Introduction
The tags beginning with proxy.zscaler identify events generated by Zscaler products belonging to Zscaler.
Valid tags and data tables
...
These are the valid tags and corresponding data tables that will receive the parsers' data:
...
Product / Service
...
Tags
...
Data tables
...
Zscaler Secure Web Gateway (ZSGW)
...
proxy.zscaler.access
...
proxy.zscaler.access
...
proxy.zscaler.access.json_event
...
proxy.zscaler.nss
...
proxy.zscaler.nss
...
proxy.zscaler.nss_firewall.cef
...
Introduction
The tags beginning with proxy.zscaler identify events generated by Zscaler products belonging to Zscaler.
Valid tags and data tables
The full tag must have at least 3 levels. The first two are fixed asproxy.zscaler. The third level identifies the product or event type, and the rest of them indicate the event subtypes.
These are the valid tags and corresponding data tables that will receive the parsers' data:
| Note |
|---|
Note that you have to properly define the final part of the tag to get you data properly parsed. |
Product / Service | Tags | Data tables |
|---|
Zscaler Secure Web Gateway (ZSGW) | proxy.zscaler.access
| proxy.zscaler.access
|
proxy.zscaler.access.json_event
|
proxy.zscaler.nss
| proxy.zscaler.nss
|
proxy.zscaler.nss_firewall.cef
| proxy.zscaler.nss_firewall
|
proxy.zscaler.nss_firewall.csv
|
proxy.zscaler.nss_firewall.json
|
proxy.zscaler.nss_web.cef
| proxy.zscaler.nss_web
|
proxy.zscaler.nss_web.csv
|
Zscaler Internet Access (ZIA) | proxy.zscaler.zia.alert.syslog
| proxy.zscaler.zia.alert
|
proxy.zscaler.zia.casb
| proxy.zscaler.zia.casb
|
proxy.zscaler.zia.dns.json
| proxy.zscaler.zia.dns
|
proxy.zscaler.zia.firewall.json
| proxy.zscaler.zia.firewall
|
proxy.zscaler.zia.saas_collaboration.json
| proxy.zscaler.zia.saas_collaboration
|
proxy.zscaler.zia.saas_crm.json
| proxy.zscaler.zia.saas_crm
|
proxy.zscaler.zia.saas_email.json
| proxy.zscaler.zia.saas_email
|
proxy.zscaler.zia.saas_file.json
| proxy.zscaler.zia.saas_file
|
proxy.zscaler.zia.saas_itsm.json
| proxy.zscaler.zia.saas_itsm
|
proxy.zscaler.zia.saas_repository.json
| proxy.zscaler.zia.saas_repository
|
proxy.zscaler.zia.tunnel
| proxy.zscaler.zia.tunnel
|
proxy.zscaler.zia.tunnel.json
|
proxy.zscaler.zia.web
| proxy.zscaler.zia.web
|
proxy.zscaler.zia.tunnel.json
|
proxy.zscaler.zia.web
| proxy.zscaler.zia.web
|
proxy.zscaler.zia.web.json
|
...
For more information, read more About Devo tags.
How is the data sent to Devo?
You can forward logs generated by Zscaler in both CEF0 and CSV format using any Syslog drain (for example, Syslog-ng).
| Note |
|---|
Please, contact Devo for support about how to configure Zscaler NSS Web / Firewall feeds' output (for example, fields order for CSV format or csX and cnX fields mapping for CEF format) before starting to use nss_web or nss_firewall parsers. |
Zscaler Internet Access (ZIA)
Logs generated by ZIA must be sent to the Devo platform via the Devo Relay to secure communication. See the required relay rules below and see how to define them here.
| Expand |
|---|
| title | Relay rule 1 - Alerts |
|---|
|
Source port → as required Target tag → proxy.zscaler.zia.alert.syslog Max packet size (bytes) → 5120 Select the Sent without syslog tag checkbox.
|
| Expand |
|---|
|
Source port → as required Target tag → proxy.zscaler.zia.dns.json Max packet size (bytes) → 5120 Select the Sent without syslog tag checkbox.
|
| Expand |
|---|
| title | Relay rule 4 - Firewall |
|---|
|
Source port → as required Target tag → proxy.zscaler.zia.firewall.json Max packet size (bytes) → 5120 Select the Sent without syslog tag checkbox.
|
| Expand |
|---|
| title | Relay rule 4 - SaaS Collaboration |
|---|
|
Source port → as required Target tag → proxy.zscaler.zia.saas_collaboration.json Max packet size (bytes) → 5120 Select the Sent without syslog tag checkbox.
|
| Expand |
|---|
| title | Relay rule 5 - SaaS CRM |
|---|
|
Source port → as required Target tag → proxy.zscaler.zia.saas_crm.json Max packet size (bytes) → 5120 Select the Sent without syslog tag checkbox.
|
| Expand |
|---|
| title | Relay rule 6 - SaaS Email |
|---|
|
Source port → as required Target tag → proxy.zscaler.zia.saas_email.json Max packet size (bytes) → 5120 Select the Sent without syslog tag checkbox.
