Secure Internet and SaaS Access (ZIA)

Adding Cloud NSS Feeds for Admin Audit Logs

It can take up to two hours for the audit logs to start streaming to Cloud NSS and your security information and event management (SIEM) system after the feed is configured.

To configure a Cloud NSS feed for Admin Audit logs:

  1. Go to Administration > Nanolog Streaming Service.
  2. In the Cloud NSS Feeds tab, click Add Cloud NSS Feed.

    The Add Cloud NSS Feed window appears.

  3. In the Add Cloud NSS Feed window:
    • Feed Name: Enter the name of the feed. Each feed is a connection between the NSS and your SIEM.
    • NSS Type: NSS for Web is selected by default.
    • Status: The NSS feed is Enabled by default. Choose Disabled if you want to activate it at a later time.
    • SIEM Rate: Leave as Unlimited, unless you need to throttle the output stream due to SIEM licensing or other constraints.
      • SIEM Rate (Events per Second): Enter an appropriate rate limit for the events per second that you want to be streamed to your SIEM. A limit that is too low for the traffic volume can cause log loss. This field is available only if you have selected Limited in the SIEM Rate field.
    • SIEM Type: Choose a SIEM type from the list.
    • OAuth 2.0 Authentication: This setting is enabled by default if it is applicable to the SIEM type.
    • Max Batch Size: Enter a size limit for an individual HTTP request payload, following the SIEM vendor's best-practice recommendation.
    • API URL: Enter the HTTPS URL of the SIEM log collection API endpoint.
    • HTTP Headers: Enter HTTP header information:
      • Key 1: Enter the key for the HTTP header.
      • Value 1: Enter the token value for the HTTP header.
      • Add HTTP Header: Click to add more HTTP headers (keys and values).
    • Log Type: Choose Admin Audit.
    • Feed Output Type: The output is JSON by default. Choose Tab-separated to create a tab-separated list. Choose Custom to use a different delimiter, such as a dash, and enter the delimiter when you specify the feed output format.

      If you select JSON as the Feed Output Type, special characters such as \ present in string fields may cause a parsing issue for your SIEM. To prevent the issue, enter ,\" as the Feed Escape Character and use hex-encoded fields (e.g., %s{elogin} instead of %s{login}) in the Feed Output Format.

    • JSON Array Notation: When JSON is selected, the JSON Array Notation setting is enabled by default. This setting allows the NSS to stream a batch of logs in a JSON Array format: Individual logs are ordered in a list, separated by commas, and surrounded by square brackets (e.g., [{JSON1},{JSON2}]). You can disable this setting.
    • Feed Escape Character: The Zscaler service hex encodes all non-printable ASCII characters that are in URLs when it sends logs to the NSS. Any URL character that is less than 0x21, or above 0x7E, is encoded as %HH. This ensures that your SIEM is able to parse the URLs in case they contain non-printable characters. For example, a \n char in a URL is encoded as %0A, and a space is encoded as %20. In this field, you can specify additional characters that you want to encode. For example, type a comma (,) to encode it as %2C. This is useful if you are using this character as your delimiter and want to ensure it does not cause erroneous delimitation. Note that the service encodes characters in URLs, hostnames, and referrer URLs only. If custom encoding was done for a record, the %s{eedone} field is YES for that record.
    • Feed Output Format: These are the fields that are displayed in the output. You can edit the default list and if you choose Custom as the Feed Output Type, change the delimiter as well. See NSS Feed Output Format: Admin Audit Logs for information about the available fields and their syntax.
    • Time Zone: By default, this is set to the organization's time zone. The time zone you set applies to the time field in the output file. The time zone automatically adjusts to daylight saving time changes in the specific time zone. The configured time zone can be output to the logs as a separate field. The list of time zones is derived from the IANA Time Zone database. Direct GMT offsets can also be specified.
  4. Define the filter:
    • Application: Filter logs based on the specific application. You can specify multiple applications.
      • Branch Connector Portal Audit Log: Allows real-time streaming of the Zscaler Cloud & Branch Connector Admin Portal audit logs to SIEM.
      • Client Connector Portal Audit Log: Allows real-time streaming of the Zscaler Client Connector Portal audit logs to SIEM.
      • Risk360 Admin Portal Audit Log: Allows real-time streaming of the Risk360 Admin Portal audit logs to SIEM.
      • ZDX Portal Audit Log: Allows real-time streaming of the ZDX Admin Portal audit logs to SIEM.
      • ZIA Portal Audit Log: Allows real-time streaming of the ZIA Admin Portal audit logs to SIEM.
  5. Click Save and activate the change.
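The escaping rules in step 3 (the Feed Escape Character, hex-encoded fields such as %s{elogin}, the %s{eedone} flag, and JSON Array Notation) are easiest to verify from the receiving side. The following is an added example, not code from the Zscaler documentation or the Zscaler service: a small SIEM-side ingest routine that parses a Cloud NSS batch, reverses the %HH encoding, and shows why an unencoded backslash in a string field breaks JSON parsing. The sample payloads, the field names (login, elogin, action, eedone) and the one-object-per-line fallback for a feed with JSON Array Notation disabled are all constructed assumptions about a particular Feed Output Format.

```python
"""Added example (not Zscaler code): SIEM-side handling of a Cloud NSS
Admin Audit batch with hex-encoded fields and JSON Array Notation."""
import json
from urllib.parse import unquote

# Constructed batch as the NSS would send it with JSON Array Notation on,
# ",\"" configured as the Feed Escape Character and %s{elogin} used in
# the Feed Output Format. The backslash in the first login was custom
# encoded as %5C, so that record carries eedone=YES. (Field names are an
# assumption about the configured output format.)
SAMPLE_BATCH_ENCODED = (
    '[{"time":"Mon Jan  1 00:00:00 2024","elogin":"svc%5Cadmin@example.com",'
    '"action":"UPDATE","eedone":"YES"},'
    '{"time":"Mon Jan  1 00:00:01 2024","elogin":"jane@example.com",'
    '"action":"SIGN_IN","eedone":"NO"}]'
)

# The same first record with the raw %s{login} field and no escaping:
# "\a" is not a valid JSON escape, so a strict JSON parser rejects it.
SAMPLE_BATCH_RAW = (
    '[{"time":"Mon Jan  1 00:00:00 2024","login":"svc\\admin@example.com",'
    '"action":"UPDATE","eedone":"YES"}]'
)

# Constructed Custom-delimiter output (delimiter ","), one record per line,
# where "," was listed as a Feed Escape Character and therefore sent as %2C.
SAMPLE_BATCH_DELIMITED = (
    "Mon Jan  1 00:00:00 2024,svc%5Cadmin@example.com,UPDATE%2C%20Policy,YES\n"
)
DELIMITED_FIELDS = ["time", "login", "action", "eedone"]

# Hex-encoded field name -> plain field name (assumed output format).
HEX_ENCODED_FIELDS = {"elogin": "login"}


def decode_hex_field(value: str) -> str:
    """Reverse the NSS %HH encoding (non-printable, non-ASCII and any
    configured Feed Escape Characters arrive as %HH)."""
    return unquote(value)


def parse_nss_batch(body: str) -> list:
    """Parse one HTTP payload from Cloud NSS into a list of records.

    Accepts a JSON array (JSON Array Notation enabled) or a single JSON
    object. If the whole body is not valid JSON, it is treated as one JSON
    object per line (an assumption about the array-notation-disabled form).
    Raises json.JSONDecodeError when a record cannot be parsed.
    """
    try:
        parsed = json.loads(body)
    except json.JSONDecodeError:
        parsed = [json.loads(line) for line in body.splitlines() if line.strip()]
    if isinstance(parsed, dict):
        parsed = [parsed]
    records = []
    for rec in parsed:
        out = dict(rec)
        # Replace each hex-encoded field with its decoded plain-name value.
        for enc_name, plain_name in HEX_ENCODED_FIELDS.items():
            if enc_name in out:
                out[plain_name] = decode_hex_field(out.pop(enc_name))
        records.append(out)
    return records


def parse_delimited_batch(body: str, delimiter: str, field_names: list) -> list:
    """Parse Tab-separated or Custom output, one record per line.

    Fields are split first and decoded afterwards, so a delimiter character
    that occurred inside a value and was hex encoded by the service cannot
    shift the columns. A wrong field count is reported rather than guessed.
    """
    records = []
    for line in body.splitlines():
        if not line.strip():
            continue
        parts = line.split(delimiter)
        if len(parts) != len(field_names):
            raise ValueError(f"expected {len(field_names)} fields, got {len(parts)}: {line!r}")
        records.append({n: decode_hex_field(v) for n, v in zip(field_names, parts)})
    return records


def records_with_custom_encoding(records: list) -> list:
    """Records where the service applied Feed Escape Character encoding
    (the %s{eedone} field is YES for those records)."""
    return [r for r in records if r.get("eedone") == "YES"]


def parses(body: str) -> bool:
    """True if the batch is accepted by the strict JSON parser."""
    try:
        parse_nss_batch(body)
        return True
    except json.JSONDecodeError:
        return False


if __name__ == "__main__":
    print("encoded batch parses:", parses(SAMPLE_BATCH_ENCODED))
    print("raw backslash batch parses:", parses(SAMPLE_BATCH_RAW))
    for rec in parse_nss_batch(SAMPLE_BATCH_ENCODED):
        print(rec)
    print(parse_delimited_batch(SAMPLE_BATCH_DELIMITED, ",", DELIMITED_FIELDS))
```

The decode step runs after JSON or delimiter parsing, which is the order the escaping scheme relies on: the service removes the characters that would confuse the parser, and the SIEM restores them only once record boundaries are known. Checking %s{eedone} on ingest is a cheap way to confirm that the Feed Escape Character setting is actually in effect for the records that need it.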