Zscaler Internet Access (ZIA)
This guide describes the steps required to configure Zscaler Internet Access Nanolog Streaming Service (NSS) to send logs to a Samurai Local Collector deployed on your network. The NSS requires access to the Local Collector via syslog on port 514/TCP.
1) From Zscaler Internet Access Portal:
- Adding NSS Server
- Adding NSS Feeds for Web Logs
- Adding NSS Feeds for Firewall Logs
- Adding NSS Feeds for DNS Logs
Adding NSS Server
Follow the steps outlined in the ZIA documentation. If you already have an NSS server you want to use, skip this section.
There are two types of NSS server: NSS for Web (streams web and mobile traffic logs) and NSS for Firewall (streams logs from the Zscaler next-generation firewall).
Use the following parameters when completing the steps:
Field Name | Parameter |
---|---|
Name | Whatever you want, however we suggest: NTT Monitoring |
Type | NSS for Web / NSS for Firewall |
Table 1: NSS Server
Adding NSS Feeds for Web Logs
Follow the steps outlined in the ZIA documentation.
Use the following parameters when completing the steps:
Field Name | Parameter |
---|---|
Feed Name | Whatever you want, however we suggest: NTT-Web |
NSS Type | Select your NSS Server created in Adding NSS Server or the existing server |
SIEM Destination Type | IP Address |
SIEM IP Address | IP address of your Samurai Local Collector |
Log Type | Web Log |
Feed Output Type | Custom |
Feed Output Format | Use the custom format shown below this table |
Timezone | GMT |
Duplicate Logs | Disabled |
Table 2: NSS Feeds Web
Paste the following as the custom Feed Output Format (note that the quotes must be straight double quotes, not typographic ones, or the emitted records will not be valid JSON):
```json
{ "sourcetype" : "zscalernss-web", "event" : {"datetime":"%d{yy}-%02d{mth}-%02d{dd} %02d{hh}:%02d{mm}:%02d{ss}",
"reason":"%s{reason}","event_id":"%d{recordid}","protocol":"%s{proto}","action":"%s{action}",
"transactionsize":"%d{totalsize}","responsesize":"%d{respsize}","requestsize":"%d{reqsize}",
"urlcategory":"%s{urlcat}","serverip":"%s{sip}","clienttranstime":"%d{ctime}","requestmethod":"%s{reqmethod}",
"refererURL":"%s{ereferer}","useragent":"%s{eua}","product":"NSS","location":"%s{elocation}",
"ClientIP":"%s{cip}","status":"%s{respcode}","user":"%s{elogin}","url":"%s{eurl}","vendor":"Zscaler",
"hostname":"%s{ehost}","clientpublicIP":"%s{cintip}","threatcategory":"%s{malwarecat}",
"threatname":"%s{threatname}","filetype":"%s{filetype}","appname":"%s{appname}","pagerisk":"%d{riskscore}",
"department":"%s{edepartment}","urlsupercategory":"%s{urlsupercat}","appclass":"%s{appclass}",
"dlpengine":"%s{dlpeng}","urlclass":"%s{urlclass}","threatclass":"%s{malwareclass}",
"dlpdictionaries":"%s{dlpdict}","fileclass":"%s{fileclass}","bwthrottle":"%s{bwthrottle}",
"servertranstime":"%d{stime}","contenttype":"%s{contenttype}","unscannabletype":"%s{unscannabletype}",
"deviceowner":"%s{deviceowner}","devicehostname":"%s{devicehostname}",
"upload_filetype":"%s{upload_filetype}","upload_filename":"%s{upload_filename}"}}
```
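As an added example (not part of this guide or of Samurai's own collector code), the following Python parses one syslog line carrying the JSON that the custom web feed format above produces, checks the `sourcetype`, reports which of the 44 expected `event` fields the feed did not emit, and converts the `datetime` field (GMT, per the feed settings) into a timezone-aware timestamp. The syslog line, its PRI header and all field values are constructed for illustration.

```python
import json
from datetime import datetime, timezone

# Keys inside "event" that the custom Feed Output Format above emits.
EXPECTED_KEYS = frozenset({
    "datetime", "reason", "event_id", "protocol", "action", "transactionsize",
    "responsesize", "requestsize", "urlcategory", "serverip", "clienttranstime",
    "requestmethod", "refererURL", "useragent", "product", "location", "ClientIP",
    "status", "user", "url", "vendor", "hostname", "clientpublicIP",
    "threatcategory", "threatname", "filetype", "appname", "pagerisk",
    "department", "urlsupercategory", "appclass", "dlpengine", "urlclass",
    "threatclass", "dlpdictionaries", "fileclass", "bwthrottle",
    "servertranstime", "contenttype", "unscannabletype", "deviceowner",
    "devicehostname", "upload_filetype", "upload_filename",
})

# Constructed sample of one line as received on 514/TCP (values are made up).
# Only ten event fields are included so the completeness check has something
# to report; a syslog header, if present, is skipped by locating the first "{".
SAMPLE_LINE = (
    '<14>Jun  1 12:34:56 zscaler-nss {"sourcetype":"zscalernss-web","event":{'
    '"datetime":"24-06-01 12:34:56","reason":"Allowed","event_id":"1001",'
    '"protocol":"HTTPS","action":"Allowed","ClientIP":"10.0.0.25",'
    '"user":"jdoe@example.com","url":"example.com/index.html",'
    '"threatcategory":"None","threatname":"None"}}'
)


def parse_nss_web(line):
    """Return (event, missing, timestamp) for one NSS web-log syslog line.

    event: the "event" object; missing: EXPECTED_KEYS the feed did not emit
    (empty when the format is complete); timestamp: "datetime" parsed as UTC.
    """
    start = line.find("{")
    if start < 0:
        raise ValueError("no JSON payload in syslog line")
    doc = json.loads(line[start:])
    if doc.get("sourcetype") != "zscalernss-web":
        raise ValueError("unexpected sourcetype: %r" % doc.get("sourcetype"))
    event = doc["event"]
    missing = EXPECTED_KEYS - set(event)
    # "%d{yy}-%02d{mth}-%02d{dd} %02d{hh}:%02d{mm}:%02d{ss}" -> yy-mm-dd HH:MM:SS
    ts = datetime.strptime(event["datetime"], "%y-%m-%d %H:%M:%S")
    return event, missing, ts.replace(tzinfo=timezone.utc)


if __name__ == "__main__":
    event, missing, ts = parse_nss_web(SAMPLE_LINE)
    print(ts.isoformat(), event["user"], event["url"])
    print("fields not emitted by feed:", sorted(missing))
```

Running it against a real record from the collector should report an empty `missing` set; any field listed there points at a feed format that was not pasted exactly as shown.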
Adding NSS Feeds for Firewall Logs
Follow the steps outlined in the ZIA documentation.
Use the following parameters when completing the steps:
Field Name | Parameter |
---|---|
Feed Name | Whatever you want, however we suggest: NTT-FW |
NSS Type | NSS for Firewall |
NSS Server | Select your NSS Server created in Adding NSS Server or the existing server |
SIEM Destination Type | IP Address |
SIEM IP Address | IP address of your Samurai Local Collector |
SIEM TCP Port | 514 |
Log Type | Firewall Logs |
Feed Output Type | JSON |
Timezone | GMT |
Duplicate Logs | Disabled |
Table 3: NSS Feeds Firewall
Adding NSS Feeds for DNS Logs
Follow the steps outlined in the ZIA documentation.
Use the following parameters when completing the steps:
Field Name | Parameter |
---|---|
Feed Name | Whatever you want, however we suggest: NTT-DNS |
NSS Type | NSS for Firewall |
NSS Server | Select your NSS Server created in Adding NSS Server or the existing server |
SIEM Destination Type | IP Address |
SIEM IP Address | IP address of your Samurai Local Collector |
SIEM TCP Port | 514 |
Log Type | DNS Logs |
Feed Output Type | JSON |
Timezone | GMT |
Duplicate Logs | Disabled |
Table 4: NSS Feeds DNS
For integrations that use a Local Collector where we ingest syslog only, you do not need to follow specific steps in the Samurai MDR portal, as we auto-detect the vendor and product. The only reason you need to use the Samurai MDR portal is to determine the Local Collector IP address. Of course you will still need to ensure the integration is functioning! See Integrations for more information on checking status.
Our Integration guide was accurate at the time of writing but vendors change things frequently! If you find errors or anything is outdated, let us know by raising a request in the Samurai MDR application and we shall get it updated.