Collect Logs for the Zscaler Web Security App

Zscaler uses a virtual machine, the Nanolog Streaming Service (NSS), to stream logs from the Zscaler service and deliver them to a Sumo Logic Installed Collector via syslog.

To collect logs for Zscaler, perform these steps, detailed in the following sections:

  1. Configure Sumo Logic Installed Collector and Syslog Source.
  2. Configure Zscaler NSS.
  3. Connect the Zscaler NSS feed to Sumo Logic.


Configure Sumo Logic Installed Collector and Syslog Source

To collect logs for Zscaler Web Security, do the following in Sumo Logic:

  1. Configure an Installed Collector.
  2. Configure a Syslog Source. For protocol, use TCP.

Configure Zscaler NSS

Zscaler offers a virtual appliance, called the Nanolog Streaming Service (NSS), to stream web logs to an external SIEM via syslog. NSS is maintained and distributed by Zscaler as an Open Virtual Application (OVA).

To stream logs to the Sumo Logic Syslog Source, perform steps A, B, and C detailed in the “NSS Configuration Guide” at:

Connect the Zscaler NSS Feed to Sumo Logic

Once you have configured the Zscaler NSS, add a feed that sends logs to the Sumo Logic syslog endpoint, using the following steps.

  1. Log into your Zscaler NSS system.
  2. Go to Administration > Settings > Nanolog Streaming Service.
  3. From the NSS Feeds tab, click Add.
  4. In the Add NSS Feed dialog:
    1. Feed Name. Enter a name for your NSS feed.
    2. NSS Server. Select None.
    3. SIEM IP Address. Enter the Sumo Logic Installed Collector IP address.
    4. Log Type. Select Web Log.
    5. Feed Output Type. QRadar LEEF is the default.
    6. NSS Type. NSS for Web is the default.
    7. Status. Select Enabled.
    8. SIEM TCP Port. Enter the Sumo Logic Syslog Source TCP port number.
    9. Feed Escape Character. Leave this field blank.
    10. Feed Output Format. The LEEF format is displayed.
    11. User Obfuscation. Select Disabled.
    12. Duplicate Logs. Disabled by default.
    13. Timezone. Set to GMT by default.
  5. Click Save.

Sample Log Message

Mon Oct 02 16:21:40 UTC 2017 zscaler-nss: LEEF:1.0|Zscaler|NSS|4.1|NA|filetype=Archive Files dlpeng=NA cat=Blocked useragent=NA hostname=NA src= policy=Malicious file Blocked urlsupercategory=Shopping and Auctions srcPostNAT=NA reqmethod=NA bwthrottle=NA devTimeFormat=MMM dd yyyy HH:mm:ss z referer=None srcBytes=31386 malwareclass=NA appproto=NA riskscore=0 dlpdict=NA devTime=Mon Oct 02 16:21:40 UTC 2017 recordid=69790990 dst= appname=Yandex Search role=NA malwaretype=NA appclass=Enterprise urlcategory=Sports urlclass=NA realm=EMEA dstBytes=596219 threatname=W32/Tool.IJQF-0856 fileclass=Executables Files

Query Sample

Policy Violations by Realm

_sourceCategory = "zscaler" !"cat=Allowed"
| parse "policy=*\t" as policy, "realm=*\t" as realm
| parse "src=*\t" as src_ip, "usrName=*\t" as src_user
| count by policy,realm
| transpose row realm column policy
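The following is an added example (not code from the original page or from Sumo Logic or Zscaler) showing how the NSS LEEF lines above are structured and how the "Policy Violations by Realm" query aggregates them: the pipe-delimited LEEF header is split from the tab-delimited key=value attributes (the `\t` the query parses on), `cat=Allowed` records are dropped, and the rest are counted per realm and policy. The sample lines, hosts and user names are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# LEEF 1.0 header fields are pipe-delimited; Zscaler NSS separates the
# key=value attributes with tabs, which is why the query above parses
# "policy=*\t". The syslog prefix (timestamp + "zscaler-nss:") is skipped.
LEEF_HEADER = re.compile(
    r"LEEF:(?P<ver>[^|]*)\|(?P<vendor>[^|]*)\|(?P<product>[^|]*)\|"
    r"(?P<pver>[^|]*)\|(?P<event>[^|]*)\|(?P<attrs>.*)$"
)

def parse_leef(line: str) -> dict:
    """Parse one syslog-wrapped LEEF line into a flat dict ({} if no header)."""
    m = LEEF_HEADER.search(line)
    if not m:
        return {}
    record = {"leef_version": m.group("ver"), "vendor": m.group("vendor"),
              "product": m.group("product"), "product_version": m.group("pver"),
              "event_id": m.group("event")}
    for field in m.group("attrs").split("\t"):
        key, sep, value = field.partition("=")
        if sep:  # ignore fragments that are not key=value
            record[key] = value
    return record

def policy_violations_by_realm(lines) -> dict:
    """Same aggregation as the query: drop cat=Allowed, count policy per realm."""
    table = defaultdict(Counter)
    for line in lines:
        rec = parse_leef(line)
        if not rec or rec.get("cat") == "Allowed":
            continue
        table[rec.get("realm", "NA")][rec.get("policy", "NA")] += 1
    return {realm: dict(counts) for realm, counts in table.items()}

# Constructed sample lines (hypothetical hosts/users), tab-delimited as NSS emits them.
PREFIX = "Mon Oct 02 16:21:40 UTC 2017 zscaler-nss: LEEF:1.0|Zscaler|NSS|4.1|NA|"
SAMPLE_LINES = [
    PREFIX + "cat=Blocked\tsrc=192.0.2.10\tusrName=alice\tpolicy=Malicious file Blocked"
    "\trealm=EMEA\tthreatname=W32/Tool.IJQF-0856",
    PREFIX + "cat=Allowed\tsrc=192.0.2.11\tusrName=bob\tpolicy=Default\trealm=EMEA",
    PREFIX + "cat=Blocked\tsrc=192.0.2.12\tusrName=carol\tpolicy=Malicious file Blocked"
    "\trealm=AMER",
    "Mon Oct 02 16:21:41 UTC 2017 zscaler-nss: heartbeat",  # no LEEF header: skipped
]

if __name__ == "__main__":
    for realm, counts in sorted(policy_violations_by_realm(SAMPLE_LINES).items()):
        print(realm, counts)
```

Because NSS can send a feed with User Obfuscation enabled, the `usrName` value may not be a real login; the aggregation above does not depend on it, only on `cat`, `realm` and `policy`.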