NSS feeds for tunnel logs
Only for NSS web server.
You can select up to 4 tunnel log record types to send in a single NSS feed:
IPSec Phase 1 Events (applies to IPSec tunnels only)
IPSec Phase 2 Events (applies to IPSec tunnels only)
Tunnel Event: Status change events (applies to both GRE and IPSec)Â
Tunnel Samples: Statistics collected in 60-second samples windows (applies to both GRE and IPSec)
You can configure common filters that apply to all record types based on locations, VPN credentials, source, and destination IPs.
To configure a feed for tunnel logs:
- Go to Administration → Nanolog Streaming Service.
- On the NSS Feeds tab, click Add NSS Feed. The Add NSS Feed window appears.
On the Add NSS Feed window, enter the following information:
Field Information Feed Name Enter or edit the name of the feed. Each feed is a connection between NSS and your Devo Relay. NSS Type Select which type of feed you are configuring. NSS for Web is selected by default. NSS Server Choose an NSS from the list. Status The NSS feed is Enabled by default. Click Disabled if you want to activate it later. SIEM Destination Type The type of destination. Choose between:
SIEM IP Address - Enter the IP address of the Devo Relay to which the logs are streamed.Â
FQDN - (optional) Enter the destination for the TCP connection to which the logs are streamed. This allows failover from one IP to the other without manual intervention, but rather relying on updating the DNS entry. NSS will re-resolve the FQDN only when the existing connection goes down. This feature cannot be used for DNS-based load balancing.
SIEM TCP Port Enter the port number of the Devo Relay to which the logs are streamed. Ensure that the Devo Relay is configured to accept the feed from the NSS. If you are using the proposed TCP configuration, type 13007. SIEM Rate (Events per Second) Leave as unrestricted, unless you need to throttle the output stream due to licensing or other constraints. A limit that is too low for the traffic volume will cause log loss. Log Type Choose Tunnel. Record Type Select all items.
IKE Phase 1 and Phase 2 Events (applies to IPsec tunnels only)
Tunnel Event: Status change events (applies to both GRE and IPSec)Â
Tunnel Samples: Statistics collected in 60-second sample windows (applies to both GRE and IPSec)
Feed Output Type Choose Custom. Feed Output Format Copy and Paste the following Output Formats for each option:
IKE Phase 1:
\{"datetime":"%s{datetime}","tunnelactionname":"%s{tunnelactionname}","vpncredentialname":"%s{vpncredentialname}","locationname":"%s{locationname}","destvip":"%s{destvip}","sourceip":"%s{sourceip}","lifetime":%d{lifetime},"spi_in":%lu{spi_in},"spi_out":%lu{spi_out},"srcport":%d{srcport},"dstport":%d{dstport},"algo":"%s{algo}","authentication":"%s{authentication}","authtype":"%s{authtype}","vendorname":"%s{vendorname}","ikeversion":%d{ikeversion},"recordid":%d{recordid}\}\n
IKE Phase 2:
\{"datetime":"%s{datetime}","tunnelactionname":"%s{tunnelactionname}","vpncredentialname":"%s{vpncredentialname}","locationname":"%s{locationname}","destvip":"%s{destvip}","sourceip":"%s{sourceip}","lifetime":%d{lifetime},"spi":%d{spi},"algo":"%s{algo}","authentication":"%s{authentication}","authentication":"%s{authentication}","authtype":"%s{authtype}","destipstart":"%s{destipstart}","destipend":"%s{destipend}","srcipstart":"%s{srcipstart}","srcipend":"%s{srcipend}","srcportstart":%d{srcportstart},"destportstart":%d{destportstart},"lifebytes":%d{lifebytes},"tunnelprotocol":"%s{tunnelprotocol}","protocol":"%s{protocol}","ikeversion":%d{ikeversion},"recordid":%d{recordid}\}\n
Tunnel Event:
\{"datetime":"%s{datetime}","tunnelactionname":"%s{tunnelactionname}","vpncredentialname":"%s{vpncredentialname}","locationname":"%s{locationname}","destvip":"%s{destvip}","sourceip":"%s{sourceip}","tunneltype":"%s{tunneltype}","event":"%s{event}","eventreason":"%s{eventreason}","srcport":%d{srcport},"recordid":%d{recordid}\}\n
Sample:
\{"datetime":"%s{datetime}","tunnelactionname":"%s{tunnelactionname}","locationname":"%s{locationname}","destvip":"%s{destvip}","sourceip":"%s{sourceip}","tunneltype":"%s{tunneltype}","txbytes":%lu{txbytes},"rxbytes":%lu{rxbytes},"txpackets":%d{txpackets},"rxpackets":%d{rxpackets},"dpdrec":%d{dpdrec},"srcport":%d{srcport},"recordid":%d{recordid}\}\n
Timezone By default, this is set to the organization's time zone. The time zone you set applies to the time field in the output file. The time zone automatically adjusts to changes in daylight savings in the specific time zone. The configured time zone can be output to the logs as a separate field. The list of time zones is derived from the IANA Time Zone Database. Direct GMT offsets can also be specified. Duplicate Logs To ensure that no logs are skipped during any downtime, specify the number of minutes that the NSS will send duplicate logs. Zscaler recommends setting the number to 60. This allows the NSS to send one-hour logs to the Devo Relay after the connection between the NSS and Devo Relay recovers. - Click Save and activate the change.
Available filters
Tunnel Type
You can limit the logs based on the tunnel types (GRE, IPSec IKEv1, or IPSec IKEv2).
Location:Â Use this filter to limit the logs to specific locations from which transactions were generated. You can search for locations. There is no limit on the number of locations that you can select. Locations that are deleted after they are selected appear with a strikethrough line.
VPN Credentials:Â For IPSec tunnels, you can limit the logs to specific tunnel VPN credentials. You can search for VPN credentials. There is no limit to the number of VPN credentials that you can select. VPN credentials that are deleted after they are selected appear with a strikethrough line.
Source IPs:Â You can limit the logs based on the tunnel's source IP address. You can enter:
An IP address (198.51.100.100)
A range of IP addresses 192.0.2.1-192.0.2.10
An IP address with a netmask 203.0.113.0/24
You can enter multiple entries. Hit Enter after each entry, then click Add Items. For item lists, you can view up to 500 items on a page; filter the list by searching for a word, phrase, or number contained in an item; and remove all items from the list (Remove All) or only items from a specific page (Remove Page). If you select Remove All or Remove Page, a confirmation window will appear.
Destination VIPs
You can limit the logs based on the tunnel's destination VIP address. You can enter:
An IP address (198.51.100.100)
A range of IP addresses 192.0.2.1-192.0.2.10
An IP address with a netmask 203.0.113.0/24
You can enter multiple entries. Hit Enter after each entry, then click Add Items. For item lists, you can view up to 500 items on a page; filter the list by searching for a word, phrase, or number contained in an item; and remove all items from the list (Remove All) or only items from a specific page (Remove Page). If you select Remove All or Remove Page, a confirmation window will appear.