Log Format for zScaler

Last updated
Save as PDF

zScaler configuration

For zScaler, configure the following log format for MVISION Cloud Connector.

In the zScaler Admin Portal, navigate to Nanolog server settings.
Add a new NSS Feed with the following options:
1. Feed Name. MVISION Cloud Log Feed
2. SIEM IP Address. Enter the IP Address of MVISION Cloud Log Processor (for example, 10.1.1.3).
3. SIEM TCP Port. Enter the port number of MVISION Cloud Syslog Server on the Log Processor server (for example, 514).
4. Log Type. Web Log.
5. Status. Enabled.
6. Feed Output Type. Tab-Separated.
7. Feed Output Format. Enter the following line. (You can also download this as a text file to easily copy and paste: zScalerNSSFormat.txt )

IMPORTANT: Make sure this field does not contain any line breaks or empty lines.

%02d{mth}/%02d{dd}/%d{yyyy}\t%02d{hh}:%02d{mm}:%02d{ss}\t%s{action}\t%s{host}\t%s{proto}\t%s{sip}\t%s{filetype}\t%s{urlcat}\t%s{cip}\t%s{login}\t%s{ologin}\t%s{dept}\t%s{bwthrottle}\t%s{location}\t%d{ctime}\t%d{reqdatasize}\t%s{reqmethod}\t%d{reqsize}\t%s{respcode}\t%d{respdatasize}\t%d{respsize}\t%d{totalsize}\t%s{ua}\t%s{eurl}\t%s{ereferer}\t%s{filename}\t%s{nsssvcip}\t%s{productversion}

Click Save.

MVISION Cloud Configuration

Attached is a Log Config with preprocessor rules for this configuration as Skyhigh_zScaler_Log_Config.txt. This can be configured in the MVISION Cloud Connector Log Settings in the MVISION Cloud UI. This matches to the custom NSS log format mentioned above. If you have a different log format configured at NSS, then please contact MVISION Cloud Support with a log sample

preprocessor.rules={"dateFormat":"MM/dd/yyyy HH:mm:ss","topRule":{"type":"chain","rules":[{"type":"select","index":"0","trim":"true"},{"type":"csv","on":"\\\\t","escape":"\\\\u0000","trim":"true"}]},"fields":{"date":{"type":"select","index":"1"},"time":{"type":"select","index":"2"},"action":{"type":"select","index":"3"},"destination_host":{"type":"select","index":"4"},"protocol":{"type":"select","index":"5"},"destination_ip":{"type":"select","index":"6"},"mime_type":{"type":"select","index":"7"},"source_ip":{"type":"select","index":"9"},"source_user":{"type":"select","index":"10"},"custom1":{"type":"select","index":"12"},"custom2":{"type":"select","index":"14"},"method":{"type":"select","index":"17"},"source_bytes":{"type":"select","index":"18"},"http_status":{"type":"select","index":"19","replacePattern":".*([0-9]{3}).*","replaceWith":"$1"},"destination_bytes":{"type":"select","index":"21"},"user_agent":{"type":"select","index":"23","trim":"true"},"url":{"type":"select","index":"24","trim":"true"},"referral":{"type":"select","index":"25"}}}

It uses two custom fields from zScaler:

custom1 --> zScaler field "department"
custom2 --> zScaler field "location"