Cloud & Branch Connector
NSS Feed Output Format: Metrics Logs
The Metrics NSS feed specifies the data from the Metrics logs that the Nanolog Streaming Service (NSS) sends to the security information and event management (SIEM) system. You can configure an NSS feed by including one or more fields. The fields and their values display in the NSS feed output.
There are three types of Metrics logs that each Zscaler Cloud Connector generates:
- VM: Metrics that are applicable at the virtual machine (VM) level.
- Instance: Metrics that are applicable at the level of an individual data-processing instance. There are multiple data-processing instances in a single Cloud Connector.
- Resource: Metrics that are applicable at an individual resource level. There are physical and logical resources in a Cloud Connector that all data-processing instances use.
The following tables display information about the Metrics fields and possible values for those fields.
VM
VM Metrics logs are applicable to an entire Cloud Connector VM. These metrics are collected at one-minute intervals. There is one log line per minute for each Cloud Connector.
Date/Time
| Field | Description | Example |
| %s{tz} | The time zone. This is the time zone you specified when you configured the NSS feed. | GMT |
| %s{time} | Time at which events are generated | Thu Nov 14 11:39:59 2024 |
| %s{eventtime} | The time and date of the transaction. This excludes the time zone. | Thu Nov 14 11:39:59 2024 |
| %d{inteventtime} | Event time in epoch format | 1691667599 |
| %02d{ss} | Second of timestamp (0–59) | 59 |
| %02d{mm} | Minute of timestamp (0–59) | 39 |
| %02d{hh} | Hour of timestamp (0–23) | 11 |
| %02d{dd} | Day of timestamp (1–31) | 14 |
| %02d{mth} | Month of timestamp (1-12) | 11 |
| %04d{yyyy} | Year of timestamp | 2024 |
| %s{day} | Name of the day | Thu |
| %s{mon} | Name of the month | Nov |
| %s{rtime} | Log time at which NSS receives logs | Thu Aug 14 11:40:33 2024 |
| %02d{rss} | Second of timestamp (0–59) | 33 |
| %02d{rmm} | Minute of timestamp (0–59) | 40 |
| %02d{rhh} | Hour of timestamp (0–23) | 11 |
| %02d{rdd} | Day of timestamp (1–31) | 14 |
| %02d{rmth} | Month of stamp (1-12) | 11 |
| %04d{ryyyy} | Year of timestamp | 2024 |
| %s{rday} | Name of the day | Thu |
| %s{rmon} | Name of the month | Nov |
Metadata
| Field | Description | Example |
| %s{recordid} | Unique record identifier for each log | sys_cloud_branch_id |
| %s{location} | Location name | bc-location-0 |
| %s{group_name} | Group name | bc-group-0 |
| %s{vm_name} | VM name | bc-group-0-VM-yVIbR |
| %s{platform_name} | Platform name | VMware ESXi |
| %s{platformgeo_name} | Platform geolocation name (Cloud Connector only) | N/A |
| %s{region_name} | Region name (Cloud Connector only) | N/A |
| %s{connector_type} | Connector type | Branch Connector |
| %d{resourceno} | Resource number |
Metrics
| Field | Description | Example |
| %s{syscpu} | VM system CPU | 0.09% |
| %s{cpu} | VM overall CPU | 0.21% |
| %s{sendbytes} | Total sent bytes | 11366860611 |
| %s{rcvdbytes} | Total received bytes | 9373237430 |
| %s{totalmem} | Total memory in bytes | 29290921984 |
| %s{memutil} | System memory utilized | 2746220544 |
| %s{totthroughput} | Total throughput in bytes per second | 8978 |
| %s{mgmtcpu} | Control Plane CPU | 0.04% |
| %s{mgmtmem} | Control Plane Memory | 2929092 |
| %s{nodata} | Data not available | True/False |
VM NSS feeds consist of all metrics at the VM level, such as CPU and memory. You can use the VM-level Metrics logs to monitor resource usage at the VM level. For example, you can configure alerts on the SIEM side to monitor the CPU or memory utilization when they cross a defined threshold.
Instance
Each Cloud Connector has between one and three data-processing instances, depending on the form factor. This feed is used for metrics specific to a data-processing instance. These metrics are collected at one-minute intervals. There is one log line per minute for each data-processing instance.
