Solved: Re: Zscaler log ingestion

Roberto_Lio · 11-20-2023 07:14 AM

Hi everyone

Has anyone had any experience with ingesting ZScaler logs?
I was expecting a cloud-to-cloud connection, but I don't see any documentation on this.

Thanks

Roberto

adam9

We're working on a new set of documentation (and updated parsers) for Zscaler products. We will be using webhooks where possible. The new docs should be ready later this quarter.

View solution in original post

phaubertin

Hi Roberto, if you have the zscaler cloud appliance. You would probably need to configure a feed in chronicle. If you have a the on prem nss log server, you will have to forward all your log to your collector and configure well.

Roberto_Lio

HI @phaubertin zscaler is a cloud appliance. The easiest way perhaps is to use a webook feed, but right now they are suspended. To use what you suggest, I would have to copy or publish the logs somewhere(like a S3 bucket), I think

phaubertin

Hi Roberto, I understand that zscaler is cloud appliance. However, Zscaler offer 2 way to sending log to SIEM: VM-based NSS and Cloud NSS (source).

There is several way to configure the feeds in chronicle. Right now, third party api is not a way for zscaler log ingestion.

I'm not aware how to ingest log with web hook. Chronicle Feeds offer a way to ingest from S3 bucket.

Wish you luck,

Mustache

Chronicle currently recommends you leverage native APIs (third party integrations that are supported), and if that isn't available then to leverage the GCS bucket method (or s3).

https://github.com/chronicle/ingestion-scripts Google has a lot of ingest scripts, but they offer no support on them. I would look into maybe ripping apart some scripts to get zscalar to ingest to a bucket so then you can use Feed Management to ingest from that bucket.

hzmndt

Depends on the Zscaler products:

1. If ZPA -> https://help.zscaler.com/zscaler-deployments-operations/siem-zpa-integration-deployment-and-operatio...
Use ISS to send logs over chronicle forwarder or the new collector agent in json format

2. If ZIA -> https://help.zscaler.com/zia/about-insights-logs
Use NSS to send logs over chronicle forwarder or the new collector agent or Use NSS to push the logs via Webhook

jkephsecru

Hi @Roberto_Lio

Seeing as this thread has been resurrected it would be worth mentioning that Webhooks are GA again and instead of needing NSS / Cloud-NSS over Syslog to CFPS we are now able to use Webhooks with the ZIA & ZDX products.

https://help.zscaler.com/zia/about-webhooks
https://help.zscaler.com/zdx/configuring-webhooks

I haven't seen any documentation yet to enable ZPA to be sent using the same method.

adam9

We're working on a new set of documentation (and updated parsers) for Zscaler products. We will be using webhooks where possible. The new docs should be ready later this quarter.

Roberto_Lio

Thanks @adam9 for your reply, we'll wait new docs