Configuring Zscaler Private Access to send events to QRadar

When you configure a Syslog format, use the following LEEF output log format for User Status logs:

<166>%s{LogTimestamp:time} zpa-lss LEEF:1.0|Zscaler|ZPA|4.1|%s{SessionStatus}|cat=ZPA User Status\tCustomer=%s{Customer}\tusrName=%s{Username}\tSessionID=%s{SessionID}\tSessionStatus=%s{SessionStatus}\tVersion=%s{Version}\tZEN=%s{ZEN}\tCertificateCN=%s{CertificateCN}\tsrcPreNAT=%s{PrivateIP}\tsrc=%s{PublicIP}\tLatitude=%f{Latitude}\tLongitude=%f{Longitude}\tCountryCode=%s{CountryCode}\tTimestampAuthentication:iso8601=%s{TimestampAuthentication:iso8601}\tTimestampUnAuthentication:iso8601=%s{TimestampUnAuthentication:iso8601}\tdstBytes=%d{TotalBytesRx}\tsrcBytes=%d{TotalBytesTx}\tIdp=%s{Idp}\tidentHostName=%s{Hostname}\tPlatform=%s{Platform}\tClientType=%s{ClientType}\tTrustedNetworks=%s(,){TrustedNetworks}\tTrustedNetworksNames=%s(,){TrustedNetworksNames}\tSAMLAttributes=%s{SAMLAttributes}\tPosturesHit=%s(,){PosturesHit}\tPosturesMiss=%s(,){PosturesMiss}\tZENLatitude=%f{ZENLatitude}\tZENLongitude=%f{ZENLongitude}\tZENCountryCode=%s{ZENCountryCode}\n

When you configure a Syslog format, use the following LEEF output log format for App Connector Status logs:

<166>%s{LogTimestamp:time} zpa-lss LEEF:1.0|Zscaler|ZPA|4.1|%s{SessionStatus}|cat=Connector Status\tCustomer=%s{Customer}\tSessionID=%s{SessionID}\tSessionType=%s{SessionType}\tVersion=%s{Version}\tPlatform=%s{Platform}\tZEN=%s{ZEN}\tConnector=%s{Connector}\tConnectorGroup=%s{ConnectorGroup}\tsrcPreNAT=%s{PrivateIP}\tsrc=%s{PublicIP}\tLatitude=%f{Latitude}\tLongitude=%f{Longitude}\tCountryCode=%s{CountryCode}\tTimestampAuthentication:iso8601=%s{TimestampAuthentication:iso8601}\tTimestampUnAuthentication:iso8601=%s{TimestampUnAuthentication:iso8601}\tCPUUtilization=%d{CPUUtilization}\tMemUtilization=%d{MemUtilization}\tServiceCount=%d{ServiceCount}\tInterfaceDefRoute=%s{InterfaceDefRoute}\tDefRouteGW=%s{DefRouteGW}\tPrimaryDNSResolver=%s{PrimaryDNSResolver}\tHostUpTime=%s{HostUpTime}\tConnectorUpTime=%s{ConnectorUpTime}\tNumOfInterfaces=%d{NumOfInterfaces}\tBytesRxInterface=%d{BytesRxInterface}\tPacketsRxInterface=%d{PacketsRxInterface}\tErrorsRxInterface=%d{ErrorsRxInterface}\tDiscardsRxInterface=%d{DiscardsRxInterface}\tBytesTxInterface=%d{BytesTxInterface}\tPacketsTxInterface=%d{PacketsTxInterface}\tErrorsTxInterface=%d{ErrorsTxInterface}\tDiscardsTxInterface=%d{DiscardsTxInterface}\tTotalBytesRx=%d{TotalBytesRx}\tTotalBytesTx=%d{TotalBytesTx}\n

When you configure a Syslog format, use the following LEEF output log format for Audit logs:

