Configuring Zscaler for Cyfin Syslog

Zscaler uses a virtual machine, Nanolog Streaming Service (NSS), to stream logs from the Zscaler service and deliver them to Cyfin Syslog.

To collect logs for Zscaler Web Security, perform these steps detailed in the following sections:

  1. Configure Zscaler NSS.
  2. Connect the Zscaler NSS feed to Cyfin Syslog.

 

Configure Zscaler NSS

NSS is maintained and distributed by Zscaler as an Open Virtual Application (OVA). To stream logs to Cyfin Syslog, follow the steps outlined in the NSS Configuration Guide at https://support.zscaler.com/hc/en-us…guration-Guide.

 

Connect the Zscaler NSS Feed to Cyfin Syslog

Once you have configured the Zscaler NSS, now add a feed to send logs to Cyfin Syslog using the following steps.

  1. Log into your Zscaler NSS system.
  2. Go to Administration – Settings – Nanolog Streaming Service.
  3. From the NSS Feeds tab, click Add.
  4. In the Add NSS Feed dialog:
    • Feed Name. Enter a name for your NSS feed.
    • NSS Server. Select None.
    • SIEM IP Address. Enter the Cyfin IP address.
    • Log Type. Select Web Log.
    • Feed Output Type. QRadar LEEF is the default.
    • NSS Type. NSS for Web is the default.
    • Status. Select Enabled.
    • SIEM TCP Port. Enter the Cyfin Syslog TCP port number.
    • Feed Escape Character. Leave this field blank.
    • Feed Output Format. The LEEF format is displayed.
    • User Obfuscation. Select Disabled.
    • Duplicate Logs. Disabled by default.
    • Timezone. Set to GMT by default.
  5. Click Save.