Skip to main content
 
 
Splunk Lantern

Zscaler

 

Zscaler is the a cloud-based internet and application security gateway used by enterprise customers worldwide. As part of operating this service, Zscaler customer’s end users may generate a large amount of logging information, information accessible within Zscaler, and also data available to stream into the Splunk platform.

The Zscaler Technical Add-On for Splunk takes events from Zscaler data sources and maps these to types compatible with Splunk’s Common Information Model (CIM), as well as tagging all events where relevant to specific CIM data model(s).

Zscaler traffic, status, and access logs provide a rich source of data for ingesting into the Splunk platform. This information can then be used to enrich other data sources and generate interesting events related to business services and technology operations.

Before looking at documentation for specific data sources, review the Splunk Docs information on general data ingestion: 

Getting data in

Source Add-ons and Apps Guidance
Zscaler

Splunk platform

Zscaler Technical Add-On for Splunk

Configuration 

Zscaler and Splunk Deployment Guide

Zscaler data sources

Zscaler can stream logs into customer environments. This is facilitated via Zscaler-supplied virtual machines which execute in a customer’s (or partner’s) hosted compute environment.

These virtual machines attach to the Zscaler cloud via outbound connections and receive encrypted and tokenized logs to stream into customer log collection and SIEM platforms. The log streams are:

Log type Streaming technology Platforms
Proxy NSS - Web VMware, AWS and Azure
Tunnel NSS - Web VMware, AWS and Azure
Firewall NSS - CWF VMware, AWS and Azure
DNS NSS - CWF VMware, AWS and Azure
Alert NSS – CWF/Web VMware, AWS and Azure
App Auth LSS RedHat compatible
App Access LSS RedHat compatible
Browser Access LSS RedHat compatible
Connector LSS RedHat compatible

Source types for the Zscaler Technical Add-On

Several source types are defined in the Zscaler Technical Add-On. Actual use of the source types may vary depending on what bundle and features a Zscaler customer is subscribed to.

There are no pre-configured data inputs. These need to be configured by the Splunk Admin.

Source type Function
zscalernss-web ZIA Proxy Logs
zscalernss-tunnel ZIA Tunnel Logs – up/down events and aggregate traffic stats
zscalernss-fw ZIA Firewall Logs
zscalernss-dns ZIA DNS Logs
zscalernss-alerts System Alerts from Zscaler NSS (Proxy and Firewall)
zscalerlss-zpa-connector ZPA Connector Logs
zscalerlss-zpa-app ZPA Application Access Logs
zscalerlss-zpa-auth ZPA User Authentication Logs
zscalerlss-zpa-bba ZPA Browser Access Logs
zscalerapi-zia-audit ZIA Administrative Audit Logs
zscalerapi-zia-sandbox ZIA detailed Sandbox detonation Logs

Steaming log inputs

Zscaler NSS and LSS streams are typically sent to Splunk via Network Inputs. Zscaler NSS and LSS streams are typically sent to Splunk via Network Inputs. These can be sent directly to the inbuilt Splunk TCP inputs, or pre-processed using Splunk Connect for Syslog (SC4S). For scale and best practice, SC4S is recommended.

Zscaler APIs

Zscaler runs a number of open APIs which include read and write functions. The Zscaler Splunk integration focuses on read functions for Zscaler Sandbox detonation reports and Zscaler Admin Audit logs.Access Zscaler's help portal for full specifications for the Zscaler API.

Modular inputs for Zscaler APIs

This method is used for Admin Audit and Sandbox detonations logs. Use the detailed configuration guides that correspond to cloud and on-prem Zscaler evironments. Splunk Essential Configuration (using NSS VM - stream syslog over tcp) and Splunk Essential Configuration (using Cloud-to-Cloud logging - HTTPS POST) are both available in the appendix of the Zscaler and Splunk Deployment Guide.