Zscaler ZIA Logs

Configuration Guide

Updated Jan 27, 2023

Zscaler ZIA Logs

Overview Direct link to this section

Note: Before starting this procedure, discuss this log forwarding option with your Concierge Security® Team.

This document describes how to configure the Nanolog Streaming Service (NSS) to send syslog-formatted messages from Zscaler devices to your Arctic Wolf® Sensor. Arctic Wolf supports the QRadar LEEF feed output type. This process configures web logs, firewall logs, and DNS logs.

Before you begin Direct link to this section

Before you begin, you must have the NSS virtual appliance installed and configured to stream web logs from your Zscaler device(s). For more information, see About Nanolog Streaming Service (NSS) and Adding NSS Feeds on the Zscaler support website.

Configure Zscaler NSS for web logs Direct link to this section

  1. Access your ZScaler NSS web administration interface and sign in with administrator credentials.

  2. Select Administration > Settings > Nanolog Streaming Service to access the Nanolog Streaming Service page.

  3. Select the NSS Feeds tab and then click Add NSS Feed.

  4. Create a new NSS feed:

    1. In the Feed Name text box, enter a descriptive title for the feed, for example, Arctic Wolf Syslog - ZIA Web.

    2. Select the appropriate server from the NSS Server menu.

      Tip: If only one server is available, it is selected by default.

    3. Under Status, click Enabled.

    4. Set the SIEM IP Address to the management IP address of the Arctic Wolf Sensor.

    5. Set the SIEM TCP Port to 514.

    6. Verify that the Log Type is set to Web Log.

    7. Set the Feed Output Type to QRadar LEEF. The Feed Output Format is populated with the appropriate string.

    8. Leave the remaining fields as their default values. We recommend leaving User Obfuscation set to Disabled to allow Arctic Wolf to correlate these events with additional user actions in your environment.

  5. Click Save.

    You have successfully configured your Zscaler NSS to send syslog-formatted messages to your Arctic Wolf Sensor.

  6. Proceed to Create a ticket for your CST.

Configure Zscaler NSS for firewall logs Direct link to this section

  1. Access your ZScaler NSS web administration interface and sign in with administrator credentials.

  2. Select Administration > Settings > Nanolog Streaming Service to access the Nanolog Streaming Service page.

  3. Select the NSS Feeds tab and then click Add NSS Feed.

  4. Create a new NSS feed:

    1. In the Feed Name text box, enter a descriptive title for the feed, for example, Arctic Wolf Syslog - ZIA Firewall.

    2. For the NSS Type, select NSS for Firewall.

    3. Select the appropriate server from the NSS Server menu.

      Tip: If only one server is available, it is selected by default.

    4. Under Status, click Enabled.

    5. Set the SIEM IP Address to the management IP address of the Arctic Wolf Sensor.

    6. Set the SIEM TCP Port to 514.

    7. Verify that Log Type is set to Firewall Logs.

    8. For the Firewall Log Type, select Both Session and Aggregate Logs.

    9. Set the Feed Output Type to Custom.

    10. In the Feed Output Format text box, enter this string:

      LEEF:1.0|Zscaler|NSS-FW|6.0|%s{action}|usrName=%s{login}\trole=%s{dept}\trealm=%s{location}\tsrc=%s{csip}\tdst=%s{cdip}\tsrcPort=%d{csport}\tdstPort=%d{cdport}\tdstPreNATPort=%d{cdport}\tsrcPreNATPort=%d{csport}\tdstPostNATPort=%d{sdport}\tsrcPostNATPort=%d{ssport}\tsrcPreNAT=%s{csip}\tdstPreNAT=%s{cdip}\tsrcPostNAT=%s{ssip}\tdstPostNAT=%s{sdip}\ttsip=%s{tsip}\ttsport=%d{tsport}\tttype=%s{ttype}\tdnat=%s{dnat}\tstateful=%s{stateful}\taggregate=%s{aggregate}\tnwsvc=%s{nwsvc}\tnwapp=%s{nwapp}\tproto=%s{ipproto}\tipcat=%s{ipcat}\tdestcountry=%s{destcountry}\tavgduration=%ld{avgduration}\trulelabel=%s{rulelabel}\tdstBytes=%ld{inbytes}\tsrcBytes=%ld{outbytes}\tduration=%d{duration}\tdurationms=%d{durationms}\tnumsessions=%d{numsessions}\tthreatcat=%s{threatcat}\tthreatname=%s{threatname}\tipsrulelabel=%s{ipsrulelabel}\taction=%s{action}\tdevicehostname=%s{devicehostname}\trecordid=%d{recordid}\tdevicename=%s{devicename}\tdeviceostype=%s{deviceostype}\n

    11. Verify that Duplicate Logs is set to Disabled.

    12. Leave the remaining fields as their default values. We recommend leaving User Obfuscation set to Disabled to allow Arctic Wolf to correlate these events with additional user actions in your environment.

  5. Click Save.

    You have successfully configured your Zscaler NSS to send syslog-formatted messages to your Arctic Wolf Sensor.

  6. Proceed to Create a ticket for your CST.

Configure Zscaler NSS for DNS logs Direct link to this section

  1. Access your ZScaler NSS web administration interface and sign in with administrator credentials.

  2. Select Administration > Settings > Nanolog Streaming Service to access the Nanolog Streaming Service page.

  3. Select the NSS Feeds tab and then click Add NSS Feed.

  4. Create a new NSS feed:

    1. In the Feed Name text box, enter a descriptive title for the feed, for example, Arctic Wolf Syslog - ZIA DNS.

    2. For the NSS Type, select NSS for Firewall.

    3. Select the appropriate server from the NSS Server menu.

      Tip: If only one server is available, it is selected by default.

    4. Under Status, click Enabled.

    5. Set the SIEM IP Address to the management IP address of the Arctic Wolf Sensor.

    6. Set the SIEM TCP Port to 514.

    7. Verify that Log Type is set to DNS Logs.

    8. Set the Feed Output Type to Custom.

    9. In the Feed Output Format text box, enter this string:

      LEEF:1.0|Zscaler|NSS-DNS|6.0|%s{reqaction}|usrName=%s{login}\trole=%s{dept}\trealm=%s{location}\treqaction=%s{reqaction}\tresaction=%s{resaction}\tcat=nss-dns\treqrulelabel=%s{reqrulelabel}\tresrulelabel=%s{resrulelabel}\tdnsReqtype=%s{reqtype}\tdnsReq=%s{req}\tdnsResp=%s{res}\tdstPort=%d{sport}\tdurationms=%d{durationms}\tsrc=%s{cip}\tdst=%s{sip}\tcategory=%s{domcat}\tdeviceowner=%s{deviceowner}\tdevicehostname=%s{devicehostname}\treqrulelabel=%s{reqrulelabel}\trecordid=%d{recordid}\n

    10. Verify that Duplicate Logs is set to Disabled.

    11. Leave the remaining fields as their default values. We recommend leaving User Obfuscation set to Disabled to allow Arctic Wolf to correlate these events with additional user actions in your environment.

  5. Click Save.

    You have successfully configured your Zscaler NSS to send syslog-formatted messages to your Arctic Wolf Sensor.

  6. Proceed to Create a ticket for your CST.

Create a ticket for your CST Direct link to this section

After you complete the above configurations, create a ticket for your Concierge Security® Team (CST) and include the IP address assigned to the NSS virtual machine. Your CST confirms when Arctic Wolf is successfully processing logs from your Zscaler devices.