NSS Configuration Example: Splunk

This article shows how to integrate Zscaler's ZIA NSS and ZPA LSS with Splunk.

The app analyzes and reports on event logs from the following services:

  •  ZIA NSS (Nanolog Streaming Service, Proxy, Firewall, and DNS)
  •  ZIA ZA (Zscaler Analyzer)
  •  ZPA LSS (Log Streaming Service)

Zscaler updates this app and enhances functionality as new field types and data feeds become available.

Integration Steps

Configure NSS as described in NSS Deployment, and then add a feed for the Splunk SIEM for each log type you want to ingest. The Splunk app and technical add-on expect the following output formats for those feeds:

  • NSS Web - Splunk CIM
  • NSS Firewall and NSS DNS - Key Value Pairs
  • ZPA LSS - JSON

To configure a ZPA log receiver, see Configuring a Log Receiver.

Zscaler on Splunk comes in two parts: Zscaler Technical Add-On (TA) for Splunk and the Zscaler Splunk App.

The Zscaler TA for Splunk is a required component for the Zscaler Splunk App.

The Zscaler Splunk App has the following requirements. It expects to find data bound to these source types:

ZIA

Sourcetype                Description
zscalernss-web            Zscaler Web Proxy Logs (NSS)
zscalernss-fw             Zscaler Firewall Logs (NSS)
zscalernss-dns            Zscaler DNS Logs (NSS)
zscalernss-alerts         Zscaler NSS Alerts
imap                      Zscaler DLP Events

ZPA

Sourcetype                Description
zscalerlss-zpa-connector  Zscaler Connector Logs (LSS)
zscalerlss-zpa-auth       Zscaler Auth Logs (LSS)
zscalerlss-zpa-app        Zscaler Access Logs (LSS)


Your Splunk administrator may need to create field aliases for these sourcetypes so that the data is presented in the Zscaler Splunk App.

The Zscaler Splunk App requires Zscaler data to be in an index named zscaler. If your organization places Zscaler data in a different index, edit the app's base macros to reflect your setup. Field names must match the ones produced by the following output formats:

  • NSS Web - Splunk CIM
  • NSS Firewall and NSS DNS - Key Value Pairs
  • ZPA LSS - JSON

To add the Zscaler NSS as a log source:

  1. In Splunk, go to Manager > Data Inputs.
  2. Click Add new beside TCP.
  3. Complete the following in the Add New page. Repeat this for each Zscaler sourcetype you'll add in Splunk:
    • Specify the TCP port on which the logs are received. Use a separate port for each feed, because the port is what binds incoming events to a sourcetype.
    • For Source Type, choose the Zscaler sourcetype from the source type list (see the sourcetype tables above).
    • Click More Settings to expand the page.
    • For Set host, click DNS.
    • From the Index list, choose zscaler.
  4. Click Save.
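The TCP data-input steps above map one port to one sourcetype, and each sourcetype in turn expects a particular wire format (key=value pairs for NSS web, firewall and DNS; JSON for ZPA LSS). The following Python script is an added example, not code from the article or from Zscaler: it renders the inputs.conf stanzas equivalent to the clicks above and then checks constructed sample events against the format each sourcetype requires, so that a feed pointed at the wrong port is caught before it silently breaks the app's searches. The port numbers, the sample lines and their field names are assumptions made for the example; real feeds carry whichever fields you selected when you configured them.

```python
import json
import re

INDEX = "zscaler"

# Sourcetype table from the article, keyed by sourcetype.
# format: "kv" = key=value pairs (Splunk CIM for web, name/value pairs for
# firewall and DNS), "json" = ZPA LSS JSON, "raw" = alerts in the default format.
# The TCP port numbers are an assumption for this example, not Zscaler's.
FEEDS = {
    "zscalernss-web":           {"format": "kv",   "port": 5514},
    "zscalernss-fw":            {"format": "kv",   "port": 5515},
    "zscalernss-dns":           {"format": "kv",   "port": 5516},
    "zscalernss-alerts":        {"format": "raw",  "port": 5517},
    "zscalerlss-zpa-connector": {"format": "json", "port": 5518},
    "zscalerlss-zpa-auth":      {"format": "json", "port": 5519},
    "zscalerlss-zpa-app":       {"format": "json", "port": 5520},
}


def inputs_conf(feeds=FEEDS, index=INDEX):
    """Render the inputs.conf stanzas that the Manager > Data Inputs > TCP
    steps produce: one [tcp://<port>] stanza per sourcetype, the host taken
    from DNS, and every event bound to the zscaler index."""
    stanzas = []
    for sourcetype, spec in sorted(feeds.items(), key=lambda kv: kv[1]["port"]):
        stanzas.append(
            f"[tcp://{spec['port']}]\n"
            f"sourcetype = {sourcetype}\n"
            f"index = {index}\n"
            "connection_host = dns\n"   # the "Set host: DNS" choice in the UI
            "disabled = 0\n"
        )
    return "\n".join(stanzas)


# key=value or key="quoted value" tokens; backslash escapes allowed inside quotes.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|[^\s,]+)')


def parse_kv(line):
    """Parse an NSS key/value line into a dict; surrounding quotes are stripped."""
    fields = {}
    for key, value in _KV.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1].replace('\\"', '"')
        fields[key] = value
    return fields


def ingest(sourcetype, line):
    """Parse one event in the format the sourcetype requires.
    Raises ValueError when the line is not in that format, which is the
    symptom of a feed pointed at the wrong TCP port."""
    fmt = FEEDS[sourcetype]["format"]
    if fmt == "json":
        try:
            event = json.loads(line)
        except json.JSONDecodeError as exc:
            raise ValueError(f"{sourcetype}: not JSON: {exc}") from None
        if not isinstance(event, dict):
            raise ValueError(f"{sourcetype}: JSON event must be an object")
        return event
    if fmt == "kv":
        event = parse_kv(line)
        if not event:
            raise ValueError(f"{sourcetype}: no key=value pairs found")
        return event
    return {"_raw": line}   # alerts: kept as-is


def feed_matches(sourcetype, line):
    """True if the line parses in the format its sourcetype expects."""
    try:
        ingest(sourcetype, line)
        return True
    except ValueError:
        return False


# Constructed sample events for the example (field names are illustrative).
SAMPLE_WEB = ('Mar 10 12:00:01 zscaler-nss: NSS: time="Mar 10 12:00:01 2024" '
              'login="alice@example.com" proto=HTTPS action=Allowed '
              'url="www.example.com/login" dept="Finance" reason="Allowed"')
SAMPLE_FW = ('action=Allow sip=10.1.2.3 sport=51000 dip=93.184.216.34 '
             'dport=443 proto=TCP dept="Finance" rule="Default Firewall Rule"')
SAMPLE_ZPA_APP = json.dumps({
    "LogTimestamp": "2024-03-10T12:00:01Z",
    "Customer": "Example Corp",
    "SessionID": "s-0001",
    "ConnectionStatus": "open",
    "Username": "alice@example.com",
    "Application": "intranet",
})

if __name__ == "__main__":
    print(inputs_conf())
    print(ingest("zscalernss-web", SAMPLE_WEB)["login"])
    print(ingest("zscalerlss-zpa-app", SAMPLE_ZPA_APP)["Username"])
    # A ZPA JSON event arriving on the firewall port yields no key=value pairs.
    print(feed_matches("zscalernss-fw", SAMPLE_ZPA_APP))
```

Run it once after configuring the inputs and compare the printed stanzas with the inputs.conf the UI wrote; if a production event fails feed_matches for its sourcetype, the NSS feed's output format or its destination port is wrong, not the app.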

DLP Event Information

Zscaler NSS doesn't carry violating content from DLP events, nor does Zscaler store or host violating content. Violating content can be transmitted via ICAP or TLS-encrypted email. The Zscaler Splunk App can ingest email-based DLP violation content using the IMAP Mailbox app from Splunkbase. If you have a DLP subscription and want this information in the Zscaler Splunk App, ingest the data via the IMAP Mailbox app.

Various output feeds will need to be configured, and the exact feeds will vary depending on the products subscribed. The table below describes the expected source types:

Product                 Description                                              Sourcetype                Default Output Format
ZIA - NSS (Proxy)       Zscaler Web Proxy Logs                                   zscalernss-web            Splunk CIM
ZIA - NSS (Firewall)    Zscaler Firewall Logs                                    zscalernss-fw             Key Value Pairs
ZIA - NSS (Firewall)    Zscaler DNS Logs                                         zscalernss-dns            Key Value Pairs
ZIA - NSS (All)         Zscaler NSS Alerts                                       zscalernss-alerts         Default
ZPA - LSS (All)         Zscaler Connector Logs                                   zscalerlss-zpa-connector  JSON
ZPA - LSS (All)         Zscaler Auth Logs                                        zscalerlss-zpa-auth       JSON
ZPA - LSS (All)         Zscaler Access Logs                                      zscalerlss-zpa-app        JSON
ZIA - DLP (Event Info)  Zscaler DLP Violation Data (see DLP Event Information)   imap                      Email