This article covers how to configure Syslog feeds on Zscaler for firewall and DNS logs and send them to Chronicle.
Configuring Syslog on Zscaler Firewall
For ZSCALER_FIREWALL:
To configure a feed for the Firewall Logs, enter the following details when adding the feed:
- Feed Name: Enter the name as Firewall logs.
- NSS Type: Select NSS for Firewall.
- NSS Server: Choose the NSS from the list.
- Status: It is Enabled by default.
- SIEM Destination Type: Enter the Chronicle Forwarder IP Address.
- SIEM TCP Port: Enter port number 11667.
- Log Type: Choose Firewall Logs.
- SIEM Rate Limit (Events per Second): Leave as unrestricted or unlimited.
- Feed Output Type: Select Custom.
- Feed Output Format: For the NSS Feeds for Firewall logs, copy and paste the following code:
%s{mon} %02d{dd} %02d{hh}:%02d{mm}:%02d{ss} zscaler-nss-fw CEF:0|Zscaler|NSSFWlog|5.7|%s{action}|%s{rulelabel}|3|
act=%s{action} suser=%s{login} src=%s{csip} spt=%d{csport} dst=%s{cdip} dpt=%d{cdport}
deviceTranslatedAddress=%s{ssip} deviceTranslatedPort=%d{ssport} destinationTranslatedAddress=%s{sdip}
destinationTranslatedPort=%d{sdport} sourceTranslatedAddress=%s{tsip} sourceTranslatedPort=%d{tsport}
proto=%s{ipproto} tunnelType=%s{ttype} dnat=%s{dnat} spriv=%s{location} reason=%s{rulelabel}
in=%ld{inbytes} out=%ld{outbytes} deviceDirection=1 cs1=%s{dept} cs1Label=dept
cs2=%s{nwsvc} cs2Label=nwService cs3=%s{nwapp} cs3Label=nwApp cs4=%s{aggregate}
cs4Label=aggregated cs5=%s{threatcat} cs5Label=threatcat cs6=%s{threatname} cs6Label=threatname
cn1=%d{durationms} cn1Label=durationms cn2=%d{numsessions} cn2Label=numsessions
cs5Label=ipCat cs5=%s{ipcat} destCountry=%s{destcountry} avgduration=%d{avgduration}\n
- User Obfuscation: Choose Disable to display the usernames.
- Timezone: By default, this is set to the organization's time zone.
- Duplicate Logs: Enter 60 (minutes).
- Click Save and Activate the change.
Configuring Syslog on Zscaler DNS
For ZSCALER_DNS:
To configure a feed for the DNS Logs, enter the following details when adding the feed:
- Feed Name: Enter the name as DNS logs.
- NSS Type: Select NSS for DNS.
- NSS Server: Choose the NSS from the list.
- Status: It is Enabled by default.
- SIEM Destination Type: Enter the Chronicle Forwarder IP Address.
- SIEM TCP Port: Enter port number 11666.
- Log Type: Choose DNS Logs.
- SIEM Rate Limit (Events per Second): Leave as unrestricted or unlimited.
- Feed Output Type: Select Custom.
- Feed Output Format: For the NSS Feeds for DNS logs, copy and paste the following code:
%s{mon} %02d{dd} %02d{hh}:%02d{mm}:%02d{ss} zscaler-nss-fw-dns CEF:0|Zscaler|NSSFWlog|5.7|%s{action}|%s{rulelabel}|3|
act=%s{action} suser=%s{login} cip=%s{cip} cpt=%d{cport} spriv=%s{location}
reason=%s{rulelabel} in=%ld{inbytes} out=%ld{outbytes} deviceDirection=1 durationms=%d{durationms}
ruleresponse=%s{resrulelabel} responseaction=%s{resaction} suser=%s{login} serveripaddress=%s{sip}
serverport=%d{sport} externalId=%d{recordid} FQDN=%s{req}
Domaincategory=%s{domcat} requesttype=%s{reqtype} encoded=%s{eedone} datacentername=%s{datacenter}
datacentercity=%s{datacentercity} datacentercountry=%s{datacentercountry}\n
- User Obfuscation: Choose Disable to display the usernames.
- Timezone: By default, this is set to the organization's time zone.
- Duplicate Logs: Enter 60 (minutes).
- Click Save and Activate the change.
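Both feed templates above emit a syslog line carrying a CEF:0 record. The following added Python example (not part of the Zscaler or Chronicle documentation) parses a constructed sample firewall event in that shape, resolves the csN/cnN custom fields through their Label fields the way a SIEM does, and reports keys that occur twice, which is what happens with cs5, assigned to both threatcat and ipcat in the firewall template. It also shows how a missing space between two fields (dst and dpt) merges them into one value. Sample values are made up; the parser assumes no escaped "|" or "=" characters in the event.

```python
import re

# Constructed sample firewall event in the shape the feed template above emits
# (values are made up; "zscaler-nss-fw" is the hostname the template hardcodes).
SAMPLE_FW_EVENT = (
    "Jan 05 10:15:42 zscaler-nss-fw CEF:0|Zscaler|NSSFWlog|5.7|Allow|Default Firewall Rule|3|"
    "act=Allow suser=alice@example.com src=10.1.2.3 spt=51515 dst=93.184.216.34 dpt=443 "
    "proto=TCP in=1200 out=880 deviceDirection=1 cs1=Engineering cs1Label=dept "
    "cs2=HTTPS cs2Label=nwService cs5=None cs5Label=threatcat "
    "cn1=350 cn1Label=durationms cn2=1 cn2Label=numsessions "
    "cs5Label=ipCat cs5=Business destCountry=US avgduration=350"
)
# The same event as a template with no space between dst and dpt would emit it.
SAMPLE_MERGED_EVENT = SAMPLE_FW_EVENT.replace("93.184.216.34 dpt=", "93.184.216.34dpt=")

CEF_HEADER_FIELDS = ["version", "vendor", "product", "device_version",
                     "signature_id", "name", "severity"]
# The extension is "key=value" pairs; a value runs until the next " key=" token.
# Assumes no escaped "\|" or "\=" in the event (the templates above emit none).
EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_cef(line):
    """Split a syslog line carrying a CEF:0 record into (header, extension, duplicate_keys)."""
    syslog_prefix, _, cef = line.partition("CEF:")
    if not cef:
        raise ValueError("no CEF record in line")
    parts = cef.split("|", 7)  # 7 header fields, then the extension string
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    header = dict(zip(CEF_HEADER_FIELDS, parts[:7]))
    header["syslog_prefix"] = syslog_prefix.strip()
    ext, duplicates = {}, []
    for key, value in EXT_RE.findall(parts[7]):
        if key in ext:
            duplicates.append(key)
        ext[key] = value  # last occurrence wins, as most SIEM parsers do
    return header, ext, duplicates


def resolve_labels(ext):
    """Rename csN/cnN custom fields to their csNLabel/cnNLabel names, as a SIEM would."""
    named = {}
    for key, value in ext.items():
        if re.fullmatch(r"c[sn]\d+", key):
            named[ext.get(key + "Label", key)] = value
        elif not key.endswith("Label"):
            named[key] = value
    return named
```

Running parse_cef on SAMPLE_FW_EVENT reports cs5 and cs5Label as duplicates and resolve_labels keeps only the ipCat value, so the threatcat value never reaches the SIEM; SAMPLE_MERGED_EVENT yields no dpt field at all.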
Verifying logs on Chronicle
Once the configuration is complete, validate that the logs are arriving in Chronicle by searching with the regular expression ".*" (or with a specific hostname); the result lists the log source types being ingested into Chronicle. See the screenshot below for reference.