|
| Expand |
|---|
| title | Relay rule 7 - SaaS File |
|---|
|
Source port → as required Target tag → proxy.zscaler.zia.saas_file.json Max packet size (bytes) → 5120 Select the Sent without syslog tag checkbox.
|
| Expand |
|---|
| title | Relay rule 8 - SaaS ITSM |
|---|
|
Source port → as required Target tag → proxy.zscaler.zia.saas_itsm.json Max packet size (bytes) → 5120 Select the Sent without syslog tag checkbox.
|
| Expand |
|---|
| title | Relay rule 9 - SaaS Repository |
|---|
|
Source port → as required Target tag → proxy.zscaler.zia.saas_repository.json Max packet size (bytes) → 5120 Select the Sent without syslog tag checkbox.
|
| Expand |
|---|
| title | Relay rule 10 - Tunnel |
|---|
|
Source port → as required Target tag → proxy.zscaler.zia.tunnel.json Max packet size (bytes) → 5120 Select the Sent without syslog tag checkbox.
|
| Expand |
|---|
|
Source port → as required Target tag → proxy.zscaler.zia.web.json Max packet size (bytes) → 5120 Select the Sent without syslog tag checkbox.
|
| Note |
|---|
If you’re sending data to table proxy.zscaler.zia.web.json and cannot send your events in JSON format, you must define the following template in your environment: | Code Block |
|---|
\{"time": "%s{time}", "recordid": %d{recordid}, "login": "%s{login}", "ehost": "%s{ehost}", "sip": "%s{sip}", "cip": "%s{cip}", "cintip": "%s{cintip}", "eurl": "%s{eurl}", "ua": "%s{ua}", "module": "%s{module}", "proto": "%s{proto}", "action": "%s{action}", "reason": "%s{reason}", "appname": "%s{appname}", "appclass": "%s{appclass}", "filetype": "%s{filetype}", "reqsize": %d{reqsize}, "respsize": %d{respsize}, "totalsize": %d{totalsize}, "malwarecat": "%s{malwarecat}", "malwareclass": "%s{malwareclass}", "threatname": "%s{threatname}", "riskscore": %d{riskscore}, "dlpeng": "%s{dlpeng}", "dlpdict": "%s{dlpdict}", "location": "%s{location}", "dept": "%s{dept}", "reqmethod": "%s{reqmethod}", "respcode": "%s{respcode}", "respversion": "%s{respversion}", "urlclass": "%s{urlclass}", "urlsupercat": "%s{urlsupercat}", "urlcat": "%s{urlcat}", "ereferer": "%s{ereferer}", "contenttype": "%s{contenttype}", "unscannabletype": "%s{unscannabletype}", "devicehostname": "%s{devicehostname}", "deviceowner": "%s{deviceowner}", "keyprotectiontype": "%s{keyprotectiontype}"\} |
Other tables could require other formats. Contact us if you need additional help. |
Table structure
These are the fields displayed in these tables:
| Rw ui tabs macro |
|---|
proxy.zscaler.accessField | Type | Field Transformationtransformation | Source field name | Extra fields |
|---|
eventdate | timestamp
| | | | timestamp | timestamp
| | Code Block |
|---|
ifthenelse(length(timestamp_str) = 19, parse("yyyy/MM/dd hh:mm:ss", timestamp_str), ifthenelse(timestamp_str -> " ", parsedate(timestamp_str, dateformat("MMM D HH:mm:ss YYYY", "UTC")), parsedate(timestamp_str, dateformat("MMM DD HH:mm:ss YYYY", "UTC")))) |
| timestamp_str | | reason | str
| | | | event_id | str
| | | | protocol | str
| | | | action | str
| | | | rulelabel | str
| | | | ruletype | str
| | | | transactionsize | int8
| | | | responsesize | int8
| | | | requestsize | int8
| | | | urlcategory | str
| | | | serverip | ip4
| | | | clienttranstime | int8
| | | | requestmethod | str
| | | | refererurl | str
| | | | useragent | str
| | | | product | str
| | | | productVersion | str
| | | | location | str
| | | | clientIP | ip4
| | | | deviceName | str
| | | | deviceOSType | str
| | | | status | str
| | | | user | str
| | | | url | str
| | | | vendor | str
| | | | hostname | str
| | | | clientpublicIP | ip4
| | | | threatcategory | str
| | | | threatname | str
| | | | threatmd5 | str
| | | | filename | str
| | | | filetype | str
| | | | fileSubtype | str
| | | | contenttype | str
| | | | appname | str
| | | | pagerisk | str
| | | | department | str
| | | | urlsupercategory | str
| | | | appclass | str
| | | | dlpengine | str
| | | | urlclass | str
| | | | threatclass | str
| | | | dlpdictionaries | str
| | | | fileclass | str
| | | | fileScannable | str
| | | | bwthrottle | str
| | | | servertranstime | int8
| | | | trafficredirectmethod | str
| | | | ztunnelVersion | str
| | | | sslinspected | str
| | | | ssldecrypted | str
| | | | externalspr | str
| | | | deviceowner | str
| | | | refererURL | str
