Zscaler Nanolog Streaming Service (NSS)
Vendor: Zscaler
Product Information: https://help.zscaler.com/zia/understanding-nanolog-streaming-service
Support Added: FortiSIEM 7.1.0, FortiSIEM 6.5.0-7.0.2 with latest content updates.
Overview
FortiSIEM supports Zscaler NSS (Nanolog Streaming Service) as a way to ingest log messages from ZScalar services into FortiSIEM.
Topology
Customer NSS Server for Web/Firewall (Log Feed Forward) -> FortiSIEM Collector
-
Customer Deployed NSS Server communicates with ZScaler service and pulls down logs for configured feeds.
-
NSS Server forwards these logs in the defined NSS Feed format to the FortiSIEM Collector.
Note: FortiSIEM expects a particular format configuration for Web and Firewall logs, please reference the instructions below to set up.
What is Monitored
ZScaler NSS for Web Logs Forwarding (syslog)
Log Types:
-
Web Logs - Feed Output Type: Custom
ZScaler NSS for Firewall Logs Forwarding (syslog)
Log Types:
-
Firewall Logs - Feed Output Type: CSV
-
Tunnel Logs - Feed Output Type: JSON
-
DNS Logs - Feed Output Type: JSON
ZScaler NSS Setup
-
Follow ZScaler instructions on deploying a NSS Server that can forward logs to a FortiSIEM collector. by referencing the following guide:
https://help.zscaler.com/zia/deploying-nss-virtual-appliances
-
Adding NSS Feeds: Once an NSS Server is configured, you can configure the following feeds/forwarding for that server.
NSS Web Log Feed Configuration
-
Navigate to Administration > Nanolog Streaming Service.
-
In the NSS Feeds tab, click Add NSS Feed.
The Add NSS Feed window appears. Enter the following information:
Field
Input
Feed Name: FortiSIEM_NSS_WebLogs NSS Type: NSS for Web NSS Server: <Select from drop-down, the NSS server you deployed in ZScaler NSS Setup step #1.> Status: Enabled SIEM Destination Type: IP (If you have a resolvable FQDN for SIEM collector, you can use this.) SIEM IP Address: x.x.x.x (The FortiSIEM collector you would like to send the forwarded logs.) SIEM TCP Port: 514 SIEM Rate:
Unlimited
Log Type:
Web Log
Feed Output Type: Custom Feed Escape Character:
"\
Important Note: This must be specified as the literal " - double quote and \ - backslash without anything else, e.g. "\
Feed Output Format:
Paste the following to the Feed Output Format field, but DO NOT include the "#### start of format..." nor the "##### End of format..." lines. It must be pasted exactly as seen. If it is not pasted in exactly as is, parsing may fail.
##### Start of format #####
\{ "sourcetype" : "zscalernss-web", "event" : \{"datetime":"%d{yy}-%02d{mth}-%02d{dd}%02d{hh}:%02d{mm}:%02d{ss}","reason":"%s{reason}","event_id":"%d{recordid}","protocol":"%s{proto}","action":"%s{action}","transactionsize":"%d{totalsize}","responsesize":"%d{respsize}","requestsize":"%d{reqsize}","urlcategory":"%s{urlcat}","serverip":"%s{sip}","clienttranstime":"%d{ctime}","requestmethod":"%s{reqmethod}","refererURL":"%s{ereferer}","useragent":"%s{eua}","product":"NSS","location":"%s{elocation}","ClientIP":"%s{cip}","status":"%s{respcode}","user":"%s{elogin}","url":"%s{eurl}","vendor":"Zscaler","hostname":"%s{ehost}","clientpublicIP":"%s{cintip}","threatcategory":"%s{malwarecat}","threatname":"%s{threatname}","filetype":"%s{filetype}","appname":"%s{appname}","pagerisk":"%d{riskscore}","department":"%s{edepartment}","urlsupercategory":"%s{urlsupercat}","appclass":"%s{appclass}","dlpengine":"%s{dlpeng}","urlclass":"%s{urlclass}","threatclass":"%s{malwareclass}","dlpdictionaries":"%s{dlpdict}","fileclass":"%s{fileclass}","bwthrottle":"%s{bwthrottle}","servertranstime":"%d{stime}","contenttype":"%s{contenttype}","ssldecrypted":"%s{ssldecrypted}","unscannabletype":"%s{unscannabletype}","md5":"%s{bamd5}","deviceowner":"%s{deviceowner}","devicehostname":"%s{devicehostname}"\}\}
##### End of format #####
Timezone:
<Set as desired, ideally UTC time.>
Duplicate Logs:
Disabled <You can optionally set this, this states if the connection is down, on recovery, Zscaler will resend the logs that were not sent. This may result in duplicate logs coming in.>
-
Click Save when done.
