NSS Configuration Example: QRadar

This example illustrates how to configure NSS and a QRadar SIEM, so that NSS can stream logs to the QRadar SIEM.

To install the DSM RPM file:

  1. Log in to the QRadar server.
  2. Install the DSM RPM file. You can use the following command (upgrade or install, verbose, with a progress bar):
    rpm -Uvh <Zscaler-DSM>.rpm
  3. Log in to the QRadar application and go to the Admin tab.
  4. Click Deploy changes.

To add the Zscaler NSS as a log source:

  1. Log in to QRadar and go to the Admin tab.
  2. From the Data Sources > Events section, click Log Sources > Add.
  3. In the Add a log source dialog box, complete the following:
    • Log Source Name: Enter a name for NSS.
    • Log Source Description: Enter a description.
    • Log Source Type: Choose Zscaler NSS.
    • Protocol Configuration: Choose Syslog.
    • Log Source Identifier: Enter zscaler-nss.
    • Coalescing Events: Uncheck this option.
  4. Click Save.

Screenshot of QRadar Add a log source page with fields used to add Zscaler NSS as a log source

NSS streams a number of fields to the SIEM. Specify which fields you want to view by adding each one as a custom event property. To add a field, enter its output format as a regular expression. For example, to add the Referer URL:

  1. In QRadar, go to the Admin tab.
  2. From the Data Sources > Events section, go to Custom Event Properties and click Add.
  3. In the Custom Event Properties window, do the following in each section:
    • Property Type Selection
      • Click Regex Based.
    • Property Definition
      • Click New Property and enter a name for the field, such as Referer URL.
    • Property Expression Definition
      • Log Source Type: Choose Zscaler NSS.
      • RegEX: Enter referer=([^\t]+).
  4. Click Save.
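To see what the regex-based custom property above actually extracts, the following added example (not Zscaler's or QRadar's code) applies the page's referer=([^\t]+) expression, plus two more written in the same style, to a constructed LEEF event. The LEEF header and the field names other than referer are assumptions for illustration, not Zscaler's actual Feed Output Format string.

```python
import re

# Constructed sample event in the shape NSS streams to QRadar: a LEEF header
# (LEEF:Version|Vendor|Product|Version|EventID|) followed by tab-separated
# key=value attributes. Field names other than "referer" are assumptions.
SAMPLE_EVENT = (
    "LEEF:1.0|Zscaler|NSS|4.1|Web Log|"
    "cat=Business\tsrc=10.1.2.3\tdst=203.0.113.10\t"
    "url=http://example.com/index.html\treferer=http://portal.example.net/\t"
    "action=Allowed"
)

# Regex-based custom event properties as they would be entered in QRadar.
# "Referer URL" is the page's own expression; the others follow the same
# pattern: capture everything up to the next tab delimiter.
CUSTOM_PROPERTIES = {
    "Referer URL": r"referer=([^\t]+)",
    "Source IP": r"src=([^\t]+)",
    "Action": r"action=([^\t]+)",
}


def extract_properties(event, properties=CUSTOM_PROPERTIES):
    """Apply each custom-property regex to one event and return capture group 1.

    A property whose regex does not match yields None, mirroring how QRadar
    leaves an unmatched custom property empty rather than failing the event.
    """
    result = {}
    for name, pattern in properties.items():
        match = re.search(pattern, event)
        result[name] = match.group(1) if match else None
    return result


def leef_attributes(event, delimiter="\t"):
    """Split the LEEF attribute section into a dict, the way the DSM parses
    fields it already knows. Rejects events that are not LEEF or are truncated."""
    if not event.startswith("LEEF:"):
        raise ValueError("not a LEEF event")
    # Five '|'-separated header fields; attributes follow the fifth pipe.
    parts = event.split("|", 5)
    if len(parts) < 6:
        raise ValueError("truncated LEEF header")
    attrs = {}
    for pair in parts[5].split(delimiter):
        key, eq, value = pair.partition("=")
        if eq:
            attrs[key] = value
    return attrs
```

Because LEEF attributes are tab-delimited, the `[^\t]+` character class stops the capture at the field boundary even when the value itself contains spaces or `=` characters, which is why the page's expression is written that way rather than with `\S+`.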

Configure an NSS server as described in the NSS Configuration Guide, and then add a feed for the QRadar SIEM as described in the following procedure:

  1. Go to Administration > Settings > Nanolog Streaming Service.
  2. From the NSS Feeds tab, click Add and complete the following to create a new NSS feed for the QRadar SIEM:
    • Enter a name for the feed.
    • From the NSS Server menu, select an NSS. If you have only one NSS configured, it is automatically selected.
    • Set the SIEM IP Address to the IP address of the QRadar system.
    • Set the SIEM TCP Port to port 514.
    • Set the Feed Output Type to QRadar LEEF.
      The Feed Output Format is automatically populated with the appropriate string.
    • Optionally, complete the other fields.
  3. Click Save and activate the change.