About Nanolog Streaming Service (NSS)



Click to:

  1. Add an NSS Server. See How do I add an NSS Server?
  2. Deploy NSS Virtual Appliance. See How do I download the NSS Virtual Appliance?
  3. Download MIB Files. See About the Zscaler SNMP MIBs.
  4. View a list of all configured NSS Servers.
  5. Download the SSL Certificate.
  6. Edit an NSS Server. See How do I edit, delete, or duplicate items in the admin portal?
  7. Modify the table and its columns. See How do I use tables in the admin portal?
  8. Search for an NSS Server.
  9. Click the NSS Feeds tab to configure NSS Feeds. See About NSS Feeds.

Screenshot of NSS Servers page showing buttons and list used to manage Zscaler NSS servers

The Nanolog Streaming Service (NSS) uses a virtual machine (VM) to stream traffic logs in real time from the Zscaler Nanolog to your security information and event management (SIEM) system, such as Splunk or ArcSight. This enables real-time alerting, correlation with the logs of your other devices, and long-term local log archival. Zscaler offers the following NSS subscriptions:

  • NSS for Web, which streams web and mobile traffic logs
  • NSS for Firewall, which streams logs from the Zscaler next-generation firewall

As shown in the figure below, the web and mobile traffic logs and the firewall logs are stored in the Nanolog in the Zscaler service cloud. When an organization deploys one NSS for web and mobile logs and another NSS for firewall logs, each NSS opens a secure tunnel to the Nanolog in the Zscaler cloud. The Nanolog then streams copies of the logs to each NSS in a highly compressed format to reduce the bandwidth footprint; the original logs are retained on the Nanolog.

When an NSS receives the logs from the Nanolog, it unscrambles them, applies the configured filters to exclude unwanted logs, converts the filtered logs to the configured output format so they can be parsed by your SIEM, and then streams the logs to your SIEM over a raw TCP connection.

Diagram of copies of web and mobile logs and firewall logs being streamed to each NSS in a compressed format

Additionally, if your organization has a Cloud Sandbox subscription, you can open a Sandbox Detail Report based on the MD5 parameter that you retrieve from your logs in the SIEM.
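
The receiving side of the raw TCP stream and the MD5 lookup described above, as an added example (not Zscaler code): a collector that reassembles records from arbitrary TCP reads and extracts well-formed MD5 values for a Sandbox Detail Report lookup. Newline-delimited records, the tab-separated key=value layout, the field names (`time`, `user`, `md5`) and the sample data are assumptions constructed for illustration; the real layout is whatever output format is configured for the feed.

```python
import re

MD5_RE = re.compile(r"^[0-9a-f]{32}$")


class FeedReassembler:
    """Rebuilds newline-delimited records from arbitrary TCP read chunks."""

    def __init__(self, max_record=65536):
        self.buf = b""
        self.max_record = max_record

    def feed(self, chunk):
        """Add bytes from one recv(); return the complete records they finish."""
        self.buf += chunk
        *lines, self.buf = self.buf.split(b"\n")
        if len(self.buf) > self.max_record:
            self.buf = b""  # drop an oversized record that never terminated
        return [ln.rstrip(b"\r").decode("utf-8", "replace")
                for ln in lines if ln.strip()]


def parse_record(line):
    """Parse one tab-separated key=value record (assumed format) into a dict."""
    fields = {}
    for token in line.split("\t"):
        key, sep, value = token.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def sandbox_md5s(chunks):
    """Return the distinct, well-formed MD5 values seen across the chunks."""
    asm, seen = FeedReassembler(), []
    for chunk in chunks:
        for line in asm.feed(chunk):
            md5 = parse_record(line).get("md5", "").lower()
            if MD5_RE.match(md5) and md5 not in seen:
                seen.append(md5)
    return seen


# Constructed sample: two records split across three TCP reads, mid-field.
SAMPLE_CHUNKS = [
    b"time=2024-01-01T00:00:00Z\tuser=a@example.com\tmd5=D41D8CD98F00",
    b"B204E9800998ECF8427E\ntime=2024-01-01T00:00:01Z\tuser=b@example.com\t",
    b"md5=None\n",
]

if __name__ == "__main__":
    print(sandbox_md5s(SAMPLE_CHUNKS))
```

Because TCP carries no message boundaries, a record can arrive split across reads; parsing each read as if it were a whole record would silently truncate fields such as the MD5.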

The NSS requires minimal administration. After you deploy it, the NSS automatically polls the Zscaler service for updates and installs them. For monitoring purposes, you can configure a separate feed for NSS alerts. The service sends the alerts in an RFC-compliant syslog format to the specified IP address and port.

Read more about how to configure an NSS.

NSS over Amazon Web Services (AWS)

NSS can also be deployed on Amazon Web Services (AWS).

As shown below, the web and mobile traffic logs and the firewall logs are stored in the Nanolog in the Zscaler service cloud. An organization can deploy the NSS instance either on-premises on an ESX virtual machine or on an EC2 instance on AWS. When an organization deploys one NSS for web and mobile logs and another NSS for firewall logs, each NSS opens a secure tunnel to the Nanolog in the Zscaler cloud. The Nanolog then streams copies of the logs to each NSS in a highly compressed format to reduce the bandwidth footprint; the original logs are retained on the Nanolog.

Diagram of copies of web and mobile logs and firewall logs being streamed to each NSS in a compressed format through AWS