Vendor - Zscaler
Product - ZIA
The ZScaler product manual includes and extensive section of configuration for multiple Splunk TCP input ports around page
26. When using SC4S these ports are not required and should not be used. Simply configure all outputs from the NSS to utilize
the IP or host name of the SC4S instance and port 514
Ref |
Link |
Splunk Add-on |
https://splunkbase.splunk.com/app/3865/ |
Product Manual |
https://community.zscaler.com/t/zscaler-splunk-app-design-and-installation-documentation/4728 |
Sourcetypes
sourcetype |
notes |
zscalernss-alerts |
Requires format customization add \tvendor=Zscaler\tproduct=alerts immediately prior to the \n in the NSS Alert Web format. See Zscaler manual for more info. |
zscalernss-dns |
Requires format customization add \tvendor=Zscaler\tproduct=dns immediately prior to the \n in the NSS DNS format. See Zscaler manual for more info. |
zscalernss-web |
None |
zscalernss-fw |
Requires format customization add \tvendor=Zscaler\tproduct=fw immediately prior to the \n in the Firewall format. See Zscaler manual for more info. |
Sourcetype and Index Configuration
key |
sourcetype |
index |
notes |
zscaler_alerts |
zscalernss-alerts |
main |
none |
zscaler_dns |
zscalernss-dns |
netdns |
none |
zscaler_fw |
zscalernss-fw |
netfw |
none |
zscaler_web |
zscalernss-web |
netproxy |
none |
zscaler_zia_audit |
zscalernss-zia-audit |
netops |
none |
zscaler_zia_sandbox |
zscalernss-zia-sandbox |
main |
none |
Filter type
MSG Parse: This filter parses message content
Setup and Configuration
- Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer.
- Review and update the splunk_metadata.csv file and set the index and sourcetype as required for the data source.
- Refer to the Splunk TA documentation for the specific customer format required for proxy configuration
- Select TCP or SSL transport option
- Ensure the format of the event is customized per Splunk documentation
Options
Variable |
default |
description |
SC4S_LISTEN_ZSCALER_NSS_TCP_PORT |
empty string |
Enable a TCP port for this specific vendor product using a comma-separated list of port numbers |
SC4S_LISTEN_ZSCALER_NSS_UDP_PORT |
empty string |
Enable a UDP port for this specific vendor product using a comma-separated list of port numbers |
SC4S_ARCHIVE_ZSCALER_NSS |
no |
Enable archive to disk for this specific source |
SC4S_DEST_ZSCALER_NSS_HEC |
no |
When Splunk HEC is disabled globally set to yes to enable this specific source |
Verification
An active proxy will generate frequent events. Use the following search to validate events are present per source device
index=<asconfigured> sourcetype=zscalernss-* | stats count by host
Product - LSS
The ZScaler product manual includes and extensive section of configuration for multiple Splunk TCP input ports around page
26. When using SC4S these ports are not required and should not be used. Simply configure all outputs from the LSS to utilize
the IP or host name of the SC4S instance and port 514
Ref |
Link |
Splunk Add-on |
https://splunkbase.splunk.com/app/3865/ |
Product Manual |
https://community.zscaler.com/t/zscaler-splunk-app-design-and-installation-documentation/4728 |
Sourcetypes
sourcetype |
notes |
zscalerlss-zpa-app |
None |
zscalerlss-zpa-auth |
None |
zscalerlss-zpa-bba |
None |
zscalerlss-zpa-connector |
None |
Sourcetype and Index Configuration
key |
sourcetype |
index |
notes |
zscaler_lss |
zscalerlss_zpa-app |
netproxy |
none |
zscaler_lss |
zscalerlss_zpa_auth |
netproxy |
none |
zscaler_lss |
zscalerlss_zpa_auth |
netproxy |
none |
zscaler_lss |
zscalerlss_zpa_connector |
netproxy |
none |
Filter type
MSG Parse: This filter parses message content
Setup and Configuration
- Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer.
- Review and update the splunk_metadata.csv file and set the index and sourcetype as required for the data source.
- Refer to the Splunk TA documentation for the specific customer format required for proxy configuration
- Select TCP or SSL transport option
- Ensure the format of the event is customized per Splunk documentation
Options
Variable |
default |
description |
SC4S_LISTEN_ZSCALER_LSS_TCP_PORT |
empty string |
Enable a TCP port for this specific vendor product using a comma-separated list of port numbers |
SC4S_LISTEN_ZSCALER_LSS_UDP_PORT |
empty string |
Enable a UDP port for this specific vendor product using a comma-separated list of port numbers |
SC4S_ARCHIVE_ZSCALER_LSS |
no |
Enable archive to disk for this specific source |
SC4S_DEST_ZSCALER_LSS_HEC |
no |
When Splunk HEC is disabled globally set to yes to enable this specific source |
Verification
An active proxy will generate frequent events. Use the following search to validate events are present per source device
index=<asconfigured> sourcetype=zscalernss-* | stats count by host