...

These are the valid tags and corresponding data tables that will receive the parsers' data:

Note

Note that you have to properly define the final part of the tag (the format suffix) to get your data properly parsed.

Product / Service                 | Tags                                     | Data tables
----------------------------------|------------------------------------------|---------------------------------------
Zscaler Secure Web Gateway (ZSGW) | proxy.zscaler.access                     | proxy.zscaler.access
                                  | proxy.zscaler.access.json_event          | proxy.zscaler.access
                                  | proxy.zscaler.nss                        | proxy.zscaler.nss
                                  | proxy.zscaler.nss_firewall.cef           | proxy.zscaler.nss_firewall
                                  | proxy.zscaler.nss_firewall.csv           | proxy.zscaler.nss_firewall
                                  | proxy.zscaler.nss_firewall.json          | proxy.zscaler.nss_firewall
                                  | proxy.zscaler.nss_web.cef                | proxy.zscaler.nss_web
                                  | proxy.zscaler.nss_web.csv                | proxy.zscaler.nss_web
Zscaler Internet Access (ZIA)     | proxy.zscaler.zia.alert.syslog           | proxy.zscaler.zia.alert
                                  | proxy.zscaler.zia.casb                   | proxy.zscaler.zia.casb
                                  | proxy.zscaler.zia.dns.json               | proxy.zscaler.zia.dns
                                  | proxy.zscaler.zia.firewall.json          | proxy.zscaler.zia.firewall
                                  | proxy.zscaler.zia.saas_collaboration.json | proxy.zscaler.zia.saas_collaboration
                                  | proxy.zscaler.zia.saas_crm.json          | proxy.zscaler.zia.saas_crm
                                  | proxy.zscaler.zia.saas_email.json        | proxy.zscaler.zia.saas_email
                                  | proxy.zscaler.zia.saas_file.json         | proxy.zscaler.zia.saas_file
                                  | proxy.zscaler.zia.saas_itsm.json         | proxy.zscaler.zia.saas_itsm
                                  | proxy.zscaler.zia.saas_repository.json   | proxy.zscaler.zia.saas_repository
                                  | proxy.zscaler.zia.tunnel                 | proxy.zscaler.zia.tunnel
                                  | proxy.zscaler.zia.tunnel.json            | proxy.zscaler.zia.tunnel
                                  | proxy.zscaler.zia.web                    | proxy.zscaler.zia.web
                                  | proxy.zscaler.zia.web.json               | proxy.zscaler.zia.web

...

Note

Please contact Devo support about how to configure the output of the Zscaler NSS Web / Firewall feeds (for example, the field order for CSV format, or the csX and cnX field mapping for CEF format) before using the nss_web or nss_firewall parsers.

Zscaler Internet Access (ZIA)

...

Relay rule 11 - Web

  • Source port → as required

  • Target tag → proxy.zscaler.zia.web.json

  • Max packet size (bytes) → 5120

  • Select the Sent without syslog tag checkbox.

Note

If you’re sending data to table proxy.zscaler.zia.web.json and cannot send your events in JSON format, you must define the following template in your environment:

Code Block
\{"time": "%s{time}", "recordid": %d{recordid}, "login": "%s{login}", "ehost": "%s{ehost}", "sip": "%s{sip}", "cip": "%s{cip}", "cintip": "%s{cintip}", "eurl": "%s{eurl}", "ua": "%s{ua}", "module": "%s{module}", "proto": "%s{proto}", "action": "%s{action}", "reason": "%s{reason}", "appname": "%s{appname}", "appclass": "%s{appclass}", "filetype": "%s{filetype}", "reqsize": %d{reqsize}, "respsize": %d{respsize}, "totalsize": %d{totalsize}, "malwarecat": "%s{malwarecat}", "malwareclass": "%s{malwareclass}", "threatname": "%s{threatname}", "riskscore": %d{riskscore}, "dlpeng": "%s{dlpeng}", "dlpdict": "%s{dlpdict}", "location": "%s{location}", "dept": "%s{dept}", "reqmethod": "%s{reqmethod}", "respcode": "%s{respcode}", "respversion": "%s{respversion}", "urlclass": "%s{urlclass}", "urlsupercat": "%s{urlsupercat}", "urlcat": "%s{urlcat}", "ereferer": "%s{ereferer}", "contenttype": "%s{contenttype}", "unscannabletype": "%s{unscannabletype}", "devicehostname": "%s{devicehostname}", "deviceowner": "%s{deviceowner}", "keyprotectiontype": "%s{keyprotectiontype}"\}

Other tables may require other formats. Contact us if you need additional help.
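To see what the template above actually emits before pointing a feed at proxy.zscaler.zia.web.json, the following added example (not Devo's or Zscaler's code) renders a trimmed copy of the template against a constructed event and checks that the result parses as JSON. It assumes the usual NSS feed-format semantics: %s{field} substitutes a string, %d{field} an integer, and backslash-escaped braces become literal braces.

```python
import json
import re

# Trimmed copy of the page's feed-format template (same syntax, fewer fields).
TEMPLATE = (
    r'\{"time": "%s{time}", "recordid": %d{recordid}, "login": "%s{login}", '
    r'"cip": "%s{cip}", "eurl": "%s{eurl}", "action": "%s{action}", '
    r'"reqsize": %d{reqsize}, "respcode": "%s{respcode}"\}'
)

# Constructed sample event; not real traffic.
SAMPLE_EVENT = {
    "time": "Mon Jan  1 10:00:00 2024",
    "recordid": 1234567890,
    "login": "jdoe@example.com",
    "cip": "10.0.0.5",
    "eurl": "example.com/path",
    "action": "Allowed",
    "reqsize": 512,
    "respcode": "200",
}

# %s{name} or %d{name}: the braces here are field specifiers, not escaped.
SPEC = re.compile(r"%([sd])\{([A-Za-z_]+)\}")


def render_nss_template(template: str, event: dict) -> str:
    """Render a feed-format template the way an NSS feed would (assumed semantics)."""
    def substitute(m):
        kind, name = m.group(1), m.group(2)
        value = event.get(name, "")
        if kind == "d":
            return str(int(value or 0))   # integer field, emitted unquoted
        return str(value)                 # string field, substituted verbatim
    rendered = SPEC.sub(substitute, template)
    # Escaped braces in the template are literal characters in the output.
    return rendered.replace(r"\{", "{").replace(r"\}", "}")


def check_json_event(line: str):
    """Return the parsed event, or None if the rendered line is not valid JSON.

    Values are substituted verbatim, so a string field containing a double
    quote produces a line the JSON parser behind the tag cannot read.
    """
    try:
        return json.loads(line)
    except json.JSONDecodeError:
        return None
```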

Table structure

These are the fields displayed in these tables:

...