Zscaler Nanolog Streaming Service

The IBM QRadar DSM for Zscaler Nanolog Streaming Service (Zscaler NSS) collects Syslog events from either Web logs or Firewall logs.

To integrate Zscaler Streaming Service with QRadar, complete the following steps:
  1. If automatic updates are not enabled, RPMs are available for download from the IBM® support website (http://www.ibm.com/support). Download and install the most recent version of the following RPMs on your QRadar Console:
    • DSM Common RPM
    • Zscaler NSS DSM RPM
  2. Configure your Zscaler NSS device to send events to QRadar. For more information about configuring Zscaler NSS, see the Zscaler and IBM QRadar® Deployment Guide (https://help.zscaler.com/zia/zscaler-ibm-qradar-deployment-guide).
    Important: QRadar supports the following two feed formats from your Zscaler NSS device. Use them as given here when you configure the Syslog feeds:
    Use the following LEEF output feed format for Web logs when you configure a Syslog feed in Zscaler NSS:
    %s{mon} %02d{dd} %02d{hh}:%02d{mm}:%02d{ss} zscaler-nss:  LEEF:1.0|Zscaler|NSS|4.1|%s{reason}|cat=%s{action}\tdevTime=%s{mon} %02d{dd} %d{yy} %02d{hh}:%02d{mm}:%02d{ss} %s{tz}\tdevTimeFormat=MMM dd yyyy HH:mm:ss z\tsrc=%s{cip}\tdst=%s{sip}\tsrcPostNAT=%s{cintip}\trealm=%s{location}\tusrName=%s{login}\tsrcBytes=%d{reqsize}\tdstBytes=%d{respsize}\trole=%s{dept}\tpolicy=%s{reason}\trecordid=%d{recordid}\tbwthrottle=%s{bwthrottle}\tuseragent=%s{ua}\treferer=%s{ereferer}\thostname=%s{ehost}\tappproto=%s{proto}\turlcategory=%s{urlcat}\turlsupercategory=%s{urlsupercat}\turlclass=%s{urlclass}\tappclass=%s{appclass}\tappname=%s{appname}\tmalwaretype=%s{malwarecat}\tmalwareclass=%s{malwareclass}\tthreatname=%s{threatname}\triskscore=%d{riskscore}\tdlpdict=%s{dlpdict}\tdlpeng=%s{dlpeng}\tfileclass=%s{fileclass}\tfiletype=%s{filetype}\treqmethod=%s{reqmethod}\trespcode=%s{respcode}\tbamd5=%s{bamd5}\turl=%s{eurl} 
    Use the following LEEF output feed format for Firewall logs when you configure a Syslog feed in Zscaler NSS:
    %s{mon} %02d{dd} %02d{hh}:%02d{mm}:%02d{ss} zscaler-nss: LEEF:1.0|Zscaler|NSS-FW|6.0|%s{action}|usrName=%s{login}\trole=%s{dept}\trealm=%s{location}\tsrc=%s{csip}\tdst=%s{cdip}\tsrcPort=%d{csport}\tdstPort=%d{cdport}\tdstPreNATPort=%d{cdport}\tsrcPreNATPort=%d{csport}\tdstPostNATPort=%d{sdport}\tsrcPostNATPort=%d{ssport}\tsrcPreNAT=%s{csip}\tdstPreNAT=%s{cdip}\tsrcPostNAT=%s{ssip}\tdstPostNAT=%s{sdip}\ttsip=%s{tsip}\ttsport=%d{tsport}\tttype=%s{ttype}\tcat=nss-fw\tdnat=%s{dnat}\tstateful=%s{stateful}\taggregate=%s{aggregate}\tnwsvc=%s{nwsvc}\tnwapp=%s{nwapp}\tproto=%s{ipproto}\tipcat=%s{ipcat}\tdestcountry=%s{destcountry}\tavgduration=%ld{avgduration}\trulelabel=%s{rulelabel}\tdstBytes=%ld{inbytes}\tsrcBytes=%ld{outbytes}\tduration=%d{duration}\tdurationms=%d{durationms}\tnumsessions=%d{numsessions}\n
  3. If QRadar does not automatically detect the log source, add a Zscaler NSS log source on the QRadar Console. For more information about adding a Syslog log source, see Syslog log source parameters for Zscaler NSS.
  4. Optional: Configure your Zscaler NSS device to send HTTP receiver events to QRadar.
    Important: You need a certificate that is issued by a certificate authority (CA). It can't be a self-signed certificate because it must be validated by a CA. For more information about certificates and configuring the log source parameters for HTTP receiver, see HTTP Receiver protocol configuration options.
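As an added example (not IBM's or Zscaler's own code), the following Python parses syslog lines in the two LEEF 1.0 layouts shown above and reduces either feed to a small common record, which is useful for checking what a feed emits before pointing it at QRadar. The sample lines and all of their field values are constructed.

```python
import re

# Constructed sample lines (not real Zscaler output) in the two LEEF layouts
# this page gives; real NSS output uses literal tab characters between pairs.
SAMPLE_WEB = (
    "Jan 05 14:03:21 zscaler-nss:  LEEF:1.0|Zscaler|NSS|4.1|Blocked by policy|"
    "cat=Blocked\tdevTime=Jan 05 2024 14:03:21 GMT\tsrc=10.1.2.3\tdst=203.0.113.10\t"
    "usrName=alice@example.com\trole=Finance\tthreatname=None\triskscore=75\t"
    "url=example.com/download?id=1"
)
SAMPLE_FW = (
    "Jan 05 14:03:22 zscaler-nss: LEEF:1.0|Zscaler|NSS-FW|6.0|Allow|"
    "usrName=bob@example.com\tsrc=10.1.2.4\tdst=198.51.100.7\tsrcPort=51234\t"
    "dstPort=443\tcat=nss-fw\tproto=TCP\trulelabel=Default Rule\tdstBytes=5120\n"
)

# LEEF 1.0 header: LEEF:Version|Vendor|Product|ProductVersion|EventID|
LEEF_HEADER = re.compile(
    r"LEEF:(?P<version>[^|]*)\|(?P<vendor>[^|]*)\|(?P<product>[^|]*)\|"
    r"(?P<prodver>[^|]*)\|(?P<event_id>[^|]*)\|"
)

def parse_leef(line):
    """Split one syslog line into syslog prefix, LEEF header and tab-separated
    key=value attributes; values may contain '=' so split on the first one."""
    m = LEEF_HEADER.search(line)
    if not m:
        raise ValueError("no LEEF 1.0 header found")
    event = {"syslog_prefix": line[:m.start()].rstrip()}
    event.update(m.groupdict())
    attrs = {}
    for pair in line[m.end():].rstrip("\n").split("\t"):
        key, sep, value = pair.partition("=")
        if sep:
            attrs[key] = value
    event["attrs"] = attrs
    return event

def normalize(event):
    """Reduce either feed to the fields shared by both plus feed specifics."""
    a = event["attrs"]
    kind = {"NSS": "web", "NSS-FW": "firewall"}.get(event["product"], "unknown")
    out = {"kind": kind, "event_id": event["event_id"], "src": a.get("src"),
           "dst": a.get("dst"), "user": a.get("usrName")}
    if kind == "web":  # only the Web feed carries a risk score
        out["riskscore"] = int(a.get("riskscore", "0"))
    elif kind == "firewall":  # only the Firewall feed carries ports
        out["dst_port"] = int(a["dstPort"]) if "dstPort" in a else None
    return out
```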