proxy.zscaler

Introduction

The tags beginning with proxy.zscaler identify events generated by Zscaler products belonging to Zscaler.

Valid tags and data tables

The full tag must have at least 3 levels. The first two are fixed as proxy.zscaler. The third level identifies the product or event type, and the rest of them indicate the event subtypes.

These are the valid tags and corresponding data tables that will receive the parsers' data:

Note that you have to properly define the final part of the tag to get you data properly parsed.

Product / Service	Tags	Data tables
Zscaler Secure Web Gateway (ZSGW)	`proxy.zscaler.access`	`proxy.zscaler.access`
	`proxy.zscaler.access.json_event`	`proxy.zscaler.access`
	`proxy.zscaler.nss`	`proxy.zscaler.nss`
	`proxy.zscaler.nss_firewall.cef`	`proxy.zscaler.nss_firewall`
	`proxy.zscaler.nss_firewall.csv`
	`proxy.zscaler.nss_firewall.json`
	`proxy.zscaler.nss_web.cef`	`proxy.zscaler.nss_web`
	`proxy.zscaler.nss_web.csv`	`proxy.zscaler.nss_web`
Zscaler Internet Access (ZIA)	`proxy.zscaler.zia.alert.syslog`	`proxy.zscaler.zia.alert`
	`proxy.zscaler.zia.casb`	`proxy.zscaler.zia.casb`
	`proxy.zscaler.zia.dns.json`	`proxy.zscaler.zia.dns`
	`proxy.zscaler.zia.firewall.json`	`proxy.zscaler.zia.firewall`
	`proxy.zscaler.zia.saas_collaboration.json`	`proxy.zscaler.zia.saas_collaboration`
	`proxy.zscaler.zia.saas_crm.json`	`proxy.zscaler.zia.saas_crm`
	`proxy.zscaler.zia.saas_email.json`	`proxy.zscaler.zia.saas_email`
	`proxy.zscaler.zia.saas_file.json`	`proxy.zscaler.zia.saas_file`
	`proxy.zscaler.zia.saas_itsm.json`	`proxy.zscaler.zia.saas_itsm`
	`proxy.zscaler.zia.saas_repository.json`	`proxy.zscaler.zia.saas_repository`
	`proxy.zscaler.zia.tunnel`	`proxy.zscaler.zia.tunnel`
	`proxy.zscaler.zia.tunnel.json`	`proxy.zscaler.zia.tunnel`
	`proxy.zscaler.zia.web`	`proxy.zscaler.zia.web`
	`proxy.zscaler.zia.web.json`	`proxy.zscaler.zia.web`

For more information, read more About Devo tags.

How is the data sent to Devo?

You can forward logs generated by Zscaler in both CEF0 and CSV format using any Syslog drain (for example, Syslog-ng).

Please, contact Devo for support about how to configure Zscaler NSS Web / Firewall feeds' output (for example, fields order for CSV format or csX and cnX fields mapping for CEF format) before starting to use nss_web or nss_firewall parsers.

Zscaler Internet Access (ZIA)

Logs generated by ZIA must be sent to the Devo platform via the Devo Relay to secure communication. See the required relay rules below and see how to define them here.

Relay rule 1 - Alerts

Source port → as required
Target tag → proxy.zscaler.zia.alert.syslog
Max packet size (bytes) → 5120
Select the Sent without syslog tag checkbox.

Relay rule 2 - DNS

Source port → as required
Target tag → proxy.zscaler.zia.dns.json
Max packet size (bytes) → 5120
Select the Sent without syslog tag checkbox.

Relay rule 4 - Firewall

Source port → as required
Target tag → proxy.zscaler.zia.firewall.json
Max packet size (bytes) → 5120
Select the Sent without syslog tag checkbox.

Relay rule 4 - SaaS Collaboration

Source port → as required
Target tag → proxy.zscaler.zia.saas_collaboration.json
Max packet size (bytes) → 5120
Select the Sent without syslog tag checkbox.

Relay rule 5 - SaaS CRM

Source port → as required
Target tag → proxy.zscaler.zia.saas_crm.json
Max packet size (bytes) → 5120
Select the Sent without syslog tag checkbox.

Relay rule 6 - SaaS Email

Source port → as required
Target tag → proxy.zscaler.zia.saas_email.json
Max packet size (bytes) → 5120
Select the Sent without syslog tag checkbox.

Relay rule 7 - SaaS File

Source port → as required
Target tag → proxy.zscaler.zia.saas_file.json
Max packet size (bytes) → 5120
Select the Sent without syslog tag checkbox.

Relay rule 8 - SaaS ITSM

Source port → as required
Target tag → proxy.zscaler.zia.saas_itsm.json
Max packet size (bytes) → 5120
Select the Sent without syslog tag checkbox.

Relay rule 9 - SaaS Repository

Source port → as required
Target tag → proxy.zscaler.zia.saas_repository.json
Max packet size (bytes) → 5120
Select the Sent without syslog tag checkbox.

Relay rule 10 - Tunnel

Source port → as required
Target tag → proxy.zscaler.zia.tunnel.json
Max packet size (bytes) → 5120
Select the Sent without syslog tag checkbox.

Relay rule 11 - Web

Source port → as required
Target tag → proxy.zscaler.zia.web.json
Max packet size (bytes) → 5120
Select the Sent without syslog tag checkbox.

If you cannot send your events in JSON format, you must define the following template in your environment:

\{"time": "%s{time}", "recordid": %d{recordid}, "login": "%s{login}", "ehost": "%s{ehost}", "sip": "%s{sip}", "cip": "%s{cip}", "cintip": "%s{cintip}", "eurl": "%s{eurl}", "ua": "%s{ua}", "module": "%s{module}", "proto": "%s{proto}", "action": "%s{action}", "reason": "%s{reason}", "appname": "%s{appname}", "appclass": "%s{appclass}", "filetype": "%s{filetype}", "reqsize": %d{reqsize}, "respsize": %d{respsize}, "totalsize": %d{totalsize}, "malwarecat": "%s{malwarecat}", "malwareclass": "%s{malwareclass}", "threatname": "%s{threatname}", "riskscore": %d{riskscore}, "dlpeng": "%s{dlpeng}", "dlpdict": "%s{dlpdict}", "location": "%s{location}", "dept": "%s{dept}", "reqmethod": "%s{reqmethod}", "respcode": "%s{respcode}", "respversion": "%s{respversion}", "urlclass": "%s{urlclass}", "urlsupercat": "%s{urlsupercat}", "urlcat": "%s{urlcat}", "ereferer": "%s{ereferer}", "contenttype": "%s{contenttype}", "unscannabletype": "%s{unscannabletype}", "devicehostname": "%s{devicehostname}", "deviceowner": "%s{deviceowner}", "keyprotectiontype": "%s{keyprotectiontype}"\}

Table structure

These are the fields displayed in these tables: