
Collect Logs for Zscaler Web Security

Zscaler uses a virtual machine, the Nanolog Streaming Service (NSS), to stream logs from the Zscaler service and deliver them to a Sumo Logic Installed Collector via syslog.


To collect logs for Zscaler, perform these steps, detailed in the following sections:

  1. Configure Sumo Logic Installed Collector and Syslog Source.
  2. Configure Zscaler NSS.
  3. Connect the Zscaler NSS feed to Sumo Logic.

Configure Sumo Logic Installed Collector and Syslog Source

To collect logs for Zscaler Web Security, in Sumo Logic configure:

  1. An Installed Collector.
  2. A Syslog Source.

For protocol, use TCP. Note the Port number, as you will need this to configure Zscaler NSS.

Also, when you configure the Syslog Source, we recommend that you use the Source Category security_zscaler.

Configure Zscaler NSS

Zscaler offers a virtual appliance, called Nanolog Streaming Service (NSS), to stream web logs to an external SIEM via syslog. NSS is maintained and distributed by Zscaler as an Open Virtual Application (OVA).

To stream logs to the Sumo Logic Syslog Source, perform steps A, B, and C detailed in the “NSS Configuration Guide” at: https://support.zscaler.com/hc/en-us...guration-Guide.

Connect the Zscaler NSS Feed to Sumo Logic

Once you have configured the Zscaler NSS, add a feed that sends logs to the Sumo Logic syslog endpoint using the following steps.

  1. Log into your Zscaler NSS system.
  2. Go to Administration > Settings > Nanolog Streaming Service.
  3. From the NSS Feeds tab, click Add.
  4. In the Add NSS Feed dialog:
    1. Feed Name. Enter a name for your NSS feed.
    2. NSS Server. Select None.
    3. SIEM IP Address. Enter the Sumo Logic Installed Collector IP address.
    4. Log Type. Select Web Log.
    5. Feed Output Type. QRadar LEEF is the default.
    6. NSS Type. NSS for Web is the default.
    7. Status. Select Enabled.
    8. SIEM TCP Port. Enter the Sumo Logic Syslog Source TCP port number.
    9. Feed Escape Character. Leave this field blank.
    10. Feed Output Format. The LEEF format is displayed.
    11. User Obfuscation. Select Disabled.
    12. Duplicate Logs. Disabled by default.
    13. Timezone. Set to GMT by default.
  5. Click Save.
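To confirm the collector path before relying on the live feed, the following added example (it is not Sumo Logic's or Zscaler's code) builds a LEEF 1.0 record shaped like the NSS web-log feed output, wraps it in a TCP syslog line, sends it over a loopback TCP connection, and parses what arrives. The vendor and product strings in the LEEF header, the attribute names devTime, usrName, url and action, and all values are constructed for the example; the real field set comes from your Zscaler tenant. The hostname nss-test and the newline-terminated syslog framing are assumptions as well.

```python
"""Build, send and parse a LEEF-over-TCP-syslog test event.

Added example, not Sumo Logic or Zscaler code. The LEEF header values,
attribute names and sample values below are constructed for illustration.
"""
import socket
import threading
from datetime import datetime, timezone

# Constructed sample attributes; the real NSS feed defines its own field set.
SAMPLE_FIELDS = {
    "devTime": "Jan 01 2024 12:00:00",
    "usrName": "user@example.com",
    "url": "www.example.com/index.html",
    "action": "Allowed",
}


def build_leef_event(fields, vendor="Zscaler", product="NSSWeblog",
                     version="1.0", event_id="web"):
    """LEEF 1.0: pipe-separated header, then tab-separated key=value pairs.

    Header strings here are constructed placeholders, not Zscaler's exact values.
    """
    attrs = "\t".join(f"{k}={v}" for k, v in fields.items())
    return f"LEEF:1.0|{vendor}|{product}|{version}|{event_id}|{attrs}"


def build_syslog_line(leef_body, hostname="nss-test", app="zscaler-nss",
                      timestamp=None):
    """Wrap the record in an RFC 3164-style syslog line, newline-terminated.

    PRI 14 = facility user (1) * 8 + severity informational (6).
    """
    if timestamp is None:
        timestamp = datetime.now(timezone.utc).strftime("%b %d %H:%M:%S")
    return f"<14>{timestamp} {hostname} {app}: {leef_body}\n"


def parse_leef(line):
    """Locate the LEEF record inside a syslog line and split it into parts."""
    start = line.find("LEEF:")
    if start < 0:
        raise ValueError("no LEEF record in line")
    parts = line[start:].rstrip("\n").split("|", 5)
    if len(parts) != 6:
        raise ValueError("malformed LEEF header")
    _, vendor, product, version, event_id, attrs = parts
    fields = {}
    for kv in attrs.split("\t"):
        if "=" in kv:
            key, value = kv.split("=", 1)
            fields[key] = value
    return {"vendor": vendor, "product": product, "version": version,
            "event_id": event_id, "fields": fields}


def send_syslog_tcp(host, port, line, timeout=5.0):
    """Deliver one syslog line over TCP, the transport the Syslog Source expects.

    For a real check, pass the Installed Collector IP and the Syslog Source port.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(line.encode("utf-8"))


def loopback_check(line):
    """Start a throwaway listener on 127.0.0.1, send the line, return what arrived."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    received = []

    def accept_one():
        conn, _ = srv.accept()
        with conn:
            chunks = []
            while True:
                data = conn.recv(4096)
                if not data:  # sender closed the connection
                    break
                chunks.append(data)
            received.append(b"".join(chunks))

    worker = threading.Thread(target=accept_one)
    worker.start()
    send_syslog_tcp("127.0.0.1", port, line)
    worker.join(timeout=5)
    srv.close()
    return received[0].decode("utf-8") if received else ""


if __name__ == "__main__":
    event = build_leef_event(SAMPLE_FIELDS)
    arrived = loopback_check(build_syslog_line(event))
    print(parse_leef(arrived))
```

Running the script proves only the local plumbing; swap the loopback call for send_syslog_tcp(collector_ip, source_port, line) to exercise the same TCP path the NSS feed will use, then search the security_zscaler Source Category for the constructed usrName value to confirm the Syslog Source ingested it.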