Zscaler ZIA
Realm Security integrates with Zscaler NSS VM-based appliances, enabling intelligent routing and analysis of security event logs.
Zscaler NSS supports sending log data to configured destinations using the generic syslog protocol in key/value format.
Data Flow:
Zscaler (VM based) NSS > Realm Data Connector (onprem) > Realm Cloud Backend
Setup Zscaler Source in Realm
- Log in to the Realm console.
- Add a new Source: go to Sources > Add > select the Zscaler ZIA / Splunk (CIM) format.
- Name: Zscaler ZIA
- Description: Zscaler ZIA logs
- If a collector is already set up, go to Collectors > select your collector. If not, add a new collector.
- To add a new collector, go to Collectors > Add > give it a name and description.
- Add a Zscaler stream to the collector:
  - Click Add Stream.
  - Product Format: select Zscaler ZIA / Splunk (CIM).
  - From Source drop-down: select the Zscaler source created above.
  - Framing Trailer: select Unspecified.
  - Click the Add Stream button.
- To view all assigned ports for the Zscaler ZIA feeds, click the VIEW PORTS action. The modal shows the receiving port number for each of the NSS feed types. These are the syslog receiving ports on the collector; you will need them when configuring each of the Zscaler NSS syslog feeds.
Prerequisites
- Ensure you have administrative access to your Zscaler NSS VM.
- A Realm collector is set up and running. See the Realm Collector install guide for setting up a collector.
- Realm Security syslog collector IP address or FQDN.
- Realm collector receiving port numbers. In the Realm console, go to Collectors > select the collector > More actions button for the Zscaler stream > View assigned ports > copy the port number listed for each NSS feed type.
Setup Zscaler NSS feed
Follow these steps to configure an NSS feed for firewall logs to the Realm Security Data Fabric.
Make sure to use the following values:
- Feed Name: name of the feed
- NSS Type: select the type
- SIEM Destination Type: IP Address
- SIEM IP Address: enter the IP address of the Realm data collector VM.
- SIEM TCP Port: port number from the Realm console corresponding to the NSS feed type.
- Feed Output Type: select Splunk CIM.
Support
For additional details, refer to the official Zscaler NSS documentation.
If you encounter any issues or require assistance, contact Realm Security support.
Event metadata
The following additional metadata fields will be included with the events:
| Feed Type | Field Name | Value |
|---|---|---|
| All feeds | _sourceCategory | zscaler/zia-splunk |
| ZIA WEB | source_type | zscalernss-web |
| ZIA TUNNEL | source_type | zscalernss-tunnel |
| ZIA FIREWALL | source_type | zscalernss-fw |
| ZIA DNS | source_type | zscalernss-dns |
| ZIA AUDIT | source_type | zscalernss-audit |
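As an added example (not Realm's or Zscaler's own code), the following Python parses a key/value syslog payload of the kind NSS emits, attaches the metadata fields from the table above for the chosen feed type, and rejects unknown feed types. The field names in the constructed sample line and the newline-terminated TCP framing used by `send_test_line` are assumptions, not Zscaler's documented schema.

```python
import re
import socket
from typing import Dict

# Metadata Realm attaches per NSS feed type (values from the table above).
SOURCE_CATEGORY = "zscaler/zia-splunk"
SOURCE_TYPE = {
    "web": "zscalernss-web",
    "tunnel": "zscalernss-tunnel",
    "fw": "zscalernss-fw",
    "dns": "zscalernss-dns",
    "audit": "zscalernss-audit",
}

# key=value pairs; a quoted value may contain spaces and \" escapes.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_kv(payload: str) -> Dict[str, str]:
    """Parse a key/value syslog payload into a dict, unquoting values."""
    event = {}
    for key, val in _KV.findall(payload):
        if len(val) >= 2 and val[0] == '"' and val[-1] == '"':
            val = val[1:-1].replace('\\"', '"')
        event[key] = val
    return event


def enrich(feed_type: str, payload: str) -> Dict[str, str]:
    """Parse one line and add the per-feed metadata; reject unknown feed types."""
    if feed_type not in SOURCE_TYPE:
        raise ValueError(f"unknown NSS feed type: {feed_type!r}")
    event = parse_kv(payload)
    event["_sourceCategory"] = SOURCE_CATEGORY
    event["source_type"] = SOURCE_TYPE[feed_type]
    return event


def send_test_line(host: str, port: int, payload: str, timeout: float = 5.0) -> None:
    """Send one newline-terminated line over TCP to a collector port (assumed framing)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(payload.encode("utf-8") + b"\n")


# Constructed sample payload; field names are illustrative, not Zscaler's schema.
SAMPLE_FW = ('time="2024-01-01 00:00:00" action="Allowed" src=10.0.0.5 '
             'dst=192.0.2.10 dport=443 rule="Default Firewall Rule"')

if __name__ == "__main__":
    print(enrich("fw", SAMPLE_FW))
```

Point `send_test_line` at the collector IP and the port shown for the matching feed type in the VIEW PORTS modal to confirm the stream is reachable before configuring the NSS feed.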
References
- https://help.zscaler.com/zia/adding-nss-feeds-firewall-logs
- https://help.zscaler.com/zia/understanding-nanolog-streaming-service
- https://help.zscaler.com/zia/general-guidelines-nss-feeds-and-feed-formats
- https://help.zscaler.com/zia/nss-feed-output-format-firewall-logs
- https://help.zscaler.com/zpa/zpa-and-splunk-deployment-guide