<166>%s{modifiedTime:iso8601} zpa-lss LEEF:1.0|Zscaler|ZPA|4.1|%s{auditOperationType}|cat=ZPA_Audit_Log\tcreationTime=%s{creationTime:iso8601}\trequestId=%s{requestId}\tsessionId=%s{sessionId}\tauditOldValue=%s{auditOldValue}\tauditNewValue=%s{auditNewValue}\tauditOperationType=%s{auditOperationType}\tobjectType=%s{objectType}\tobjectName=%s{objectName}\tobjectId=%d{objectId}\taccountName=%d{customerId}\tusrName=%s{modifiedByUser}\n

When you configure a Syslog format, use the following LEEF output log format for User Activity logs:

<166>%s{LogTimestamp:time} zpa-lss LEEF:1.0|Zscaler|ZPA|4.1|%s{ConnectionStatus}%s{InternalReason}|cat=ZPA User Activity\t\tCustomer=%s{Customer}\tSessionID=%s{SessionID}\tConnectionID=%s{ConnectionID}\tInternalReason=%s{InternalReason}\tConnectionStatus=%s{ConnectionStatus}\tproto=%d{IPProtocol}\tDoubleEncryption=%d{DoubleEncryption}\tusrName=%s{Username}\tdstPort=%d{ServicePort}\tsrc=%s{ClientPublicIP}\tsrcPreNAT=%s{ClientPrivateIP}\tClientLatitude=%f{ClientLatitude}\tClientLongitude=%f{ClientLongitude}\tClientCountryCode=%s{ClientCountryCode}\tClientZEN=%s{ClientZEN}\tpolicy=%s{Policy}\tConnector=%s{Connector}\tConnectorZEN=%s{ConnectorZEN}\tConnectorIP=%s{ConnectorIP}\tConnectorPort=%d{ConnectorPort}\tApplicationName=%s{Host}\tApplicationSegment=%s{Application}\tAppGroup=%s{AppGroup}\tServer=%s{Server}\tdst=%s{ServerIP}\tServerPort=%d{ServerPort}\tPolicyProcessingTime=%d{PolicyProcessingTime}\tServerSetupTime=%d{ServerSetupTime}\tTimestampConnectionStart:iso8601=%s{TimestampConnectionStart:iso8601}\tTimestampConnectionEnd:iso8601=%s{TimestampConnectionEnd:iso8601}\tTimestampCATx:iso8601=%s{TimestampCATx:iso8601}\tTimestampCARx:iso8601=%s{TimestampCARx:iso8601}\tTimestampAppLearnStart:iso8601=%s{TimestampAppLearnStart:iso8601}\tTimestampZENFirstRxClient:iso8601=%s{TimestampZENFirstRxClient:iso8601}\tTimestampZENFirstTxClient:iso8601=%s{TimestampZENFirstTxClient:iso8601}\tTimestampZENLastRxClient:iso8601=%s{TimestampZENLastRxClient:iso8601}\tTimestampZENLastTxClient:iso8601=%s{TimestampZENLastTxClient:iso8601}\tTimestampConnectorZENSetupComplete:iso8601=%s{TimestampConnectorZENSetupComplete:iso8601}\tTimestampZENFirstRxConnector:iso8601=%s{TimestampZENFirstRxConnector:iso8601}\tTimestampZENFirstTxConnector:iso8601=%s{TimestampZENFirstTxConnector:iso8601}\tTimestampZENLastRxConnector:iso8601=%s{TimestampZENLastRxConnector:iso8601}\tTimestampZENLastTxConnector:iso8601=%s{TimestampZENLastTxConnector:iso8601}\tZENTotalBytesRxClient=%d{ZENTotalBytesRxClient}\tZENBytesRxClient=%d{ZENBytesRxClient}\tZENTotalBytesTxClient=%d{ZENTotalBytesTxClient}\tZENBytesTxClient=%d{ZENBytesTxClient}\tZENTotalBytesRxConnector=%d{ZENTotalBytesRxConnector}\tZENBytesRxConnector=%d{ZENBytesRxConnector}\tZENTotalBytesTxConnector=%d{ZENTotalBytesTxConnector}\tZENBytesTxConnector=%d{ZENBytesTxConnector}\tIdp=%s{Idp}\n