Configuring Syslog on Zscaler
Step 1: Create NSS Feed
1. Log in to the Zscaler Admin Portal and navigate to Administration > Cloud Configuration > Nanolog Streaming Service.
2. In the NSS Feeds tab, click Add NSS Feed.
The Add NSS Feed window appears.
3. In the Add NSS Feed window, enter the following details:
- Feed Name: Enter the name as Web logs.
- NSS Type: Select NSS for Web.
- NSS Server: Choose the NSS from the list.
- Status: The NSS feed is Enabled by default.
- SIEM Destination Type: The type of destination.
- Chronicle IP Address: Enter the IP address of the Chronicle forwarder to which the logs stream.
- SIEM TCP Port: Enter port number 11665.
- Log Type: Choose Web Log.
- SIEM Rate Limit (Events per Second): Leave as Unlimited (unrestricted).
- Feed Output Type: Select Custom.
- Feed Output Format: For the NSS Feed for Web logs, replace the pre-populated Feed Output Format with the following. It is a single format string ending in \n; it is wrapped here only for readability.
    %s{time} recordId=%d{recordid} login=%s{login} dname=%s{ehost} dip=%s{sip}
    sip=%s{cip} natPublicIp=%s{cintip} url=%s{eurl} ua=%s{ua} module=%s{module}
    proto=%s{proto} action=%s{action} reason=%s{reason} appName=%s{appname}
    appClass=%s{appclass} fileType=%s{filetype} reqSize=%d{reqsize} responseSize=%d{respsize}
    totalSize=%d{totalsize} malwareCat=%s{malwarecat} malwareClass=%s{malwareclass}
    threatName=%s{threatname} riskScore=%d{riskscore} DLPEng=%s{dlpeng} DLPDict=%s{dlpdict}
    location=%s{location} dept=%s{dept} reqMethod=%s{reqmethod} respCode=%s{respcode}
    respVersion=%s{respversion} urlClass=%s{urlclass} urlSuperCat=%s{urlsupercat}
    urlCat=%s{urlcat} referer=%s{ereferer} contenttype=%s{contenttype}
    unscannabletype=%s{unscannabletype} devicehostname=%s{devicehostname}
    deviceowner=%s{deviceowner} keyprotectiontype=%s{keyprotectiontype}\n
- User Obfuscation: Choose Disable to display the usernames.
- Timezone: By default, this is set to the organization's time zone.
- Duplicate Logs: Enter 60 (minutes).
4. Click Save and activate the change.
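Before relying on the Chronicle search in the next step, it helps to confirm at the forwarder that the lines arriving on port 11665 actually carry every field of the custom format above. The parser below is an added example, not part of the original page or of any Zscaler or Chronicle tooling: it splits a line only at known `key=` boundaries (so values that contain spaces, such as user agents and URL categories, survive intact), converts the `%d` fields to integers, and reports which expected fields are missing. The sample line, its hostnames and its addresses are constructed for the example.

```python
import re

# Field names in the order they appear in the custom Feed Output Format
# configured above (the leading %s{time} field has no key and is handled
# separately).
FEED_KEYS = [
    "recordId", "login", "dname", "dip", "sip", "natPublicIp", "url", "ua",
    "module", "proto", "action", "reason", "appName", "appClass", "fileType",
    "reqSize", "responseSize", "totalSize", "malwareCat", "malwareClass",
    "threatName", "riskScore", "DLPEng", "DLPDict", "location", "dept",
    "reqMethod", "respCode", "respVersion", "urlClass", "urlSuperCat", "urlCat",
    "referer", "contenttype", "unscannabletype", "devicehostname",
    "deviceowner", "keyprotectiontype",
]

# Fields emitted with %d in the format, so they should parse as integers.
INT_KEYS = {"recordId", "reqSize", "responseSize", "totalSize", "riskScore"}

# Split only at " <known key>=" boundaries. Splitting on bare whitespace would
# break values that legitimately contain spaces (user agents, categories such
# as "General Browsing"). The "=" after the alternation stops "url" from
# matching the start of "urlClass" or "urlCat".
_KEY_SPLIT = re.compile(r"\s(" + "|".join(re.escape(k) for k in FEED_KEYS) + r")=")


def parse_feed_line(line):
    """Parse one NSS web log line in the custom format into a dict."""
    line = line.rstrip("\r\n")
    parts = _KEY_SPLIT.split(line)
    # parts layout after the split: [time, key1, value1, key2, value2, ...]
    record = {"time": parts[0]}
    for key, value in zip(parts[1::2], parts[2::2]):
        if key in INT_KEYS:
            try:
                value = int(value)
            except ValueError:
                pass  # keep the raw string if the feed emitted a non-numeric value
        record[key] = value
    return record


def missing_keys(record):
    """Return the expected fields absent from a parsed record, in format order."""
    return [k for k in FEED_KEYS if k not in record]


# Constructed sample line (not real traffic), laid out the way the format above
# would emit it. Hosts and addresses use documentation/example ranges.
SAMPLE_LINE = (
    "Mon Jan 15 10:02:31 2024 recordId=123456789 login=jdoe@example.com "
    "dname=www.example.com dip=203.0.113.10 sip=10.1.2.3 natPublicIp=198.51.100.7 "
    "url=www.example.com/index.html ua=Mozilla/5.0 (Windows NT 10.0; Win64; x64) "
    "module=Web proto=HTTPS action=Allowed reason=Allowed appName=General Browsing "
    "appClass=General Browsing fileType=None reqSize=512 responseSize=2048 totalSize=2560 "
    "malwareCat=None malwareClass=None threatName=None riskScore=0 DLPEng=None DLPDict=None "
    "location=HQ dept=Engineering reqMethod=GET respCode=200 respVersion=HTTP/1.1 "
    "urlClass=Business Use urlSuperCat=Information Technology urlCat=Web Search "
    "referer=None contenttype=text/html unscannabletype=None devicehostname=LAPTOP-01 "
    "deviceowner=jdoe keyprotectiontype=N/A\n"
)

if __name__ == "__main__":
    rec = parse_feed_line(SAMPLE_LINE)
    for k in ("time", "login", "ua", "appName", "riskScore"):
        print(f"{k}={rec[k]!r}")
    print("missing fields:", missing_keys(rec) or "none")
```

To use it against live data, feed it the lines captured at the Chronicle forwarder (for example from a packet capture or the forwarder's local log) and treat any non-empty result from `missing_keys` as a sign that the Feed Output Format was pasted incompletely or with an unintended line break.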
Step 2: Check status in Chronicle
- Repeat the process for each device that needs to be onboarded to Chronicle.
- Once the configuration is complete, validate the logs in Chronicle. Searching with the regular expression (".*"), or with a specific hostname, lists the log source types being ingested into Chronicle; below is the screenshot for reference.