This example illustrates how to configure the Zscaler Nanolog Streaming Service (NSS) and a Splunk SIEM running version 5.0.3 so that NSS can stream logs to the Splunk SIEM. The procedure has three parts: install the Zscaler App for Splunk, create a TCP data input in Splunk that receives the logs, and add an NSS feed that points at that input.
To download the Zscaler App from Splunkbase:
- Log in to Splunk and click Find more apps.
- Search for the Zscaler app.
You can also download the Zscaler App from apps.splunk.com.
- When the Zscaler App for Splunk appears, click Install free.
- Enter your Splunk.com username and password and click Login.
- Click Install.
To add the Zscaler NSS as a log source:
- In Splunk, go to Manager > Data Inputs, and then click Add new beside TCP.
- Complete the following in the Add New page:
- Specify the TCP port on which the logs are received.
- For Source Type, choose zscalerweblogs from the source type list.
- Click More Settings to expand the page.
- For Set host, click DNS.
- From the Index list, choose zscalerlogs_index.
- Click Save.
Configure NSS as described in the NSS Configuration Guide, and then add a feed for the Splunk SIEM as described in the following procedure:
- Go to Administration > Settings > Nanolog Streaming Service.
- From the NSS Feeds tab, click Add and complete the following to create a new NSS feed for the Splunk SIEM:
- Enter a name for the feed.
- From the NSS Server menu, select an NSS. If you have only one NSS configured, it is automatically selected.
- Set the SIEM IP Address to the IP address of the Splunk system.
- Set the SIEM TCP Port to the port on which Splunk is expecting the Zscaler logs. (This is the same port that you specified for the TCP data input in Splunk.)
- Set the Feed Output Type to Splunk CIM.
- Optionally, complete the other fields. (See NSS Configuration Guide.)
- Click Save and activate the change.
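The following is an added example, not part of the original page or of Zscaler's or Splunk's own tooling. It renders the inputs.conf stanza that corresponds to the Manager > Data Inputs steps above (including restricting the input to the NSS source address, which the UI steps do not do), and it sends a constructed test event over plain TCP so the Splunk input can be checked before the NSS feed is activated. The host and port values, the NSS egress address, and the field names in the sample event are assumptions chosen for illustration; the real feed layout is defined in the NSS Configuration Guide.

```python
"""Pre-flight checks for a Zscaler NSS -> Splunk TCP data input (added example)."""
import socket
import threading

# Values assumed for this example (not on the page): set them to match your deployment.
SPLUNK_HOST = "10.0.0.5"        # "SIEM IP Address" in the NSS feed
SPLUNK_TCP_PORT = 9514          # "SIEM TCP Port" and the Splunk TCP data input port
NSS_IP = "10.0.0.50"            # address the NSS connects from; used to restrict the input
SOURCETYPE = "zscalerweblogs"
INDEX = "zscalerlogs_index"

# A constructed event in the tab-separated key=value shape of a Splunk CIM style feed.
# Field names are illustrative; the NSS Configuration Guide defines the real format.
SAMPLE_EVENT = (
    "Mon Jan  7 14:02:11 2013\tvendor=Zscaler\tproduct=NSS\taction=Blocked"
    "\treason=Malicious URL\thostname=evil.example.test\turl=evil.example.test/payload.exe"
    "\tuser=jdoe@example.test\tClientIP=192.0.2.10\tresponsesize=0"
)


def render_inputs_conf(port, sourcetype, index, nss_ip=None):
    """Return the inputs.conf stanza equivalent to the Manager > Data Inputs steps.
    Naming the remote host in the stanza ([tcp://<nss_ip>:<port>]) makes Splunk
    accept this input only from the NSS address instead of from any client."""
    header = f"[tcp://{nss_ip}:{port}]" if nss_ip else f"[tcp://{port}]"
    return "\n".join([
        header,
        f"sourcetype = {sourcetype}",
        f"index = {index}",
        "connection_host = dns",   # "Set host: DNS" in the UI
        "",
    ])


def parse_cim_line(line):
    """Split one key=value event into a dict; the leading timestamp carries no key."""
    fields = line.rstrip("\n").split("\t")
    event = {"_time": fields[0]}
    for field in fields[1:]:
        key, sep, value = field.partition("=")
        if sep:
            event[key] = value
    return event


def send_test_event(host, port, line, timeout=5.0):
    """Send one newline-terminated event over plain TCP, as the NSS feed does.
    Returns True if the connection was accepted and the bytes were written."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(line.encode("utf-8") + b"\n")
        return True
    except OSError:
        return False


def selftest(line=SAMPLE_EVENT):
    """Stand in for Splunk with a local listener, send the sample event to it,
    and return the parsed event so the round trip can be checked offline."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    received = []

    def accept_one():
        conn, _ = listener.accept()
        with conn:
            chunks = []
            while True:
                data = conn.recv(4096)
                if not data:
                    break
                chunks.append(data)
            received.append(b"".join(chunks).decode("utf-8"))

    worker = threading.Thread(target=accept_one)
    worker.start()
    ok = send_test_event("127.0.0.1", listener.getsockname()[1], line)
    worker.join(timeout=5)
    listener.close()
    return parse_cim_line(received[0]) if ok and received else None


if __name__ == "__main__":
    print(render_inputs_conf(SPLUNK_TCP_PORT, SOURCETYPE, INDEX, NSS_IP))
    print("local round trip:", selftest())
    # Against the real Splunk host, run this before activating the NSS feed and then
    # search index=zscalerlogs_index sourcetype=zscalerweblogs for the test event:
    # print(send_test_event(SPLUNK_HOST, SPLUNK_TCP_PORT, SAMPLE_EVENT))
```

The feed described on this page is plaintext TCP, so the Splunk port should be reachable only from the NSS address: restrict the stanza to that host as shown and filter the path at the network layer as well, otherwise anything that can reach the port can inject events into the zscalerlogs_index index.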