Zscaler ZIA Logs
Updated Aug 31, 2023
Configure Zscaler NSS to send logs to Arctic Wolf
Note: Before starting this procedure, discuss this log forwarding option with your Concierge Security® Team.
Arctic Wolf® can monitor syslog-formatted messages from Zscaler® devices if the Nanolog Streaming Service (NSS) is configured to forward these messages to the Arctic Wolf observation pipeline.
You can configure log forwarding for any of these log types:
- Configure Zscaler NSS to send web logs to Arctic Wolf.
- Configure Zscaler NSS to send firewall logs to Arctic Wolf.
- Configure Zscaler NSS to send DNS logs to Arctic Wolf.
Requirements
- Activated Arctic Wolf Sensor
- An NSS server with a distinct hostname and IP address for each log type that you want to monitor:
  - Web
  - Firewall
  - DNS
- IBM QRadar LEEF formatted logs
- An installed and configured NSS virtual appliance to stream web logs from your Zscaler devices. For more information, see About Nanolog Streaming Service (NSS) and Adding NSS Feeds on the Zscaler support website.
Configure Zscaler NSS to send web logs to Arctic Wolf
- Sign in to the Zscaler NSS web administration interface as an administrator.
- Click Administration > Settings > Nanolog Streaming Service to access the Nanolog Streaming Service page.
- Click the NSS Feeds tab.
- Click Add NSS Feed.
- On the Edit NSS Feed dialog, configure these settings:
  - Feed Name — Enter a descriptive title for the feed. For example, Arctic Wolf Syslog - ZIA Web.
  - NSS Server — Select the appropriate server.
    Tip: If only one server is available, it is selected by default.
  - Status — Click Enabled.
  - SIEM IP Address — Enter the management IP address of the Arctic Wolf Sensor.
  - SIEM TCP Port — Enter 514.
  - Log Type — Click Web Log.
  - Feed Output Type — Select QRadar LEEF. The Feed Output Format is populated with the appropriate string.
  - Leave the remaining fields at their default values. We recommend leaving User Obfuscation set to Disabled so that Arctic Wolf can correlate these events with other user actions in your environment.
- Click Save.
You have successfully configured your Zscaler NSS to send syslog-formatted messages to your Arctic Wolf Sensor.
Configure Zscaler NSS to send firewall logs to Arctic Wolf
- Sign in to the Zscaler NSS web administration interface as an administrator.
- Click Administration > Settings > Nanolog Streaming Service to access the Nanolog Streaming Service page.
- Click the NSS Feeds tab.
- Click Add NSS Feed.
- On the Edit NSS Feed dialog, configure these settings:
  - Feed Name — Enter a descriptive title for the feed. For example, Arctic Wolf Syslog - ZIA Firewall.
  - NSS Type — Select NSS for Firewall.
  - NSS Server — Select the appropriate server.
    Tip: If only one server is available, it is selected by default.
  - Status — Click Enabled.
  - SIEM IP Address — Enter the management IP address of the Arctic Wolf Sensor.
  - SIEM TCP Port — Enter 514.
  - Log Type — Click Firewall Logs.
  - Firewall Log Type — Click Both Session and Aggregate Logs.
  - Feed Output Type — Select Custom.
  - Feed Output Format — Enter this string:
LEEF:1.0|Zscaler|NSS-FW|6.0|%s{action}|usrName=%s{login}\trole=%s{dept}\trealm=%s{location}\tsrc=%s{csip}\tdst=%s{cdip}\tsrcPort=%d{csport}\tdstPort=%d{cdport}\tdstPreNATPort=%d{cdport}\tsrcPreNATPort=%d{csport}\tdstPostNATPort=%d{sdport}\tsrcPostNATPort=%d{ssport}\tsrcPreNAT=%s{csip}\tdstPreNAT=%s{cdip}\tsrcPostNAT=%s{ssip}\tdstPostNAT=%s{sdip}\ttsip=%s{tsip}\ttsport=%d{tsport}\tttype=%s{ttype}\tdnat=%s{dnat}\tstateful=%s{stateful}\taggregate=%s{aggregate}\tnwsvc=%s{nwsvc}\tnwapp=%s{nwapp}\tproto=%s{ipproto}\tipcat=%s{ipcat}\tdestcountry=%s{destcountry}\tavgduration=%ld{avgduration}\trulelabel=%s{rulelabel}\tdstBytes=%ld{inbytes}\tsrcBytes=%ld{outbytes}\tduration=%d{duration}\tdurationms=%d{durationms}\tnumsessions=%d{numsessions}\tthreatcat=%s{threatcat}\tthreatname=%s{threatname}\tipsrulelabel=%s{ipsrulelabel}\taction=%s{action}\tdevicehostname=%s{devicehostname}\trecordid=%d{recordid}\tdevicename=%s{devicename}\tdeviceostype=%s{deviceostype}\n
  - Duplicate Logs — Select Disabled.
  - Leave the remaining fields at their default values. We recommend leaving User Obfuscation set to Disabled so that Arctic Wolf can correlate these events with other user actions in your environment.
- Click Save.
You have successfully configured your Zscaler NSS to send syslog-formatted messages to your Arctic Wolf Sensor.
Configure Zscaler NSS to send DNS logs to Arctic Wolf
- Sign in to the Zscaler NSS web administration interface as an administrator.
- Click Administration > Settings > Nanolog Streaming Service to access the Nanolog Streaming Service page.
- Click the NSS Feeds tab.
- Click Add NSS Feed.
- On the Edit NSS Feed dialog, configure these settings:
  - Feed Name — Enter a descriptive title for the feed. For example, Arctic Wolf Syslog - ZIA DNS.
  - NSS Type — Select NSS for Firewall.
  - NSS Server — Select the appropriate server.
    Tip: If only one server is available, it is selected by default.
  - Status — Click Enabled.
  - SIEM IP Address — Enter the management IP address of the Arctic Wolf Sensor.
  - SIEM TCP Port — Enter 514.
  - Log Type — Click DNS Logs.
  - Feed Output Type — Select Custom.
  - Feed Output Format — Enter this string:
LEEF:1.0|Zscaler|NSS-DNS|6.0|%s{reqaction}|usrName=%s{login}\trole=%s{dept}\trealm=%s{location}\treqaction=%s{reqaction}\tresaction=%s{resaction}\tcat=nss-dns\treqrulelabel=%s{reqrulelabel}\tresrulelabel=%s{resrulelabel}\tdnsReqtype=%s{reqtype}\tdnsReq=%s{req}\tdnsResp=%s{res}\tdstPort=%d{sport}\tdurationms=%d{durationms}\tsrc=%s{cip}\tdst=%s{sip}\tcategory=%s{domcat}\tdeviceowner=%s{deviceowner}\tdevicehostname=%s{devicehostname}\treqrulelabel=%s{reqrulelabel}\trecordid=%d{recordid}\n
  - Duplicate Logs — Select Disabled.
  - Leave the remaining fields at their default values. We recommend leaving User Obfuscation set to Disabled so that Arctic Wolf can correlate these events with other user actions in your environment.
- Click Save.
You have successfully configured your Zscaler NSS to send syslog-formatted messages to your Arctic Wolf Sensor.
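The firewall and DNS feeds above emit LEEF 1.0 records whose attributes are separated by the literal \t in the Feed Output Format string. As an added example (not Arctic Wolf's or Zscaler's code), the Python below parses such a record, extracts the attribute keys a template promises, and reports which keys a received record lacks, so a feed reaching the Sensor can be checked for completeness; the sample record and its values are constructed, and the same functions apply to the firewall template.

```python
# Added example (not Arctic Wolf or Zscaler code): parse LEEF 1.0 records of the
# kind the custom Feed Output Format strings produce and check them against the
# template, so a feed arriving on the Sensor can be confirmed complete.
# DNS Feed Output Format string from the procedure, verbatim, split across lines;
# raw strings keep the literal "\t" that NSS turns into a real tab on output.
DNS_TEMPLATE = (
    r"LEEF:1.0|Zscaler|NSS-DNS|6.0|%s{reqaction}|usrName=%s{login}\trole=%s{dept}"
    r"\trealm=%s{location}\treqaction=%s{reqaction}\tresaction=%s{resaction}\tcat=nss-dns"
    r"\treqrulelabel=%s{reqrulelabel}\tresrulelabel=%s{resrulelabel}\tdnsReqtype=%s{reqtype}"
    r"\tdnsReq=%s{req}\tdnsResp=%s{res}\tdstPort=%d{sport}\tdurationms=%d{durationms}"
    r"\tsrc=%s{cip}\tdst=%s{sip}\tcategory=%s{domcat}\tdeviceowner=%s{deviceowner}"
    r"\tdevicehostname=%s{devicehostname}\treqrulelabel=%s{reqrulelabel}\trecordid=%d{recordid}\n"
)
# Constructed sample: one record as the template would render it, with a syslog
# header in front as it arrives on the Sensor. All values are made up.
SAMPLE_DNS = (
    "<14>Aug 31 12:00:00 nss-dns-01 LEEF:1.0|Zscaler|NSS-DNS|6.0|Allow|"
    "usrName=jdoe@example.com\trole=Engineering\trealm=HQ\treqaction=Allow"
    "\tresaction=Allow\tcat=nss-dns\treqrulelabel=Default\tresrulelabel=Default"
    "\tdnsReqtype=A\tdnsReq=example.com\tdnsResp=203.0.113.10\tdstPort=53"
    "\tdurationms=12\tsrc=10.0.0.5\tdst=198.51.100.2\tcategory=Business"
    "\tdeviceowner=jdoe\tdevicehostname=LAPTOP01\treqrulelabel=Default\trecordid=1001\n"
)

def template_header(template):
    """(vendor, product) declared in a Feed Output Format string."""
    _, vendor, product, _, _, _ = template.split("|", 5)
    return vendor, product

def template_keys(template):
    """Attribute keys the template emits; repeats (reqrulelabel) collapse to one."""
    attrs = template.split("|", 5)[5].removesuffix(r"\n")
    return {kv.split("=", 1)[0] for kv in attrs.split(r"\t")}

def parse_leef(line):
    """Parse one LEEF 1.0 record; tolerates a syslog prefix before 'LEEF:'."""
    body = line[line.index("LEEF:"):].rstrip("\r\n")
    version, vendor, product, prod_ver, event_id, attrs = body.split("|", 5)
    if version != "LEEF:1.0":
        raise ValueError("unexpected LEEF version field: %r" % version)
    attributes = dict(kv.split("=", 1) for kv in attrs.split("\t") if "=" in kv)
    return {"vendor": vendor, "product": product, "product_version": prod_ver,
            "event_id": event_id, "attributes": attributes}

def missing_keys(line, template):
    """Sorted template keys absent from the record; raises if the header differs."""
    rec = parse_leef(line)
    if (rec["vendor"], rec["product"]) != template_header(template):
        raise ValueError("record is not from the %s|%s feed" % template_header(template))
    return sorted(template_keys(template) - rec["attributes"].keys())
```

For the firewall feed, paste the NSS-FW Feed Output Format string into a second template constant in the same way; `missing_keys` then reports any attribute the firewall records fail to carry.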
Next steps
Contact your Concierge Security® Team to inform them that you have configured syslog forwarding, and to validate that the logs are being ingested appropriately. Include the following information:
- Confirmation that you have completed the steps in this configuration guide.
- The IP address you used during the configuration.
- Any other questions or comments that you have.