Configuring Zscaler Private Access to Send Events to JSA
To send events to JSA, you must redirect the log stream for Zscaler Private Access. IBM supports user status, app connector status, and audit log types for Zscaler Private Access devices.
For more information about redirecting the log stream, see your Zscaler documentation about the Log Streaming Service.
- To use the User Status log type, see your Zscaler documentation About User Status Log Fields.
  When you configure a Syslog format, use the following LEEF output log format for User Status logs:
  <166>%s{LogTimestamp:time} zpa-lss LEEF:1.0|Zscaler|ZPA|4.1|%s{SessionStatus}|cat=ZPA User Status\tCustomer=%s{Customer}\tusrName=%s{Username}\tSessionID=%s{SessionID}\tSessionStatus=%s{SessionStatus}\tVersion=%s{Version}\tZEN=%s{ZEN}\tCertificateCN=%s{CertificateCN}\tsrcPreNAT=%s{PrivateIP}\tsrc=%s{PublicIP}\tLatitude=%f{Latitude}\tLongitude=%f{Longitude}\tCountryCode=%s{CountryCode}\tTimestampAuthentication:iso8601=%s{TimestampAuthentication:iso8601}\tTimestampUnAuthentication:iso8601=%s{TimestampUnAuthentication:iso8601}\tdstBytes=%d{TotalBytesRx}\tsrcBytes=%d{TotalBytesTx}\tIdp=%s{Idp}\tidentHostName=%s{Hostname}\tPlatform=%s{Platform}\tClientType=%s{ClientType}\tTrustedNetworks=%s(,){TrustedNetworks}\tTrustedNetworksNames=%s(,){TrustedNetworksNames}\tSAMLAttributes=%s{SAMLAttributes}\tPosturesHit=%s(,){PosturesHit}\tPosturesMiss=%s(,){PosturesMiss}\tZENLatitude=%f{ZENLatitude}\tZENLongitude=%f{ZENLongitude}\tZENCountryCode=%s{ZENCountryCode}\n
- To use the App Connector Status log type, see your Zscaler documentation About App Connector Status Log Fields.
  When you configure a Syslog format, use the following LEEF output log format for App Connector Status logs:
  <166>%s{LogTimestamp:time} zpa-lss LEEF:1.0|Zscaler|ZPA|4.1|%s{SessionStatus}|cat=Connector Status\tCustomer=%s{Customer}\tSessionID=%s{SessionID}\tSessionType=%s{SessionType}\tVersion=%s{Version}\tPlatform=%s{Platform}\tZEN=%s{ZEN}\tConnector=%s{Connector}\tConnectorGroup=%s{ConnectorGroup}\tsrcPreNAT=%s{PrivateIP}\tsrc=%s{PublicIP}\tLatitude=%f{Latitude}\tLongitude=%f{Longitude}\tCountryCode=%s{CountryCode}\tTimestampAuthentication:iso8601=%s{TimestampAuthentication:iso8601}\tTimestampUnAuthentication:iso8601=%s{TimestampUnAuthentication:iso8601}\tCPUUtilization=%d{CPUUtilization}\tMemUtilization=%d{MemUtilization}\tServiceCount=%d{ServiceCount}\tInterfaceDefRoute=%s{InterfaceDefRoute}\tDefRouteGW=%s{DefRouteGW}\tPrimaryDNSResolver=%s{PrimaryDNSResolver}\tHostUpTime=%s{HostUpTime}\tConnectorUpTime=%s{ConnectorUpTime}\tNumOfInterfaces=%d{NumOfInterfaces}\tBytesRxInterface=%d{BytesRxInterface}\tPacketsRxInterface=%d{PacketsRxInterface}\tErrorsRxInterface=%d{ErrorsRxInterface}\tDiscardsRxInterface=%d{DiscardsRxInterface}\tBytesTxInterface=%d{BytesTxInterface}\tPacketsTxInterface=%d{PacketsTxInterface}\tErrorsTxInterface=%d{ErrorsTxInterface}\tDiscardsTxInterface=%d{DiscardsTxInterface}\tTotalBytesRx=%d{TotalBytesRx}\tTotalBytesTx=%d{TotalBytesTx}\n
- To use the Audit log type, see your Zscaler documentation About Audit Log Fields.
  When you configure a Syslog format, use the following LEEF output log format for Audit logs:
  <166>%s{modifiedTime:iso8601} zpa-lss LEEF:1.0|Zscaler|ZPA|4.1|%s{auditOperationType}|cat=ZPA_Audit_Log\tcreationTime=%s{creationTime:iso8601}\trequestId=%s{requestId}\tsessionId=%s{sessionId}\tauditOldValue=%s{auditOldValue}\tauditNewValue=%s{auditNewValue}\tauditOperationType=%s{auditOperationType}\tobjectType=%s{objectType}\tobjectName=%s{objectName}\tobjectId=%d{objectId}\taccountName=%d{customerId}\tusrName=%s{modifiedByUser}\n
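As an added example (not code from the IBM, JSA or Zscaler documentation), the following Python renders a shortened User Status template written in the directive syntax shown above and parses the resulting LEEF line back into its header fields and tab-delimited attributes, which is a quick offline check that a template yields events JSA can parse before the live log stream is redirected. It assumes the directive semantics (%d and %f formatting, %s(,) list joining, :time and :iso8601 timestamp rendering) and uses constructed sample values.

```python
"""Render a Zscaler LSS-style LEEF template and parse the output back.
Added example (not IBM/JSA or Zscaler code). Assumed directive semantics:
%s/%d/%f{Field}, %s(,){List} joins with ',', ':time'/':iso8601' pick the
timestamp rendering. All event values below are constructed sample data.
"""
import re
from datetime import datetime, timezone

# Shortened User Status template in the page's syntax (assumed subset).
USER_STATUS_TEMPLATE = (
    "<166>%s{LogTimestamp:time} zpa-lss LEEF:1.0|Zscaler|ZPA|4.1|%s{SessionStatus}|"
    "cat=ZPA User Status\\tCustomer=%s{Customer}\\tusrName=%s{Username}"
    "\\tSessionID=%s{SessionID}\\tsrc=%s{PublicIP}\\tdstBytes=%d{TotalBytesRx}"
    "\\tLatitude=%f{Latitude}\\tTrustedNetworks=%s(,){TrustedNetworks}\\n"
)
DIRECTIVE = re.compile(r"%([sdf])(?:\(([^)]*)\))?\{(\w+)(?::(\w+))?\}")

def render(template, event):
    """Substitute each directive with the event value, then unescape \\t and \\n."""
    def sub(m):
        conv, sep, field, fmt = m.groups()
        value = event[field]
        if fmt == "iso8601":
            value = value.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
        elif fmt == "time":
            value = value.strftime("%b %d %H:%M:%S")
        if sep is not None:  # %s(,){List}: join the list with the separator
            value = sep.join(str(v) for v in value)
        if conv == "d":
            return str(int(value))
        if conv == "f":
            return f"{float(value):.6f}"  # assumed precision
        return str(value)
    return DIRECTIVE.sub(sub, template).replace("\\t", "\t").replace("\\n", "\n")

def parse_leef(line):
    """Split a LEEF:1.0 syslog line into header fields and tab-delimited attributes."""
    prefix, leef = line.rstrip("\n").split("LEEF:1.0|", 1)
    vendor, product, version, event_id, attrs = leef.split("|", 4)
    fields = dict(kv.partition("=")[::2] for kv in attrs.split("\t") if kv)
    return {"pri": prefix[1:prefix.index(">")], "vendor": vendor, "product": product,
            "version": version, "event_id": event_id, "attrs": fields}

SAMPLE_EVENT = {  # constructed values
    "LogTimestamp": datetime(2024, 1, 15, 9, 30, tzinfo=timezone.utc),
    "SessionStatus": "ZPN_STATUS_AUTHENTICATED", "Customer": "Example Corp",
    "Username": "alice@example.com", "SessionID": "abc123", "PublicIP": "203.0.113.7",
    "TotalBytesRx": 4096, "Latitude": 37.7749, "TrustedNetworks": ["corp-hq", "corp-lab"],
}
```

Calling `parse_leef(render(USER_STATUS_TEMPLATE, SAMPLE_EVENT))` returns the event ID ZPN_STATUS_AUTHENTICATED plus a dictionary keyed by the LEEF attribute names (cat, usrName, src, dstBytes, ...), so a mismatch between the template's keys and what JSA expects shows up before any traffic is sent.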