| | | | datetime | timestamp
| | | | unscannabletype | str
| | | | devicehostname | str
| | | | clienttranstime_str | str
| | | | transactionsize_str | str
| | | | servertranstime_str | str
| | | | responsesize_str | str
| | | | requestsize_str | str
| | | | upload_filename | str
| | | | upload_filetype | str
| | | | upload_fileclass | str
| | | | upload_filesubtype | str
| | | | upload_doctypename | str
| | | | hostchain | str
| | | ✓ | tag | str
| | | ✓ | rawMessage | str
| | | ✓ |
Field | Type | Extra fields |
|---|
eventdate | timestamp
| | time | str
| | login | str
| | proto | str
| | eurl | str
| | action | str
| | appname | str
| | appclass | str
| | reqsize | int8
| | respsize | int8
| | stime | int8
| | ctime | int8
| | urlclass | str
| | urlsupercat | str
| | urlcat | str
| | malwarecat | str
| | threatname | str
| | riskscore | str
| | dlpeng | str
| | dlpdict | str
| | location | str
| | dept | str
| | cip | ip4
| | sip | ip4
| | reqmethod | str
| | respcode | str
| | ua | str
| | ereferer | str
| | ruletype | str
| | rulelabel | str
| | contenttype | str
| | unscannabletype | str
| | deviceowner | str
| | devicehostname | str
| | hostchain | str
| ✓ | tag | str
| ✓ | rawMessage | str
| |
Field | Type | Extra fields |
|---|
eventdate | timestamp
| | hostname | str
| | hostchain | str
| ✓ | tag | str
| ✓ | cefVersion | str
| | embDeviceVendor | str
| | embDeviceProduct | str
| | deviceVersion | str
| | signatureID | str
| | name | str
| | severity | str
| | time | str
| | login | str
| | dept | str
| | location | str
| | cdport | str
| | csport | str
| | sdport | str
| | ssport | str
| | csip | ip4
| | cdip | ip4
| | ssip | ip4
| | sdip | ip4
| | tsip | ip4
| | tsport | str
| | ttype | str
| | action | str
| | dnat | str
| | nwsvc | str
| | nwapp | str
| | ipproto | str
| | ipcat | str
| | destcountry | str
| | avgduration | int4
| | rulelabel | str
| | inbytes | int4
| | outbytes | int4
| | duration | int4
| | durationms | int4
| | numsessions | int4
| | ipsrulelabel | str
| | threatcat | str
| | threatname | str
| | recordid | str
| | eedone | str
| | devicehostname | str
| | devicemodel | str
| | devicename | str
| | deviceostype | str
| | deviceosversion | str
| | deviceowner | str
| | deviceappversion | str
| | ztunnelversion | str
| | rawMessage | str
| ✓ |
Field | Type | Extra fields |
|---|
eventdate | timestamp
| | hostname | str
| | cefVersion | str
| | embDeviceVendor | str
| | embDeviceProduct | str
| | deviceVersion | str
| | signatureID | str
| | name | str
| | severity | str
| | time | str
| | login | str
| | proto | str
| | eurl | str
| | action | str
| | reason | str
| | appname | str
| | appclass | str
| | reqsize | int8
| | respsize | int8
| | urlclass | str
| | urlsupercat | str
| | urlcat | str
| | malwarecat | str
| | threatname | str
| | riskscore | str
| | dlpeng | str
| | dlpdict | str
| | location | str
| | dept | str
| | cip | ip4
| | sip | ip4
| | reqmethod | str
| | respcode | str
| | ua | str
| | ereferer | str
| | ruletype | str
| | rulelabel | str
| | contenttype | str
| | unscannable | str
| | deviceowner | str
| | devicehostname | str
| | ologin | str
| | throttlereqsize | str
| | throttlerespsize | str
| | bwthrottle | str
| | bwclassname | str
| | bwrulename | str
| | module | str
| | bamd5 | str
| | dlpdicthitcount | str
| | dlpidentifier | str
| | dlpmd5 | str
| | fileclass | str
| | filetype | str
| | filesubtype | str
| | filename | str
| | reqdatasize | str
| | reqhdrsize | str
| | respdatasize | str
| | resphdrsize | str
| | totalsize | str
| | reqversion | str
| | respversion | str
| | referer | str
| | uaclass | str
| | ua_token | str
| | host | str
| | ehost | str
| | refererhost | str
| | erefererpath | str
| | eurlpath | str
| | erefererhost | str
| | url | str
| | df_hostname | str
| | mobappname | str
| | mobappcat | str
| | mobdevtype | str
| | cintip | ip4
| | trafficredirectmethod | str
| | ssldecrypted | str
| | clientsslcipher | str
| | clienttlsversion | str
| | clientsslsessreuse | str
| | srvsslcipher | str
| | srvtlsversion | str
| | srvocspresult | str
| | srvcertchainvalpass | str
| | srvwildcardcert | str
| | serversslsessreuse | str
| | srvcertvalidationtype | str
| | srvcertvalidityperiod | str
| | malwareclass | str
| | devicemodel | str
| | devicename | str
