cef0.zscaler
Introduction
The tables beginning with cef0.zscaler identify events in CEF format generated by Zscaler products.
Tag structure
Events in CEF format don't have a specific tag structure, as explained in Technologies supported in CEF syslog format. They are always sent to a table with the structure cef0.deviceVendor.deviceProduct.
In this case, the valid data tables are:
cef0.zscaler.nssweblog
cef0.zscaler.nssfwlog
How is the data sent to Devo?
Learn more about CEF syslog format and how Devo tags these events in Technologies supported in CEF syslog format.
Log samples
The following are sample logs sent to each of the cef0.zscaler data tables. Under each sample log you can see how its information is parsed into the fields of that data table.
Extra columns
Fields marked as Extra in the tables below are not shown by default in data tables and must be requested explicitly in the query. They appear marked as Extra when you run a query, so they are easy to identify. Learn more about this in Selecting unrevealed columns.
cef0.zscaler.nssweblog
<12>2021-01-01 01:00:30.000 localhost=127.0.0.1 CEF: 0|Zscaler|NSSWeblog|4.1|Allowed|Allowed|3|act=Allowed app=SSL cat=Corporate Marketing dhost=web-50.koch.com dst=186.5.87.182 src=39.87.236.101 in=5546 outcome=NA out=2241 request=web-50.koch.com rt=Mar 17 2021 21:40:13 GMT sourceTranslatedAddress=39.87.236.101 requestClientApplication=Windows Microsoft Windows 10 Enterprise ZTunnel/dev/jason07/attorney/will/wonder.numbers requestMethod=NA suser=starkmackenzie spriv=Road Warrior externalId=6940741080096702554 fileType=None reason=Allowed destinationServiceName=OneDrive cn1=0 cn1Label=risks core cs1=Contact Centre IIC cs1Label=dept cs2=Business and Economy cs2Label=urlsupercat cs3=File Share cs3Label=appclass cs4=None cs4Label=malwarecat cs5=None cs5Label=threatname cs6=None cs6Label=dlpeng ZscalerNSSWeblogURLClass=Business Use ZscalerNSSWeblogDLPDictionaries=None requestContext=None
And this is how the logs would be parsed:
Field | Value | Type | Extra field |
---|---|---|---|
hostchain | | | ✓ |
priorityCode | 12 | | |
cefTag | CEF | | |
cefVersion | 0 | | |
embDeviceVendor | Zscaler | | |
embDeviceProduct | NSSWeblog | | |
deviceVersion | 4.1 | | |
signatureID | Allowed | | |
name | Allowed | | |
severity | 3 | | |
_cefVer | | | |
act | Allowed | | |
app | SSL | | |
cat | Corporate Marketing | | |
cn1Label | risks core | | |
cn1 | 0 | | |
cs1Label | dept | | |
cs1 | Contact Centre IIC | | |
cs2Label | urlsupercat | | |
cs2 | Business and Economy | | |
cs3Label | appclass | | |
cs3 | File Share | | |
cs4Label | malwarecat | | |
cs4 | None | | |
cs5Label | threatname | | |
cs5 | None | | |
cs6Label | dlpeng | | |
cs6 | None | | |
destinationServiceName | OneDrive | | |
dhost | web-50.koch.com | | |
dst | 186.5.87.182 | | |
externalId | 6940741080096702554 | | |
fileType | None | | |
in | 5546 | | |
outcome | NA | | |
out | 2241 | | |
reason | Allowed | | |
requestClientApplication | Windows Microsoft Windows 10 Enterprise ZTunnel/dev/jason07/attorney/will/wonder.numbers | | |
requestMethod | NA | | |
request | web-50.koch.com | | |
rt | Mar 17 2021 21:40:13 GMT | | |
sourceTranslatedAddress | 39.87.236.101 | | |
spriv | Road Warrior | | |
src | 39.87.236.101 | | |
spt | | | |
suser | starkmackenzie | | |
ZscalerNSSWeblogDLPDictionaries | None | | |
ZscalerNSSWeblogURLClass | Business Use | | |
requestContext | None | | |
rawMessage | | | |
tag | | | ✓ |
raw | | | ✓ |
cef0.zscaler.nssfwlog
<24>2021-01-01 01:00:30.000 localhost=127.0.0.1 CEF: 0|Zscaler|NSSFWlog|5.1|Allow|Allow|3|act=Allow suser=seanknight cs1=Manila BPO spriv=US-MA-ANDV-B->Osprey-Citrix/dev/seat.mp4 dst=10.90.134.181 src=140.113.241.238 spt=52618 dpt=80 sourceTranslatedAddress=106.149.65.128 destinationTranslatedAddress=10.90.134.181 destinationServiceName=HTTP app=ofw_tcp_bypass proto=TCP in=65054 out=1583 cn1=368 cn2=1105 cn3=3 cs2=Yes cs3=Other cs3Label=Country cs4=Zscaler Bypass Traffic cat=Miscellaneous or Unknown
And this is how the logs would be parsed:
Field | Value | Type | Extra field |
---|---|---|---|
hostchain | | | ✓ |
priorityCode | 24 | | |
cefTag | CEF | | |
cefVersion | 0 | | |
embDeviceVendor | Zscaler | | |
embDeviceProduct | NSSFWlog | | |
deviceVersion | 5.1 | | |
signatureID | Allow | | |
name | Allow | | |
severity | 3 | | |
_cefVer | | | |
act | Allow | | |
app | ofw_tcp_bypass | | |
cat | Miscellaneous or Unknown | | |
cn1 | 368 | | |
cn2 | 1105 | | |
cn3 | 3 | | |
cs1 | Manila BPO | | |
cs2 | Yes | | |
cs3Label | Country | | |
cs3 | Other | | |
cs4 | Zscaler Bypass Traffic | | |
destinationServiceName | HTTP | | |
destinationTranslatedAddress | 10.90.134.181 | | |
dst | 10.90.134.181 | | |
dpt | 80 | | |
in | 65054 | | |
out | 1583 | | |
proto | TCP | | |
sourceTranslatedAddress | 106.149.65.128 | | |
spriv | US-MA-ANDV-B->Osprey-Citrix/dev/seat.mp4 | | |
src | 140.113.241.238 | | |
spt | 52618 | | |
suser | seanknight | | |
tag | CEF | str | ✓ |
rawMessage | | | ✓ |
raw | | | ✓ |
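The two sample logs above (nssweblog and nssfwlog), parsed by an added Python example that is not Devo's or Zscaler's code. It separates the syslog prefix from the CEF record, splits the seven pipe-separated header slots (named as in the tables above), walks the space-separated key=value extension where values may themselves contain spaces, derives the cef0.vendor.product table name (lowercased, as the two table names on this page show) and resolves the cnN/csN custom fields through their Label companions. The escaping rules it applies (backslash before | in the header, before = and \ in extension values) are the generic CEF conventions, an assumption here rather than something this page states; the sample lines are embedded verbatim from the page.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed inputs: the two sample lines shown on this page, verbatim.
SAMPLE_WEBLOG = (
    "<12>2021-01-01 01:00:30.000 localhost=127.0.0.1 CEF: 0|Zscaler|NSSWeblog|4.1|Allowed|Allowed|3|"
    "act=Allowed app=SSL cat=Corporate Marketing dhost=web-50.koch.com dst=186.5.87.182 "
    "src=39.87.236.101 in=5546 outcome=NA out=2241 request=web-50.koch.com "
    "rt=Mar 17 2021 21:40:13 GMT sourceTranslatedAddress=39.87.236.101 "
    "requestClientApplication=Windows Microsoft Windows 10 Enterprise "
    "ZTunnel/dev/jason07/attorney/will/wonder.numbers requestMethod=NA suser=starkmackenzie "
    "spriv=Road Warrior externalId=6940741080096702554 fileType=None reason=Allowed "
    "destinationServiceName=OneDrive cn1=0 cn1Label=risks core cs1=Contact Centre IIC "
    "cs1Label=dept cs2=Business and Economy cs2Label=urlsupercat cs3=File Share "
    "cs3Label=appclass cs4=None cs4Label=malwarecat cs5=None cs5Label=threatname cs6=None "
    "cs6Label=dlpeng ZscalerNSSWeblogURLClass=Business Use "
    "ZscalerNSSWeblogDLPDictionaries=None requestContext=None"
)
SAMPLE_FWLOG = (
    "<24>2021-01-01 01:00:30.000 localhost=127.0.0.1 CEF: 0|Zscaler|NSSFWlog|5.1|Allow|Allow|3|"
    "act=Allow suser=seanknight cs1=Manila BPO spriv=US-MA-ANDV-B->Osprey-Citrix/dev/seat.mp4 "
    "dst=10.90.134.181 src=140.113.241.238 spt=52618 dpt=80 sourceTranslatedAddress=106.149.65.128 "
    "destinationTranslatedAddress=10.90.134.181 destinationServiceName=HTTP app=ofw_tcp_bypass "
    "proto=TCP in=65054 out=1583 cn1=368 cn2=1105 cn3=3 cs2=Yes cs3=Other cs3Label=Country "
    "cs4=Zscaler Bypass Traffic cat=Miscellaneous or Unknown"
)

# The seven CEF header slots, named as the tables on this page name them.
HEADER_FIELDS = ("cefVersion", "embDeviceVendor", "embDeviceProduct",
                 "deviceVersion", "signatureID", "name", "severity")

_PRI = re.compile(r"^<(\d{1,3})>")                 # syslog priority, e.g. <12>
_UNESCAPED_PIPE = re.compile(r"(?<!\\)\|")         # header separator, '\|' is literal
# An extension key is a run of word characters followed by '=' at the start of the
# extension or right after whitespace; an escaped '\=' inside a value never matches.
_EXT_KEY = re.compile(r"(?<![^\s])([A-Za-z0-9_]+)=")
_LABEL_KEY = re.compile(r"^(c[ns]\d+)Label$")      # cn1Label -> cn1, cs3Label -> cs3


def _unescape_header(value: str) -> str:
    return re.sub(r"\\([|\\])", r"\1", value)


def _unescape_value(value: str) -> str:
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def parse_extension(ext: str) -> Dict[str, str]:
    """Split 'k1=v v v k2=w' into {'k1': 'v v v', 'k2': 'w'}: each value runs up to the next key."""
    fields: Dict[str, str] = {}
    keys = list(_EXT_KEY.finditer(ext))
    for i, km in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        fields[km.group(1)] = _unescape_value(ext[km.end():end].strip())
    return fields


@dataclass
class CefEvent:
    priority: Optional[int]
    header: Dict[str, str]
    extension: Dict[str, str]

    @property
    def devo_tag(self) -> str:
        """cef0.deviceVendor.deviceProduct, lowercased like the table names on this page (assumption)."""
        return "cef0.%s.%s" % (self.header["embDeviceVendor"].lower(),
                               self.header["embDeviceProduct"].lower())


def parse_cef(line: str) -> CefEvent:
    """Parse one syslog-wrapped CEF line; anything before 'CEF:' is the relay prefix."""
    m = _PRI.match(line)
    priority = int(m.group(1)) if m else None
    marker = line.find("CEF:")
    if marker < 0:
        raise ValueError("not a CEF record")
    record = line[marker + 4:].lstrip()                # the samples write 'CEF: 0' with a space
    parts = _UNESCAPED_PIPE.split(record, maxsplit=7)  # pipes inside the extension stay untouched
    if len(parts) < 7:
        raise ValueError("CEF header has fewer than 7 fields")
    header = {k: _unescape_header(v) for k, v in zip(HEADER_FIELDS, parts[:7])}
    extension = parse_extension(parts[7]) if len(parts) > 7 else {}
    return CefEvent(priority, header, extension)


def resolve_labels(extension: Dict[str, str]) -> Dict[str, str]:
    """Turn cnN/csN plus their Label fields into named values, e.g. {'dept': 'Contact Centre IIC'}."""
    named: Dict[str, str] = {}
    for key, label in extension.items():
        lm = _LABEL_KEY.match(key)
        if lm and lm.group(1) in extension:
            named[label] = extension[lm.group(1)]
    return named


if __name__ == "__main__":
    for sample in (SAMPLE_WEBLOG, SAMPLE_FWLOG):
        ev = parse_cef(sample)
        print(ev.devo_tag, "severity=" + ev.header["severity"], "act=" + ev.extension["act"])
        print("  labelled custom fields:", resolve_labels(ev.extension))
```

Resolving the Label fields matters for detection content: a query on the weblog table should key on dept or urlsupercat rather than on cs1 or cs2, because the meaning of a csN slot is whatever its Label says in that product and version.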