Zscaler connector

How does Zscaler need to be configured in order for the connector to recognize the log? Solarwinds is not an option under the Zscaler configuration jhynds​

You will need to add an NSS Feed and make sure to use the LEM IP Address as the 'SIEM IP Address' and Port 514 under 'SIEM Port'.

Using 'LEEF' as the QRadar Output Type should be ok, but we may need to adjust. Can you confirm the other available output types you are seeing?

thanks. I had already added the feed and the first part, but i did not try the LEEF output yet; ill try that. attached are the other output types:

Unfortunately that output did not work.the LEEF output type would generated the below:

Upon further inspection, it looks like the Zscaler is expecting logs in CSV format. Can you change the output type to CSV and confirm if you're then seeing the logs in LEM? There's a chance you may see unmatched data, which we can fix based on a log sample and connector update. We'll get the logs into LEM first.

Upon further inspection, it looks like the Zscaler is expecting logs in CSV format. Can you change the output type to CSV and confirm if you're then seeing the logs in LEM? There's a chance you may see unmatched data, which we can fix based on a log sample and connector update. We'll get the logs into LEM first.

Unfortunately this is still not working. I set the feed type to CSV, refreshed the 'tool maintenance by alias' report after about 30 minutes for the last 24 hours, and no unmatched data. I have also ran an ndepth report for the connector name "zscaler" (that is the name i provided to the connector), and no results other than internal tool offline/online "started fast reader". I also have a ticket open with support, but no solution as of yet as they also wanted to see log output but all i have is the feed output format below/documented.

Would you mind sending me your Case ID for the open support ticket?