Skip to main content

Check out Interactive Visual Stories to gain hands-on experience with the SSE product features. Click here.

Skyhigh Security

Log Format for zScaler

  1. Last updated
  2. Save as PDF

Zscaler acts as a cloud-based proxy and firewall, routing all traffic through its software to apply security policies. To configure Skyhigh Cloud Connector Log Settings in the Skyhigh CASB UI, configure zScaler log format for Skyhigh Cloud Connector.

zScaler configuration

For zScaler, configure the following log format for Skyhigh Cloud Connector.

  1. In the zScaler Admin Portal, go to Nanolog server settings.
  2. Add a new NSS Feed with the following options:
    1. Feed Name. Skyhigh CASB Log Feed
    2. SIEM IP Address. Enter the IP Address of Skyhigh CASB Log Processor (for example, 10.1.1.3). 
    3. SIEM TCP Port. Enter the port number of Skyhigh CASB Syslog Server on the Log Processor server (for example, 514).
    4. Log Type. Web Log.
    5. Status. Enabled.
    6. Feed Output Type. Tab-Separated.
    7. Feed Output Format. Enter the following line. (You can also download this as a text file to easily copy and paste: zScalerNSSFormat.txt )

IMPORTANT: Make sure this field does not contain any line breaks or empty lines.

%02d{mth}/%02d{dd}/%d{yyyy}\t%02d{hh}:%02d{mm}:%02d{ss}\t%s{action}\t%s{host}\t%s{proto}\t%s{sip}\t%s{filetype}\t%s{urlcat}\t%s{cip}\t%s{login}\t%s{ologin}\t%s{dept}\t%s{bwthrottle}\t%s{location}\t%d{ctime}\t%d{reqdatasize}\t%s{reqmethod}\t%d{reqsize}\t%s{respcode}\t%d{respdatasize}\t%d{respsize}\t%d{totalsize}\t%s{ua}\t%s{eurl}\t%s{ereferer}\t%s{filename}\t%s{nsssvcip}\t%s{productversion}
  1. Click Save

zs.png

Skyhigh Cloud Configuration

Attached is a Log Config with preprocessor rules for this configuration as Skyhigh_zScaler_Log_Config.txt. This can be configured in the Skyhigh Cloud Connector Log Settings in Skyhigh CASB. This matches the custom NSS log format mentioned above. If you have a different log format configured at NSS, then please contact Skyhigh Security Support with a log sample

preprocessor.rules={"dateFormat":"MM/dd/yyyy HH:mm:ss","topRule":{"type":"chain","rules":[{"type":"select","index":"0","trim":"true"},{"type":"csv","on":"\\\\t","escape":"\\\\u0000","trim":"true"}]},"fields":{"date":{"type":"select","index":"1"},"time":{"type":"select","index":"2"},"action":{"type":"select","index":"3"},"destination_host":{"type":"select","index":"4"},"protocol":{"type":"select","index":"5"},"destination_ip":{"type":"select","index":"6"},"mime_type":{"type":"select","index":"7"},"source_ip":{"type":"select","index":"9"},"source_user":{"type":"select","index":"10"},"custom1":{"type":"select","index":"12"},"custom2":{"type":"select","index":"14"},"method":{"type":"select","index":"17"},"source_bytes":{"type":"select","index":"18"},"http_status":{"type":"select","index":"19","replacePattern":".*([0-9]{3}).*","replaceWith":"$1"},"destination_bytes":{"type":"select","index":"21"},"user_agent":{"type":"select","index":"23","trim":"true"},"url":{"type":"select","index":"24","trim":"true"},"referral":{"type":"select","index":"25"}}}

It uses two custom fields from zScaler:

  • custom1 --> zScaler field "department"
  • custom2 --> zScaler field "location"
  1. Back to top
  • Was this article helpful?

Recommended articles

  1. Article type
    Topic
    IT Type
    Shadow IT
  2. Tags
    1. Log Processing
    2. Settings
    3. zScaler