NSS Configuration Example: Splunk

NSS Configuration Example: Splunk

This example illustrates how to configure NSS and a Splunk SIEM running version 5.0.3, so that NSS can stream logs to the Splunk SIEM.

To download the Zscaler App from the Splunkbase:

  1. Log in to Splunk and click Find more apps.
  2. Search for the Zscaler app.
    You can also download the Zscaler app from apps.splunk.com
  3.  When the Zscaler App for Splunk appears, click Install free.
  4. Enter your Splunk.com username and password and click Login.
  5. Click Install. 

To add the Zscaler NSS as a log source:

  1. In Splunk, go to Manager > Data Inputs, and then click Add new beside TCP.
  2. Complete the following in the Add New page:
    • Specify the TCP port on which the logs are received.
    • For Source Type, choose zscalerweblogs from the source type list.
    • Click More Settings to expand the page.
    • For Set host, click DNS.
    • From the Index list, choose zscalerlogs_index.

Screenshot of Splunk Add New page  with fields used to add Zscaler NSS as a log source

  1. Click Save.

Configure NSS as described in the NSS Configuration Guide, and then add a feed for the Splunk SIEM as described in the following procedure:

  1. Go to Administration > Settings > Nanolog Streaming Service.
  2. From the NSS Feeds tab, click Add and complete the following to create a new NSS feed for the Splunk SIEM:
    • Enter a name for the feed.
    • From the NSS Server menu, select an NSS. If you have only one NSS configured, it is automatically selected.
    • Set the SIEM IP Address to the IP address of the Splunk system.
    • Set the SIEM TCP Port to the port on which Splunk is expecting the Zscaler logs. (This is the same port that you configured in the previous step.)
    • Set the Feed Output Type to Splunk CIM.
    • Optionally, complete the other fields. (See NSS Configuration Guide.)
  3. Click Save and activate the change.