This article covers how to configure Syslog on Zscaler.
Configuring Syslog on Zscaler
Step 1: Create NSS Feed
1. Log in and navigate to Administration > Cloud Configuration > Nano Streaming Service.
2. In the NSS Feeds tab, click Add NSS Feed.
The Add NSS Feed window appears.
3. In the Add NSS Feed window, enter the following details:
- Feed Name: Enter the name as Web logs.
- NSS Type: Select NSS for Web.
- NSS Server: Choose the NSS from the list.
- Status: The NSS feed is Enabled by default.
- SIEM Destination Type: The type of destination.
- Chronicle IP Address: Enter the Forwarder IP to which the logs stream.
- SIEM TCP Port: Enter port number 11665.
- Log Type: Choose Web Log.
- SIEM Rate Limit (Events per Second): Leave as unrestricted or unlimited.
- Feed Output Type: Select Custom.
- Feed Output Format: For the NSS Feed for Web logs, copy and paste the following in place of the pre-populated Feed Output Format:
%s{time} recordId=%d{recordid} login=%s{login} sip=%s{sip} cip=%s{cip} cintip=%s{cintip}
url=%s{url} ua=%s{ua} uaclass=%s{uaclass} module=%s{module} proto=%s{proto} action=%s{action}
reason=%s{reason} appname=%s{appname} appclass=%s{appclass} filename=%s{filename}
filetype=%s{filetype} filesubtype=%s{filesubtype} fileclass=%s{fileclass} reqsize=%d{reqsize}
respsize=%d{respsize} malwarecat=%s{malwarecat} malwareclass=%s{malwareclass}
threatname=%s{threatname} riskscore=%d{riskscore} dlpeng=%s{dlpeng} dlpdict=%s{dlpdict}
location=%s{location} dept=%s{dept} reqmethod=%s{reqmethod} respcode=%s{respcode}
respversion=%s{respversion} urlclass=%s{urlclass} urlsupercat=%s{urlsupercat} urlcat=%s{urlcat}
referer=%s{referer} contenttype=%s{contenttype} unscannabletype=%s{unscannabletype}
devicehostname=%s{devicehostname} deviceowner=%s{deviceowner} keyprotectiontype=%s{keyprotectiontype}
bamd5=%s{bamd5} sha256=%s{sha256} clientsslcipher=%s{clientsslcipher}
clienttlsversion=%s{clienttlsversion} upload_filename=%s{upload_filename} upload_filetype=%s{upload_filetype}
upload_filesubtype=%s{upload_filesubtype} upload_fileclass=%s{upload_fileclass}
upload_doctypename=%s{upload_doctypename}\n
- User Obfuscation: Choose Disable to display the usernames.
- Timezone: By default, this is set to the organization's time zone.
- Duplicate Logs: Enter 60 (minutes).
4. Click Save and activate the change.
Step 2: Check status in Chronicle
- Repeat the process for each device that needs to be onboarded to Chronicle.
- Once the configuration is complete, validate the logs in Chronicle using a regular expression: either (".*") or a specific hostname. This search returns the log source types that are ingesting into Chronicle; the screenshot below shows this for reference.
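As an added example (not part of the original article or of Zscaler's own tooling), a small parser for the custom Feed Output Format configured above. It splits a line only at whitespace followed by a known "key=", so values that contain spaces (the user agent in ua=) stay intact, and it reports which fields of the configured format a received line is missing, which is a quick check that the feed on the forwarder side matches the configuration. The sample line is constructed, not real Zscaler output.

```python
import re

# Field names in the order of the Feed Output Format above; %s{time} is emitted
# without a key, so it is handled separately as the unkeyed prefix of the line.
FEED_FIELDS = [
    "recordId", "login", "sip", "cip", "cintip", "url", "ua", "uaclass", "module", "proto",
    "action", "reason", "appname", "appclass", "filename", "filetype", "filesubtype",
    "fileclass", "reqsize", "respsize", "malwarecat", "malwareclass", "threatname",
    "riskscore", "dlpeng", "dlpdict", "location", "dept", "reqmethod", "respcode",
    "respversion", "urlclass", "urlsupercat", "urlcat", "referer", "contenttype",
    "unscannabletype", "devicehostname", "deviceowner", "keyprotectiontype", "bamd5",
    "sha256", "clientsslcipher", "clienttlsversion", "upload_filename", "upload_filetype",
    "upload_filesubtype", "upload_fileclass", "upload_doctypename",
]
INT_FIELDS = {"recordId", "reqsize", "respsize", "riskscore"}  # the %d{...} fields

# Split only at whitespace that is immediately followed by a known "key=", so that
# values containing spaces (e.g. ua=Mozilla/5.0 (Windows NT 10.0) ...) are not broken up.
_SPLIT = re.compile(r"\s+(?=(?:" + "|".join(map(re.escape, FEED_FIELDS)) + r")=)")


def parse_web_log(line):
    """Parse one line produced by the custom Feed Output Format into a dict."""
    parts = _SPLIT.split(line.strip())
    record = {"time": parts[0]}  # everything before the first known key is the timestamp
    for part in parts[1:]:
        key, _, value = part.partition("=")
        if key in INT_FIELDS and value.lstrip("-").isdigit():
            value = int(value)
        record[key] = value
    return record


def missing_fields(record):
    """Fields of the configured format that a parsed line did not carry."""
    return [field for field in FEED_FIELDS if field not in record]


# Constructed sample line (hypothetical values, only a subset of the fields present).
SAMPLE = ("Mon Oct  2 10:15:30 2023 recordId=12345 login=jdoe@example.com sip=203.0.113.5 "
          "cip=192.0.2.10 url=example.com/index.html ua=Mozilla/5.0 (Windows NT 10.0) Chrome/117 "
          "action=Blocked reason=Malware respcode=403 riskscore=80 threatname=None\n")

if __name__ == "__main__":
    rec = parse_web_log(SAMPLE)
    print(rec["time"], "|", rec["ua"], "|", rec["riskscore"])
    print("fields absent from this line:", missing_fields(rec))
```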