| | deviceostype | str
| | deviceosversion | str
| | deviceappversion | str
| | ztunnelversion | str
| | recordid | str
| | productversion | str
| | nsssvcip | str
| | eedone | str
| | stime | int8
| | ctime | int8
| | hostchain | str
| ✓ | tag | str
| ✓ | rawMessage | str
| ✓ |
Field | Type | Source field name | Extra fields |
|---|
eventdate | timestamp
| | | hostname | str
| | | facility | str
| | | level | str
| | | message | str
| rawMessage | | hostchain | str
| | ✓ | tag | str
| | ✓ | rawMessage | str
| | ✓ |
Field | Type | Extra fields |
|---|
eventdate | timestamp
| | hostname | str
| | sourcetype | str
| | time | timestamp
| | ss | int4
| | mm | int4
| | hh | int4
| | dd | int4
| | mth | int4
| | yyyy | int4
| | reqrulelabel | str
| | reqaction | str
| | resrulelabel | str
| | resaction | str
| | login | str
| | dept | str
| | cip | str
| | durationms | int8
| | sip | str
| | recordid | str
| | location | str
| | req | str
| | resp | str
| | domcat | str
| reqtype | str
| sport | str
| user | str
| category | str
| deviceowner | str
| devicehostname | str
| event | json
| str
| | reqtype | str
| | sport | str
| | user | str
| | category | str
| | deviceowner | str
| | devicehostname | str
| | event | json
| | tz | str
| ✓ | ss | int4
| ✓ | mm | int4
| ✓ | hh | int4
| ✓ | dd | int4
| ✓ | mth | int4
| ✓ | yyyy | int4
| ✓ | hostchain | str
| ✓ | tag | str
| ✓ | rawMessage | str
| ✓ |
Field | Type | Field transformation | Source field name | Extra fields |
|---|
eventdate |
timestamp
| | hostname | str
| | sourcetype | str
| | datetime | timestamp
| time | csip | ip4
| | csport | int4
| | cdip | ip4
| | cdport | int4
| | timestamp
| | | | hostname | str
| | | | sourcetype | str
| | | | datetime | timestamp
| | Code Block |
|---|
parsedate(replace(time_str, " ", " "), dateformat("ddd MMM DD HH:mm:ss YYYY", "UTC")) |
| time_str | | csip | ip4
| | | | csport | int4
| | | | cdip_string | str
| | | | cdip | ip4
| | | | cdip_ipv6 | ip6
| | | | cdport | int4
| | | | tsip | ip4
|
| | | | tunsport | int4
| | tsport | | locationname | str
| | location | | tuntype | str
| | ttype | | threatcat | str
|
| | | | ipsrulelabel | str
| | | | sdip_string |
| | | | | | | | | proto | str
| | ipproto | | destcountry | str
|
| | | | user | str
| | login | | department | str
| | dept | | devicehostname | str
|
| | Field | Type | Extra fields |
|---|
eventdate | timestamp
| | hostname | str
| | tenant | str
| | applicationname | str
| | time | timestamp
| | epochtime | timestamp
| | recordid | str
| | filename | str
| | filetypename | str
| | filesize | int8
| | filemd5 | str
| | collabscope | str
| | department | str
| | policy | str
| | rulelabel | str
| | ruletype | str
| | malware | str
| | threatname | str
| | malwareclass | str
| | dlpdictnames | str
| | dlpenginenames | str
| | dlpidentifier | str
| | severity | str
| | dlpdictcount | str
| | filetypecategory | str
| | component | str
| | sha | str
| | internal_recptnames | str
| | external_recptnames | str
| | ointernal_recptnames | str
| | oexternal_recptnames | str
| | sharedchannel_hostname | str
| | sender | str
| | osender | str
| | esender | str
| | channel_name | str
| | ochannel_name | str
| | datacenter | str
| | datacentercity | str
| | datacentercountry | str
| | hostchain | str
| ✓ | tag | str
| ✓ | rawMessage | str
| ✓ |
Field | Type | Extra fields |
|---|
eventdate | timestamp
| | hostname | str
| | tenant | str
| | applicationname | str
| | time | timestamp
| | epochtime | timestamp
| | recordid | str
| | filename | str
| | filetypename | str
| | filesize | int8
| | filemd5 | str
| | collabscope | str
| | fullurl | str
| | suburl | str
| | department | str
| | policy | str
| | rulelabel | str
| | ruletype | str
| | malware | str
| | threatname | str
| | malwareclass | str
| | dlpdictnames | str
| | dlpenginenames | str
| | dlpidentifier | str
| | severity | str
| | dlpdictcount | str
| | num_internal_collab | str
| | num_external_collab | str
| | objectname | str
| | objecttype | str
| | file_msg_id | str
| | filetypecategory | str
| | hostname2 | str
| | ohostname | str
| | ofullurl | str
| | internal_collabnames | str
| | external_collabnames | str
| | ointernal_collabnames | str
| | oexternal_collabnames | str
| | file_msg_mod_time | str
| | filepath | str
| | component | str
