ZScaler NSS (syslog)

Configure ZScaler NSS custom log formats for log forwarding to Radiant Security.

In this guide, you will create custom log formats for ZScaler NSS log configuration. This is required in order to send ZScaler ZPA logs to Radiant Security without the use of an intermediary syslog relay server. These custom log formats will be provided by Radiant Security and are specific to your configuration.

Add the data connector in Radiant Security

  1. Log in to Radiant Security.

  2. From the navigation menu, click Settings > Data Connectors and click + Add Connector.

  3. Search for and select the ZScaler NSS option and then click Data Feeds, then click Credentials.

  4. Under Credential Name, give the credential an identifiable name (e.g. ZScaler NSS - Token ). If you already have a credential in place, select it from the drop-down menu. Click Add Connector.

  5. In the Connector tag field, enter a random value. This value will act as the salt to randomize the Token you’ll download in the next step.

  6. Click Add Connector.

  7. Copy and save the Token value. Click Download File to download the SSL Certificate and Custom Template as you will need these files when configuring the syslog source.

  8. Click Done to save your changes.

Configure a local Radiant Security Agent

Refer to the Install the Radiant Security Agent guide to set up a local agent to collect the logs.

Deploy the NSS server

Please refer to ZScaler's official documentation on how to add NSS servers. You'll also need to contact the ZScaler support team for instructions on how to deploy the NSS server on your environment. The support team will calculate the appropriate resources for your NSS server.

Set up NSS integration with Radiant Security

Some log types have specific parameters, please refer to the table at the end of this section to verify those parameters.

  1. Log in to the ZScaler admin portal and go to the Administration > Nanolog streaming service > NSS Feed section.

  2. Click Add NSS Feed and enter the following information:

    • Enter the feed name, preferably with the radiantSecurity_ prefix to easily identify the feed.

    • Select NSS for Web in the NSS Type field.

    • Select an NSS server from the drop-down menu.

    • Select the SIEM destination type:

      • IP or FQDN of the local Syslog Forwarder

    • SIEM TCP Port: 514

    • For SIEM Rate, select Unlimited.

    • For Log Type, select Web Log.

    • For Feed Output Type, select Custom

    • Feed Escape Character: ,\"

    • Feed Output Format:

      • Paste the format according to the log type selected. The custom formats can be found on the Custom Templates file that you downloaded during the Radiant Security data connector set up.

    • Click Save.

  3. Repeat step 2 for each log type listed in the table below. Some log types require additional parameters, as indicated in the table.

Log Type

Parameters

Web Logs

  • NSS Type: NSS for Web

Firewall Logs

  • NSS Type: NSS for Firewall

  • Log Domain: Firewall

  • Firewall Log Type: Aggregate Logs

DNS Logs

  • Log Domain: Firewall

Tunnel Logs

  • NSS Type: NSS for Web

  • Record Type: Tunnel Event

SaaS Security Logs

  • NSS Type: NSS for Web

  • Application Category: Select all the application categories that apply

SaaS Security Activity Logs

  • NSS Type: NSS for Web

Endpoint DLP Logs

  • NSS Type: NSS for Web

Email DLP Logs

  • NSS Type: NSS for Web

  1. After adding all the feeds, click on Activation on the left-side menu, then click Activate to deploy and activate the changes.

PreviousZScaler Cloud NSS FeedNextAction Connectors

Last updated