Skip to main content


Splunk Lantern



Zscaler is the a cloud-based internet and application security gateway used by enterprise customers worldwide. As part of operating this service, Zscaler customer’s end users may generate a large amount of logging information, information accessible within Zscaler, and also data available to stream into the Splunk platform.

The Zscaler Technical Add-On for Splunk takes events from Zscaler data sources and maps these to types compatible with Splunk’s Common Information Model (CIM), as well as tagging all events where relevant to specific CIM data model(s).

Zscaler traffic, status, and access logs provide a rich source of data for ingesting into the Splunk platform. This information can then be used to enrich other data sources and generate interesting events related to business services and technology operations.

Zscaler data sources

Zscaler can stream logs into customer environments. This is facilitated via Zscaler-supplied virtual machines which execute in a customer’s (or partner’s) hosted compute environment.

These virtual machines attach to the Zscaler cloud via outbound connections and receive encrypted and tokenized logs to stream into customer log collection and SIEM platforms. The various types of log streams are:

Log Type Streaming Technology Platforms
Proxy NSS - Web VMware, AWS and Azure
Tunnel NSS - Web VMware, AWS and Azure
Firewall NSS - CWF VMware, AWS and Azure
DNS NSS - CWF VMware, AWS and Azure
Alert NSS – CWF/Web VMware, AWS and Azure
App Auth LSS RedHat compatible
App Access LSS RedHat compatible
Browser Access LSS RedHat compatible
Connector LSS RedHat compatible

Sourcetypes for the Zscaler Technical Add-On

Several sourcetypes are defined in the Zscaler Technical Add-On. Actual use of the sourcetypes may vary depending on what bundle and features a Zscaler customer is subscribed to.

There are no pre-configured data inputs. These will need to be configured by the Splunk Admin.

Sourcetype Function
zscalernss-web ZIA Proxy Logs
zscalernss-tunnel ZIA Tunnel Logs – up/down events and aggregate traffic stats
zscalernss-fw ZIA Firewall Logs
zscalernss-dns ZIA DNS Logs
zscalernss-alerts System Alerts from Zscaler NSS (Proxy and Firewall)
zscalerlss-zpa-connector ZPA Connector Logs
zscalerlss-zpa-app ZPA Application Access Logs
zscalerlss-zpa-auth ZPA User Authentication Logs
zscalerlss-zpa-bba ZPA Browser Access Logs
zscalerapi-zia-audit ZIA Administrative Audit Logs
zscalerapi-zia-sandbox ZIA detailed Sandbox detonation Logs

Zscaler APIs

Zscaler runs a number of open APIs which include read and write functions. The Zscaler Splunk integration focuses on read functions for Zscaler Sandbox detonation reports and Zscaler Admin Audit logs.

You can access Zscaler's help portal for full specifications for the Zscaler API.

Modular inputs for Zscaler APIs

This method is used for Admin Audit and Sandbox detonations logs.

You can access detailed configuration guides depending on whether your environment with Zscaler is cloud or on-prem. Splunk Essential Configuration (using NSS VM - stream syslog over tcp) and Splunk Essential Configuration (using Cloud-to-Cloud logging - HTTPS POST) are both available in the appendix of the Zscaler and Splunk Deployment Guide.

More resources

The Zscaler and Splunk Deployment Guide contains full guidance on integrating Zscaler data sources.

In addition, guidance for onboarding data can be found in the Spunk Documentation: