
External Systems Configuration Guide

Zscaler Nanolog Streaming Service (NSS)

Vendor: Zscaler

Product Information: https://help.zscaler.com/zia/understanding-nanolog-streaming-service

Support Added: FortiSIEM 7.1.0, FortiSIEM 6.5.0-7.0.2 with latest content updates.

Overview

FortiSIEM supports Zscaler NSS (Nanolog Streaming Service) as a way to ingest log messages from Zscaler services into FortiSIEM.

Topology

Customer NSS Server for Web/Firewall (Log Feed Forward) -> FortiSIEM Collector

  1. The customer-deployed NSS Server communicates with the Zscaler service and pulls down logs for the configured feeds.

  2. NSS Server forwards these logs in the defined NSS Feed format to the FortiSIEM Collector.

    Note: FortiSIEM expects a particular format configuration for Web and Firewall logs. Refer to the instructions below to set it up.

What is Monitored

ZScaler NSS for Web Logs Forwarding (syslog)

Log Types:

  • Web Logs - Feed Output Type: Custom

ZScaler NSS for Firewall Logs Forwarding (syslog)

Log Types:

  • Firewall Logs - Feed Output Type: CSV

  • Tunnel Logs - Feed Output Type: JSON

  • DNS Logs - Feed Output Type: JSON

ZScaler NSS Setup

  1. Follow the Zscaler instructions for deploying an NSS Server that can forward logs to a FortiSIEM collector, by referencing the following guide:

    https://help.zscaler.com/zia/deploying-nss-virtual-appliances

  2. Adding NSS Feeds: Once an NSS Server is configured, you can configure the following feeds/forwarding for that server.

NSS Web Log Feed Configuration

  1. Navigate to Administration > Nanolog Streaming Service.

  2. In the NSS Feeds tab, click Add NSS Feed.

    The Add NSS Feed window appears. Enter the following information (Field: Input):

    Feed Name: FortiSIEM_NSS_WebLogs
    NSS Type: NSS for Web
    NSS Server: <Select from the drop-down the NSS server you deployed in ZScaler NSS Setup step #1.>
    Status: Enabled
    SIEM Destination Type: IP (If you have a resolvable FQDN for the SIEM collector, you can use FQDN as the destination type instead.)
    SIEM IP Address: x.x.x.x (The FortiSIEM collector to which you would like to send the forwarded logs.)
    SIEM TCP Port: 514
    SIEM Rate: Unlimited
    Log Type: Web Log
    Feed Output Type: Custom
    Feed Escape Character: "\

    Important Note: This must be specified as the literal " (double quote) followed by \ (backslash), without anything else, i.e. "\

    Feed Output Format:

    Paste the following into the Feed Output Format field, but DO NOT include the "##### Start of format #####" or "##### End of format #####" lines. It must be pasted exactly as shown; if it is not, parsing may fail.

    ##### Start of format #####

    \{ "sourcetype" : "zscalernss-web", "event" : \{"datetime":"%d{yy}-%02d{mth}-%02d{dd}%02d{hh}:%02d{mm}:%02d{ss}","reason":"%s{reason}","event_id":"%d{recordid}","protocol":"%s{proto}","action":"%s{action}","transactionsize":"%d{totalsize}","responsesize":"%d{respsize}","requestsize":"%d{reqsize}","urlcategory":"%s{urlcat}","serverip":"%s{sip}","clienttranstime":"%d{ctime}","requestmethod":"%s{reqmethod}","refererURL":"%s{ereferer}","useragent":"%s{eua}","product":"NSS","location":"%s{elocation}","ClientIP":"%s{cip}","status":"%s{respcode}","user":"%s{elogin}","url":"%s{eurl}","vendor":"Zscaler","hostname":"%s{ehost}","clientpublicIP":"%s{cintip}","threatcategory":"%s{malwarecat}","threatname":"%s{threatname}","filetype":"%s{filetype}","appname":"%s{appname}","pagerisk":"%d{riskscore}","department":"%s{edepartment}","urlsupercategory":"%s{urlsupercat}","appclass":"%s{appclass}","dlpengine":"%s{dlpeng}","urlclass":"%s{urlclass}","threatclass":"%s{malwareclass}","dlpdictionaries":"%s{dlpdict}","fileclass":"%s{fileclass}","bwthrottle":"%s{bwthrottle}","servertranstime":"%d{stime}","contenttype":"%s{contenttype}","ssldecrypted":"%s{ssldecrypted}","unscannabletype":"%s{unscannabletype}","md5":"%s{bamd5}","deviceowner":"%s{deviceowner}","devicehostname":"%s{devicehostname}"\}\}

    ##### End of format #####

    Timezone: <Set as desired, ideally UTC.>
    Duplicate Logs: Disabled <Optional. If enabled, Zscaler resends, on recovery, any logs that were not delivered while the connection was down. This may result in duplicate logs.>

  3. Click Save when done.
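The Feed Escape Character and Feed Output Format settings above work together: NSS expands each %s{...} / %d{...} token per record, and without the "\ escape a field value that contains a double quote (a URL, for instance) yields a line that is no longer valid JSON and is dropped by the parser. The following Python is an added example, not code from the Fortinet guide or from Zscaler; it assumes the usual NSS token semantics (%02d zero-pads, \{ emits a literal brace, each listed escape character is prefixed with a backslash) and uses a constructed sample record with a trimmed subset of the page's format.

```python
import json
import re

# Constructed subset of the page's Feed Output Format (same token syntax as the
# full string on the page; trimmed only for length).
NSS_WEB_FORMAT = (
    r'\{ "sourcetype" : "zscalernss-web", "event" : \{'
    r'"datetime":"%d{yy}-%02d{mth}-%02d{dd}%02d{hh}:%02d{mm}:%02d{ss}",'
    r'"action":"%s{action}","ClientIP":"%s{cip}","user":"%s{elogin}",'
    r'"url":"%s{eurl}","useragent":"%s{eua}","status":"%s{respcode}"\}\}'
)

# Constructed sample record; the URL carries a double quote, a value the proxy
# can legitimately see and which the JSON envelope must survive.
SAMPLE_RECORD = dict(yy=24, mth=5, dd=7, hh=13, mm=5, ss=9, action="Allowed",
                     cip="10.1.2.3", elogin="alice@example.com",
                     eurl='example.com/search?q="x"', eua="Mozilla/5.0",
                     respcode="200")

# A %s{name} / %02d{name} token, or an escaped literal brace (\{ or \}).
TOKEN = re.compile(r'%(\d*)([ds])\{(\w+)\}|\\([{}])')

def render(fmt, rec, escape_chars=""):
    """Expand the custom format for one record (assumed NSS token semantics).
    escape_chars models the Feed Escape Character setting: every listed
    character found in a field value is prefixed with a backslash."""
    def sub(m):
        width, kind, name, brace = m.groups()
        if brace:
            return brace
        if kind == "d":                       # %02d{mth} zero-pads to width 2
            return f"{int(rec[name]):0{int(width or 1)}d}"
        s = str(rec[name])
        # Escape the backslash first so the escapes added next are not doubled.
        for c in sorted(set(escape_chars), key=lambda c: c != "\\"):
            s = s.replace(c, "\\" + c)
        return s
    return TOKEN.sub(sub, fmt)

def parse_nss_web(line):
    """Collector-side check: the inner event dict, or None when the line is
    not valid JSON or is not the zscalernss-web envelope."""
    try:
        doc = json.loads(line)
    except json.JSONDecodeError:
        return None
    if doc.get("sourcetype") != "zscalernss-web":
        return None
    return doc.get("event")
```

Calling parse_nss_web(render(NSS_WEB_FORMAT, SAMPLE_RECORD)) returns None, while the same call with escape_chars set to the page's "\ returns the event with the URL intact.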

NSS Firewall Log Feed Configuration

  1. Navigate to Administration > Nanolog Streaming Service.

  2. In the NSS Feeds tab, click Add NSS Feed.

    The Add NSS Feed window appears. Enter the following information (Field: Input):

    Feed Name: FortiSIEM_NSS_FirewallLogs
    NSS Type: NSS for Firewall
    NSS Server: <Select from the drop-down the NSS server you deployed in ZScaler NSS Setup step #1.>
    Status: Enabled
    SIEM Destination Type: IP (If you have a resolvable FQDN for the SIEM collector, you can use FQDN as the destination type instead.)
    SIEM IP Address: x.x.x.x (The FortiSIEM collector to which you would like to send the forwarded logs.)
    SIEM TCP Port: 514
    SIEM Rate: Unlimited
    Log Type: Firewall Logs
    Firewall Log Type: Full session logs
    Feed Output Type: CSV
    Feed Escape Character: ",

    Important Note: This must be specified as the literal " (double quote) followed by , (comma), without anything else, i.e. ",

    Timezone: <Set as desired, ideally UTC.>
    Duplicate Logs: Disabled <Optional. If enabled, Zscaler resends, on recovery, any logs that were not delivered while the connection was down. This may result in duplicate logs.>

  3. Click Save when done.

NSS DNS Log Feed Configuration

  1. Navigate to Administration > Nanolog Streaming Service.

  2. In the NSS Feeds tab, click Add NSS Feed.

    The Add NSS Feed window appears. Enter the following information (Field: Input):

    Feed Name: FortiSIEM_NSS_DNS_Logs
    NSS Type: NSS for Firewall
    NSS Server: <Select from the drop-down the NSS server you deployed in ZScaler NSS Setup step #1.>
    Status: Enabled
    SIEM Destination Type: IP (If you have a resolvable FQDN for the SIEM collector, you can use FQDN as the destination type instead.)
    SIEM IP Address: x.x.x.x (The FortiSIEM collector to which you would like to send the forwarded logs.)
    SIEM TCP Port: 514
    SIEM Rate: Unlimited
    Log Type: DNS Logs
    Feed Output Type: JSON
    Feed Escape Character: "\

    Important Note: This must be specified as the literal " (double quote) followed by \ (backslash), without anything else, i.e. "\

    Timezone: <Set as desired, ideally UTC.>
    Duplicate Logs: Disabled <Optional. If enabled, Zscaler resends, on recovery, any logs that were not delivered while the connection was down. This may result in duplicate logs.>

  3. Click Save when done.

NSS Tunnel Log Feed Configuration

  1. Navigate to Administration > Nanolog Streaming Service.

  2. In the NSS Feeds tab, click Add NSS Feed.

    The Add NSS Feed window appears. Enter the following information (Field: Input):

    Feed Name: FortiSIEM_NSS_TunnelLogs
    NSS Type: NSS for Web
    NSS Server: <Select from the drop-down the NSS server you deployed in ZScaler NSS Setup step #1.>
    Status: Enabled
    SIEM Destination Type: IP (If you have a resolvable FQDN for the SIEM collector, you can use FQDN as the destination type instead.)
    SIEM IP Address: x.x.x.x (The FortiSIEM collector to which you would like to send the forwarded logs.)
    SIEM TCP Port: 514
    SIEM Rate: Unlimited
    Log Type: Tunnel
    Feed Output Type: JSON
    Timezone: <Set as desired, ideally UTC.>
    Duplicate Logs: Disabled <Optional. If enabled, Zscaler resends, on recovery, any logs that were not delivered while the connection was down. This may result in duplicate logs.>

  3. Click Save when done.

FortiSIEM Setup

As long as syslog is forwarded to FortiSIEM properly and in the correct log format for each log type, no further setup on FortiSIEM is required.

To validate that logs are being received, take the following steps:

  1. Navigate to Analytics.

  2. Run a search with the query: Event Type CONTAIN zscaler

Reference Links

https://help.zscaler.com/zia/adding-nss-feeds

https://help.zscaler.com/zia/understanding-nanolog-streaming-service
