Zscaler is a cloud-based internet and application security gateway used by enterprise customers worldwide. As part of operating this service, the end users of a Zscaler customer may generate a large amount of logging information, which is accessible within Zscaler and is also available to stream into the Splunk platform.
The Zscaler Technical Add-On for Splunk takes events from Zscaler data sources and maps these to types compatible with Splunk’s Common Information Model (CIM), as well as tagging all events where relevant to specific CIM data model(s).
Zscaler traffic, status, and access logs provide a rich source of data for ingesting into the Splunk platform. This information can then be used to enrich other data sources and generate interesting events related to business services and technology operations.
Before looking at documentation for specific data sources, review the Splunk Docs information on general data ingestion:
Getting data in
| Source | Add-ons and Apps | Guidance |
|---|---|---|
| Splunk platform | Zscaler Technical Add-On for Splunk | Zscaler and Splunk Deployment Guide |
Zscaler data sources
Zscaler can stream logs into customer environments. This is facilitated via Zscaler-supplied virtual machines which execute in a customer’s (or partner’s) hosted compute environment.
These virtual machines attach to the Zscaler cloud via outbound connections and receive encrypted and tokenized logs to stream into customer log collection and SIEM platforms. The log streams are:
| Log type | Streaming technology | Platforms |
|---|---|---|
| Proxy | NSS - Web | VMware, AWS and Azure |
| Tunnel | NSS - Web | VMware, AWS and Azure |
| Firewall | NSS - CWF | VMware, AWS and Azure |
| DNS | NSS - CWF | VMware, AWS and Azure |
| Alert | NSS - CWF/Web | VMware, AWS and Azure |
| App Auth | LSS | RedHat compatible |
| App Access | LSS | RedHat compatible |
| Browser Access | LSS | RedHat compatible |
Source types for the Zscaler Technical Add-On
Several source types are defined in the Zscaler Technical Add-On. Actual use of the source types may vary depending on what bundle and features a Zscaler customer is subscribed to.
There are no pre-configured data inputs. These need to be configured by the Splunk Admin.
| Source type | Description |
|---|---|
| zscalernss-web | ZIA Proxy Logs |
| zscalernss-tunnel | ZIA Tunnel Logs (up/down events and aggregate traffic stats) |
| zscalernss-fw | ZIA Firewall Logs |
| zscalernss-dns | ZIA DNS Logs |
| zscalernss-alerts | System Alerts from Zscaler NSS (Proxy and Firewall) |
| zscalerlss-zpa-connector | ZPA Connector Logs |
| zscalerlss-zpa-app | ZPA Application Access Logs |
| zscalerlss-zpa-auth | ZPA User Authentication Logs |
| zscalerlss-zpa-bba | ZPA Browser Access Logs |
| zscalerapi-zia-audit | ZIA Administrative Audit Logs |
| zscalerapi-zia-sandbox | ZIA detailed Sandbox detonation Logs |
Streaming log inputs
Zscaler NSS and LSS streams are typically sent to Splunk via Network Inputs. These can be sent directly to the inbuilt Splunk TCP inputs, or pre-processed using Splunk Connect for Syslog (SC4S). For scale and best practice, SC4S is recommended.
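As an added illustration (not configuration shipped with the Zscaler Technical Add-On or taken from the deployment guide), the direct-to-Splunk option above amounts to an inputs.conf fragment with one TCP input per NSS/LSS stream, each assigned the add-on's source type so that its CIM mappings apply; the port numbers and the `zscaler` index are assumptions:

```ini
# Assumed inputs.conf fragment: one Splunk TCP input per Zscaler stream.
# Each NSS/LSS feed is pointed at its own port so it can be tagged with the
# add-on's source type. Ports and the "zscaler" index are placeholders;
# pick values that suit your environment and create the index first.

# ZIA NSS streams (delivered by the NSS VM)
[tcp://9514]
sourcetype = zscalernss-web
index = zscaler
connection_host = ip
disabled = 0

[tcp://9515]
sourcetype = zscalernss-tunnel
index = zscaler
connection_host = ip
disabled = 0

[tcp://9516]
sourcetype = zscalernss-fw
index = zscaler
connection_host = ip
disabled = 0

[tcp://9517]
sourcetype = zscalernss-dns
index = zscaler
connection_host = ip
disabled = 0

[tcp://9518]
sourcetype = zscalernss-alerts
index = zscaler
connection_host = ip
disabled = 0

# ZPA LSS streams (delivered by the LSS / App Connector host)
[tcp://9519]
sourcetype = zscalerlss-zpa-app
index = zscaler
connection_host = ip
disabled = 0

[tcp://9520]
sourcetype = zscalerlss-zpa-auth
index = zscaler
connection_host = ip
disabled = 0

# Add matching stanzas for zscalerlss-zpa-connector and zscalerlss-zpa-bba.
# To receive the feed over TLS instead of plain TCP, use a [tcp-ssl://<port>]
# stanza together with a configured [SSL] stanza (serverCert) in inputs.conf.
```

Because `connection_host = ip` records the sending NSS/LSS VM as `host`, restrict the listening ports at the network layer to those VMs so that only Zscaler log traffic reaches them.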
Zscaler runs a number of open APIs which include read and write functions. The Zscaler Splunk integration focuses on read functions for Zscaler Sandbox detonation reports and Zscaler Admin Audit logs. Access Zscaler's help portal for full specifications for the Zscaler API.
Modular inputs for Zscaler APIs
This method is used for Admin Audit and Sandbox detonation logs. Use the detailed configuration guides that correspond to cloud and on-prem Zscaler environments. Splunk Essential Configuration (using NSS VM - stream syslog over TCP) and Splunk Essential Configuration (using Cloud-to-Cloud logging - HTTPS POST) are both available in the appendix of the Zscaler and Splunk Deployment Guide.