Experience Center
NSS Feed Output Format: DNS Logs
The DNS NSS Feed specifies the data from the DNS logs that the Nanolog Streaming Service (NSS) sends to the security information and event management (SIEM) system. You can configure an NSS feed by including one or more fields. The fields and their values display in the NSS feed output.
The following tables display information about the DNS fields and possible values for those fields.
Date/Time
| Field | Description | Example |
|---|---|---|
| %s{eventtime} | The time and date the transaction happened. This excludes the time zone. | Mon Oct 28 22:55:48 2024 |
| %s{time} | The date and time the event was logged. | Mon Oct 28 22:55:53 2024 |
| %s{tz} | The time zone. This is the same as the time zone you specified when you configured the NSS feed. | GMT |
| %02d{ss} | Second of timestamp (0–59) | 48 |
| %02d{mm} | Minute of timestamp (0–59) | 55 |
| %02d{hh} | Hour of timestamp (0–23) | 22 |
| %02d{dd} | Day of timestamp (1–31) | 28 |
| %02d{mth} | Month of timestamp (1-12) | 10 |
| %04d{yyyy} | Year of timestamp | 2024 |
| %s{mon} | The name of the month | Oct |
| %s{day} | The day of the week | Mon |
Transaction Action
| Field | Description | Example |
|---|---|---|
| %s{req_rulename} | Name of the rule that was applied to the DNS request | ZPA Resolver |
| %s{req_action} | Name of the action that was applied to the DNS request | REQ_ALLOW REQ_BLOCK |
| %s{res_rulename} | Name of the rule that was applied to the DNS response | Default Connector DNS Rule |
| %s{res_action} | Name of the action that was applied to the DNS response | Allow |
Transaction Information
| Field | Description | Example |
|---|---|---|
| %d{inbytes} | Number of bytes sent from the server to the client. | 10000 |
| %d{outbytes} | Number of bytes sent from the client to the server. | 10000 |
| %s{clt_ip} | The IP address of the user. This can be the internal IP address if it is visible—for example, traffic sent through a GRE tunnel or an internal IP address indicated using XFF. Otherwise, it's the client internet (NATted Public) IP address. | 192.0.2.135 |
| %ld{req_duration} | Duration of the DNS request in milliseconds | 65 |
| %s{resolver} | Server IP address of the request | 203.0.113.200 |
| %ld{recordid} | Unique record identifier for each log | sys_cloud_branch_id |
| %s{location} | Gateway location or sublocation of the source | Headquarters |
| %s{dom_str} | Fully Qualified Domain Name (FQDN) in the DNS request | mail.safemarch.com |
| %s{odom_str} | Obfuscated FQDN in the DNS request | |
| %s{res_type} | Response type | |
| %s{resp_val_str} | Response value | 51.xx.192.49 blob.xxz21prdxxxx7a.store.core.windows.net |
| %{oresp_val_str} | Obfuscated response value | |
| %s{req_type} | DNS record being requested | A record |
| %d{srv_port} | Server port of the request | 80 |
| %d{num_resp} | Number of DNS responses | 52 |
| %s{dns_err} | DNS error, if any |
|
| %s{protocol} | Protocol used |
|
| %s{dnsgw_flags} | Flags indicating the DNS Gateway status |
|
| %s{dnsgw_slot} | DNS Gateway rule |
Cloud Connector or Branch Connector Information
| Field | Description | Example |
|---|---|---|
| %s{name} | Cloud Connector or Branch Connector name | CC_304 |
| %s{vm_name} | Cloud Connector or Branch Connector virtual machine (VM) name | zs-cc-vpc-xxxx |
| %s{group_name} | Cloud Connector or Branch Connector group name | zs-cc-vpc-xxxx-us-west-2x |
| %s{region_name} | Cloud Connector or Branch Connector region name | (US) West US 2 |
| %s{platform_name} | Cloud Connector or Branch Connector platform name | Azure |
| %s{platformgeo_name} | Cloud Connector or Branch Connector platform geolocation name (availability zone) | San Jose, United States |
| %s{account_id} | AWS account ID, or Azure subscription ID, or GCP project ID |
|
Base64 Fields
A SIEM can have parsing issues whenever a string field has nonprintable or delimiter characters. For that reason, the Zscaler service has URL encoding for fields such as dom_str. Several other fields have the same parsing issue, but URL encoding is not suitable. Such fields are encoded using Base64.
Turning on Base64 encoding for all supported fields may result in approximately a 20% drop in performance.
The following fields have been added as Base64 fields:
- b64dom_str
- b64resp_val_str
Hex-Encoded Fields
When the Zscaler service sends logs to the NSS, it hex encodes all nonprintable ASCII characters that are in URLs. Any URL character that is less than or equal to 0x20, or greater than or equal to 0x7F, is encoded as %HH. This ensures that your SIEM parses the URLs that contain control characters. For example, a \n character in a URL is encoded as 0A, and a space is encoded as %20.
The following field has been added as a hex-encoded field:
- edom_str