Date/Time
| Field | Description | Example |
| %s{tz} | The time zone. This is the time zone you specified when you configured the NSS feed. | GMT |
| %s{time} | Time at which events are generated | Thu Nov 14 11:39:59 2024 |
| %s{eventtime} | The time and date of the transaction. This excludes the time zone. | Thu Nov 14 11:39:59 2024 |
| %d{inteventtime} | Event time in epoch format | 1691667599 |
| %02d{ss} | Second of timestamp (0–59) | 59 |
| %02d{mm} | Minute of timestamp (0–59) | 39 |
| %02d{hh} | Hour of timestamp (0–23) | 11 |
| %02d{dd} | Day of timestamp (1 –31) | 14 |
| %02d{mth} | Month of timestamp (1-12) | 11 |
| %04d{yyyy} | Year of timestamp | 2024 |
| %s{day} | Name of the day | Thu |
| %s{mon} | Name of the month | Nov |
| %s{rtime} | Log time at which NSS receives logs | Thu Nov 14 11:40:33 2024 |
| %02d{rss} | Second of timestamp (0–59) | 33 |
| %02d{rmm} | Minute of timestamp (0–59) | 40 |
| %02d{rhh} | Hour of timestamp (0–23) | 11 |
| %02d{rdd} | Day of timestamp (1–31) | 14 |
| %02d{rmth} | Month of timestamp (1-12) | 11 |
| %04d{ryyyy} | Year of timestamp | 2024 |
| %s{rday} | Name of the day | Thu |
| %s{rmon} | Name of the month | Nov |
Metadata
| Field | Description | Example |
| %s{recordid} | Unique record identifier for each log | sys_cloud_branch_id |
| %s{location} | Location name | bc-location-0 |
| %s{group_name} | Group name | bc-group-0 |
| %s{vm_name} | VM name | bc-group-0-VM-yVIbR |
| %s{platform_name} | Platform name | VMware ESXi |
| %s{platformgeo_name} | Platform geolocation name | N/A |
| %s{region_name} | Region name | N/A |
| %s{connector_type} | Connector type | Branch Connector |
| %s{instance_name} | Instance name |
|
Metrics
| Field | Description | Example |
| %s{icpu} | CPU utilization for the data-processing instance | 0.12 |
| %s{imem} | Memory utilization for the data-processing instance | 2746220544 |
| %s{ithroughput_tx} | Throughput in bytes per second for the data transferred out from the instance | 2685 |
| %s{ithroughput_rx} | Throughput in bytes per second for the data that the instance received | 3434 |
| %s{ziathroughput_tx} | Throughput in bytes per second for the data sent to Zscaler Internet Access (ZIA) from the instance | 1542 |
| %s{ziathroughput_rx} | Throughput in bytes per second for the data that the instance received from ZIA | 2658 |
| %s{nodata} | Data not available | False |
Instance NSS feeds contain metrics at the instance level. Users can monitor the instance-level resource usage, such as the CPU, memory, and throughput. There is also a %s{nodata} field, which is set to True when no data is available. This value indicates an issue on the connector instance service in which the metrics samples were not collected.
Resource
Each Cloud Connector has physical or logical resources, such as disk partitions and Network Interface Cards (NICs). Resources are used for metrics specific to a resource. These metrics are collected at one-minute intervals. There is one log line per minute for each resource.
The log line for each resource type has a set of applicable metrics. Metrics that are not applicable to that resource are set to zero or absent from the log line. The applicable set of metrics depends on the resource type.
Date/Time
| Field | Description | Example |
| %s{tz} | The time zone. This is the time zone you specified when you configured the NSS feed. | GMT |
| %s{time} | Time at which events are generated | Thu Nov 14 11:39:59 2024 |
| %s{eventtime} | The time and date of the transaction. This excludes the time zone. | Thu Nov 14 11:40:01 2024 |
| %d{inteventtime} | Event time in epoch format | 1691667599 |
| %02d{ss} | Second of timestamp (0–59) | 59 |
| %02d{mm} | Minute of timestamp (0–59) | 39 |
| %02d{hh} | Hour of timestamp (0–23) | 11 |
| %02d{dd} | Day of timestamp (1–31) | 14 |
| %02d{mth} | Month of timestamp (1-12) | 11 |
| %04d{yyyy} | Year of timestamp | 2024 |
| %s{day} | Name of the day | Thu |
| %s{mon} | Name of the month | Nov |
| %s{rtime} | Log time at which NSS receives logs | Thu Nov 14 11:40:33 2024 |
| %02d{rss} | Second of timestamp (0–59) | 33 |
| %02d{rmm} | Minute of timestamp (0–59) | 40 |
| %02d{rhh} | Hour of timestamp (0–23) | 11 |
| %02d{rdd} | Day of timestamp (1–31) | 14 |
| %02d{rmth} | Month of timestamp (1-12) | 11 |
| %04d{ryyyy} | Year of timestamp | 2024 |
| %s{rday} | Name of the day | Thu |
| %s{rmon} | Name of the month | Nov |
Metadata
| Field | Description | Example |
| %d{recordid} | Unique record identifier for each log | sys_cloud_branch_id |
| %s{location} | Location name | bc-location-0 |
| %s{group_name} | Group name | bc-group-0 |
| %s{vm_name} | VM name | bc-group-0-VM-yVIbR |
| %s{platform_name} | Platform name | VMware ESXi |
| %s{platformgeo_name} | Platform geolocation name (Cloud Connector only) | N/A |
| %s{region_name} | Region name (Cloud Connector only) | N/A |
| %s{connector_type} | Connector type | Branch Connector |
| %s{resourcename} | Resource name | FS_ufs_/sc_/dev/vtbd1p1 |
Metrics
| Field | Description | Example |
| %s{rdiskutil} | Resource disk utilized | 30.37% |
| %s{rdiskused} | Disk space used in bytes | 87193907200 |
| %s{rdiskfree} | Disk space free in bytes | 224806400000 |
Resource NSS feeds consist of metrics at the resource level. For example, a resource can be a disk partition. You can set up your SIEM to monitor the usage of disk partitions and send notifications when necessary. Resource Metrics are present in the feed if that counter is applicable to the resource type to which the metric is published. For example, metrics related to disk usage are available for the disk resource type.