Zscaler Nanolog Streaming Service

The Data source type for Zscaler Nanolog Streaming Service (Zscaler NSS) collects Syslog events from either Web logs or Firewall logs.

To integrate Zscaler Streaming Service with QRadar®, complete the following steps:
  1. Configure your Zscaler NSS device to send events to QRadar. For more information about configuring Zscaler NSS, see the Zscaler and IBM® QRadar Deployment Guide (https://help.zscaler.com/zia/zscaler-ibm-qradar-deployment-guide).
    Important: When you configure your Zscaler NSS device, QRadar supports the following feeds:
    Use the following LEEF output feed format for Web logs when you configure a Syslog feed in Zscaler NSS:
    %s{mon} %02d{dd} %02d{hh}:%02d{mm}:%02d{ss} zscaler-nss:  LEEF:1.0|Zscaler|NSS|4.1|%s{reason}|cat=%s{action}\tdevTime=%s{mon} %02d{dd} %d{yy} %02d{hh}:%02d{mm}:%02d{ss} %s{tz}\tdevTimeFormat=MMM dd yyyy HH:mm:ss z\tsrc=%s{cip}\tdst=%s{sip}\tsrcPostNAT=%s{cintip}\trealm=%s{location}\tusrName=%s{login}\tsrcBytes=%d{reqsize}\tdstBytes=%d{respsize}\trole=%s{dept}\tpolicy=%s{reason}\trecordid=%d{recordid}\tbwthrottle=%s{bwthrottle}\tuseragent=%s{ua}\treferer=%s{ereferer}\thostname=%s{ehost}\tappproto=%s{proto}\turlcategory=%s{urlcat}\turlsupercategory=%s{urlsupercat}\turlclass=%s{urlclass}\tappclass=%s{appclass}\tappname=%s{appname}\tmalwaretype=%s{malwarecat}\tmalwareclass=%s{malwareclass}\tthreatname=%s{threatname}\triskscore=%d{riskscore}\tdlpdict=%s{dlpdict}\tdlpeng=%s{dlpeng}\tfileclass=%s{fileclass}\tfiletype=%s{filetype}\treqmethod=%s{reqmethod}\trespcode=%s{respcode}\t%s{bamd5}\turl=%s{eurl} 
    Use the following LEEF output feed format for Firewall logs when you configure a Syslog feed in Zscaler NSS:
    %s{mon} %02d{dd} %02d{hh}:%02d{mm}:%02d{ss} zscaler-nss: LEEF:1.0|Zscaler|NSS-FW|6.0|%s{action}|usrName=%s{login}\trole=%s{dept}\trealm=%s{location}\tsrc=%s{csip}\tdst=%s{cdip}\tsrcPort=%d{csport}\tdstPort=%d{cdport}\tdstPreNATPort=%d{cdport}\tsrcPreNATPort=%d{csport}\tdstPostNATPort=%d{sdport}\tsrcPostNATPort=%d{ssport}\tsrcPreNAT=%s{csip}\tdstPreNAT=%s{cdip}\tsrcPostNAT=%s{ssip}\tdstPostNAT=%s{sdip}\ttsip=%s{tsip}\ttsport=%d{tsport}\tttype=%s{ttype}\tcat=nss-fw\tdnat=%s{dnat}\tstateful=%s{stateful}\taggregate=%s{aggregate}\tnwsvc=%s{nwsvc}\tnwapp=%s{nwapp}\tproto=%s{ipproto}\tipcat=%s{ipcat}\tdestcountry=%s{destcountry}\tavgduration=%ld{avgduration}\trulelabel=%s{rulelabel}\tdstBytes=%ld{inbytes}\tsrcBytes=%ld{outbytes}\tduration=%d{duration}\tdurationms=%d{durationms}\tnumsessions=%d{numsessions}\n
  2. If QRadar does not automatically detect the data source, add a Zscaler NSS data source on the QRadar Console. For more information about adding the data source, see Syslog log source parameters for Zscaler NSS.
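The following Python is an added example, not part of this documentation and not QRadar's own parser. It shows how a line in either LEEF feed format above is taken apart: the syslog prefix, the LEEF:1.0 header, the tab-separated attributes, the keyless %s{bamd5} value that the Web feed emits, and the devTime field read according to the declared devTimeFormat. The sample lines and function names are constructed for this example.

```python
from datetime import datetime
# Constructed sample events in the shape the two NSS feeds above emit: syslog prefix,
# LEEF:1.0 header, then tab-separated attributes. Every value below is made up.
SAMPLE_WEB = (
    "Jan 05 10:15:30 zscaler-nss:  LEEF:1.0|Zscaler|NSS|4.1|Blocked|cat=Blocked\t"
    "devTime=Jan 05 2024 10:15:30 GMT\tdevTimeFormat=MMM dd yyyy HH:mm:ss z\t"
    "src=10.0.0.5\tdst=203.0.113.9\tusrName=alice@example.com\tsrcBytes=512\tdstBytes=0\t"
    "urlcategory=Malicious Content\tthreatname=Example.Test\triskscore=90\trespcode=403\t"
    "0123456789abcdef0123456789abcdef\turl=http://example.com/a|b"  # bare value = %s{bamd5}
)
SAMPLE_FW = (
    "Jan 05 10:16:02 zscaler-nss: LEEF:1.0|Zscaler|NSS-FW|6.0|Drop|usrName=bob@example.com\t"
    "src=10.0.0.6\tdst=198.51.100.7\tsrcPort=51000\tdstPort=445\tcat=nss-fw\tproto=TCP\t"
    "rulelabel=Block SMB\tdstBytes=0\tsrcBytes=120\tduration=0\tnumsessions=1\n"
)

def parse_devtime(devtime, devtime_format=None):
    """Turn devTime into ISO 8601 plus its zone token; unknown formats come back raw."""
    if devtime_format not in (None, "MMM dd yyyy HH:mm:ss z"):  # format the Web feed declares
        return devtime
    stamp, _, tz = devtime.rpartition(" ")
    try:
        return datetime.strptime(stamp, "%b %d %Y %H:%M:%S").isoformat() + " " + tz
    except ValueError:
        return devtime

def parse_nss_leef(line):
    """Parse one NSS LEEF 1.0 line into a dict; None means it is not a LEEF:1.0 event."""
    prefix, sep, body = line.partition("LEEF:1.0|")
    if not sep:
        return None
    # At most four '|' splits, so a '|' inside an attribute value (e.g. a URL) survives.
    parts = body.split("|", 4)
    if len(parts) != 5:
        return None
    vendor, product, version, event_id, attrs = parts
    event = {"syslogPrefix": prefix.strip(), "vendor": vendor, "product": product,
             "version": version, "eventId": event_id, "unkeyed": []}
    for attr in attrs.rstrip("\n").split("\t"):  # the Firewall feed ends with a literal \n
        key, eq, value = attr.partition("=")
        if eq:
            event[key] = value
        elif attr:  # the Web feed emits %s{bamd5} with no key; keep it rather than drop it
            event["unkeyed"].append(attr)
    if "devTime" in event:
        event["devTimeParsed"] = parse_devtime(event["devTime"], event.get("devTimeFormat"))
    return event

def feed_type(event):
    # The product field (NSS vs NSS-FW) tells the two feeds apart for routing.
    return {"NSS": "web", "NSS-FW": "firewall"}.get(event["product"])
```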

For more information about adding a data source, see Adding ingestion data sources.

If you are an IBM QRadar user, see Terminology changes for QRadar customers.