Document toolboxDocument toolbox

Zscaler Audit Logs collector

Owned by Juan Tomás Alonso Nieto (Deactivated)
Jul 06, 2022
6 min read
[ 1 Service description ] [ 2 Data source description ] [ 3 Setup ] [ 4 Run the collector ] [ 5 API limitations ]

Service description

Zscaler is a cloud service that offers a centralized door for all the business applications and networks, making easy to control and secure all the data, connecting all the user and employees regardless the location or platform used.

Zscaler records the login name and IP address of every admin who logs in to the ZIA Admin Portal and changes policies or configuration settings. Audit logs display an admin's login and logout record (timestamps, actions, IP, etc.) and any configuration changes they completed. If an admin account makes five unsuccessful attempts to log in within one minute, the account will be locked out for five minutes and the failed attempts will be recorded. The audit logs are stored for up to 6 months.

Data source description

The Zscaler audit logs allow retrieving activities for these resources:

Resource

Description

Devo tables

Resource

Description

Devo tables

Audit logs



  • Timestamp - The local time of the admin's last login or last logout.

  • User - Account associated to the Zscaler service.

  • Action - The action performed by the admin in the ZIA Admin Portal or API.

    • List of all potential actions.

  • AA in Cloud - Zscaler domain where the data is collected, as an example zscaler<something>.net

  • Result - The outcome of an action.

    • Successful

    • Failure

  • Client IP - The source IP address for the admin.

  • Interface - The means by which the user performed their actions.

    • The interface will either be the Admin UI or an API.

  • Category - A location in the ZIA Admin Portal where the action was performed.

    • List of all potential categories.

  • Sub-Category

    • List of all potential sub-categories.

  • Resource - The specific location within a sub-category.

  • Pre Action - Action programmed to happen before the event.

  • Post Action - Action programmed to happen after the event.

my.app.zscaler.audit_logs

Setup

  1. Go to the Zscaler site https://admin.<Zscaler Cloud Name>.net

  2. Enter your Login ID and Password and click the Sign In button.

  3. Click on the Administration menu on the left. Then, select API Key Management.

  4. Click on Add API Key. We will use this key to get the Audit logs.

Run the collector

Once the data source is configured, you can either send us the required information if you want us to host and manage the collector for you (Cloud collector), or deploy and host the collector in your own machine using a Docker image (On-premise collector).

API limitations

The API limitations can be seen in the next table: 

Resource URI

GET

POST

PUT

DELETE

Resource URI

GET

POST

PUT

DELETE

/auditlogEntryReport

2/sec and 1000/hr

10/min and 40/hour

-

2/sec and 1000/hr

/auditlogEntryReport/download

2/sec and 1000/hr

-

-

-