# ZScaler NSS (syslog)

In this guide, you will create custom log formats for ZScaler NSS log configuration. This is required in order to send ZScaler ZPA logs to Radiant Security without the use of an intermediary syslog relay server. These custom log formats will be provided by Radiant Security and are specific to your configuration.

### Add the data connector in Radiant Security

1. Log in to [Radiant Security](https://app.radiantsecurity.ai/).
2. From the navigation menu, click **Settings > Data Connectors** and click **+ Add Connector**.&#x20;
3. Search for and select the **ZScaler NSS** option and then click **Data Feeds**, then click **Credentials**.&#x20;
4. Under **Credential** **Name**, give the credential an identifiable name (e.g. `ZScaler NSS - Token` ). If you already have a credential in place, select it from the drop-down menu. Click **Add** **Connector**.
5. In the **Connector** **tag** field, enter a random value. This value will act as the salt to randomize the **Token** you’ll download in the next step.
6. Click **Add** **Connector**.
7. Copy and save the Token value. Click Download File to download the **SSL** **Certificate** and **Custom** **Template** as you will need these files when configuring the syslog source.
8. Click **Done** to save your changes.

### Configure a local Radiant Security Agent

Refer to the [Install the Radiant Security Agent](https://help.radiantsecurity.ai/radiant-connectors/data-connectors/install-the-radiant-security-agent) guide to set up a local agent to collect the logs.

### Deploy the NSS server

Please refer to ZScaler's official documentation on [how to add NSS servers](https://help.zscaler.com/zia/adding-nss-servers). You'll also need to contact the ZScaler support team for instructions on how to deploy the NSS server on your environment. The support team will calculate the appropriate resources for your NSS server.

### Set up NSS integration with Radiant Security

Some log types have specific parameters, please refer to the table at the end of this section to verify those parameters.

1. Log in to the ZScaler admin portal and go to the **Administration > Nanolog streaming service > NSS Feed** section.
2. Click **Add NSS Feed** and enter the following information:
   * Enter the feed name, preferably with the `radiantSecurity_` prefix to easily identify the feed.
   * Select **NSS for Web** in the **NSS Type** field.
   * Select an NSS server from the drop-down menu.
   * Select the SIEM destination type:
     * **IP** or **FQDN** of the local Syslog Forwarder
   * **SIEM TCP Port**: `514`
   * For **SIEM Rate**, select **Unlimited**.
   * For **Log Type**, select **Web Log**.
   * For **Feed Output Type**, select **Custom**
   * **Feed Escape Character**: `,\"`
   * **Feed Output Format**:
     * Paste the format according to the log type selected. The custom formats can be found on the **Custom** **Templates** file that you downloaded during the Radiant Security data connector set up.
   * Click **Save**.
3. Repeat **step 2** for each log type listed in the table below. Some log types require additional parameters, as indicated in the table.

| **Log Type**                | **Parameters**                                                                                                         |
| --------------------------- | ---------------------------------------------------------------------------------------------------------------------- |
| Web Logs                    | <ul><li>NSS Type: NSS for Web</li></ul>                                                                                |
| Firewall Logs               | <ul><li>NSS Type: NSS for Firewall</li><li>Log Domain: Firewall</li><li>Firewall Log Type: Aggregate Logs</li></ul>    |
| DNS Logs                    | <ul><li>Log Domain: Firewall</li></ul>                                                                                 |
| Tunnel Logs                 | <ul><li>NSS Type: NSS for Web</li><li>Record Type: Tunnel Event</li></ul>                                              |
| SaaS Security Logs          | <ul><li>NSS Type: NSS for Web</li><li>Application Category: Select all the application categories that apply</li></ul> |
| SaaS Security Activity Logs | <ul><li>NSS Type: NSS for Web</li></ul>                                                                                |
| Endpoint DLP Logs           | <ul><li>NSS Type: NSS for Web</li></ul>                                                                                |
| Email DLP Logs              | <ul><li>NSS Type: NSS for Web</li></ul>                                                                                |

4. After adding all the feeds, click on **Activation** on the left-side menu, then click **Activate** to deploy and activate the changes.\
   &#x20;![](https://2439665791-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPsFulb2ZOtSPcRSc2rXE%2Fuploads%2F9FanX4431eBNOlHEbO8p%2FZScaler%20NSS%20\(syslog\)_05.png?alt=media\&token=fd413ed4-8f9b-4885-9f71-96b2a851dad0)


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://help.radiantsecurity.ai/radiant-connectors/data-connectors/zscaler-nss-syslog.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.