
Collect Logs for the Zscaler Internet Access App

Learn how to collect logs for the Zscaler Internet Access (ZIA) App.

Zscaler uses Cloud Nanolog Streaming Service (NSS), which allows direct cloud-to-cloud log streaming for all types of ZIA logs into Sumo Logic.

To collect logs for Zscaler, perform these steps, detailed in the following sections:

  1. Configure Sumo Logic Hosted Collector and an HTTP Source.

  2. Configure Zscaler Cloud NSS feeds.

Configure Sumo Logic Hosted Collector and an HTTP Source

To collect logs for Zscaler Web Security, do the following in Sumo Logic:

  1. Configure a Hosted Collector.

  2. Configure an HTTP Source.

    1. For Source Category, enter any string to tag the output collected from this Source, such as ZIA.

    2. Click Save and make note of the HTTP address for the Source. You will need it when you configure the Zscaler Cloud NSS in the next section.

Configure Zscaler Cloud NSS

To send logs to Sumo Logic using Cloud NSS, add a feed in ZIA using the following steps.

  1. Log into your Zscaler Internet Access system.

  2. Go to Administration > Nanolog Streaming Service > Cloud NSS Feeds.

  3. From the Cloud NSS Feeds tab, click Add Cloud NSS Feed.

  4. In the Add NSS Feed dialog:

    1. Feed Name. Enter a name for your NSS feed.

    2. NSS Server. Select NSS for Web.

    3. Status. Select Enabled.

    4. SIEM Type. Select Sumo Logic.

    5. API URL. Paste the HTTP address of the Source you noted in the previous section.

    6. HTTP Headers. No headers are required for Sumo Logic. If the dialog requires at least one header, add a dummy header.

    7. Log Type. Select Web Log.

    8. Feed Output Type. Select JSON.

    9. Feed Escape Character. Leave this field blank.

    10. Feed Output Format. The JSON format is displayed.

    11. User Obfuscation. Select Disabled.

    12. Timezone. Set to GMT by default.

    13. Web Log Filters. Choose the filters you want to apply.

  5. Click Save.

  6. Repeat the above steps for each of the following feeds:

    1. NSS Type: NSS for Web and Log Type: Tunnel.

    2. NSS Type: NSS for Web and Log Type: SaaS Security.

    3. NSS Type: NSS for Firewall and Log Type: Firewall Logs.

    4. NSS Type: NSS for Firewall and Log Type: DNS Logs.

Note: The Sumo Logic dashboards use the Web, Tunnel, and DNS logs.

(Optional) Configure the Zscaler NSS Feeds

If you are not able to use Zscaler Cloud NSS, you can collect logs for the ZIA App using NSS Servers. For DNS, Firewall, and Tunnel logs you can select JSON as the output format for the feed in the Add NSS Feeds dialog. For Web logs you will need to configure the feed as follows:

  1. Log into your Zscaler NSS system.

  2. Go to Administration > Settings > Nanolog Streaming Service.

  3. From the NSS Feeds tab, click Add.

  4. In the Add NSS Feed dialog:

    1. Feed Name. Enter a name for your NSS feed.

    2. NSS Server. Select the NSS Server.

    3. SIEM IP Address. Enter the Sumo Logic Installed Collector IP address.

    4. Log Type. Select Web Log.

    5. Feed Output Type. Custom.

    6. NSS Type. NSS for Web is the default.

    7. Status. Select Enabled.

    8. SIEM TCP Port. Enter the Sumo Logic Syslog Source TCP port number.

    9. Feed Escape Character. Leave this field blank.

    10. Feed Output Format. Select Custom and paste the following:

\{ "sourcetype" : "zscalernss-web", "event" : \{"datetime":"%d{yy}-%02d{mth}-%02d{dd} %02d{hh}:%02d{mm}:%02d{ss}","reason":"%s{reason}","event_id":"%d{recordid}","protocol":"%s{proto}","action":"%s{action}","transactionsize":"%d{totalsize}","responsesize":"%d{respsize}","requestsize":"%d{reqsize}","urlcategory":"%s{urlcat}","serverip":"%s{sip}","clienttranstime":"%d{ctime}","requestmethod":"%s{reqmethod}","refererURL":"%s{ereferer}","useragent":"%s{ua}","product":"NSS","location":"%s{location}","ClientIP":"%s{cip}","status":"%s{respcode}","user":"%s{login}","url":"%s{eurl}","vendor":"Zscaler","hostname":"%s{ehost}","clientpublicIP":"%s{cintip}","threatcategory":"%s{malwarecat}","threatname":"%s{threatname}","filetype":"%s{filetype}","appname":"%s{appname}","pagerisk":"%d{riskscore}","department":"%s{dept}","urlsupercategory":"%s{urlsupercat}","appclass":"%s{appclass}","dlpengine":"%s{dlpeng}","urlclass":"%s{urlclass}","threatclass":"%s{malwareclass}","dlpdictionaries":"%s{dlpdict}","fileclass":"%s{fileclass}","bwthrottle":"%s{bwthrottle}","servertranstime":"%d{stime}","contenttype":"%s{contenttype}","unscannabletype":"%s{unscannabletype}","deviceowner":"%s{deviceowner}","devicehostname":"%s{devicehostname}"\}\}
    11. Duplicate Logs. Disabled by default.

    12. Timezone. Set to GMT by default.

  5. Click Save.
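To make the custom Feed Output Format in step 10 easier to read, here is an added Python model of the NSS token syntax it uses; this is example code written for this page, not Zscaler's or Sumo Logic's. `%s{field}` and `%d{field}` substitute a string or integer field, `%02d{field}` zero-pads to two digits, and `\{` / `\}` emit literal braces, which is why every JSON brace in the template is backslash-escaped (bare braces delimit the field tokens). The template excerpt, the record values, and the helper names are constructed for this example; plain substitution with no escaping is an assumption of the model.

```python
import json
import re

# Token syntax of a Zscaler NSS custom feed format as shown on this page (modelled here,
# not Zscaler's code): %s{field} string, %d{field} integer, %02d{field} zero-padded
# integer, and \{ / \} for literal braces, since bare braces delimit field tokens.
TOKEN = re.compile(r"\\(?P<lit>[{}])|%(?P<pad>0\d+)?(?P<kind>[sd])\{(?P<name>\w+)\}")

# Constructed excerpt of the page's Feed Output Format (a subset of its fields).
WEB_TEMPLATE = (
    r'\{ "sourcetype" : "zscalernss-web", "event" : \{'
    r'"datetime":"%d{yy}-%02d{mth}-%02d{dd} %02d{hh}:%02d{mm}:%02d{ss}",'
    r'"reason":"%s{reason}","event_id":"%d{recordid}","action":"%s{action}",'
    r'"transactionsize":"%d{totalsize}","url":"%s{eurl}","user":"%s{login}",'
    r'"vendor":"Zscaler","ClientIP":"%s{cip}"\}\}'
)

# Constructed record carrying the values from the page's Web Log Sample.
SAMPLE_RECORD = {
    "yy": 2021, "mth": 6, "dd": 17, "hh": 14, "mm": 53, "ss": 16,
    "reason": "Allowed", "recordid": 6974776045860487177, "action": "Allowed",
    "totalsize": 639, "eurl": "hamsan.yektanet.com:443",
    "login": "testuser2@bd-dev.com", "cip": "40.83.138.250",
}


def template_fields(template):
    """Return the NSS field names a template references, in order of appearance."""
    return [m.group("name") for m in TOKEN.finditer(template) if m.group("name")]


def render_feed(template, record):
    """Expand one template against one record (assumed plain substitution, no escaping)."""
    def expand(m):
        if m.group("lit"):                      # \{ or \} -> literal brace
            return m.group("lit")
        value = record[m.group("name")]
        if m.group("kind") == "d":              # %d / %02d -> integer, optionally zero-padded
            width = int(m.group("pad")[1:]) if m.group("pad") else 0
            return str(int(value)).zfill(width)
        return str(value)                       # %s -> string as-is
    return TOKEN.sub(expand, template)


def render_and_parse(template, record):
    """Render, then parse the result as JSON, i.e. what the HTTP Source will ingest."""
    return json.loads(render_feed(template, record))


def is_valid_feed(template, record):
    """True when the rendered event is well-formed JSON for this record."""
    try:
        render_and_parse(template, record)
        return True
    except json.JSONDecodeError:
        return False


if __name__ == "__main__":
    print(json.dumps(render_and_parse(WEB_TEMPLATE, SAMPLE_RECORD), indent=2))
```

Two things worth noticing from the output: every value, including the `%d` ones, arrives as a JSON string because the template wraps each token in quotes, so queries should compare them as strings; and because the template does no escaping of its own (Feed Escape Character is left blank above), `is_valid_feed` returns false as soon as a field value contains a double quote, which makes it a cheap check to run against your own data before trusting the feed's JSON.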

Sample Log Message

Web Log Sample:

{
  "sourcetype": "zscalernss-web",
  "event": {
    "datetime": "2021-06-17 14:53:16",
    "reason": "Allowed",
    "event_id": "6974776045860487177",
    "protocol": "HTTP_PROXY",
    "action": "Allowed",
    "transactionsize": "639",
    "responsesize": "65",
    "requestsize": "574",
    "urlcategory": "Corporate Marketing",
    "serverip": "104.21.31.16",
    "clienttranstime": "0",
    "requestmethod": "CONNECT",
    "refererURL": "None",
    "useragent": "Windows Microsoft Windows 10 Pro ZTunnel/1.0",
    "product": "NSS",
    "location": "Road Warrior",
    "ClientIP": "40.83.138.250",
    "status": "200",
    "user": "testuser2@bd-dev.com",
    "url": "hamsan.yektanet.com:443",
    "vendor": "Zscaler",
    "hostname": "hamsan.yektanet.com",
    "clientpublicIP": "40.83.138.250",
    "threatcategory": "None",
    "threatname": "None",
    "filetype": "None",
    "appname": "General Browsing",
    "pagerisk": "0",
    "department": "Service Admin",
    "urlsupercategory": "Business and Economy",
    "appclass": "General Browsing",
    "dlpengine": "None",
    "urlclass": "Business Use",
    "threatclass": "None",
    "dlpdictionaries": "None",
    "fileclass": "None",
    "bwthrottle": "NO",
    "servertranstime": "0",
    "contenttype": "Other",
    "unscannabletype": "None",
    "odeviceowner": "5864177",
    "odevicehostname": "4051327232"
  }
}

Query Sample

Top 10 Blocked Base URLs

_sourceCategory=ZIA
| json field=_raw "event.clientpublicIP", "event.user", "event.url", "event.action" as src_ip, src_user, url, action
| where action != "Allowed"
| parse regex field=url "(?<baseurl>.+?)[:/]" nodrop
| count by baseurl
| sort _count
| top 10 baseurl by _count
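The same pipeline as the query above, reimplemented in Python over constructed web-log messages so each operator's effect can be checked offline; this is added example code, not part of the Sumo Logic page. The message builder, the sample URLs and the function names are assumptions made for this example; the regex is the page's own, written with Python's `(?P<name>...)` group syntax.

```python
import json
import re
from collections import Counter

# The page's parse-regex in Python's named-group spelling: everything up to the first ':' or '/'.
BASEURL_RE = re.compile(r"(?P<baseurl>.+?)[:/]")


def json_field(obj, path):
    """Resolve a dotted path such as 'event.url' the way the json operator does; None if absent."""
    for key in path.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def extract(line):
    """json field=_raw ...: parse one message and pull the four named fields."""
    raw = json.loads(line)
    return {
        "src_ip": json_field(raw, "event.clientpublicIP"),
        "src_user": json_field(raw, "event.user"),
        "url": json_field(raw, "event.url"),
        "action": json_field(raw, "event.action"),
    }


def base_url(url):
    """parse regex ... nodrop: the capture, or None when the regex does not match."""
    if url is None:
        return None
    m = BASEURL_RE.search(url)
    return m.group("baseurl") if m else None


def top_blocked_base_urls(lines, limit=10):
    """where action != "Allowed" | count by baseurl | top <limit> baseurl by _count."""
    counts = Counter()
    for line in lines:
        rec = extract(line)
        if rec["action"] == "Allowed":
            continue
        counts[base_url(rec["url"])] += 1   # None is the nodrop bucket (null baseurl)
    return counts.most_common(limit)


def make_line(action, url, user="testuser2@bd-dev.com", ip="40.83.138.250"):
    """Build a constructed web-log message in the shape of the page's Web Log Sample."""
    return json.dumps({"sourcetype": "zscalernss-web", "event": {
        "action": action, "url": url, "user": user, "clientpublicIP": ip}})


# Constructed sample messages (hosts and actions are made up for this example).
SAMPLE_LINES = [
    make_line("Allowed", "hamsan.yektanet.com:443"),
    make_line("Blocked", "bad.example.net:443"),
    make_line("Blocked", "bad.example.net/download"),
    make_line("Blocked", "ads.example.org:443"),
    make_line("Blocked", "nodelimiter"),   # no ':' or '/': kept by nodrop, baseurl null
]

if __name__ == "__main__":
    for baseurl, n in top_blocked_base_urls(SAMPLE_LINES):
        print(f"{n:>5}  {baseurl}")
```

The `nodelimiter` message shows what `nodrop` buys you: a URL without `:` or `/` still counts, under a null `baseurl`, instead of vanishing from the result. The regex stops at the first `:` or `/`, which fits the `host:port` form in the page's sample; a `url` value that carried a scheme would yield that scheme as its base URL, so check the form of your own `event.url` values before relying on the grouping.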