Adding NSS Feeds for Alerts


You can configure a separate feed for alerts so that you can monitor the NSS itself. Note that you can add up to eight NSS feeds for the NSS. For an alerts feed, you select the levels at which alerts are sent: Warning, Critical, or both. The service sends the alerts in RFC 3164-compliant syslog format to the specified IP address and port. The following table lists the alerts that are sent for each level.

Warning Critical

The connection to the SIEM is down

Memory is low

The connection to the Zscaler admin portal is down

Disk space is low

The connection to the Nanolog is down

  • The connection between the NSS and the SIEM is poor. The NSS could drop some logs if connectivity does not improve.
 
  • The CPU utilization is high
 
  • Memory swap is high

To configure a feed for alerts:

  1. Go to Administration > Settings > Nanolog Streaming Service.
  2. From the NSS Feeds tab, click Add NSS Feed and complete the following:
    • Feed Name: Enter or edit the name of the feed. Each feed is a connection between NSS and your SIEM.
    • NSS Type: Select which type of feed you are configuring. NSS for Web is selected by default.
    • NSS Server: Choose an NSS from the list.
    • Status: The NSS feed is Enabled by default. Click Disabled if you want to activate it at a later time.
    • SIEM IP Address and SIEM TCP Port: Enter the IP address and port of the SIEM to which the logs are streamed. Ensure that the SIEM is configured to accept the feed from NSS.
    • Log Type: Choose Alerts.
  3. Select the levels at which alerts are sent: Critical and/or Warn. You can select multiple alert levels.
  4. Click Save and activate the change.
    The service will send the alerts in RFC 3164-compliant syslog format to the specified IP address and port.
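
To check that the receiving side accepts what the alerts feed sends, the following added example (not Zscaler code) parses RFC 3164 lines, decodes the PRI field into facility and severity, and sets malformed lines aside instead of dropping them silently. The sample lines are constructed: the host name, tag and PRI values are assumptions, and this page does not state which syslog severity NSS assigns to each alert level.

```python
import re
from datetime import datetime

# Severity names for the low three bits of PRI (RFC 3164, section 4.1.1).
SEVERITY = ("emerg", "alert", "crit", "err", "warning", "notice", "info", "debug")

# <PRI>Mmm dd hh:mm:ss HOSTNAME MSG ; the day is space-padded ("Feb  5").
RFC3164 = re.compile(
    r"<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<msg>.+)"
)

def parse_rfc3164(line, year):
    """Return a dict for a well-formed line, or None if it must be rejected."""
    m = RFC3164.fullmatch(line.rstrip("\r\n"))
    if m is None:
        return None
    pri = int(m["pri"])
    if pri > 191:  # largest valid PRI: facility 23 * 8 + severity 7
        return None
    try:
        # RFC 3164 timestamps carry no year, so the receiver supplies one.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    except ValueError:  # impossible calendar date such as "Feb 30"
        return None
    return {"facility": pri >> 3, "severity": SEVERITY[pri & 7],
            "time": ts, "host": m["host"], "msg": m["msg"]}

def triage(lines, year):
    """Split a batch into parsed alerts and raw lines that failed validation."""
    parsed, rejected = [], []
    for line in lines:
        rec = parse_rfc3164(line, year)
        (parsed if rec else rejected).append(rec or line)
    return parsed, rejected

# Constructed sample input, not captured from an NSS. PRI values are arbitrary.
SAMPLE = [
    "<130>Feb  5 10:14:02 nss01 alert: Disk space is low",
    "<132>Feb 15 10:20:40 nss01 alert: Memory is low",
    "<999>Feb 15 10:21:00 nss01 alert: PRI out of range",
    "Feb 15 10:22:00 nss01 alert: missing PRI",
]

if __name__ == "__main__":
    ok, bad = triage(SAMPLE, 2024)
    for rec in ok:
        print(rec["time"].isoformat(), rec["host"], rec["severity"], rec["msg"])
    print(f"rejected {len(bad)} malformed line(s)")
```

Rejected lines are worth counting on the receiver, because a rising count points to a framing or format mismatch between the feed and the SIEM input.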