Configure ZIA to send logs to Arctic Wolf — Syslog

You can configure the Zscaler® Internet Access (ZIA) Nanolog Streaming Service (NSS) to forward syslog-formatted messages to Arctic Wolf® for security monitoring.

Note:

This is an optional configuration. Discuss this log forwarding option with your Concierge Security® Team (CST).

You can configure log forwarding for these log types:

  • Firewall
  • DNS
  • Web

These resources are required:

  • An activated Arctic Wolf Sensor or Virtual Log Collector (vLC)
  • An NSS server with a distinct hostname and IP address for each log type that you want to monitor:
    • Web
    • Firewall
    • DNS
  • IBM QRadar LEEF formatted logs
  • An installed and configured NSS virtual appliance to stream web logs from your Zscaler devices

    For more information, see About Nanolog Streaming Service (NSS) and Adding NSS Feeds.

Configure Zscaler NSS to send firewall logs to Arctic Wolf

  1. Sign in to the Zscaler Cloud Portal with administrator permissions.
  2. On the Administration tab, in the Cloud Configuration section, click Nanolog Streaming Service.
  3. Click the NSS Feeds tab.
  4. Click Add NSS Feed.
  5. In the Edit NSS Feed dialog, configure these settings:
    • Feed Name — Enter a descriptive title for the feed. For example, Arctic Wolf Syslog - ZIA Firewall.
    • NSS Type — Select NSS for Firewall.
    • NSS Server — Select the appropriate server.
      Tip: If only one server is available, it is selected by default.
    • Status — Click Enabled.
    • SIEM IP Address — Enter the management IP address of the Arctic Wolf Sensor.
    • SIEM TCP Port — Enter 514.
    • Log Type — Click Firewall Logs.
    • Firewall Log Type — Click Both Session and Aggregate Logs.
    • Feed Output Type — Select Custom.
    • Feed Output Format — Enter this string:
      LOG
      LEEF:1.0|Zscaler|NSS-FW|6.0|%s{action}|usrName=%s{login}\trole=%s{dept}\trealm=%s{location}\tsrc=%s{csip}\tdst=%s{cdip}\tsrcPort=%d{csport}\tdstPort=%d{cdport}\tdstPreNATPort=%d{cdport}\tsrcPreNATPort=%d{csport}\tdstPostNATPort=%d{sdport}\tsrcPostNATPort=%d{ssport}\tsrcPreNAT=%s{csip}\tdstPreNAT=%s{cdip}\tsrcPostNAT=%s{ssip}\tdstPostNAT=%s{sdip}\ttsip=%s{tsip}\ttsport=%d{tsport}\tttype=%s{ttype}\tdnat=%s{dnat}\tstateful=%s{stateful}\taggregate=%s{aggregate}\tnwsvc=%s{nwsvc}\tnwapp=%s{nwapp}\tproto=%s{ipproto}\tipcat=%s{ipcat}\tdestcountry=%s{destcountry}\tavgduration=%ld{avgduration}\trulelabel=%s{rulelabel}\tdstBytes=%ld{inbytes}\tsrcBytes=%ld{outbytes}\tduration=%d{duration}\tdurationms=%d{durationms}\tnumsessions=%d{numsessions}\tthreatcat=%s{threatcat}\tthreatname=%s{threatname}\tipsrulelabel=%s{ipsrulelabel}\taction=%s{action}\tdevicehostname=%s{devicehostname}\trecordid=%d{recordid}\tdevicename=%s{devicename}\tdeviceostype=%s{deviceostype}\n
    • Duplicate Logs — Select Disabled.
    • For the remaining fields, keep the default values. Arctic Wolf recommends that you keep User Obfuscation set to Disabled to allow Arctic Wolf to correlate these events with additional user actions in your environment.
  6. Click Save.
    You have successfully configured your Zscaler NSS to send syslog-formatted messages to your Arctic Wolf Sensor.

Configure Zscaler NSS to send DNS logs to Arctic Wolf

  1. Sign in to the Zscaler Cloud Portal with administrator permissions.
  2. On the Administration tab, in the Cloud Configuration section, click Nanolog Streaming Service.
  3. Click the NSS Feeds tab.
  4. Click Add NSS Feed.
  5. In the Edit NSS Feed dialog, configure these settings:
    • Feed Name — Enter a descriptive title for the feed. For example, Arctic Wolf Syslog - ZIA DNS.
    • NSS Type — Select NSS for Firewall.
    • NSS Server — Select the appropriate server.
      Tip: If only one server is available, it is selected by default.
    • Status — Click Enabled.
    • SIEM IP Address — Enter the management IP address of the Arctic Wolf Sensor.
    • SIEM TCP Port — Enter 514.
    • Log Type — Click DNS Logs.
    • Feed Output Type — Select Custom.
    • Feed Output Format — Enter this string:
      LOG
      LEEF:1.0|Zscaler|NSS-DNS|6.0|%s{reqaction}|usrName=%s{login}\trole=%s{dept}\trealm=%s{location}\treqaction=%s{reqaction}\tresaction=%s{resaction}\tcat=nss-dns\treqrulelabel=%s{reqrulelabel}\tresrulelabel=%s{resrulelabel}\tdnsReqtype=%s{reqtype}\tdnsReq=%s{req}\tdnsResp=%s{res}\tdstPort=%d{sport}\tdurationms=%d{durationms}\tsrc=%s{cip}\tdst=%s{sip}\tcategory=%s{domcat}\tdeviceowner=%s{deviceowner}\tdevicehostname=%s{devicehostname}\treqrulelabel=%s{reqrulelabel}\trecordid=%d{recordid}\n
    • Duplicate Logs — Select Disabled.
    • For the remaining fields, keep the default values. Arctic Wolf recommends that you keep User Obfuscation set to Disabled to allow Arctic Wolf to correlate these events with additional user actions in your environment.
  6. Click Save.
    You have successfully configured your Zscaler NSS to send syslog-formatted messages to your Arctic Wolf Sensor.
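The two custom Feed Output Format strings above (firewall and DNS) make NSS emit one LEEF 1.0 line per event, with each \t in the template written as a real tab and \n ending the event. The Python below is an added example, not code from this guide, Zscaler or Arctic Wolf: it parses such lines and checks that a feed is delivering the fields those templates define; the sample events are constructed by hand from the templates and use documentation IP ranges.

```python
"""Example parser (not Arctic Wolf's or Zscaler's code) for events produced by the
NSS-FW and NSS-DNS custom feed formats above. NSS emits the template's \\t as a real
tab and \\n as the event terminator; the sample events below are constructed by hand."""
from typing import Dict, List, Tuple

# Attribute keys every event from the two templates must carry; a missing one usually
# means the Feed Output Format string was truncated or mis-pasted in the portal.
REQUIRED_KEYS = {
    "NSS-FW": {"usrName", "src", "dst", "srcPort", "dstPort", "rulelabel", "action"},
    "NSS-DNS": {"usrName", "src", "dst", "dnsReq", "dnsResp", "reqaction", "resaction"},
}
SAMPLE_FW = ("LEEF:1.0|Zscaler|NSS-FW|6.0|Allow|usrName=jdoe@example.com\trole=Engineering"
             "\trealm=HQ\tsrc=10.1.2.3\tdst=203.0.113.10\tsrcPort=51234\tdstPort=443"
             "\tproto=TCP\trulelabel=Default Firewall Rule\taction=Allow\n")
SAMPLE_DNS = ("LEEF:1.0|Zscaler|NSS-DNS|6.0|Allow|usrName=jdoe@example.com\trole=Engineering"
              "\trealm=HQ\treqaction=Allow\tresaction=Allow\tcat=nss-dns\treqrulelabel=Default DNS"
              "\tdnsReqtype=A\tdnsReq=www.example.com\tdnsResp=203.0.113.5\tdstPort=53"
              "\tsrc=10.1.2.3\tdst=10.1.0.53\treqrulelabel=Default DNS\n")

def parse_leef(line: str) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Split one LEEF 1.0 line into its five header fields and its attributes."""
    raw = line.rstrip("\n")
    parts = raw.split("|", 5)  # header fields never contain '|' in these templates
    if len(parts) != 6 or parts[0] != "LEEF:1.0":
        raise ValueError("not a LEEF 1.0 event: %r" % raw[:40])
    header = dict(zip(("version", "vendor", "product", "productVersion", "eventId"), parts))
    attrs: Dict[str, str] = {}
    for field in filter(None, parts[5].split("\t")):
        key, sep, value = field.partition("=")  # values may themselves contain '='
        if not sep:
            raise ValueError("attribute without '=': %r" % field)
        attrs[key] = value  # the DNS template repeats reqrulelabel; both copies agree
    return header, attrs

def check_event(line: str) -> List[str]:
    """Return the problems found in one event; an empty list means it looks right."""
    try:
        header, attrs = parse_leef(line)
    except ValueError as exc:
        return [str(exc)]
    required = REQUIRED_KEYS.get(header["product"])
    if required is None:
        return ["unexpected product %r" % header["product"]]
    problems = ["missing %s" % key for key in sorted(required - attrs.keys())]
    if not attrs.get("usrName"):  # without an identity the event cannot be correlated
        problems.append("empty usrName: user identity missing from the feed")
    return problems
```

Feed a captured line from the sensor side into check_event to confirm the pasted template survived the portal intact before raising the ticket described below.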

Configure Zscaler NSS to send web logs to Arctic Wolf

  1. Sign in to the Zscaler Cloud Portal with administrator permissions.
  2. On the Administration tab, in the Cloud Configuration section, click Nanolog Streaming Service.
  3. Click the NSS Feeds tab.
  4. Click Add NSS Feed.
  5. In the Edit NSS Feed dialog, configure these settings:
    • Feed Name — Enter a descriptive title for the feed. For example, Arctic Wolf Syslog - ZIA Web.
    • NSS Server — Select the appropriate server.
      Tip: If only one server is available, it is selected by default.
    • Status — Click Enabled.
    • SIEM IP Address — Enter the management IP address of the Arctic Wolf Sensor.
    • SIEM TCP Port — Enter 514.
    • Log Type — Click Web Log.
    • Feed Output Type — Select QRadar LEEF.

      The Feed Output Format is populated with the appropriate string.

    • For the remaining fields, keep the default values. Arctic Wolf recommends that you keep User Obfuscation set to Disabled to allow Arctic Wolf to correlate these events with additional user actions in your environment.
  6. Click Save.
    You have successfully configured your Zscaler NSS to send syslog-formatted messages to your Arctic Wolf Sensor.

Provide configuration information to Arctic Wolf

  1. Sign in to the Arctic Wolf Unified Portal.
  2. In the navigation menu, click Tickets & Alerts > All Tickets.
  3. Perform the appropriate action, depending on whether you are:
    • A new customer — In the Ticket Type list, select Onboarding. Then, click the existing [Deploy] Site Config: <ticket_subject> ticket.
    • An existing customer — Click Open a New Ticket.
  4. On the Open a New Ticket page, configure these settings:
    • What is this ticket related to? — Select General request.
    • Subject — Enter Syslog changes.
    • Related ticket (optional) — Keep empty.
    • Message — Enter this information for your Concierge Security® Team (CST):
      • Confirmation that you completed the steps in this configuration guide.
      • The IP address or hostname of the Arctic Wolf Sensor that you used during the configuration.
      • The IP address, timezone, and device type for all sources that you are forwarding.
      • Questions or comments that you have.
  5. Click Send Message.

    Your CST reviews the details to make sure that Arctic Wolf is successfully processing the logs.