
Zscaler connector

We have moved to Zscaler for web filtering and now we are blind in terms of logs...

14 Comments
Level 16

Zscaler has syslog formats preset for HP, and a few others....   help as this company is growing fast...

Level 16

#bump

Level 16

back from vacation BUMP!!

Product Manager

If you have a sample of the log available you can send that in to support and request that they analyze it and create a connector.

(Keep in mind that not every log can be parsed... Multi line logs for example are notoriously difficult to parse)

In most cases they will be able to look at it and either say we can build a connector or explain why the log is not able to be covered.

Product Manager

LEM includes a Zscaler Web Security/Advanced Security connector out of the box. Have you tried sending your Zscaler logs to LEM & applying the connector?

Level 16

I didn't see the connector when I looked...  Feeling stupid now (nothing new).

Hope to get this working asap...

Is this a new connector?

Product Manager

Cool! It's been around for about a year. Let me know how you get on.

Level 10

How does Zscaler need to be configured in order for the connector to recognize the log? Solarwinds is not an option under the Zscaler configuration jhynds

Product Manager

You will need to add an NSS Feed and make sure to use the LEM IP Address as the 'SIEM IP Address' and Port 514 under 'SIEM Port'.

Using 'LEEF' as the QRadar Output Type should be ok, but we may need to adjust. Can you confirm the other available output types you are seeing?
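As an added example (not from this thread, SolarWinds or Zscaler), a small Python parser for the LEEF 1.0 record shape that a 'LEEF' NSS output type emits, useful for checking what actually arrives on port 514 before expecting the connector to match it. The sample record, the vendor/product strings and the attribute names are constructed assumptions, not Zscaler's documented field list.

```python
from typing import Any, Dict

# Constructed sample: a syslog-wrapped LEEF 1.0 record in the general shape an
# NSS feed with a LEEF output type produces. Vendor/product strings and
# attribute names are illustrative assumptions, not Zscaler's documented schema.
SAMPLE_LINE = (
    "<134>Mar 12 10:15:01 nss-host ZscalerNSS: "
    "LEEF:1.0|Zscaler|NSS|1.0|Allowed|"
    "devTime=Mar 12 2019 10:15:01\tsrc=10.0.0.25\tdst=93.184.216.34\t"
    "usrName=jdoe@example.com\turl=example.com/index.html\tcat=Business\t"
    "proto=HTTPS\taction=Allowed"
)

LEEF_HEADER_FIELDS = ("version", "vendor", "product", "product_version", "event_id")


def parse_leef(line: str) -> Dict[str, Any]:
    """Split a syslog line carrying a LEEF 1.0 payload into header and attributes.

    LEEF 1.0 layout: 'LEEF:1.0|Vendor|Product|Version|EventID|key=value<TAB>key=value...'
    Anything before 'LEEF:' is treated as the syslog prefix and kept for reference.
    Raises ValueError on lines a LEEF-based connector would not be able to parse.
    """
    start = line.find("LEEF:")
    if start < 0:
        raise ValueError("no LEEF payload in line")
    prefix, payload = line[:start].rstrip(), line[start:]
    # Exactly five '|'-separated header fields; the sixth chunk is the attribute
    # block, so a '|' inside a URL attribute does not break the split.
    parts = payload.split("|", 5)
    if len(parts) != 6:
        raise ValueError("malformed LEEF header: expected 5 header fields")
    header = dict(zip(LEEF_HEADER_FIELDS, parts[:5]))
    header["version"] = header["version"][len("LEEF:"):]
    attrs: Dict[str, str] = {}
    for kv in parts[5].split("\t"):  # LEEF 1.0 separates attributes with a tab
        if not kv:
            continue
        if "=" not in kv:
            raise ValueError(f"attribute without '=': {kv!r}")
        key, value = kv.split("=", 1)
        attrs[key] = value
    return {"syslog_prefix": prefix, "header": header, "attributes": attrs}


if __name__ == "__main__":
    record = parse_leef(SAMPLE_LINE)
    print(record["header"])
    print(record["attributes"])
```

Feeding a captured line from the NSS feed into `parse_leef` shows whether the output type really produced a LEEF header and tab-separated attributes, or something else the connector will ignore.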

Level 10

Thanks. I had already added the feed and the first part, but I did not try the LEEF output yet; I'll try that. Attached are the other output types.