Zscaler Internet Access (ZIA)


This guide describes the steps required to configure Zscaler Internet Access Nanolog Streaming Service (NSS) to send logs to a Samurai Local Collector deployed on your network. The NSS requires access to the Local Collector via syslog on port 514/TCP. 

1) From Zscaler Internet Access Portal:

Adding NSS Server

Follow the steps outlined in the ZIA documentation. If you already have an NSS server you want to use, skip this section.

Note: there are two types of NSS servers, NSS for Web (streams web and mobile traffic logs) and NSS for Firewall (streams logs from the Zscaler next-generation firewall).

Use the following parameters when completing the steps:

Field Name | Parameter
Name       | Whatever you want, however we suggest: NTT Monitoring
Type       | NSS for Web / NSS for Firewall

Table 1: NSS Server

Adding NSS Feeds for Web Logs

Follow the steps outlined in the ZIA documentation.

Use the following parameters when completing the steps:

Field Name            | Parameter
Feed Name             | Whatever you want, however we suggest: NTT-Web
NSS Type              | Select your NSS Server created in Adding NSS Server or the existing server
SIEM Destination Type | IP Address
SIEM IP Address       | IP address of your Samurai Local Collector
Log Type              | Web Log
Feed Output Type      | Custom
Feed Output Format    | The custom JSON format below (copy it exactly, using straight ASCII quotes)
Timezone              | GMT
Duplicate Logs        | Disabled

```json
{ "sourcetype" : "zscalernss-web", "event" : {"datetime":"%d{yy}-%02d{mth}-%02d{dd} %02d{hh}:%02d{mm}:%02d{ss}",
"reason":"%s{reason}","event_id":"%d{recordid}","protocol":"%s{proto}","action":"%s{action}",
"transactionsize":"%d{totalsize}","responsesize":"%d{respsize}","requestsize":"%d{reqsize}",
"urlcategory":"%s{urlcat}","serverip":"%s{sip}","clienttranstime":"%d{ctime}","requestmethod":"%s{reqmethod}",
"refererURL":"%s{ereferer}","useragent":"%s{eua}","product":"NSS","location":"%s{elocation}",
"ClientIP":"%s{cip}","status":"%s{respcode}","user":"%s{elogin}","url":"%s{eurl}","vendor":"Zscaler",
"hostname":"%s{ehost}","clientpublicIP":"%s{cintip}","threatcategory":"%s{malwarecat}",
"threatname":"%s{threatname}","filetype":"%s{filetype}","appname":"%s{appname}","pagerisk":"%d{riskscore}",
"department":"%s{edepartment}","urlsupercategory":"%s{urlsupercat}","appclass":"%s{appclass}",
"dlpengine":"%s{dlpeng}","urlclass":"%s{urlclass}","threatclass":"%s{malwareclass}",
"dlpdictionaries":"%s{dlpdict}","fileclass":"%s{fileclass}","bwthrottle":"%s{bwthrottle}",
"servertranstime":"%d{stime}","contenttype":"%s{contenttype}","unscannabletype":"%s{unscannabletype}",
"deviceowner":"%s{deviceowner}","devicehostname":"%s{devicehostname}",
"upload_filetype":"%s{upload_filetype}","upload_filename":"%s{upload_filename}"}}
```

Table 2: NSS Feeds Web
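As an added check on the collector side (example code written for this guide, not part of the Samurai product or Zscaler's tooling), the script below reads the Table 2 Feed Output Format, works out which event keys NSS will emit and whether each is a numeric (%d) field, a string (%s) field or a fixed literal, and then compares one received syslog line against that expectation, reporting missing keys, unexpected keys and values of the wrong kind. The syslog header, host name and every field value in the sample line are constructed for illustration.

```python
import json
import re

# Feed Output Format from Table 2 (straight quotes, as NSS requires), packed into one string.
NSS_WEB_TEMPLATE = (
    '{ "sourcetype" : "zscalernss-web", "event" : {"datetime":"%d{yy}-%02d{mth}-%02d{dd} %02d{hh}:%02d{mm}:%02d{ss}",'
    '"reason":"%s{reason}","event_id":"%d{recordid}","protocol":"%s{proto}","action":"%s{action}",'
    '"transactionsize":"%d{totalsize}","responsesize":"%d{respsize}","requestsize":"%d{reqsize}",'
    '"urlcategory":"%s{urlcat}","serverip":"%s{sip}","clienttranstime":"%d{ctime}","requestmethod":"%s{reqmethod}",'
    '"refererURL":"%s{ereferer}","useragent":"%s{eua}","product":"NSS","location":"%s{elocation}",'
    '"ClientIP":"%s{cip}","status":"%s{respcode}","user":"%s{elogin}","url":"%s{eurl}","vendor":"Zscaler",'
    '"hostname":"%s{ehost}","clientpublicIP":"%s{cintip}","threatcategory":"%s{malwarecat}",'
    '"threatname":"%s{threatname}","filetype":"%s{filetype}","appname":"%s{appname}","pagerisk":"%d{riskscore}",'
    '"department":"%s{edepartment}","urlsupercategory":"%s{urlsupercat}","appclass":"%s{appclass}",'
    '"dlpengine":"%s{dlpeng}","urlclass":"%s{urlclass}","threatclass":"%s{malwareclass}",'
    '"dlpdictionaries":"%s{dlpdict}","fileclass":"%s{fileclass}","bwthrottle":"%s{bwthrottle}",'
    '"servertranstime":"%d{stime}","contenttype":"%s{contenttype}","unscannabletype":"%s{unscannabletype}",'
    '"deviceowner":"%s{deviceowner}","devicehostname":"%s{devicehostname}",'
    '"upload_filetype":"%s{upload_filetype}","upload_filename":"%s{upload_filename}"}}'
)

def template_fields(template):
    """Map each event key to the kind of value NSS will emit: 'int' for a bare %d{...}
    field, 'str' for %s{...} or composite fields, otherwise the literal constant itself."""
    event_part = template[template.index('"event"'):]  # skip the fixed sourcetype wrapper
    kinds = {}
    for key, fmt in re.findall(r'"(\w+)":"([^"]*)"', event_part):
        kinds[key] = "int" if re.fullmatch(r"%d\{\w+\}", fmt) else "str" if "%" in fmt else fmt
    return kinds

def validate_event(line, kinds):
    """Check one syslog line received by the collector against the template's keys and kinds."""
    payload = json.loads(line[line.index("{"):])  # drop the syslog header in front of the JSON
    event = payload.get("event", {})
    bad = [k for k, kind in kinds.items() if k in event and
           ((kind == "int" and not str(event[k]).lstrip("-").isdigit()) or
            (kind not in ("int", "str") and event[k] != kind))]
    return {"sourcetype_ok": payload.get("sourcetype") == "zscalernss-web",
            "missing": sorted(set(kinds) - set(event)),      # keys the feed should carry but did not
            "unexpected": sorted(set(event) - set(kinds)),   # keys not in the configured format
            "bad_values": bad}                               # numeric or literal fields with odd values

# Constructed sample line as the collector would receive it over syslog (not real traffic).
SAMPLE_LINE = ('<134>Jun 14 10:15:32 zia-nss { "sourcetype" : "zscalernss-web", "event" : {"datetime":"2024-06-14 10:15:32",'
               '"reason":"Allowed","event_id":"123456","protocol":"HTTPS","action":"Allowed","transactionsize":"5120",'
               '"pagerisk":"high","product":"NSS","ClientIP":"10.0.0.25","user":"alice@example.com",'
               '"url":"www.example.com/","vendor":"Zscaler","extra":"x"}}')

if __name__ == "__main__":
    print(json.dumps(validate_event(SAMPLE_LINE, template_fields(NSS_WEB_TEMPLATE)), indent=2))
```

Run it against a few lines captured on the Local Collector after enabling the feed; a long "missing" list usually means the Feed Output Format was pasted with fields dropped, and entries in "bad_values" point at a format field whose placeholder type does not match what NSS sends.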

Adding NSS Feeds for Firewall Logs

Follow the steps outlined in the ZIA documentation.

Use the following parameters when completing the steps:

Field Name            | Parameter
Feed Name             | Whatever you want, however we suggest: NTT-FW
NSS Type              | NSS for Firewall
NSS Server            | Select your NSS Server created in Adding NSS Server or the existing server
SIEM Destination Type | IP Address
SIEM IP Address       | IP address of your Samurai Local Collector
SIEM TCP Port         | 514
Log Type              | Firewall Logs
Feed Output Type      | JSON
Timezone              | GMT
Duplicate Logs        | Disabled

Table 3: NSS Feeds Firewall

Adding NSS Feeds for DNS Logs

Follow the steps outlined in the ZIA documentation.

Use the following parameters when completing the steps:

Field Name            | Parameter
Feed Name             | Whatever you want, however we suggest: NTT-DNS
NSS Type              | NSS for Firewall
NSS Server            | Select your NSS Server created in Adding NSS Server or the existing server
SIEM Destination Type | IP Address
SIEM IP Address       | IP address of your Samurai Local Collector
SIEM TCP Port         | 514
Log Type              | DNS Logs
Feed Output Type      | JSON
Timezone              | GMT
Duplicate Logs        | Disabled

Table 4: NSS Feeds DNS

For integrations that use a Local Collector where we ingest syslog only, you do not need to follow specific steps in the Samurai MDR portal, as we auto-detect the vendor and product. The only reason you need to use the Samurai MDR portal is to determine the Local Collector IP address. Of course you will still need to ensure the integration is functioning! See Integrations for more information on checking status.

Our Integration guide was accurate at the time of writing but vendors change things frequently! If you find errors or anything is outdated, let us know by raising a request in the Samurai MDR application and we shall get it updated.