We have moved to Zscaler for web filtering and now we are blind in terms of logs...
Zscaler has syslog formats preset for HP and a few others... help, as this company is growing fast...
#bump
back from vacation BUMP!!
If you have a sample of the log available you can send that in to support and request that they analyze it and create a connector.
(Keep in mind that not every log can be parsed... Multi line logs for example are notoriously difficult to parse)
In most cases they will be able to look at it and either say we can build a connector or explain why the log is not able to be covered.
LEM includes a Zscaler Web Security/Advanced Security connector out of the box. Have you tried sending your Zscaler logs to LEM & applying the connector?
I didn't see the connector when I looked... Feeling stupid now (nothing new).
Hope to get this working asap...
Is this a new connector?
How does Zscaler need to be configured in order for the connector to recognize the log? SolarWinds is not an option under the Zscaler configuration, jhynds.
You will need to add an NSS Feed and make sure to use the LEM IP Address as the 'SIEM IP Address' and Port 514 under 'SIEM Port'.
Using 'LEEF' as the QRadar Output Type should be ok, but we may need to adjust. Can you confirm the other available output types you are seeing?
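As an added example, not taken from this thread or from SolarWinds or Zscaler, here is a small Python script for checking what the NSS feed actually delivers before relying on the connector: it listens for syslog on the configured SIEM port, parses each LEEF 1.0 record (header fields separated by `|`, then tab-separated `key=value` attributes) and reports how many lines it could not parse. The sample events are constructed, the attribute names in them are placeholders rather than Zscaler's real NSS field schema, and the feed is assumed to be plain UDP syslog; adjust the bind address and port to match the 'SIEM IP Address' and 'SIEM Port' set on the feed.

```python
import socket

# Constructed sample of two syslog lines: one carrying a LEEF 1.0 event of the
# general shape an NSS feed emits, one that is not LEEF at all. Attribute names
# (devTime, usrName, src, url, action) are placeholders, not Zscaler's schema.
SAMPLE_EVENTS = [
    "<14>Jan 05 10:15:42 zscaler-nss LEEF:1.0|Zscaler|NSS|1.0|web|"
    "devTime=Jan 05 10:15:42 2016\tusrName=alice@example.com\tsrc=10.1.2.3"
    "\turl=www.example.com\taction=Blocked",
    "<14>Jan 05 10:15:43 zscaler-nss NOT A LEEF LINE",
]

LEEF_MARKER = "LEEF:"


def parse_leef(line):
    """Parse one syslog line carrying a LEEF 1.0 event.

    Returns a dict with the header fields and the tab-separated key=value
    attributes, or None when the line has no usable LEEF header. LEEF 2.0
    (which adds a delimiter field to the header) is not handled here.
    """
    idx = line.find(LEEF_MARKER)
    if idx < 0:
        return None
    # Header layout: LEEF:Version|Vendor|Product|Version|EventID|attributes
    parts = line[idx:].split("|", 5)
    if len(parts) < 6:
        return None
    attrs = {}
    for field in parts[5].split("\t"):
        if "=" in field:
            key, value = field.split("=", 1)
            attrs[key] = value
    return {
        "leef_version": parts[0][len(LEEF_MARKER):],
        "vendor": parts[1],
        "product": parts[2],
        "product_version": parts[3],
        "event_id": parts[4],
        "attrs": attrs,
    }


def summarize(lines):
    """Return (parsed, unparsed) counts for a batch of syslog lines."""
    parsed = sum(1 for line in lines if parse_leef(line) is not None)
    return parsed, len(lines) - parsed


def receive_events(bind_addr="0.0.0.0", port=514, count=10, timeout=60):
    """Collect `count` UDP syslog datagrams and return the raw lines.

    Assumes the NSS feed sends UDP syslog; binding port 514 normally needs
    root. Run this on the host whose address is configured as the SIEM IP
    to confirm the feed arrives at all before debugging the connector.
    """
    lines = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_addr, port))
        sock.settimeout(timeout)
        try:
            while len(lines) < count:
                data, _ = sock.recvfrom(65535)
                lines.append(data.decode("utf-8", errors="replace").rstrip("\n"))
        except socket.timeout:
            pass  # feed may be quiet; report whatever arrived
    return lines


if __name__ == "__main__":
    # Offline run over the constructed sample; swap in receive_events() to
    # look at the live feed.
    for line in SAMPLE_EVENTS:
        print(parse_leef(line))
    print("parsed/unparsed:", summarize(SAMPLE_EVENTS))
```

If every line shows up as unparsed, the feed is sending a different output type than expected; if nothing arrives at all, check the SIEM IP/port on the feed and any firewall between the NSS and the collector before suspecting the connector.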