Zscaler Nanolog Streaming Service
The IBM QRadar DSM for Zscaler Nanolog Streaming Service (Zscaler NSS) collects Syslog events from either Web logs or Firewall logs.
To integrate Zscaler NSS with QRadar, complete the following steps:
- If automatic updates are not enabled, RPMs are available for download from the IBM® support website (http://www.ibm.com/support). Download and install the most recent version of the following RPMs on your QRadar Console:
  - DSM Common RPM
  - Zscaler NSS DSM RPM
- Configure your Zscaler NSS device to send events to QRadar. For more information about configuring Zscaler NSS, see the Zscaler and IBM QRadar® Deployment Guide (https://help.zscaler.com/zia/zscaler-ibm-qradar-deployment-guide).
Important: When you configure your Zscaler NSS device, QRadar supports the following feeds:
- Firewall logs. For more information about Firewall logs, see Adding NSS Feeds for Firewall logs (https://help.zscaler.com/zia/adding-nss-feeds-firewall-logs).
- Web logs. For more information about Web logs, see Adding NSS Feeds for Web Logs (https://help.zscaler.com/zia/adding-nss-feeds-web-logs).
Use the following LEEF output feed format for Web logs when you configure a Syslog feed in Zscaler NSS:
%s{mon} %02d{dd} %02d{hh}:%02d{mm}:%02d{ss} zscaler-nss: LEEF:1.0|Zscaler|NSS|4.1|%s{reason}|cat=%s{action}\tdevTime=%s{mon} %02d{dd} %d{yy} %02d{hh}:%02d{mm}:%02d{ss} %s{tz}\tdevTimeFormat=MMM dd yyyy HH:mm:ss z\tsrc=%s{cip}\tdst=%s{sip}\tsrcPostNAT=%s{cintip}\trealm=%s{location}\tusrName=%s{login}\tsrcBytes=%d{reqsize}\tdstBytes=%d{respsize}\trole=%s{dept}\tpolicy=%s{reason}\trecordid=%d{recordid}\tbwthrottle=%s{bwthrottle}\tuseragent=%s{ua}\treferer=%s{ereferer}\thostname=%s{ehost}\tappproto=%s{proto}\turlcategory=%s{urlcat}\turlsupercategory=%s{urlsupercat}\turlclass=%s{urlclass}\tappclass=%s{appclass}\tappname=%s{appname}\tmalwaretype=%s{malwarecat}\tmalwareclass=%s{malwareclass}\tthreatname=%s{threatname}\triskscore=%d{riskscore}\tdlpdict=%s{dlpdict}\tdlpeng=%s{dlpeng}\tfileclass=%s{fileclass}\tfiletype=%s{filetype}\treqmethod=%s{reqmethod}\trespcode=%s{respcode}\tbamd5=%s{bamd5}\turl=%s{eurl}
Use the following LEEF output feed format for Firewall logs when you configure a Syslog feed in Zscaler NSS:
%s{mon} %02d{dd} %02d{hh}:%02d{mm}:%02d{ss} zscaler-nss: LEEF:1.0|Zscaler|NSS-FW|6.0|%s{action}|usrName=%s{login}\trole=%s{dept}\trealm=%s{location}\tsrc=%s{csip}\tdst=%s{cdip}\tsrcPort=%d{csport}\tdstPort=%d{cdport}\tdstPreNATPort=%d{cdport}\tsrcPreNATPort=%d{csport}\tdstPostNATPort=%d{sdport}\tsrcPostNATPort=%d{ssport}\tsrcPreNAT=%s{csip}\tdstPreNAT=%s{cdip}\tsrcPostNAT=%s{ssip}\tdstPostNAT=%s{sdip}\ttsip=%s{tsip}\ttsport=%d{tsport}\tttype=%s{ttype}\tcat=nss-fw\tdnat=%s{dnat}\tstateful=%s{stateful}\taggregate=%s{aggregate}\tnwsvc=%s{nwsvc}\tnwapp=%s{nwapp}\tproto=%s{ipproto}\tipcat=%s{ipcat}\tdestcountry=%s{destcountry}\tavgduration=%ld{avgduration}\trulelabel=%s{rulelabel}\tdstBytes=%ld{inbytes}\tsrcBytes=%ld{outbytes}\tduration=%d{duration}\tdurationms=%d{durationms}\tnumsessions=%d{numsessions}\n
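The following parser is an added example (not IBM's or Zscaler's code) that shows how a QRadar-style consumer takes apart one syslog line produced by the Web or Firewall feed formats above: it reads the pipe-delimited LEEF header, splits the tab-separated attributes, and converts the Web feed's devTime according to the devTimeFormat value. The two sample events are constructed with illustrative values.

```python
import re
from datetime import datetime

# Constructed sample events in the Zscaler NSS LEEF feed formats above
# (illustrative values, not captured from a real tenant).
WEB_EVENT = (
    "Jan 05 10:15:30 zscaler-nss: LEEF:1.0|Zscaler|NSS|4.1|Allowed|"
    "cat=Allowed\tdevTime=Jan 05 2024 10:15:30 GMT\t"
    "devTimeFormat=MMM dd yyyy HH:mm:ss z\tsrc=10.0.0.5\tdst=203.0.113.10\t"
    "usrName=alice@example.com\tsrcBytes=512\tdstBytes=2048\t"
    "urlcategory=Business\treqmethod=GET\trespcode=200\turl=example.com/"
)
FW_EVENT = (
    "Jan 05 10:16:02 zscaler-nss: LEEF:1.0|Zscaler|NSS-FW|6.0|Block|"
    "usrName=bob@example.com\tsrc=10.0.0.6\tdst=198.51.100.7\t"
    "srcPort=51515\tdstPort=445\tcat=nss-fw\tproto=TCP\t"
    "rulelabel=Block SMB\tdstBytes=0\tsrcBytes=60\tnumsessions=1"
)

# LEEF 1.0 header: LEEF:Version|Vendor|Product|Version|EventID|attributes
HEADER_RE = re.compile(
    r"LEEF:(?P<leef>[^|]+)\|(?P<vendor>[^|]*)\|(?P<product>[^|]*)\|"
    r"(?P<version>[^|]*)\|(?P<event_id>[^|]*)\|(?P<attrs>.*)$"
)


def parse_leef(line):
    """Parse one syslog line in the NSS LEEF feed format into a dict."""
    m = HEADER_RE.search(line)
    if not m:
        raise ValueError("no LEEF header in line")
    event = {k: m.group(k) for k in ("vendor", "product", "version", "event_id")}
    attrs = {}
    # The feed format separates attributes with a tab, so split on that
    # rather than on spaces (values such as rulelabel can contain spaces).
    for kv in m.group("attrs").split("\t"):
        if "=" in kv:
            key, value = kv.split("=", 1)
            attrs[key] = value
    event["attrs"] = attrs
    # The Web feed carries devTime in devTimeFormat "MMM dd yyyy HH:mm:ss z";
    # the zone token is split off because strptime cannot parse names like GMT.
    if attrs.get("devTimeFormat") == "MMM dd yyyy HH:mm:ss z" and "devTime" in attrs:
        stamp, zone = attrs["devTime"].rsplit(" ", 1)
        event["devtime"] = datetime.strptime(stamp, "%b %d %Y %H:%M:%S")
        event["tz"] = zone
    return event
```

The Firewall feed has no devTime attribute, so for those events QRadar falls back to the syslog timestamp at the start of the line.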
- If QRadar does not automatically detect the log source, add a Zscaler NSS log source on the QRadar Console. For more information about adding a Syslog log source, see Syslog log source parameters for Zscaler NSS.
- Optional: Configure your Zscaler NSS device to send HTTP receiver events to QRadar.
Important: You need a certificate that is issued by a certificate authority (CA). It can't be a self-signed certificate because it must be validated by a CA. For more information about certificates and configuring the log source parameters for HTTP receiver, see HTTP Receiver protocol configuration options.