Log Format for zScaler
Zscaler acts as a cloud-based proxy and firewall, routing all traffic through its service to apply security policies. Before configuring the Skyhigh Cloud Connector Log Settings in the Skyhigh CASB UI, configure the zScaler log format described below so that the Cloud Connector receives the NSS feed in the layout its preprocessor rules expect.
zScaler Configuration
For zScaler, configure the following log format for Skyhigh Cloud Connector.
- In the zScaler Admin Portal, go to Nanolog server settings.
- Add a new NSS Feed with the following options:
  - Feed Name. Skyhigh CASB Log Feed
  - SIEM IP Address. Enter the IP address of the Skyhigh CASB Log Processor (for example, 10.1.1.3).
  - SIEM TCP Port. Enter the port number of the Skyhigh CASB Syslog Server on the Log Processor server (for example, 514).
  - Log Type. Web Log.
  - Status. Enabled.
  - Feed Output Type. Tab-Separated.
  - Feed Output Format. Enter the following line. (You can also download this as a text file to easily copy and paste: zScalerNSSFormat.txt.)
IMPORTANT: Make sure this field does not contain any line breaks or empty lines.
%02d{mth}/%02d{dd}/%d{yyyy}\t%02d{hh}:%02d{mm}:%02d{ss}\t%s{action}\t%s{host}\t%s{proto}\t%s{sip}\t%s{filetype}\t%s{urlcat}\t%s{cip}\t%s{login}\t%s{ologin}\t%s{dept}\t%s{bwthrottle}\t%s{location}\t%d{ctime}\t%d{reqdatasize}\t%s{reqmethod}\t%d{reqsize}\t%s{respcode}\t%d{respdatasize}\t%d{respsize}\t%d{totalsize}\t%s{ua}\t%s{eurl}\t%s{ereferer}\t%s(unknown)\t%s{nsssvcip}\t%s{productversion}
- Click Save.
Skyhigh Cloud Configuration
Attached as Skyhigh_zScaler_Log_Config.txt is a Log Config with preprocessor rules for this configuration. Configure it in the Skyhigh Cloud Connector Log Settings in Skyhigh CASB. The rules match the custom NSS log format shown above; the field indexes in the rules are 1-based positions in the tab-separated record, so any change to the NSS format changes which column each Skyhigh field reads. If you have a different log format configured at NSS, contact Skyhigh Security Support with a log sample.
preprocessor.rules={"dateFormat":"MM/dd/yyyy HH:mm:ss","topRule":{"type":"chain","rules":[{"type":"select","index":"0","trim":"true"},{"type":"csv","on":"\\\\t","escape":"\\\\u0000","trim":"true"}]},"fields":{"date":{"type":"select","index":"1"},"time":{"type":"select","index":"2"},"action":{"type":"select","index":"3"},"destination_host":{"type":"select","index":"4"},"protocol":{"type":"select","index":"5"},"destination_ip":{"type":"select","index":"6"},"mime_type":{"type":"select","index":"7"},"source_ip":{"type":"select","index":"9"},"source_user":{"type":"select","index":"10"},"custom1":{"type":"select","index":"12"},"custom2":{"type":"select","index":"14"},"method":{"type":"select","index":"17"},"source_bytes":{"type":"select","index":"18"},"http_status":{"type":"select","index":"19","replacePattern":".*([0-9]{3}).*","replaceWith":"$1"},"destination_bytes":{"type":"select","index":"21"},"user_agent":{"type":"select","index":"23","trim":"true"},"url":{"type":"select","index":"24","trim":"true"},"referral":{"type":"select","index":"25"}}}
It uses two custom fields from zScaler:
- custom1 --> zScaler field "department"
- custom2 --> zScaler field "location"
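The following is an added example, not code from the page or from Skyhigh or Zscaler, showing how the NSS format string above and the preprocessor rules line up: it re-expresses the page's field rules as Python dicts (assumption: the Java-style "$1" in replaceWith becomes Python's "\1", and the chain's tab split is modelled as a plain split), checks that every 1-based index points at the NSS column it is meant to (useful whenever the NSS feed format is edited), and parses one constructed log record. The sample record, column names and helper names are constructed for illustration.

```python
import re
from datetime import datetime

# Column order of the NSS Feed Output Format shown on this page (0-based list;
# the preprocessor "select" rules count from 1). Position 26 is the page's
# literal "%s(unknown)" column, which no Skyhigh field reads.
NSS_COLUMNS = [
    "date", "time", "action", "host", "proto", "sip", "filetype", "urlcat",
    "cip", "login", "ologin", "dept", "bwthrottle", "location", "ctime",
    "reqdatasize", "reqmethod", "reqsize", "respcode", "respdatasize",
    "respsize", "totalsize", "ua", "eurl", "ereferer", "(unknown)",
    "nsssvcip", "productversion",
]

# The page's preprocessor "fields" rules, re-expressed as Python dicts
# (assumption: replaceWith "$1" is written as Python's r"\1").
FIELD_RULES = {
    "date": {"index": 1}, "time": {"index": 2}, "action": {"index": 3},
    "destination_host": {"index": 4}, "protocol": {"index": 5},
    "destination_ip": {"index": 6}, "mime_type": {"index": 7},
    "source_ip": {"index": 9}, "source_user": {"index": 10},
    "custom1": {"index": 12}, "custom2": {"index": 14},
    "method": {"index": 17}, "source_bytes": {"index": 18},
    "http_status": {"index": 19, "replacePattern": r".*([0-9]{3}).*",
                    "replaceWith": r"\1"},
    "destination_bytes": {"index": 21},
    "user_agent": {"index": 23, "trim": True},
    "url": {"index": 24, "trim": True},
    "referral": {"index": 25},
}

DATE_FORMAT = "%m/%d/%Y %H:%M:%S"  # the page's dateFormat "MM/dd/yyyy HH:mm:ss"

# Which NSS column each Skyhigh field is meant to read (from the page's mapping).
EXPECTED_COLUMNS = {
    "date": "date", "time": "time", "action": "action",
    "destination_host": "host", "protocol": "proto", "destination_ip": "sip",
    "mime_type": "filetype", "source_ip": "cip", "source_user": "login",
    "custom1": "dept", "custom2": "location", "method": "reqmethod",
    "source_bytes": "reqsize", "http_status": "respcode",
    "destination_bytes": "respsize", "user_agent": "ua", "url": "eurl",
    "referral": "ereferer",
}


def nss_column_for(field):
    """Return the NSS column name that a Skyhigh field's 1-based index selects."""
    return NSS_COLUMNS[FIELD_RULES[field]["index"] - 1]


def check_mapping():
    """Return (skyhigh_field, actual_nss_column) pairs whose index points at
    the wrong column. An empty list means the rules match the format string."""
    return [(f, nss_column_for(f)) for f, want in EXPECTED_COLUMNS.items()
            if nss_column_for(f) != want]


def parse_nss_line(line):
    """Apply the rule chain to one tab-separated NSS record: trim, split on
    tab, select 1-based columns, trim/regex-normalise where the rule says so,
    then build a timestamp from date + time using the page's dateFormat."""
    cols = line.strip("\r\n").split("\t")
    if len(cols) != len(NSS_COLUMNS):
        raise ValueError(f"expected {len(NSS_COLUMNS)} columns, got {len(cols)}")
    out = {}
    for field, rule in FIELD_RULES.items():
        value = cols[rule["index"] - 1]
        if rule.get("trim"):
            value = value.strip()
        if "replacePattern" in rule:  # e.g. "200 OK" -> "200"
            value = re.sub(rule["replacePattern"], rule["replaceWith"], value)
        out[field] = value
    out["timestamp"] = datetime.strptime(f"{out['date']} {out['time']}", DATE_FORMAT)
    return out


# Constructed sample record in the page's NSS format (28 tab-separated columns).
SAMPLE_LINE = "\t".join([
    "03/14/2024", "10:15:42", "Allowed", "www.example.com", "HTTPS",
    "203.0.113.10", "Text", "Business", "10.1.2.3", "jdoe@example.com",
    "jdoe@example.com", "Engineering", "None", "HQ", "120", "0", "GET", "512",
    "200", "2048", "2100", "2612", " Mozilla/5.0 ",
    "https://www.example.com/index.html", "https://www.example.com/",
    "unknown", "10.1.1.3", "6.2",
])

if __name__ == "__main__":
    print("mapping mismatches:", check_mapping())
    for k, v in parse_nss_line(SAMPLE_LINE).items():
        print(f"{k:18} {v}")
```

Run check_mapping() again after editing the NSS Feed Output Format: any field it reports is one whose preprocessor index now reads a shifted column, which is the usual cause of wrong source_ip or user_agent values after a format change.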