Document toolboxDocument toolbox

proxy.zscaler

Introduction

The tags beginning with proxy.zscaler identify events generated by Zscaler products.

Tag structure

The full tag must have 4 levels. The first two are fixed as proxy.zscaler. The third level identifies the type of events sent, and the fourth level indicates the event subtype.

Technology

Brand

Type

Subtype

Technology

Brand

Type

Subtype

proxy

zscaler

  • access

  • nss

  • nss_web

  • nss_firewall

  • cef

  • csv

  • json

Therefore, the valid tags include:

  • proxy.zscaler.access

  • proxy.zscaler.nss

  • proxy.zscaler.nss_web.cef 

  • proxy.zscaler.nss_firewall.cef

  • proxy.zscaler.nss_web.csv

  • proxy.zscaler.nss_firewall.csv

  • proxy.zscaler.nss_firewall.json

And these are the corresponding data tables:

  • proxy.zscaler.access

  • proxy.zscaler.nss

  • proxy.zscaler.nss_web

  • proxy.zscaler.nss_firewall

How is the data sent to Devo?

You can forward logs generated by Zscaler in both CEF0 and CSV format using any Syslog drain (for example, Syslog-ng).

Please, contact Devo for support about how to configure Zscaler NSS Web / Firewall feeds' output (for example, fields order for CSV format or csX and cnX fields mapping for CEF format) before starting to use nss_web or nss_firewall parsers.