
NSS Feed Output Format: DNS Logs

The DNS Nanolog Streaming Service (NSS) feed specifies the data from the DNS logs that the NSS sends to the security information and event management (SIEM) system. You can configure an NSS feed by including one or more fields. The fields and their values display in the NSS feed output.

"Mon Jun 20 14:56:51 2022","gurmeet@gsk.com","Service Admin","Road Warrior","Allow","Allow","DNS_1","Zscaler Bypass Traffic","AAAA","wpad.test.com","EMPTY_RESP","53","0","10.66.16.9","10.66.69.21","Corporate Marketing","Other","Zscaler","DESKTOP-J1E9T1L"

The following tables display information about the DNS fields and possible values for those fields.

Fields that support obfuscation are documented in the following tables with the prefix o (e.g., %s{odomcat}). To obfuscate a field, manually add the prefix o before the field name in the Feed Output Format in the Admin Portal.

Date/Time

| Field | Description | Example |
|---|---|---|
| %s{time} | The time and date of the transaction. This excludes the time zone. | Mon Oct 16 22:55:48 2023 |
| %s{tz} | The time zone. This is the same as the time zone you specified when you configured the NSS feed. | GMT |
| %02d{ss} | Seconds (0–59) | 48 |
| %02d{mm} | Minutes (0–59) | 55 |
| %02d{hh} | Hours (0–23) | 22 |
| %02d{dd} | The day of the month (1–31) | 16 |
| %02d{mth} | The month of the year | 10 |
| %04d{yyyy} | Year | 2023 |
| %s{mon} | The name of the month | Oct |
| %s{day} | The day of the week | Mon |
| %d{epochtime} | The epoch time of the transaction | 1578128400 |

Transaction Action

| Field | Description | Example |
|---|---|---|
| %s{reqrulelabel} | The name of the rule that was applied to the DNS request | |
| %s{reqaction} | The name of the action that was applied to the DNS request | REQ_ALLOW, RES_BLOC |
| %s{resrulelabel} | The name of the rule that was applied to the DNS response | |
| %s{resaction} | The name of the action that was applied to the DNS response | |
| %s{ecs_slot} | The name of the EDNS Client Subnet (ECS) rule that was applied to the DNS transaction | ECS Slot #17 |
| %s{dnsgw_slot} | The name of the DNS Gateway rule | DNS GATEWAY Rule 1 |

Transaction Information

| Field | Description | Example |
|---|---|---|
| %d{istcp} | Indicates if the DNS transaction uses TCP | 1 = Yes; 0 = No |
| %s{cip} | The IP address of the user. This can be the internal IP address if it is visible (e.g., traffic sent through a GRE tunnel or an internal IP address indicated using XFF). Otherwise, it's the client's internet (NATed Public) IP address. | 203.0.113.5, 2a02:2e0:40c:102:1:2b:10:80, 2001:db8::2:1 |
| %d{ocip} | The obfuscated version of the client source IP address. This field displays a random string. | 9960223283 |
| %d{durationms} | The duration of the DNS request in milliseconds | |
| %s{sip} | The server IP address of the request | 192.168.2.200, 2a02:2e0:40c:102:1:2b:10:80, 2001:db8::2:1 |
| %d{recordid} | The unique record identifier for each log | |
| %s{pcapid} | The path of the packet capture (PCAP) file that captured the transaction. The PCAP ID has the following format: <Company ID>/<Directory>/<PCAP File Name>. The company ID is the internal ID of an organization and can be found on the Company Profile page. The directory is the log type. To download the PCAP file, go to the Capture column on the DNS Insights Logs page. | 43139974/dns/663ba8fd30b50001.pcap |
| %s{location} | The gateway location or sub-location of the source | Headquarters |
| %s{req} | The Fully Qualified Domain Name (FQDN) in the DNS request | mail.safemarch.com |
| %s{res} | The resolved IP or NAME in the DNS response | 192.168.2.200, 2a02:2e0:40c:102:1:2b:10:80, 2001:db8::2:1, EMPTY_RESP |
| %s{domcat} | The URL Category of the FQDN in the DNS request | Professional Services |
| %s{odomcat} | The obfuscated version of the FQDN in the DNS request | 4951704103 |
| %s{respipcat} | The URL Category of the FQDN in the DNS response | Adult Themes |
| %s{reqtype} | The DNS request type | A record |
| %s{restype} | The DNS response type. The means or format of the response. | IPv4, IPv6 |
| %d{sport} | The server port of the request | |
| %s{eedone} | Indicates if the characters specified in the Feed Escape Character field of the NSS configuration page were hex encoded | |
| %s{error} | The DNS error code. Usually an incomplete or failed transaction. | EMPTY_RESP |
| %s{ecs_prefix} | The EDNS Client Subnet (ECS) prefix used in the DNS request. This field displays a numeric string. | 192.168.0.0 |
| %s{dnsgw_srv_proto} | The DNS Gateway server protocol | TCP, UDP, HTTP |
| %s{dnsgw_flags} | Flags indicating the DNS Gateway status for the transaction | PRIMARY_SERVER_RESPONSE_PASS (i.e., Primary Server Attempted); SECONDARY_SERVER_RESPONSE_PASS (i.e., Secondary Server Attempted); FO_DEST_PASS (i.e., Query Forwarded to Destination); FO_DEST_ERR (i.e., Error Response Returned to Client); FO_DEST_DROP (i.e., Query Dropped); None |
| %s{http_code} | The HTTP return code | 100 - Continue |
| %s{dnsappcat} | The DNS tunnel or network application category. The full list is under the DNS Tunnel & Network App Categories filter on the DNS Insights page. | Network Service |
| %s{dnsapp} | The type of DNS tunnel or network application. The full list is under the DNS Tunnels & Network Apps filter on the DNS Insights page. | Google DNS |
| %s{protocol} | The protocol type | TCP, UDP, DoH (DNS over HTTP) |

User Information

| Field | Description | Example |
|---|---|---|
| %s{login} | The login name in email address format | jdoe@safemarch.com |
| %s{dept} | The department | Sales |
| %s{company} | The company name | Zscaler |
| %s{cloudname} | The Zscaler cloud name | zscaler.net |

Zscaler Client Connector Device Information

| Field | Description | Example |
|---|---|---|
| %s{devicehostname} | The hostname of the device | THINKPADSMITH |
| %s{odevicehostname} | The obfuscated version of the hostname of the device. This field displays a random string. | 2168890624 |
| %s{devicename} | The name of the device | admin |
| %s{odevicename} | The obfuscated version of the name of the device. This field displays a random string. | 2175092224 |
| %s{deviceowner} | The owner of the device | jsmith |
| %s{odeviceowner} | The obfuscated version of the owner of the device. This field displays a random string. | 10831489 |
| %s{devicemodel} | The model of the device | VMware7,1 |
| %s{deviceosversion} | The OS version that the device uses | Microsoft Windows 10 Enterprise;64 bit |
| %s{deviceostype} | The OS type of the device | Windows OS |
| %s{deviceappversion} | The app version that the device uses | 4.3.0.18 |
| %s{devicetype} | The type of device | Zscaler Client Connector |

Data Center

| Field | Description | Example |
|---|---|---|
| %s{datacenter} | The name of the data center | CA Client Node DC |
| %s{datacentercity} | The city where the data center is located | Sa |
| %s{datacentercountry} | The country where the data center is located | US |

Hex-Encoded Fields

The Zscaler service hex encodes all non-printable ASCII characters that are in URLs when it sends logs to the NSS. Any URL character that is less than or equal to 0x20, or greater than or equal to 0x7F, is encoded as %HH. This ensures that your SIEM can parse the URLs that contain control characters. For example, a \n character in a URL is encoded as %0A, and a space is encoded as %20.

The following fields have been added as hex-encoded fields:

  • elocation
  • edepartment
  • erulelabel
  • ethreatname
  • elogin
  • edevicehostname
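As an added example (not code from the Zscaler documentation), the following Python applies the hex-encoding rule above and splits one feed record according to its Feed Output Format string, decoding the hex-encoded fields listed on this page. The format string, the sample record and the function names are constructed for illustration and are not a default Zscaler feed.

```python
import csv
import io
import re

# Field names the page lists as hex-encoded.
HEX_ENCODED = {"elocation", "edepartment", "erulelabel", "ethreatname", "elogin", "edevicehostname"}

# One feed-format token, e.g. %s{req}, %02d{hh} or %d{istcp}: captures (conversion, name).
TOKEN_RE = re.compile(r"%0?\d*([sd])\{(\w+)\}")

def nss_hex_encode(value: str) -> str:
    """Apply the page's rule: every byte <= 0x20 or >= 0x7F becomes %HH."""
    return "".join("%%%02X" % b if b <= 0x20 or b >= 0x7F else chr(b)
                   for b in value.encode("utf-8"))

def nss_hex_decode(value: str) -> str:
    """Reverse nss_hex_encode: gather %HH runs as bytes, then decode as UTF-8.
    A literal '%' (0x25) is printable, so the service leaves it alone; a raw "%41"
    in the original URL therefore cannot be told apart from an encoded 'A'."""
    buf, i = bytearray(), 0
    while i < len(value):
        if value[i] == "%" and re.fullmatch(r"[0-9A-Fa-f]{2}", value[i + 1:i + 3]):
            buf.append(int(value[i + 1:i + 3], 16))
            i += 3
        else:
            buf.extend(value[i].encode("utf-8"))
            i += 1
    return buf.decode("utf-8", errors="replace")

def parse_feed_line(fmt: str, line: str) -> dict:
    """Split one quoted, comma-separated record using its Feed Output Format string;
    %d fields become int, hex-encoded fields are decoded, everything else is kept as-is."""
    tokens = TOKEN_RE.findall(fmt)
    values = next(csv.reader(io.StringIO(line)))
    if len(values) != len(tokens):
        raise ValueError(f"expected {len(tokens)} fields, got {len(values)}")
    record = {}
    for (conv, name), raw in zip(tokens, values):
        if conv == "d":
            record[name] = int(raw)
        elif name in HEX_ENCODED:
            record[name] = nss_hex_decode(raw)
        else:
            record[name] = raw
    return record

# Constructed format string and record (hypothetical, not a default Zscaler feed).
SAMPLE_FORMAT = '"%s{time}","%s{elocation}","%d{istcp}","%s{reqtype}","%s{req}","%s{res}","%d{durationms}"'
SAMPLE_LINE = '"Mon Oct 16 22:55:48 2023","Head%20Office","0","A record","mail.safemarch.com","192.168.2.200","12"'
```

A record whose field count does not match the format string is rejected rather than silently misaligned, which is the failure mode to watch for when a feed format is edited in the Admin Portal but the SIEM parser is not.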