| | sha | str
| | datacenter | str
| | datacentercity | str
| | datacentercountry | str
| | hostchain | str
| ✓ | tag | str
| ✓ | rawMessage | str
| ✓ |
Field | Type | Extra fields |
|---|
eventdate | timestamp
| | hostname | str
| | tenant | str
| | applicationname | str
| | filedownloadtimems | str
| | filescantimems | str
| | time | timestamp
| | epochtime | timestamp
| | recordid | str
| | epochlastmodtime | timestamp
| | department | str
| | policy | str
| | rulelabel | str
| | ruletype | str
| | malware | str
| | threatname | str
| | malwareclass | str
| | dlpdictnames | str
| | dlpenginenames | str
| | dlpidentifier | str
| | severity | str
| | dlpdictcount | str
| | sender | str
| | datacenter | str
| | datacentercity | str
| | datacentercountry | str
| | hostchain | str
| ✓ | tag | str
| ✓ | rawMessage | str
| ✓ |
Field | Type | Extra fields |
|---|
eventdate | timestamp
| | hostname | str
| | tenant | str
| | applicationname | str
| | filedownloadtimems | str
| | filescantimems | str
| | time | timestamp
| | epochtime | timestamp
| | recordid | str
| | filename | str
| | filetypename | str
| | filesource | str
| | filesize | int8
| | lastmodtime | str
| | epochlastmodtime | timestamp
| | filemd5 | str
| | collabscope | str
| | fullurl | str
| | suburl | str
| | department | str
| | user | str
| | policy | str
| | rulelabel | str
| | ruletype | str
| | malware | str
| | threatname | str
| | malwareclass | str
| | dlpdictnames | str
| | dlpenginenames | str
| | dlpidentifier | str
| | severity | str
| | dlpdictcount | str
| | filetypecategory | str
| | hostname2 | str
| | sha | str
| | datacenter | str
| | datacentercity | str
| | datacentercountry | str
| | hostchain | str
| ✓ | tag | str
| ✓ | rawMessage | str
| ✓ |
Field | Type | Extra fields |
|---|
eventdate | timestamp
| | hostname | str
| | tenant | str
| | applicationname | str
| | filedownloadtimems | str
| | filescantimems | str
| | time | timestamp
| | epochtime | timestamp
| | recordid | str
| | filename | str
| | filetypename | str
| | filesource | str
| | filesize | int8
| | lastmodtime | str
| | epochlastmodtime | timestamp
| filemd5 | str
| collabscope | str
| fullurl | str
| suburl | str
| department | str
| user | str
| policy | str
| rulelabel | str
| ruletype | str
| malware | str
| threatname | str
| malwareclass | str
| dlpdictnames | str
| dlpenginenames | str
| dlpidentifier | str
| severity | str
| dlpdictcount | str
| filetypecategory | str
| hostname2 | str
| sha | str
| datacenter | str
| datacentercity | str
| datacentercountry | str
| hostchain | str
| ✓ | tag | str
| ✓ | rawMessage | str
| ✓ |
proxy.zscaler.zia.saas_repository |
Field | Type | Extra fields |
|---|
eventdate | timestamp
| hostname | str
| tenant | str
| applicationname | str
| time | timestamp
| epochtime | timestamp
| recordid | str
| filename | str
| filetypename | str
| filesize | int8
| lastmodtime | str
| filemd5 | str
| collabscope | str
| department | str
| policy | str
| rulelabel | str
| ruletype | str
| malware | str
| threatname | str
| malwareclass | str
| dlpdictnames | str
| dlpenginenames | str
| dlpidentifier | str
| severity | str
| dlpdictcount | str
| num_external_collab | str
| filetypecategory | str
| external_collabnames | str
| oexternal_collabnames | str
| filepath | str
| sha | str
| datacenter | str
| datacentercity | str
| datacentercountry | str
| hostchain | str
| ✓ |
tag | str
| ✓ |
rawMessage | str
| ✓ |
proxy.zscaler.zia.tunnel
Field | Type | Field Transformation | Source field name | Extra fields |
|---|
eventdate | timestamp
| | | hostname | str
| | | datetime | timestamp
| | Code Block |
|---|
parsedate(replace(datetime_tmp, " ", " "), dateformat("ddd MMM DD HH:mm:ss YYYY", "UTC", "en-US")) |
| datetime_tmp | tunnelactionname | str
| | | vpncredentialname | str
| | | locationname | str
| | | destvip | str
| | | sourceip | str
| | | tunneltype | str
| | | event | str
| | | eventreason | str
| | | srcport | str
| | | recordid | str
| | | txbytes | int8
| | | rxbytes | int8
| | | txpackets | int4
| | | rxpackets | int4
| | | dpdrec | str
| | | lifetime | str
| | | spi_in | str
| | | spi_out | str
| | | dstport | str
| | | algo | str
| | | authentication | str
| | | authtype | str
| | | vendorname | str
| | | ikeversion | str
