proxy.zscaler
Introduction
The tags beginning with proxy.zscaler identify events generated by Zscaler products.
Valid tags and data tables
The full tag must have at least 3 levels. The first two are fixed as proxy.zscaler. The third level identifies the product or event type, and the remaining levels indicate the event subtypes.
These are the valid tags and the corresponding data tables that will receive the parsers' data:
Note that you have to define the final part of the tag correctly to get your data properly parsed.
Product / Service | Tags | Data tables
---|---|---
Zscaler Secure Web Gateway (ZSGW) | |
Zscaler Internet Access (ZIA) | |
For more information, see About Devo tags.
How is the data sent to Devo?
You can forward logs generated by Zscaler in both CEF0 and CSV format using any Syslog drain (for example, Syslog-ng).
Please contact Devo for support on how to configure the output of the Zscaler NSS Web / Firewall feeds (for example, the field order for CSV format, or the csX and cnX field mapping for CEF format) before starting to use the nss_web or nss_firewall parsers.
Zscaler Internet Access (ZIA)
Logs generated by ZIA must be sent to the Devo platform via the Devo Relay to secure the communication. See the required relay rules below and how to define them here.
If you are sending data to the table proxy.zscaler.zia.web.json and cannot send your events in JSON format, you must define the following template in your environment:
\{"time": "%s{time}", "recordid": %d{recordid}, "login": "%s{login}", "ehost": "%s{ehost}", "sip": "%s{sip}", "cip": "%s{cip}", "cintip": "%s{cintip}", "eurl": "%s{eurl}", "ua": "%s{ua}", "module": "%s{module}", "proto": "%s{proto}", "action": "%s{action}", "reason": "%s{reason}", "appname": "%s{appname}", "appclass": "%s{appclass}", "filetype": "%s{filetype}", "reqsize": %d{reqsize}, "respsize": %d{respsize}, "totalsize": %d{totalsize}, "malwarecat": "%s{malwarecat}", "malwareclass": "%s{malwareclass}", "threatname": "%s{threatname}", "riskscore": %d{riskscore}, "dlpeng": "%s{dlpeng}", "dlpdict": "%s{dlpdict}", "location": "%s{location}", "dept": "%s{dept}", "reqmethod": "%s{reqmethod}", "respcode": "%s{respcode}", "respversion": "%s{respversion}", "urlclass": "%s{urlclass}", "urlsupercat": "%s{urlsupercat}", "urlcat": "%s{urlcat}", "ereferer": "%s{ereferer}", "contenttype": "%s{contenttype}", "unscannabletype": "%s{unscannabletype}", "devicehostname": "%s{devicehostname}", "deviceowner": "%s{deviceowner}", "keyprotectiontype": "%s{keyprotectiontype}"\}
Other tables could require other formats. Contact us if you need additional help.
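The following is an added example, not code from Devo or Zscaler, showing how to check a feed template like the one above before pointing the NSS feed at the relay. It simulates the placeholder substitution locally (assumption: `%s{field}` is replaced by a string value, `%d{field}` by an integer, and `\{` / `\}` become literal braces; confirm the feed's own escaping behaviour with Zscaler or Devo), renders the template against a constructed sample web transaction, verifies that the result is valid JSON carrying every field the template promises with the promised type, and checks that the destination tag follows the at-least-3-levels rule stated earlier on this page. The function names and the sample event are this example's own.

```python
import json
import re

# Template copied from the page for the proxy.zscaler.zia.web.json table.
NSS_JSON_TEMPLATE = r'\{"time": "%s{time}", "recordid": %d{recordid}, "login": "%s{login}", "ehost": "%s{ehost}", "sip": "%s{sip}", "cip": "%s{cip}", "cintip": "%s{cintip}", "eurl": "%s{eurl}", "ua": "%s{ua}", "module": "%s{module}", "proto": "%s{proto}", "action": "%s{action}", "reason": "%s{reason}", "appname": "%s{appname}", "appclass": "%s{appclass}", "filetype": "%s{filetype}", "reqsize": %d{reqsize}, "respsize": %d{respsize}, "totalsize": %d{totalsize}, "malwarecat": "%s{malwarecat}", "malwareclass": "%s{malwareclass}", "threatname": "%s{threatname}", "riskscore": %d{riskscore}, "dlpeng": "%s{dlpeng}", "dlpdict": "%s{dlpdict}", "location": "%s{location}", "dept": "%s{dept}", "reqmethod": "%s{reqmethod}", "respcode": "%s{respcode}", "respversion": "%s{respversion}", "urlclass": "%s{urlclass}", "urlsupercat": "%s{urlsupercat}", "urlcat": "%s{urlcat}", "ereferer": "%s{ereferer}", "contenttype": "%s{contenttype}", "unscannabletype": "%s{unscannabletype}", "devicehostname": "%s{devicehostname}", "deviceowner": "%s{deviceowner}", "keyprotectiontype": "%s{keyprotectiontype}"\}'

# Matches %s{name} and %d{name} placeholders; group 1 is the type, group 2 the field name.
PLACEHOLDER = re.compile(r"%([sd])\{(\w+)\}")


def template_fields(template):
    """Return the (type, name) pairs of a template in the order they appear."""
    return PLACEHOLDER.findall(template)


def render_nss_template(template, event):
    """Simulate the feed substitution for one event (assumption: %s -> string, %d -> integer).

    Raises KeyError if the event lacks a field the template needs, so a truncated
    record fails loudly instead of producing a line the parser silently drops.
    """
    def substitute(match):
        kind, name = match.group(1), match.group(2)
        if name not in event:
            raise KeyError(f"event is missing field {name!r} required by the template")
        value = event[name]
        if kind == "d":
            return str(int(value))
        # JSON-escape string values so quotes or backslashes in URLs and
        # user agents cannot break the record (assumed behaviour, see lead-in).
        return json.dumps(str(value))[1:-1]

    rendered = PLACEHOLDER.sub(substitute, template)
    # \{ and \} in the template stand for literal braces in the output.
    return rendered.replace(r"\{", "{").replace(r"\}", "}")


def validate_feed_line(line, template):
    """Parse one rendered line as JSON and check every template field is present
    with the type the template declared. Returns the parsed record."""
    record = json.loads(line)
    for kind, name in template_fields(template):
        if name not in record:
            raise ValueError(f"field {name!r} missing from record")
        expected = int if kind == "d" else str
        if not isinstance(record[name], expected):
            raise TypeError(f"field {name!r} should be {expected.__name__}")
    return record


def is_valid_zscaler_tag(tag):
    """Tag rule from the page: at least 3 non-empty dot-separated levels,
    the first two fixed as proxy.zscaler."""
    levels = tag.split(".")
    return len(levels) >= 3 and levels[:2] == ["proxy", "zscaler"] and all(levels)


def sample_event():
    """Constructed sample web transaction (not real Zscaler data): every template
    field gets a placeholder, then a few realistic values are filled in."""
    event = {name: (0 if kind == "d" else "None")
             for kind, name in template_fields(NSS_JSON_TEMPLATE)}
    event.update({
        "time": "Mon Jan 01 12:00:00 2024",
        "recordid": 1001,
        "login": "jdoe@example.com",
        "eurl": 'example.com/download?name="report".exe',
        "ua": "Mozilla/5.0 (example)",
        "action": "Blocked",
        "reason": "Malware detected",
        "reqsize": 512,
        "respsize": 2048,
        "totalsize": 2560,
        "riskscore": 80,
        "respcode": "403",
    })
    return event


if __name__ == "__main__":
    line = render_nss_template(NSS_JSON_TEMPLATE, sample_event())
    record = validate_feed_line(line, NSS_JSON_TEMPLATE)
    print(is_valid_zscaler_tag("proxy.zscaler.zia.web.json"), record["action"], record["totalsize"])
```

Run the script once with a template copied from your environment: a KeyError or a JSON parse failure at this stage means the feed would emit lines the parser cannot map to the table, and blocked or malware events would be missing from proxy.zscaler.zia.web.json without any error on the Zscaler side.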
Table structure
These are the fields displayed in these tables: