ZScaler NSS (syslog)

Configure ZScaler NSS custom log formats log forwarding to Radiant Security.

Overview

In this guide, you will create custom log formats for ZScaler NSS log configuration. This is required in order to send ZScaler ZPA logs to Radiant Security without the use of an intermediary syslog relay server. These custom log formats will be provided by Radiant Security and are specific to your configuration.

To do this, you’ll need to complete the following steps:

Add the data connector in Radiant Security
Deploy the NSS server
Set up NSS integration with Radiant Security

Add the data connector in Radiant Security

1. Log in to Radiant Security.
2. From the navigation menu, click Settings > Data Connectors and click + Add Connector.
3. Search for and select the ZScaler NSS option and then click Data Feeds.
4. Select the ZScaler NSS data feed and then click Credentials.
5. Under Credential Name, give the credential an identifiable name (e.g. `ZScaler NSS - Token` ). If you already have a credential in place, select it from the drop-down menu. Click Add Connector.
6. In the Connector tag field, enter a random value. This value will act as the salt to randomize the Token you’ll download in the next step. 7. Click Add Connector.
8. Copy and save the Token value. Click Download File to download the SSL Certificate and Custom Template as you will need these files when configuring the syslog source. 9. Click Done to save your changes.

Deploy the NSS server

Please refer to ZScaler's official documentation on how to add NSS servers. You'll also need to contact the ZScaler support team for instructions on how to deploy the NSS server on your environment. The support team will calculate the appropriate resources for your NSS server.

Set up NSS integration with Radiant Security

Some log types have specific parameters, please refer to the table at the end of this section to verify those parameters.

Log in to the ZScaler admin portal and go to the Administration > Nanolog streaming service > NSS Feed section.
Click Add NSS Feed and enter the following information:
1. Enter the feed name, preferably with the radiantSecurity_ prefix to easily identify the feed.
2. Select NSS for Web in the NSS Type field.
3. Select an NSS server from the drop-down menu.
4. Select the SIEM destination type:
  1. IP or FQDN of the local Syslog Forwarder
5. SIEM TCP Port: 514
6. For SIEM Rate, select Unlimited.
7. For Log Type, select Web Log.
8. For Feed Output Type, select Custom
9. Feed Escape Character: ,\”
10. Feed Output Format:
  1. Paste the format according to the log type selected. The custom formats can be found on the Custom Templates file that you downloaded during the Radiant Security data connector set up.
11. Click Save.

Repeat step 2 for each log type listed in the table below. Some log types require additional parameters, as indicated in the table.

Log Type	Parameters
Web Logs	NSS Type: NSS for Web
Firewall Logs	NSS Type: NSS for Firewall Log Domain: Firewall Firewall Log Type: Aggregate Logs
DNS Logs	Log Domain: Firewall
Tunnel Logs	NSS Type: NSS for Web Record Type: Tunnel Event
SaaS Security Logs	NSS Type: NSS for Web Application Category: Select all the application categories that apply
SaaS Security Activity Logs	NSS Type: NSS for Web
Endpoint DLP Logs	NSS Type: NSS for Web
Email DLP Logs	NSS Type: NSS for Web

We value your opinion. Did you find this article helpful? Share your thoughts by clicking here or reach to our Product and Customer Success teams at support@radiantsecurity.ai

Last updated: 2024-09-17