Zscaler Webproxy Syslog Configuration

This article covers how to configure Syslog on Zscaler.

Configuring Syslog on Zscaler

Step 1: Create NSS Feed

1. Log in and navigate to Administration > Cloud Configuration > Nano Streaming Service.

2. In the NSS Feeds tab, click Add NSS Feed.
The Add NSS Feed window appears.

3. In the Add NSS Feed window, enter the following details:

• • Feed Name: Enter the name as Web logs.
  • NSS Type: Select NSS for Web.
  • NSS Server: Choose the NSS from the list.
  • Status: The NSS feed is Enabled by default.
  • SIEM Destination Type: The type of destination.
    • Chronicle IP Address: Enter the Forwarder IP to which the logs stream.
  • SIEM TCP Port: Enter port number 11665
  • Log Type: Choose Web Log.
  • SIEM Rate Limit (Events per Second): Leave as unrestricted or unlimited.
  • Feed Output Type: Select Custom.
  • Feed Output Format: For the NSS Feeds for Web logs, copy and paste the pre-populated Feed Output Format with the following

%s{time} recordId=%d{recordid} login=%s{login} sip=%s{sip} cip=%s{cip} cintip=%s{cintip} 
url=%s{url} ua=%s{ua} uaclass=%s{uaclass} module=%s{module} proto=%s{proto} action=%s{action} 
reason=%s{reason} appname=%s{appname} appclass=%s{appclass} filename=%s{filename} 
filetype=%s{filetype} filesubtype=%s{filesubtype} fileclass=%s{fileclass} reqsize=%d{reqsize} 
respsize=%d{respsize} malwarecat=%s{malwarecat} malwareclass=%s{malwareclass} 
threatname=%s{threatname} riskscore=%d{riskscore} dlpeng=%s{dlpeng} dlpdict=%s{dlpdict} 
location=%s{location} dept=%s{dept} reqmethod=%s{reqmethod} respcode=%s{respcode} 
respversion=%s{respversion} urlclass=%s{urlclass} urlsupercat=%s{urlsupercat} urlcat=%s{urlcat}
 referer=%s{referer} contenttype=%s{contenttype} unscannabletype=%s{unscannabletype} 
devicehostname=%s{devicehostname} deviceowner=%s{deviceowner} keyprotectiontype=%s{keyprotectiontype} 
bamd5=%s{bamd5} sha256=%s{sha256} clientsslcipher=%s{clientsslcipher} 
clienttlsversion=%s{clienttlsversion} upload_filename=%s{upload_filename} upload_filetype=%s{upload_filetype} 
upload_filesubtype=%s{upload_filesubtype} upload_fileclass=%s{upload_fileclass} 
upload_doctypename=%s{upload_doctypename}\n

• • User Obfuscation: Choose Disable to display the usernames.
  • Timezone: By default, this is set to the organization's time zone.
  • Duplicate Logs: Enter the number of 60 (minutes).

4. Click Save and activate the change.

Step 2. Check status in Chronicle

1. Repeat the process for each device which needs to be onboarded to chronicle.
2. Once the configuration is completed, need to validate the logs in chronicle using a regular expression as (".*") this expression or with specific hostname, will provide the log source types which are ingesting to chronicle, below is the screen shot for reference.