| | | spi | str
| | | destipstart | str
| | | destipend | str
| | | srcipstart | str
| | | srcipend | str
| | | srcportstart | str
| | | destportstart | str
| | | lifebytes | str
| | | tunnelprotocol | str
| | | protocol | str
| | | hostchain | str
| | | ✓ |
tag | str
| | | ✓ |
rawMessage | str
| | | ✓ |
proxy.zscaler.zia.web
Field | Type | Field Transformation | Source field name | Extra fields |
|---|
eventdate | timestamp
| | | hostname | str
| | | sourcetype | str
| | | time | timestamp
| | | datetime | timestamp
| | | tz | str
| | | ss | int4
| | | mm | int4
| | | hh | int4
| | | dd | int4
| | | mth | int4
| | | mon | str
| | | yyyy | int4
| | | day | str
| | | epochtime | timestamp
| | | department | str
| | dept | user | str
| | login | throttlereqsize | int8
| | | throttlerespsize | int8
| | | bwthrottle | str
| | | bwclassname | str
| | | bwrulename | str
| | | appname | str
| | | appclass | str
| | | module | str
| | | bamd5 | str
| | | datacenter | str
| | | datacentercity | str
| | | datacentercountry | str
| | | dlpdictionaries | str
| | dlpdict | dlpdicthitcount | str
| | | dlpengine | str
| | dlpeng | dlpidentifier | int8
| | | dlpmd5 | str
| | | fileclass | str
| | | filetype | str
| | | filesubtype | str
| | | filename | str
| | | upload_fileclass | str
| | | upload_filetype | str
| | | upload_filename | str
| | | upload_filesubtype | str
| | | upload_doctypename | str
| | | unscannable | str
| | | unscannabletype | str
| | | reqdatasize | int8
| | | reqhdrsize | int8
| | | requestsize | str
| | reqsize | respdatasize | int8
| | | resphdrsize | int8
| | | responsesize | str
| | respsize | transactionsize | str
| | totalsize | requestmethod | str
| | reqmethod | reqversion | str
| | | status | str
| | respcode | respversion | str
| | | referer_url | str
| | referer | uaclass | str
| | | useragent | str
| | ua | ua_token | str
| | | event__hostname | str
| | host | ehost | str
| | | eurl | str
| | | ereferer | str
| | | contenttype | str
| | | refererhost | str
| | | erefererpath | str
| | | eurlpath | str
| | | erefererhost | str
| | | url | str
| | | df_hostname | str
| | | mobappname | str
| | | mobappcat | str
| | | mobdevtype | str
| | | clientpublicIP | ip4
| | cip | ClientIP | ip4
| | cintip | serverip | ip4
| | sip | protocol | str
| | proto | trafficredirectmethod | str
| | | location | str
| | | rulelabel | str
| | | ruletype | str
| | | reason | str
| | | action | str
| | | ssldecrypted | str
| | | clientsslcipher | str
| | | clienttlsversion | str
| | | clientsslsessreuse | str
| | | srvsslcipher | str
| | | srvtlsversion | str
| | | srvocspresult | str
| | | srvcertchainvalpass | str
| | | srvwildcardcert | str
| | | serversslsessreuse | str
| | | srvcertvalidationtype | str
| | | srvcertvalidityperiod | str
| | | pagerisk | str
| | riskscore | threatname | str
| | | threatclass | str
| | malwareclass | threatcategory | str
| | malwarecat | urlclass | str
| | | urlsupercategory | str
| | urlsupercat | urlcategory | str
| | urlcat | devicehostname | str
| | | devicemodel | str
| | | devicename | str
| | | deviceostype | str
| | | deviceosversion | str
| | | deviceowner | str
| | | deviceappversion | ip4
| | | ztunnelversion | str
| | | recordid | int8
| | | event_id | str
| | recordid | product | str
| | | productversion | str
| | | vendor | str
| | | nsssvcip | ip4
| | | eedone | str
| | | keyprotectiontype | str
| | | event | json
| | | hostchain | str
| | | ✓ |
tag | str
| | | ✓ |
rawMessage | str
| | | ✓ |
How is the data sent to Devo?
You can forward logs generated by Zscaler in both CEF0 and CSV format using any Syslog drain (for example, Syslog-ng).
| Note |
|---|
Please, contact Devo for support about how to configure Zscaler NSS Web / Firewall feeds' output (for example, fields order for CSV format or csX and cnX fields mapping for CEF format) before starting to use nss_web or nss_firewall parsers. |
Zscaler Internet Access (ZIA)
Logs generated by ZIA must be sent to the Devo platform via the Devo Relay to secure communication. See the required relay rules below and see how to define them here.
| Expand |
|---|
| title | Relay rule 1 - Alerts |
|---|
|
Source Port → as required Target Tag → proxy.zscaler.zia.alert.syslog Max packet size (bytes) → 5120 Select the Sent without syslog tag checkbox.
