| Samurai [Local] Collector | Samurai [Cloud] Collector | Samurai [Cloud Native] Collector |
|---|---|---|
 |
Ensure correct network connectivity
You must ensure the following connectivity requirements are fulfilled:
| Source | Destination | Ports | Description |
|---|---|---|---|
| Zscaler NSS Server | Samurai Local Collector | TCP/514 | For log transmission |
Adding NSS Server
Follow the steps outlined in the ZIA documentation. If you use an existing one, skip this section.
Use the following parameters when completing the steps:
| Field Name | Parameter |
|---|---|
| Name | Whatever you want, however we suggest: NTT Monitoring |
| Type | NSS for Web / NSS for Firewall |
Note
There are two types of NSS servers, NSS for Web and NSS for Firewall.Adding NSS Feeds for Web Logs
Follow the steps outlined in the ZIA documentation.
Use the following parameters when completing the steps:
| Field Name | Parameter |
|---|---|
| Feed Name | Whatever you want, however we suggest: NTT-Web |
| NSS Type | Select your NSS Server created in Adding NSS Server or the existing server |
| SIEM Destination Type | IP Address |
| SIEM IP Address | IP address of your Samurai Local Collector |
| Log Type | Web Log |
| Feed Output Type | Custom |
| Feed Output Format | \{ "sourcetype" : "zscalernss-web", "event" : \{"datetime":"%d{yy}-%02d{mth}-%02d{dd} %02d{hh}:%02d{mm}:%02d{ss}","reason":"%s{reason}","event_id":"%d{recordid}","protocol":"%s{proto}","action":"%s{action}","transactionsize":"%d{totalsize}","responsesize":"%d{respsize}","requestsize":"%d{reqsize}","urlcategory":"%s{urlcat}","serverip":"%s{sip}","clienttranstime":"%d{ctime}","requestmethod":"%s{reqmethod}","refererURL":"%s{ereferer}","useragent":"%s{eua}","product":"NSS","location":"%s{elocation}","ClientIP":"%s{cip}","status":"%s{respcode}","user":"%s{elogin}","url":"%s{eurl}","vendor":"Zscaler","hostname":"%s{ehost}","clientpublicIP":"%s{cintip}","threatcategory":"%s{malwarecat}","threatname":"%s{threatname}","filetype":"%s{filetype}","appname":"%s{appname}","pagerisk":"%d{riskscore}","department":"%s{edepartment}","urlsupercategory":"%s{urlsupercat}","appclass":"%s{appclass}","dlpengine":"%s{dlpeng}","urlclass":"%s{urlclass}","threatclass":"%s{malwareclass}","dlpdictionaries":"%s{dlpdict}","fileclass":"%s{fileclass}","bwthrottle":"%s{bwthrottle}","servertranstime":"%d{stime}","contenttype":"%s{contenttype}","unscannabletype":"%s{unscannabletype}","deviceowner":"%s{deviceowner}","devicehostname":"%s{devicehostname}","upload_filetype":"%s{upload_filetype}","upload_filename":"%s{upload_filename}"\}\} |
| Timezone | GMT |
| Duplicate Logs | Disabled |
Adding NSS Feeds for Firewall Logs
Follow the steps outlined in the ZIA documentation.
Use the following parameters when completing the steps:
| Field Name | Parameter |
|---|---|
| Feed Name | Whatever you want, however we suggest: NTT-FW |
| NSS Type | NSS for Firewall |
| NSS Server | Select your NSS Server created in Adding NSS Server or the existing server |
| SIEM Destination Type | IP Address |
| SIEM IP Address | IP address of your Samurai Local Collector |
| SIEM TCP Port | 514 |
| Log Type | Firewall Logs |
| Feed Output Type | JSON |
| Timezone | GMT |
| Duplicate Logs | Disabled |
Adding NSS Feeds for DNS Logs
Follow the steps outlined in the ZIA documentation.
Use the following parameters when completing the steps:
| Field Name | Parameter |
|---|---|
| Feed Name | Whatever you want, however we suggest: NTT-DNS |
| NSS Type | NSS for Firewall |
| NSS Server | Select your NSS Server created in Adding NSS Server or the existing server |
| SIEM Destination Type | IP Address |
| SIEM IP Address | IP address of your Samurai Local Collector |
| SIEM TCP Port | 514 |
| Log Type | DNS Logs |
| Feed Output Type | JSON |
| Timezone | GMT |
| Duplicate Logs | Disabled |
For integrations that utilize a Local Collector where we ingest syslog only, you do not need to follow specific steps in the Samurai MDR portal as we auto detect the vendor and product. The only reason you need to use the Samurai MDR portal is if you need to determine the Local Collector IP address. Of course you will still need to ensure the integration is functioning! See Integrations for more information on checking status.
Our Integration guide was accurate at the time of writing but vendors change things frequently! If you find errors or anything is outdated, let us know by raising a request in the Samurai MDR application and we shall get it updated.