icon-unified.svg
Experience Center

NSS Feed Output Format: DNS Logs

The DNS NSS Feed specifies the data from the DNS logs that the Nanolog Streaming Service (NSS) sends to the security information and event management (SIEM) system. You can configure an NSS feed by including one or more fields. The fields and their values display in the NSS feed output.

The following tables display information about the DNS fields and possible values for those fields.

Date/Time

FieldDescriptionExample
%s{eventtime}The time and date the transaction happened. This excludes the time zone.Mon Oct 28 22:55:48 2024
%s{time}The date and time the event was logged.Mon Oct 28 22:55:53 2024
%s{tz}The time zone. This is the same as the time zone you specified when you configured the NSS feed.GMT
%02d{ss}Second of timestamp (0–59)48
%02d{mm}Minute of timestamp (0–59)55
%02d{hh}Hour of timestamp (0–23)22
%02d{dd}Day of timestamp (1–31)28
%02d{mth}Month of timestamp (1-12)10
%04d{yyyy}Year of timestamp2024
%s{mon}The name of the monthOct
%s{day}The day of the weekMon

Transaction Action

FieldDescriptionExample
%s{req_rulename}Name of the rule that was applied to the DNS requestZPA Resolver
%s{req_action}Name of the action that was applied to the DNS requestREQ_ALLOW
REQ_BLOCK
%s{res_rulename}Name of the rule that was applied to the DNS responseDefault Connector DNS Rule
%s{res_action}Name of the action that was applied to the DNS responseAllow

Transaction Information

FieldDescriptionExample
%d{inbytes}Number of bytes sent from the server to the client.10000
%d{outbytes}Number of bytes sent from the client to the server.10000
%s{clt_ip}The IP address of the user. This can be the internal IP address if it is visible—for example, traffic sent through a GRE tunnel or an internal IP address indicated using XFF. Otherwise, it's the client internet (NATted Public) IP address.192.0.2.135
%ld{req_duration}Duration of the DNS request in milliseconds65
%s{resolver}Server IP address of the request203.0.113.200
%ld{recordid}Unique record identifier for each logsys_cloud_branch_id
%s{location}Gateway location or sublocation of the sourceHeadquarters
%s{dom_str}Fully Qualified Domain Name (FQDN) in the DNS requestmail.safemarch.com
%s{odom_str}Obfuscated FQDN in the DNS request
%s{res_type}Response type
%s{resp_val_str}Response value

51.xx.192.49

blob.xxz21prdxxxx7a.store.core.windows.net

%{oresp_val_str}Obfuscated response value
%s{req_type}DNS record being requestedA record
%d{srv_port}Server port of the request80
%d{num_resp}Number of DNS responses52
%s{dns_err}DNS error, if any
  • DNS server not available
  • NXDOMAIN
  • SERVFAIL
%s{protocol}Protocol used
  • TCP
  • UDP
  • DOH
%s{dnsgw_flags}Flags indicating the DNS Gateway status
  • PRIMARY_SERVER_RESPONSE_PASS
  • FO_DEST_ERR
%s{dnsgw_slot}DNS Gateway rule

Cloud Connector or Branch Connector Information

FieldDescriptionExample
%s{name}Cloud Connector or Branch Connector nameCC_304
%s{vm_name}Cloud Connector or Branch Connector virtual machine (VM) namezs-cc-vpc-xxxx
%s{group_name}Cloud Connector or Branch Connector group namezs-cc-vpc-xxxx-us-west-2x
%s{region_name}Cloud Connector or Branch Connector region name(US) West US 2
%s{platform_name}Cloud Connector or Branch Connector platform nameAzure
%s{platformgeo_name}Cloud Connector or Branch Connector platform geolocation name (availability zone)San Jose, United States
%s{account_id}AWS account ID, or Azure subscription ID, or GCP project ID
  • 506xxx032xxx (AWS)
  • f60abxxx-bb7d-43xx-84xx-4axxxx7xxxxx (Azure)
  • gcs-xxx-cc-gcp-project (GCP)

Base64 Fields

A SIEM can have parsing issues whenever a string field has nonprintable or delimiter characters. For that reason, the Zscaler service has URL encoding for fields such as dom_str. Several other fields have the same parsing issue, but URL encoding is not suitable. Such fields are encoded using Base64.

Turning on Base64 encoding for all supported fields may result in approximately a 20% drop in performance.

The following fields have been added as Base64 fields:

  • b64dom_str
  • b64resp_val_str

Hex-Encoded Fields

When the Zscaler service sends logs to the NSS, it hex encodes all nonprintable ASCII characters that are in URLs. Any URL character that is less than or equal to 0x20, or greater than or equal to 0x7F, is encoded as %HH. This ensures that your SIEM parses the URLs that contain control characters. For example, a \n character in a URL is encoded as 0A, and a space is encoded as %20.

The following field has been added as a hex-encoded field:

  • edom_str
Related Articles
General Guidelines for NSS Feeds and Feed FormatsNSS Feed Output Format: Session LogsNSS Feed Output Format: DNS LogsNSS Feed Output Format: Event LogsNSS Feed Output Format: Metrics Logs