Skip to main content
McAfee Enterprise MVISION Cloud

Log Format for zScaler

  1. Last updated
  2. Save as PDF

Zscaler acts as a cloud-based proxy and firewall, routing all traffic through its software to apply security policies. To configure MVISION Cloud Connector Log Settings in the MVISION Cloud UI, configure zScaler log format for MVISION Cloud Connector.

zScaler configuration

For zScaler, configure the following log format for MVISION Cloud Connector.

  1. In the zScaler Admin Portal, go to Nanolog server settings.
  2. Add a new NSS Feed with the following options:
    1. Feed Name. MVISION Cloud Log Feed
    2. SIEM IP Address. Enter the IP Address of MVISION Cloud Log Processor (for example, 10.1.1.3). 
    3. SIEM TCP Port. Enter the port number of MVISION Cloud Syslog Server on the Log Processor server (for example, 514).
    4. Log Type. Web Log.
    5. Status. Enabled.
    6. Feed Output Type. Tab-Separated.
    7. Feed Output Format. Enter the following line. (You can also download this as a text file to easily copy and paste: zScalerNSSFormat.txt )

IMPORTANT: Make sure this field does not contain any line breaks or empty lines.

%02d{mth}/%02d{dd}/%d{yyyy}\t%02d{hh}:%02d{mm}:%02d{ss}\t%s{action}\t%s{host}\t%s{proto}\t%s{sip}\t%s{filetype}\t%s{urlcat}\t%s{cip}\t%s{login}\t%s{ologin}\t%s{dept}\t%s{bwthrottle}\t%s{location}\t%d{ctime}\t%d{reqdatasize}\t%s{reqmethod}\t%d{reqsize}\t%s{respcode}\t%d{respdatasize}\t%d{respsize}\t%d{totalsize}\t%s{ua}\t%s{eurl}\t%s{ereferer}\t%s{filename}\t%s{nsssvcip}\t%s{productversion}
  1. Click Save

MVISION Cloud Configuration

Attached is a Log Config with preprocessor rules for this configuration as Skyhigh_zScaler_Log_Config.txt. This can be configured in the MVISION Cloud Connector Log Settings in the MVISION Cloud UI. This matches the custom NSS log format mentioned above. If you have a different log format configured at NSS, then please contact MVISION Cloud Support with a log sample

preprocessor.rules={"dateFormat":"MM/dd/yyyy HH:mm:ss","topRule":{"type":"chain","rules":[{"type":"select","index":"0","trim":"true"},{"type":"csv","on":"\\\\t","escape":"\\\\u0000","trim":"true"}]},"fields":{"date":{"type":"select","index":"1"},"time":{"type":"select","index":"2"},"action":{"type":"select","index":"3"},"destination_host":{"type":"select","index":"4"},"protocol":{"type":"select","index":"5"},"destination_ip":{"type":"select","index":"6"},"mime_type":{"type":"select","index":"7"},"source_ip":{"type":"select","index":"9"},"source_user":{"type":"select","index":"10"},"custom1":{"type":"select","index":"12"},"custom2":{"type":"select","index":"14"},"method":{"type":"select","index":"17"},"source_bytes":{"type":"select","index":"18"},"http_status":{"type":"select","index":"19","replacePattern":".*([0-9]{3}).*","replaceWith":"$1"},"destination_bytes":{"type":"select","index":"21"},"user_agent":{"type":"select","index":"23","trim":"true"},"url":{"type":"select","index":"24","trim":"true"},"referral":{"type":"select","index":"25"}}}

It uses two custom fields from zScaler:

  • custom1 --> zScaler field "department"
  • custom2 --> zScaler field "location"
  1. Back to top
  • Was this article helpful?

Recommended articles

  1. Article type
    Topic
    IT Type
    Shadow IT
  2. Tags
    1. Log Processing
    2. Settings
    3. zScaler