You must configure a Cloud NSS feed for all web and firewall log types. Repeat this procedure to create a Cloud NSS feed for admin audit, web log, and firewall logs.
Note: You must use the same webhook URL and webhook token for each Cloud NSS feed that you configure.
- Sign in to the Zscaler Cloud Portal.
- On the Administration tab, in the Cloud Configuration section, click Nanolog Streaming Service.
- Click the Cloud NSS Feeds tab.
- Click Add Cloud NSS Feed.
- In the General section, configure these settings:
  - Feed Name — Enter a unique and descriptive name for the feed.
  - NSS Type — Select the NSS type for the feed that you are configuring. For example, select NSS for Web or NSS for Firewall.
  - Status — Select Enabled.
  - SIEM Rate — Select Unlimited.
- In the SIEM Connectivity section, configure these settings:
  - SIEM Type — Select Other.
  - OAuth 2.0 Authentication — Make sure that the toggle is in the off position.
  - Max Batch Size — Make sure that the value is 512 KB.
  - API URL — Enter the webhook URL from Get the webhook token and URL.
  - Key 1 — Enter Authorization.
  - Value 1 — Enter the webhook token from Get the webhook token and URL, in the format Bearer <token>.
- In the Formatting section, configure these settings:
  - Log Type — Select the log type for the feed that you are configuring. For example, select Admin Audit, Web Log, or Firewall Logs.
  - Feed Output Type — Select JSON.
  - JSON Array Notation — Make sure that the toggle is in the on position.
  - Feed Escape Character — Make sure that ,\" displays in the field.
- Click Save.
- Next to the feed that you just created, click the cloud icon.
  A message should display: Test Connectivity Successful : OK (200).
  Note: If an error message displays, make sure that the Cloud NSS feed configuration settings are accurate. If you cannot resolve the error, take a screenshot and notify your Concierge Security® Team (CST).
- Repeat this procedure for each log type.
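
When a feed fails the connectivity test, it helps to see what a receiver could check against the settings above. The following is an added example, not Zscaler or vendor code: it checks one received batch for the Authorization header in the form Bearer <token>, the 512 KB batch limit, and a JSON array body. The function name `check_delivery`, the sample token, and the sample record are constructed for illustration, and the page does not state what the real webhook validates.

```python
import hmac
import json

MAX_BATCH_BYTES = 512 * 1024  # Max Batch Size from the SIEM Connectivity section


def check_delivery(headers, body, expected_token):
    """Return a list of problems with one received batch; empty means it matches."""
    problems = []
    # HTTP header names are case-insensitive, so normalise before lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    auth = lowered.get("authorization")
    if auth is None:
        problems.append("missing Authorization header (Key 1)")
    else:
        scheme, _, token = auth.partition(" ")
        if scheme != "Bearer" or not token:
            problems.append("Value 1 is not in the form 'Bearer <token>'")
        elif not hmac.compare_digest(token.encode(), expected_token.encode()):
            # Constant-time comparison avoids leaking the token through timing.
            problems.append("token does not match the webhook token")
    if len(body) > MAX_BATCH_BYTES:
        problems.append("batch exceeds 512 KB")
    try:
        records = json.loads(body)
    except ValueError:  # covers JSONDecodeError and invalid UTF-8
        problems.append("body does not parse as a single JSON document")
        return problems
    if not isinstance(records, list):
        problems.append("body is not a JSON array (check JSON Array Notation)")
    elif not all(isinstance(r, dict) for r in records):
        problems.append("array contains non-object records")
    return problems


if __name__ == "__main__":
    # Constructed sample values; not a real token or real Zscaler log output.
    token = "example-token-not-real"
    sample_body = b'[{"log": "web", "action": "Allowed"}]'
    print(check_delivery({"Authorization": "Bearer " + token}, sample_body, token))
    print(check_delivery({"Authorization": token}, sample_body, token))
```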