|
| Expand |
|---|
|
Source Port → as required Target Tag → proxy.zscaler.zia.dns.json Max packet size (bytes) → 5120 Select the Sent without syslog tag checkbox.
|
| Expand |
|---|
| title | Relay rule 4 - Firewall |
|---|
|
Source Port → as required Target Tag → proxy.zscaler.zia.firewall.json Max packet size (bytes) → 5120 Select the Sent without syslog tag checkbox.
|
| Expand |
|---|
| title | Relay rule 4 - SaaS Collaboration |
|---|
|
Source Port → as required Target Tag → proxy.zscaler.zia.saas_collaboration.json Max packet size (bytes) → 5120 Select the Sent without syslog tag checkbox.
|
| Expand |
|---|
| title | Relay rule 5 - SaaS CRM |
|---|
|
Source Port → as required Target Tag → proxy.zscaler.zia.saas_crm.json Max packet size (bytes) → 5120 Select the Sent without syslog tag checkbox.
|
| Expand |
|---|
| title | Relay rule 6 - SaaS Email |
|---|
|
Source Port → as required Target Tag → proxy.zscaler.zia.saas_email.json Max packet size (bytes) → 5120 Select the Sent without syslog tag checkbox.
|
| Expand |
|---|
| title | Relay rule 7 - SaaS File |
|---|
|
Source Port → as required Target Tag → proxy.zscaler.zia.saas_file.json Max packet size (bytes) → 5120 Select the Sent without syslog tag checkbox.
|
| Expand |
|---|
| title | Relay rule 8 - SaaS ITSM |
|---|
|
Source Port → as required Target Tag → proxy.zscaler.zia.saas_itsm.json Max packet size (bytes) → 5120 Select the Sent without syslog tag checkbox.
|
| Expand |
|---|
| title | Relay rule 9 - SaaS Repository |
|---|
|
Source Port → as required Target Tag → proxy.zscaler.zia.saas_repository.json Max packet size (bytes) → 5120 Select the Sent without syslog tag checkbox.
|
| Expand |
|---|
| title | Relay rule 10 - Tunnel |
|---|
|
Source Port → as required Target Tag → proxy.zscaler.zia.tunnel.json Max packet size (bytes) → 5120 Select the Sent without syslog tag checkbox.
|
| Expand |
|---|
|
Source Port → as required Target Tag → proxy.zscaler.zia.web.json Max packet size (bytes) → 5120 Select the Sent without syslog tag checkbox. | | filemd5 | str
| | collabscope | str
| | fullurl | str
| | suburl | str
| | department | str
| | user | str
| | policy | str
| | rulelabel | str
| | ruletype | str
| | malware | str
| | threatname | str
| | malwareclass | str
| | dlpdictnames | str
| | dlpenginenames | str
| | dlpidentifier | str
| | severity | str
| | dlpdictcount | str
| | filetypecategory | str
| | hostname2 | str
| | sha | str
| | datacenter | str
| | datacentercity | str
| | datacentercountry | str
| | hostchain | str
| ✓ | tag | str
| ✓ | rawMessage | str
| ✓ |
Field | Type | Extra fields |
|---|
eventdate | timestamp
| | hostname | str
| | tenant | str
| | applicationname | str
| | time | timestamp
| | epochtime | timestamp
| | recordid | str
| | filename | str
| | filetypename | str
| | filesize | int8
| | lastmodtime | str
| | filemd5 | str
| | collabscope | str
| | department | str
| | policy | str
| | rulelabel | str
| | ruletype | str
| | malware | str
| | threatname | str
| | malwareclass | str
| | dlpdictnames | str
| | dlpenginenames | str
| | dlpidentifier | str
| | severity | str
| | dlpdictcount | str
| | num_external_collab | str
| | filetypecategory | str
| | external_collabnames | str
| | oexternal_collabnames | str
| | filepath | str
| | sha | str
| | datacenter | str
| | datacentercity | str
| | datacentercountry | str
| | hostchain | str
| ✓ | tag | str
| ✓ | rawMessage | str
| ✓ |
Field | Type | Field transformation | Source field name | Extra fields |
|---|
eventdate | timestamp
| | | | hostname | str
| | | | datetime | timestamp
| | Code Block |
|---|
parsedate(replace(datetime_tmp, " ", " "), dateformat("ddd MMM DD HH:mm:ss YYYY", "UTC", "en-US")) |
| datetime_tmp | | tunnelactionname | str
| | | | vpncredentialname | str
| | | | locationname | str
| | | | destvip | str
| | | | sourceip | str
| | | | tunneltype | str
| | | | event | str
| | | | eventreason | str
| | | | srcport | str
| | | | recordid | str
| | | | txbytes | int8
| | | | rxbytes | int8
| | | | txpackets | int4
| | | | rxpackets | int4
| | | | dpdrec | str
| | | | lifetime | str
| | | | spi_in | str
| | | | spi_out | str
| | | | dstport | str
| | | | algo | str
| | | | authentication | str
| | | | authtype | str
