Zscaler Nanolog Streaming Service
The JSA DSM for Zscaler Nanolog Streaming Service (Zscaler NSS) collects Syslog events from either Web logs or Firewall logs.
To integrate Zscaler Streaming Service with JSA, complete the following steps:
If automatic updates are not enabled, download and install the most recent version of RPM from the https://support.juniper.net/support/downloads/ onto your JSA console.
DSM Common RPM
Zscaler NSS DSM RPM
-
Configure your AZscaler NSS device to to send events to JSA.
Note:When you configure your Zscaler NSS device, JSA supports the following feeds:
-
Firewall logs. For more information about Firewall logs, see Adding NSS Feeds for Firewall logs.
-
Web logs. For more information about Web logs, see Adding NSS Feeds for Web Logs.
Use the following LEEF output feed format for Web logs when you configure a Syslog feed in Zscaler NSS:
%s{mon} %02d{dd} %02d{hh}:%02d{mm}:%02d{ss} zscaler-nss: LEEF:1.0|Zscaler|NSS|4.1| %s{reason}|cat=%s{action}\tdevTime=%s{mon} %02d{dd} %d{yy} %02d{hh}:%02d{mm}:%02d{ss} %s{tz} \tdevTimeFormat=MMM dd yyyy HH:mm:ss z\tsrc=%s{cip}\tdst=%s{sip}\tsrcPostNAT=%s{cintip} \trealm=%s{location}\tusrName=%s{login}\tsrcBytes=%d{reqsize}\tdstBytes=%d{respsize}\trole= %s{dept}\tpolicy=%s{reason}\trecordid=%d{recordid}\tbwthrottle=%s{bwthrottle}\tuseragent= %s{ua}\treferer=%s{ereferer}\thostname=%s{ehost}\tappproto=%s{proto}\turlcategory=%s{urlcat} \turlsupercategory=%s{urlsupercat}\turlclass=%s{urlclass}\tappclass=%s{appclass}\tappname= %s{appname}\tmalwaretype=%s{malwarecat}\tmalwareclass=%s{malwareclass}\tthreatname= %s{threatname}\triskscore=%d{riskscore}\tdlpdict=%s{dlpdict}\tdlpeng=%s{dlpeng}\tfileclass= %s{fileclass}\tfiletype=%s{filetype}\treqmethod=%s{reqmethod}\trespcode=%s{respcode}\t %s{bamd5}\turl=%s{eurl}Use the following LEEF output feed format for Firewall logs when you configure a Syslog feed in Zscaler NSS:
%s{mon} %02d{dd} %02d{hh}:%02d{mm}:%02d{ss} zscaler-nss: LEEF:1.0|Zscaler|NSS-FW|6.0| %s{action}|usrName=%s{login}\trole=%s{dept}\trealm=%s{location}\tsrc=%s{csip}\tdst=%s{cdip} \tsrcPort=%d{csport}\tdstPort=%d{cdport}\tdstPreNATPort=%d{cdport}\tsrcPreNATPort=%d{csport} \tdstPostNATPort=%d{sdport}\tsrcPostNATPort=%d{ssport}\tsrcPreNAT=%s{csip}\tdstPreNAT= %s{cdip}\tsrcPostNAT=%s{ssip}\tdstPostNAT=%s{sdip}\ttsip=%s{tsip}\ttsport=%d{tsport}\tttype= %s{ttype}\tcat=nss-fw\tdnat=%s{dnat}\tstateful=%s{stateful}\taggregate=%s{aggregate}\tnwsvc= %s{nwsvc}\tnwapp=%s{nwapp}\tproto=%s{ipproto}\tipcat=%s{ipcat}\tdestcountry=%s{destcountry} \tavgduration=%ld{avgduration}\trulelabel=%s{rulelabel}\tdstBytes=%ld{inbytes}\tsrcBytes= %ld{outbytes}\tduration=%d{duration}\tdurationms=%d{durationms}\tnumsessions=%d{numsessions} \n -
If JSA does not automatically detect the log source, add a Zscaler NSS log source on the JSA Console. For more information about adding the log source, see Syslog Log Source Parameters for Zscaler NSS .