NSS Firewall Log Feed Configuration
-
Navigate to Administration > Nanolog Streaming Service.
-
In the NSS Feeds tab, click Add NSS Feed.
The Add NSS Feed window appears. Enter the following information:
Field
Input
Feed Name: FortiSIEM_NSS_FirewallLogs NSS Type: NSS for Firewall NSS Server: <Select from drop-down, the NSS server you deployed in ZScaler NSS Setup step #1.> Status: Enabled SIEM Destination Type: IP (If you have a resolvable FQDN for SIEM collector, you can use this.) SIEM IP Address: x.x.x.x (The FortiSIEM collector you would like to send the forwarded logs.) SIEM TCP Port: 514 SIEM Rate:
Unlimited
Log Type:
Firewall Logs
Firewall Log type
Full session logs
Feed Output Type: CSV Feed Escape Character:
",
Important Note: This must be specified as the literal " - double quote and , - comma without anything else, e.g. ",
Timezone:
<Set as desired, ideally UTC time.>
Duplicate Logs:
Disabled <You can optionally set this, this states if the connection is down, on recovery, Zscaler will resend the logs that were not sent. This may result in duplicate logs coming in.>
-
Click Save when done.
NSS DNS Log Feed Configuration
-
Navigate to Administration > Nanolog Streaming Service.
-
In the NSS Feeds tab, click Add NSS Feed.
The Add NSS Feed window appears. Enter the following information:
Field
Input
Feed Name: FortiSIEM_NSS_DNS_Logs NSS Type: NSS for Firewall NSS Server: <Select from drop-down, the NSS server you deployed in ZScaler NSS Setup step #1.> Status: Enabled SIEM Destination Type: IP (If you have a resolvable FQDN for SIEM collector, you can use this.) SIEM IP Address: x.x.x.x (The FortiSIEM collector you would like to send the forwarded logs.) SIEM TCP Port: 514 SIEM Rate:
Unlimited
Log Type:
DNS Logs
Feed Output Type: JSON Feed Escape Character:
"\
Important Note: This must be specified as the literal " - double quote and \ - backslash without anything else, e.g. "\
Timezone:
<Set as desired, ideally UTC time.>
Duplicate Logs:
Disabled <You can optionally set this, this states if the connection is down, on recovery, Zscaler will resend the logs that were not sent. This may result in duplicate logs coming in.>
-
Click Save when done.
NSS Tunnel Log Feed Configuration
-
Navigate to Administration > Nanolog Streaming Service.
-
In the NSS Feeds tab, click Add NSS Feed.
The Add NSS Feed window appears. Enter the following information:
Field
Input
Feed Name: FortiSIEM_NSS_TunnelLogs NSS Type: NSS for Web NSS Server: <Select from drop-down, the NSS server you deployed in ZScaler NSS Setup step #1.> Status: Enabled SIEM Destination Type: IP (If you have a resolvable FQDN for SIEM collector, you can use this.) SIEM IP Address: x.x.x.x (The FortiSIEM collector you would like to send the forwarded logs.) SIEM TCP Port: 514 SIEM Rate:
Unlimited
Log Type:
Tunnel
Feed Output Type: JSON Timezone:
<Set as desired, ideally UTC time.>
Duplicate Logs:
Disabled <You can optionally set this, this states if the connection is down, on recovery, Zscaler will resend the logs that were not sent. This may result in duplicate logs coming in.>
-
Click Save when done.
FortiSIEM Setup
As long as syslog is forwarded to FortiSIEM properly and in the correct log format for each log type, no further setup on FortiSIEM is required.
To validate logs are being received, take the following steps:
-
Navigate to Analytics.
-
Run a search for query:
Event Type CONTAIN zscaler
Reference Links
https://help.zscaler.com/zia/adding-nss-feeds
https://help.zscaler.com/zia/understanding-nanolog-streaming-service