| | | | vendorname | str
| | | | ikeversion | str
| | | | spi | str
| | | | destipstart | str
| | | | destipend | str
| | | | srcipstart | str
| | | | srcipend | str
| | | | srcportstart | str
| | | | destportstart | str
| | | | lifebytes | str
| | | | tunnelprotocol | str
| | | | protocol | str
| | | | hostchain | str
| | | ✓ | tag | str
| | | ✓ | rawMessage | str
| | | ✓ |
Field | Type | Field transformation | Source field name | Extra fields |
|---|
eventdate | timestamp
| | | | hostname | str
| | | | sourcetype | str
| | | | time | timestamp
| | Code Block |
|---|
parsedate(replace(time_str, " ", " "), dateformat("ddd MMM DD HH:mm:ss YYYY", "UTC")) |
| time_str | | datetime | timestamp
| | Code Block |
|---|
ifthenelse(isnull(datetime_), parsedate(replace(datetime_str, " ", " "), dateformat("ddd MMM DD HH:mm:ss YYYY", "UTC")), datetime_) |
| datetime_ datetime_str | | tz | str
| | | | ss | int4
| | | | mm | int4
| | | | hh | int4
| | | | dd | int4
| | | | mth | int4
| | | | mon | str
| | | | yyyy | int4
| | | | day | str
| | | | epochtime | timestamp
| | | | department | str
| | dept | | user | str
| | login | | throttlereqsize | int8
| | | | throttlerespsize | int8
| | | | bwthrottle | str
| | | | bwclassname | str
| | | | bwrulename | str
| | | | appname | str
| | | | appclass | str
| | | | module | str
| | | | bamd5 | str
| | | | datacenter | str
| | | | datacentercity | str
| | | | datacentercountry | str
| | | | dlpdictionaries | str
| | dlpdict | | dlpdicthitcount | str
| | | | dlpengine | str
| | dlpeng | | dlpidentifier | int8
| | | | dlpmd5 | str
| | | | fileclass | str
| | | | filetype | str
| | | | filesubtype | str
| | | | filename | str
| | | | upload_fileclass | str
| | | | upload_filetype | str
| | | | upload_filename | str
| | | | upload_filesubtype | str
| | | | upload_doctypename | str
| | | | unscannable | str
| | | | unscannabletype | str
| | | | reqdatasize | int8
| | | | reqhdrsize | int8
| | | | requestsize | str
| | reqsize | | respdatasize | int8
| | | | resphdrsize | int8
| | | | responsesize | str
| | respsize | | transactionsize | str
| | totalsize | | requestmethod | str
| | reqmethod | | reqversion | str
| | | | status | str
| | respcode | | respversion | str
| | | | b64referer | str
| | | | b64url | str
| | | | b64ua | str
| | | | referer_url | str
| | referer | | uaclass | str
| | | | useragent | str
| | ua | | ua_token | str
| | | | event__hostname | str
| | host | | ehost | str
| | | | eurl | str
| | | | ereferer | str
| | | | contenttype | str
| | | | refererhost | str
| | | | erefererpath | str
| | | | eurlpath | str
| | | | erefererhost | str
| | | | url | str
| | | | df_hostname | str
| | | | mobappname | str
| | | | mobappcat | str
| | | | mobdevtype | str
| | | | client_ipv4 | ip4
| | cip | | client_ipv6 | ip6
| | | | client_public_ipv4 | ip4
| | cintip | | client_public_ipv6 | ip6
| | | | serverip | ip4
| | sip | | server_ipv4 | ip4
| | sip | | server_ipv6 | ip6
| | | | protocol | str
| | proto | | trafficredirectmethod | str
| | | | location | str
| | | | rulelabel | str
| | | | ruletype | str
| | | | reason | str
| | | | action | str
| | | | ssldecrypted | str
| | | | clientsslcipher | str
| | | | clienttlsversion | str
| | | | clientsslsessreuse | str
| | | | srvsslcipher | str
| | | | srvtlsversion | str
| | | | srvocspresult | str
| | | | srvcertchainvalpass | str
| | | | srvwildcardcert | str
| | | | serversslsessreuse | str
| | | | srvcertvalidationtype | str
| | | | srvcertvalidityperiod | str
| | | | pagerisk | str
| | riskscore | | threatname | str
| | | | threatclass | str
| | malwareclass | | threatcategory | str
| | malwarecat | | urlclass | str
| | | | urlsupercategory | str
| | urlsupercat | | urlcategory | str
| | urlcat | | devicehostname | str
| | | | devicemodel | str
| | | | devicename | str
| | | | deviceostype | str
| | | | deviceosversion | str
| | | | deviceowner | str
| | | | deviceappversion | str
| | | | ztunnelversion | str
| | | | recordid | int8
| | | | event_id | str
| | recordid | | product | str
| | | | productversion | str
| | | | vendor | str
| | | | nsssvcip | ip4
| | | | eedone | str
| | | | keyprotectiontype | str
| | | | event | json
| | | | hostchain | str
| | | ✓ | tag | str
| | | ✓ | rawMessage | str
| | | ✓ |
|
