eurl}

    Use the following LEEF output feed format for Firewall logs when you configure a Syslog feed in Zscaler NSS:

    %s{mon} %02d{dd} %02d{hh}:%02d{mm}:%02d{ss} zscaler-nss: LEEF:1.0|Zscaler|NSS-FW|6.0|%s{action}|usrName=%s{login}\trole=%s{dept}\trealm=%s{location}\tsrc=%s{csip}\tdst=%s{cdip}\tsrcPort=%d{csport}\tdstPort=%d{cdport}\tdstPreNATPort=%d{cdport}\tsrcPreNATPort=%d{csport}\tdstPostNATPort=%d{sdport}\tsrcPostNATPort=%d{ssport}\tsrcPreNAT=%s{csip}\tdstPreNAT=%s{cdip}\tsrcPostNAT=%s{ssip}\tdstPostNAT=%s{sdip}\ttsip=%s{tsip}\ttsport=%d{tsport}\tttype=%s{ttype}\tcat=nss-fw\tdnat=%s{dnat}\tstateful=%s{stateful}\taggregate=%s{aggregate}\tnwsvc=%s{nwsvc}\tnwapp=%s{nwapp}\tproto=%s{ipproto}\tipcat=%s{ipcat}\tdestcountry=%s{destcountry}\tavgduration=%ld{avgduration}\trulelabel=%s{rulelabel}\tdstBytes=%ld{inbytes}\tsrcBytes=%ld{outbytes}\tduration=%d{duration}\tdurationms=%d{durationms}\tnumsessions=%d{numsessions}\n

  3. If JSA does not automatically detect the log source, add a Zscaler NSS log source on the JSA Console. For more information about adding the log source, see Syslog Log Source Parameters for Zscaler NSS.
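The following Python is an added example; it is not part of the Juniper documentation or of any Zscaler or JSA code. It parses syslog lines of the shape the two feed formats above produce (LEEF:1.0 header, tab-separated key=value attributes) and checks a feed format string for the copy/paste damage that silently changes attribute names before the feed ever reaches JSA. The sample lines (WEB_LINE, FW_LINE) and the two templates are constructed to match the formats in the text, not captured NSS output; the function names are the example's own.

```python
"""Parse and sanity-check Zscaler NSS LEEF syslog feeds.

Added example, not Juniper's or Zscaler's code.  The sample lines and
feed templates are constructed to match the feed formats in the text;
they are not captured NSS output.
"""
import re
from typing import Dict, List

# Prefix emitted by the NSS feed templates ahead of the LEEF header:
# "%s{mon} %02d{dd} %02d{hh}:%02d{mm}:%02d{ss} zscaler-nss: "
SYSLOG_PREFIX = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) (?P<dd>\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+): (?P<leef>LEEF:1\.0\|.*)$"
)


def parse_leef(line: str) -> Dict[str, object]:
    """Split one NSS syslog line into LEEF header fields and attributes.

    LEEF:1.0 attributes are tab-separated key=value pairs, so a value may
    contain spaces but never a tab.  A field without '=' (as the bare
    %s{bamd5} field of the Web-log format produces) has no attribute name;
    it is reported under "unkeyed" rather than silently dropped.
    """
    m = SYSLOG_PREFIX.match(line.rstrip("\n"))
    if not m:
        raise ValueError("not a zscaler-nss LEEF:1.0 syslog line")
    parts = m.group("leef").split("|", 5)  # LEEF:1.0|Vendor|Product|Version|EventID|attrs
    if len(parts) != 6:
        raise ValueError("LEEF header is missing fields")
    _, vendor, product, version, event_id, attrs = parts
    attributes: Dict[str, str] = {}
    unkeyed: List[str] = []
    for field in attrs.split("\t"):
        if not field:
            continue
        key, sep, value = field.partition("=")
        if sep:
            attributes[key] = value
        else:
            unkeyed.append(field)
    return {
        "syslog_time": f"{m['mon']} {m['dd']} {m['time']}",
        "vendor": vendor, "product": product, "version": version,
        "event_id": event_id, "attributes": attributes, "unkeyed": unkeyed,
    }


def check_feed_template(template: str) -> List[str]:
    """Report copy/paste damage in an NSS feed format string.

    The template is the text typed into the NSS feed configuration, so the
    separator is the two characters backslash and 't'.  A space next to it
    ends up inside the next attribute name; a space inside "%s {field}" or
    "{in bytes}" splits the %s{field} token the feed format relies on.
    """
    problems: List[str] = []
    if re.search(r" \\t|\\t ", template):
        problems.append("space next to a \\t separator")
    if re.search(r"\\ t", template):
        problems.append("broken separator '\\ t'")
    if re.search(r"%\d*l?[ds] \{", template):
        problems.append("space between % specifier and {field}")
    if re.search(r"\{[A-Za-z]+ [A-Za-z]+\}", template):
        problems.append("space inside a {field} name")
    parts = template.split("|", 5)
    if len(parts) != 6 or not parts[0].endswith("LEEF:1.0"):
        problems.append("header is not LEEF:1.0|Vendor|Product|Version|EventID|")
        return problems
    attrs = parts[5][:-2] if parts[5].endswith("\\n") else parts[5]
    for field in attrs.split("\\t"):  # every attribute must be key=value
        if not re.match(r"^[A-Za-z]+=", field.strip()):
            problems.append(f"attribute without key=: {field.strip()!r}")
    return problems


# Constructed samples in the shape the Web-log and Firewall feeds produce.
WEB_LINE = (
    "Mar 04 10:15:22 zscaler-nss: LEEF:1.0|Zscaler|NSS|4.1|Allowed|cat=Allowed"
    "\tdevTime=Mar 04 2024 10:15:22 GMT\tdevTimeFormat=MMM dd yyyy HH:mm:ss z"
    "\tsrc=10.1.2.3\tdst=93.184.216.34\tusrName=alice@example.com\trole=Engineering"
    "\turlcategory=Business\tthreatname=None\triskscore=0\treqmethod=GET"
    "\trespcode=200\tNone\turl=www.example.com/"
)
FW_LINE = (
    "Mar 04 10:15:23 zscaler-nss: LEEF:1.0|Zscaler|NSS-FW|6.0|Allow|usrName=alice@example.com"
    "\trole=Engineering\trealm=HQ\tsrc=10.1.2.3\tdst=203.0.113.7\tsrcPort=51514"
    "\tdstPort=443\tcat=nss-fw\tproto=TCP\trulelabel=Allow web to internet"
    "\tdstBytes=5120\tsrcBytes=1024\tduration=3\tnumsessions=1\n"
)
# Constructed Firewall templates: one pasted with line-wrap damage, one clean.
BROKEN_TEMPLATE = (
    "%s{mon} %02d{dd} %02d{hh}:%02d{mm}:%02d{ss} zscaler-nss: "
    "LEEF:1.0|Zscaler|NSS-FW|6.0|%s{action}|usrName=%s{login}\\trole=%s{dept} "
    "\\trealm=%s{location}\\tsrc=%s{csip}\\ tdstPort=%d{cdport}\\ttsip=%s {tsip}"
    "\\tdstBytes=%ld{in bytes}\\tnumsessions=%d{numsessions}\\n"
)
CLEAN_TEMPLATE = (
    "%s{mon} %02d{dd} %02d{hh}:%02d{mm}:%02d{ss} zscaler-nss: "
    "LEEF:1.0|Zscaler|NSS-FW|6.0|%s{action}|usrName=%s{login}\\trole=%s{dept}"
    "\\trealm=%s{location}\\tsrc=%s{csip}\\tdstPort=%d{cdport}\\ttsip=%s{tsip}"
    "\\tdstBytes=%ld{inbytes}\\tnumsessions=%d{numsessions}\\n"
)

if __name__ == "__main__":
    for sample in (WEB_LINE, FW_LINE):
        print(parse_leef(sample))
    print("broken:", check_feed_template(BROKEN_TEMPLATE))
    print("clean: ", check_feed_template(CLEAN_TEMPLATE))
```

Run the checker against the exact string pasted into the NSS feed configuration before pointing the feed at JSA; run the parser against a few lines captured from the feed to confirm that the attribute names JSA will see (src, dst, usrName, rulelabel and so on) match the template rather than carrying stray spaces.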