
cef0.zscaler

Introduction

The tables beginning with cef0.zscaler identify events in CEF format generated by Zscaler products.

Tag structure

Events in CEF format don't have a specific tag structure, as explained in Technologies supported in CEF syslog format. They are always sent to a table with the structure cef0.deviceVendor.deviceProduct.

In this case, the valid data tables are:

  • cef0.zscaler.nssweblog 

  • cef0.zscaler.nssfwlog 

How is the data sent to Devo?

Learn more about CEF syslog format and how Devo tags these events in Technologies supported in CEF syslog format.

Log samples

The following are sample logs sent to each of the cef0.zscaler data tables. Under each sample log you can also see how the information is parsed into the corresponding data table.

Extra columns

Fields marked as Extra in the table below are not shown by default in data tables and need to be explicitly requested in the query. You can find them marked as Extra when you perform a query so they can be easily identified. Learn more about this in Selecting unrevealed columns.

cef0.zscaler.nssweblog

<12>2021-01-01 01:00:30.000 localhost=127.0.0.1 CEF: 0|Zscaler|NSSWeblog|4.1|Allowed|Allowed|3|act=Allowed app=SSL cat=Corporate Marketing dhost=web-50.koch.com dst=186.5.87.182 src=39.87.236.101 in=5546 outcome=NA out=2241 request=web-50.koch.com rt=Mar 17 2021 21:40:13 GMT sourceTranslatedAddress=39.87.236.101 requestClientApplication=Windows Microsoft Windows 10 Enterprise ZTunnel/dev/jason07/attorney/will/wonder.numbers requestMethod=NA suser=starkmackenzie spriv=Road Warrior externalId=6940741080096702554 fileType=None reason=Allowed destinationServiceName=OneDrive cn1=0 cn1Label=risks core cs1=Contact Centre IIC cs1Label=dept cs2=Business and Economy cs2Label=urlsupercat cs3=File Share cs3Label=appclass cs4=None cs4Label=malwarecat cs5=None cs5Label=threatname cs6=None cs6Label=dlpeng ZscalerNSSWeblogURLClass=Business Use ZscalerNSSWeblogDLPDictionaries=None requestContext=None

And this is how the logs would be parsed:

| Field | Value | Type | Extra field |
|---|---|---|---|
| hostchain | localhost=127.0.0.1 | str | |
| priorityCode | 24 | str | |
| cefTag | CEF | str | |
| cefVersion | 0 | str | |
| embDeviceVendor | Zscaler | str | |
| embDeviceProduct | NSSWeblog | str | |
| deviceVersion | 4.1 | str | |
| signatureID | Allowed | str | |
| name | Allowed | str | |
| severity | 3 | str | |
| _cefVer | null | str | |
| act | Allowed | str | |
| app | SSL | str | |
| cat | Corporate Marketing | str | |
| cn1Label | risks core | str | |
| cn1 | 0 | int | |
| cs1Label | dept | str | |
| cs1 | Contact Centre IIC | str | |
| cs2Label | urlsupercat | str | |
| cs2 | Business and Economy | str | |
| cs3Label | appclass | str | |
| cs3 | File Share | str | |
| cs4Label | malwarecat | str | |
| cs4 | None | str | |
| cs5Label | threatname | str | |
| cs5 | None | str | |
| cs6Label | dlpeng | str | |
| cs6 | None | str | |
| destinationServiceName | OneDrive | str | |
| dhost | web-50.koch.com | str | |
| dst | 186.5.87.182 | ip | |
| externalId | 6940741080096702554 | int | |
| fileType | None | str | |
| in | 5546 | int | |
| outcome | NA | str | |
| out | 2241 | int | |
| reason | Allowed | str | |
| requestClientApplication | Windows Microsoft Windows 10 Enterprise ZTunnel/dev/jason07/attorney/will/wonder.numbers | str | |
| requestMethod | NA | str | |
| request | web-50.koch.com | str | |
| rt | Mar 17 2021 21:40:13 GMT | str | |
| sourceTranslatedAddress | 39.87.236.101 | ip | |
| spriv | Road Warrior | str | |
| src | 39.87.236.101 | ip | |
| spt | null | int | |
| suser | starkmackenzie | str | |
| ZscalerNSSWeblogDLPDictionaries | None | str | |
| ZscalerNSSWeblogURLClass | Business Use | str | |
| requestContext | None | str | |
| rawMessage | CEF: 0\|Zscaler\|NSSWeblog\|4.1\|Allowed\|Allowed\|3\|act=Allowed app=SSL cat=Corporate Marketing dhost=web-50.koch.com dst=186.5.87.182 src=39.87.236.101 in=5546 outcome=NA out=2241 request=web-50.koch.com rt=Mar 17 2021 21:40:13 GMT sourceTranslatedAddress=39.87.236.101 requestClientApplication=Windows Microsoft Windows 10 Enterprise ZTunnel/dev/jason07/attorney/will/wonder.numbers requestMethod=NA suser=starkmackenzie spriv=Road Warrior externalId=6940741080096702554 fileType=None reason=Allowed destinationServiceName=OneDrive cn1=0 cn1Label=risks core cs1=Contact Centre IIC cs1Label=dept cs2=Business and Economy cs2Label=urlsupercat cs3=File Share cs3Label=appclass cs4=None cs4Label=malwarecat cs5=None cs5Label=threatname cs6=None cs6Label=dlpeng ZscalerNSSWeblogURLClass=Business Use ZscalerNSSWeblogDLPDictionaries=None requestContext=None | str | |
| tag | CEF | str | |
| raw | 2021-03-23 12:04:11.738 localhost=127.0.0.1 24 CEF: 0\|Zscaler\|NSSWeblog\|4.1\|Allowed\|Allowed\|3\|act=Allowed app=SSL cat=Corporate Marketing dhost=web-50.koch.com dst=186.5.87.182 src=39.87.236.101 in=5546 outcome=NA out=2241 request=web-50.koch.com rt=Mar 17 2021 21:40:13 GMT sourceTranslatedAddress=39.87.236.101 requestClientApplication=Windows Microsoft Windows 10 Enterprise ZTunnel/dev/jason07/attorney/will/wonder.numbers requestMethod=NA suser=starkmackenzie spriv=Road Warrior externalId=6940741080096702554 fileType=None reason=Allowed destinationServiceName=OneDrive cn1=0 cn1Label=risks core cs1=Contact Centre IIC cs1Label=dept cs2=Business and Economy cs2Label=urlsupercat cs3=File Share cs3Label=appclass cs4=None cs4Label=malwarecat cs5=None cs5Label=threatname cs6=None cs6Label=dlpeng ZscalerNSSWeblogURLClass=Business Use ZscalerNSSWeblogDLPDictionaries=None requestContext=None | str | |

cef0.zscaler.nssfwlog

<24>2021-01-01 01:00:30.000 localhost=127.0.0.1 CEF: 0|Zscaler|NSSFWlog|5.1|Allow|Allow|3|act=Allow suser=seanknight cs1=Manila BPO spriv=US-MA-ANDV-B->Osprey-Citrix/dev/seat.mp4 dst=10.90.134.181 src=140.113.241.238 spt=52618 dpt=80 sourceTranslatedAddress=106.149.65.128 destinationTranslatedAddress=10.90.134.181 destinationServiceName=HTTP app=ofw_tcp_bypass proto=TCP in=65054 out=1583 cn1=368 cn2=1105 cn3=3 cs2=Yes cs3=Other cs3Label=Country cs4=Zscaler Bypass Traffic cat=Miscellaneous or Unknown

And this is how the logs would be parsed:

| Field | Value | Type | Extra field |
|---|---|---|---|
| hostchain | localhost=127.0.0.1 | str | |
| priorityCode | 24 | str | |
| cefTag | CEF | str | |
| cefVersion | 0 | str | |
| embDeviceVendor | Zscaler | str | |
| embDeviceProduct | NSSFWlog | str | |
| deviceVersion | 5.1 | str | |
| signatureID | Allow | str | |
| name | Allow | str | |
| severity | 3 | str | |
| _cefVer | null | str | |
| act | Allow | str | |
| app | ofw_tcp_bypass | str | |
| cat | Miscellaneous or Unknown | str | |
| cn1 | 368 | int | |
| cn2 | 1105 | int | |
| cn3 | 3 | int | |
| cs1 | Manila BPO | str | |
| cs2 | Yes | str | |
| cs3Label | Country | str | |
| cs3 | Other | str | |
| cs4 | Zscaler Bypass Traffic | str | |
| destinationServiceName | HTTP | str | |
| destinationTranslatedAddress | 10.90.134.181 | ip | |
| dst | 10.90.134.181 | ip | |
| dpt | 80 | int | |
| in | 65054 | int | |
| out | 1583 | int | |
| proto | TCP | str | |
| sourceTranslatedAddress | 106.149.65.128 | ip | |
| spriv | US-MA-ANDV-B->Osprey-Citrix/dev/seat.mp4 | str | |
| src | 140.113.241.238 | ip | |
| spt | 52618 | int | |
| suser | seanknight | str | |
| tag | CEF | str | |
| rawMessage | CEF: 0\|Zscaler\|NSSFWlog\|5.1\|Allow\|Allow\|3\|act=Allow suser=seanknight cs1=Manila BPO spriv=US-MA-ANDV-B->Osprey-Citrix/dev/seat.mp4 dst=10.90.134.181 src=140.113.241.238 spt=52618 dpt=80 sourceTranslatedAddress=106.149.65.128 destinationTranslatedAddress=10.90.134.181 destinationServiceName=HTTP app=ofw_tcp_bypass proto=TCP in=65054 out=1583 cn1=368 cn2=1105 cn3=3 cs2=Yes cs3=Other cs3Label=Country cs4=Zscaler Bypass Traffic cat=Miscellaneous or Unknown | str | |
| raw | 2021-03-23 12:14:05.382 localhost=127.0.0.1 24 CEF: 0\|Zscaler\|NSSFWlog\|5.1\|Allow\|Allow\|3\|act=Allow suser=seanknight cs1=Manila BPO spriv=US-MA-ANDV-B->Osprey-Citrix/dev/seat.mp4 dst=10.90.134.181 src=140.113.241.238 spt=52618 dpt=80 sourceTranslatedAddress=106.149.65.128 destinationTranslatedAddress=10.90.134.181 destinationServiceName=HTTP app=ofw_tcp_bypass proto=TCP in=65054 out=1583 cn1=368 cn2=1105 cn3=3 cs2=Yes cs3=Other cs3Label=Country cs4=Zscaler Bypass Traffic cat=Miscellaneous or Unknown | str | |
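The two sample events above (cef0.zscaler.nssweblog and cef0.zscaler.nssfwlog), parsed with a small CEF parser so you can check how the header and extension split into the columns listed in the tables. This is an added example, not Devo's parser or any Zscaler code. It assumes the syslog prefix layout shown on this page (`<PRI>`, timestamp, hostchain, then `CEF: 0|...`), resolves the `cnNLabel`/`csNLabel` pairs, applies the `int` and `ip` column types from the tables, and derives the table name by lower-casing deviceVendor and deviceProduct, which the table names listed above suggest but the page does not state.

```python
"""Minimal parser for the Zscaler NSS CEF samples on this page (added example)."""
import ipaddress
import re
from typing import Any, Dict

# Constructed input: the two sample events shown on this page.
WEBLOG_SAMPLE = (
    "<12>2021-01-01 01:00:30.000 localhost=127.0.0.1 CEF: 0|Zscaler|NSSWeblog|4.1|Allowed|Allowed|3|"
    "act=Allowed app=SSL cat=Corporate Marketing dhost=web-50.koch.com dst=186.5.87.182 "
    "src=39.87.236.101 in=5546 outcome=NA out=2241 request=web-50.koch.com "
    "rt=Mar 17 2021 21:40:13 GMT sourceTranslatedAddress=39.87.236.101 "
    "requestClientApplication=Windows Microsoft Windows 10 Enterprise "
    "ZTunnel/dev/jason07/attorney/will/wonder.numbers requestMethod=NA suser=starkmackenzie "
    "spriv=Road Warrior externalId=6940741080096702554 fileType=None reason=Allowed "
    "destinationServiceName=OneDrive cn1=0 cn1Label=risks core cs1=Contact Centre IIC "
    "cs1Label=dept cs2=Business and Economy cs2Label=urlsupercat cs3=File Share "
    "cs3Label=appclass cs4=None cs4Label=malwarecat cs5=None cs5Label=threatname "
    "cs6=None cs6Label=dlpeng ZscalerNSSWeblogURLClass=Business Use "
    "ZscalerNSSWeblogDLPDictionaries=None requestContext=None"
)
FWLOG_SAMPLE = (
    "<24>2021-01-01 01:00:30.000 localhost=127.0.0.1 CEF: 0|Zscaler|NSSFWlog|5.1|Allow|Allow|3|"
    "act=Allow suser=seanknight cs1=Manila BPO spriv=US-MA-ANDV-B->Osprey-Citrix/dev/seat.mp4 "
    "dst=10.90.134.181 src=140.113.241.238 spt=52618 dpt=80 sourceTranslatedAddress=106.149.65.128 "
    "destinationTranslatedAddress=10.90.134.181 destinationServiceName=HTTP app=ofw_tcp_bypass "
    "proto=TCP in=65054 out=1583 cn1=368 cn2=1105 cn3=3 cs2=Yes cs3=Other cs3Label=Country "
    "cs4=Zscaler Bypass Traffic cat=Miscellaneous or Unknown"
)

# Prefix as shown on this page: <PRI>, "YYYY-MM-DD HH:MM:SS[.fff]", hostchain, then "CEF: 0|".
PREFIX_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}(?:\.\d+)?) "
    r"(?P<hostchain>\S+) CEF: ?(?P<cefver>\d+)\|(?P<rest>.*)$"
)
HEADER_FIELDS = ("deviceVendor", "deviceProduct", "deviceVersion", "signatureID", "name", "severity")
# Column types taken from the tables above: counters/ports are int, addresses are ip.
INT_KEYS = {"in", "out", "spt", "dpt", "externalId"}
IP_KEYS = {"src", "dst", "sourceTranslatedAddress", "destinationTranslatedAddress"}
# Extension values may contain spaces, so split only where the next token looks like "key=".
EXT_SPLIT_RE = re.compile(r"\s+(?=[A-Za-z0-9_]+=)")


def _unescape(value: str) -> str:
    # CEF escapes "|" in the header and "=" in the extension with a backslash.
    return value.replace("\\|", "|").replace("\\=", "=").replace("\\\\", "\\")


def _typed(key: str, value: str) -> Any:
    # Cast to the column type; keep the raw string if the value does not fit the type.
    if key in INT_KEYS or re.fullmatch(r"cn\d+", key):
        try:
            return int(value)
        except ValueError:
            return value
    if key in IP_KEYS:
        try:
            return ipaddress.ip_address(value)
        except ValueError:
            return value
    return value


def parse_cef(line: str) -> Dict[str, Any]:
    """Split one syslog line into prefix, CEF header, typed extension and resolved labels."""
    m = PREFIX_RE.match(line)
    if not m:
        raise ValueError("not a CEF syslog line in the layout shown on this page")
    # Six unescaped pipes separate the seven header fields from the extension.
    parts = re.split(r"(?<!\\)\|", m.group("rest"), maxsplit=6)
    if len(parts) != 7:
        raise ValueError("CEF header needs 7 pipe-delimited fields before the extension")
    header = {k: _unescape(v) for k, v in zip(HEADER_FIELDS, parts[:6])}
    extension: Dict[str, Any] = {}
    for item in EXT_SPLIT_RE.split(parts[6].strip()):
        key, _, raw = item.partition("=")
        extension[key] = _typed(key, _unescape(raw))
    # Resolve cnNLabel/csNLabel pairs, e.g. cs1Label=dept + cs1=... -> labeled["dept"].
    labeled = {extension[k]: extension[k[:-5]] for k in extension
               if k.endswith("Label") and k[:-5] in extension}
    return {
        "priorityCode": int(m.group("pri")),
        "timestamp": m.group("ts"),
        "hostchain": m.group("hostchain"),
        "cefVersion": m.group("cefver"),
        "header": header,
        "extension": extension,
        "labeled": labeled,
        # Assumption: Devo's cef0.deviceVendor.deviceProduct table name is lower-cased.
        "table": f"cef0.{header['deviceVendor'].lower()}.{header['deviceProduct'].lower()}",
    }


if __name__ == "__main__":
    for sample in (WEBLOG_SAMPLE, FWLOG_SAMPLE):
        event = parse_cef(sample)
        print(event["table"], event["header"], event["labeled"])
```

The label resolution is what makes the `csN`/`cnN` columns usable in a query: the weblog sample yields `dept`, `urlsupercat`, `appclass`, `malwarecat`, `threatname` and `dlpeng` as named keys, and the firewall sample yields `Country`. The `priorityCode` returned here is whatever the `<PRI>` in the line says; note that the weblog sample above carries `<12>` while its parsed table lists 24.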