NSS Feed Output Format: Web Logs

The following tables display information about the web log fields and possible values for those fields.

Date/Time

Field Description Example

%s{time}

Time and date of the transaction. This excludes the time zone.    

Thu Sep 6 22:55:48 2012

%s{tz}    

The time zone. This is the same as the time zone you specified when you configured the NSS feed.

GMT

%d{ss}    

Seconds (0-59)

48

%d{mm}

Minutes (0-59)

55

%d{hh}

Hours (0-23)

22

%d{dd}

Day of the month (1-31)

16

%d{mth}

Month of the year

9

%s{mon}

Name of the month

Jan

%d{yyyy}

Year

2012

%s{day}

Day of the week

Mon

%d{stime}

Round-trip time from the ZEN sending the request to the server until the response is received

 

%d{epochtime}

Epoch time of the transaction

 

User Information

Field Description Example

%s{dept}

The department of the user    

Sales

%s{login}

The user's login name, in email address format

jdoe@safemarch.com

%s{ologin}

If obfuscation is enabled, this displays a random string. If obfuscation is disabled, then this is blank.    

4094304256

Bandwidth Control

Field Description Example

%d{throttlereqsize}

Throttled transaction size in the Uplink direction (Upload) in bytes

5

%d{throttlerespsize}

Throttled transaction size in the Downlink direction (Download) in bytes

7

%s{bwthrottle}

Indicates whether the transaction was throttled due to a configured Bandwidth policy   

yes

%s{bwclassname}

Bandwidth class name

  • Entertainment, General Surfing, Office Apps
  • Full list is under the Bandwidth Classes field in the Bandwidth Control page (Policy > Bandwidth Control).

%s{bwrulename}

Bandwidth rule name

  • Office 365
  • Any name under Rule Name column in the Bandwidth Control page (Policy >  Bandwidth Control).

Cloud Application

Field Description Example

%s{appname}

Cloud application name

  • Acrobat Connect, Craigslist, Dropbox
  • Full list is under the Cloud Application filter in the Web Insights page (Analytics > Web Insights).
  • Applications are listed under each category in Cloud App Categories.

%s{appclass}

The web application class of the application that was accessed. Equivalent to module.

  • Administration, Collaboration, Web Mail
  • Full list is under the Cloud Application Class filter in the Web Insights page (Analytics > Web Insights).

%s{module}

The web application class of the application that was accessed. Equivalent to appclass.

  • Administration, Collaboration, Web Mail
  • Full list is under the Cloud Application Class filter in the Web Insights page (Analytics > Web Insights).

Cloud Sandbox

Field Description Example

%s{bamd5}

The MD5 hash of the malware file that was detected in the transaction, or the MD5 hash of the file that was sent to the Sandbox engine for analysis

196a3d797bfee07fe4596b69f4ce1141

DLP

Field Description Example

%s{dlpdict}

The DLP dictionaries that were matched, if any

  • Credit Cards, Gambling, MRN Numbers
  • Full list is under Name column in the DLP Dictionaries page (Administration > DLP Dictionaries & Engines).
  • Full list is in About DLP Dictionaries.

%s{dlpeng}

The DLP engine that was matched, if any

  • HIPAA, PCI, Social Security Numbers
  • Full list is under Name column in the DLP Engines page (Administration > DLP Dictionaries & Engines).
  • Full list is in About DLP Engines.

File Type Control

Field Description Example

%s{fileclass}

The type of file associated with the transaction

  • Active Web Contents, Archive Files, Audio
  • Full list is under the File Type field in the File Type Control page (Policy > File Type Control).

%s{filetype}

The type of file associated with the transaction

  • RAR Files, ZIP, Windows Executables
  • Full list is under the File Type field in the File Type Control page (Policy > File Type Control).

%s{filesubtype}

File subtype name (extension name)  

  • rar, exe, ppt
  • Subtypes are in parentheses under the File Types field in the File Type Control page (Policy > File Type Control).

%s(unknown)

The name of the file associated with the transaction

nssfeed.txt

HTTP Transaction

Field Description Example

%d{reqdatasize}

Size, in bytes, of the HTTP Request payload, excluding the headers   

1000

%d{reqhdrsize}

Size, in bytes, of the HTTP Request header  

300

%d{reqsize}

Request size in bytes 

1300

%d{respdatasize}

Size, in bytes, of the HTTP Response payload, excluding the headers 

10000

%d{resphdrsize}

Size, in bytes, of the HTTP Response header   

500

%d{respsize}

Total size, in bytes, of the HTTP response, includes the header and payload    

10500

%d{totalsize}

Total size, in bytes, of the HTTP transaction; sum of the total request size and total response size.   

11800

%s{reqmethod}

The HTTP request method   

invalid, get, connect

%s{reqversion}    

The HTTP request version

1.1

%s{respcode}

The HTTP response code sent to the client. The service generates a "403-Forbidden" response for blocked transactions.    

  • 100 - Continue
  • 202 - Accepted
  • 305 - Use Proxy
  • 403 - Forbidden
  • 500 - Internal Server Error

%s{respversion}

HTTP response version  

1.0

%s{referer} 

The HTTP referer URL

www.google.com

%s{uaclass}

User agent class

Firefox, Chrome, Safari

%s{ua} 

The User-Agent string that the browser sent with its request. The User-Agent string contains browser and system information that the destination server can use to provide appropriate content. The service displays a reduced version of the string.

  • EZ Agent (2.0)
  • Google Chrome (0.x)
  • Mozilla (5.0) is the reduced version. The full string can be Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0).

%s{host}

The destination host name

mail.google.com

%s{ehost}

The encoded version of the destination host name

 

%s{eurl}

The encoded version of the destination URL

www.trythisencodeurl.com/index%1A%09

%s{ereferer}

The encoded version of the HTTP referer URL

 

%s{contenttype}

Content type name. We display a reduced version of the string (e.g. We will display "Flash" instead of "application/x-shockwave-flash").

 

%s{refererhost}

The host name of the referer URL

www.example.com for http://www.example.com/index.html

%s{erefererpath}

Encoded referer path

 

%s{eurlpath}

Encoded URL path

 

%s{erefererhost}

Encoded referer host name

 

%s{url}

The destination URL. It excludes the protocol identifier, such as http:// or https://

www.trythisencodeurl.com/index

Mobile Application

Field Description Example

%s{mobappname}

The name of the mobile app, if any   

  • Adobe Reader, Amazon, Dropbox
  • Full list is under the Mobile Application filter in the Mobile Insights page (Analytics > Mobile Insights).

%s{mobappcat}

The mobile app type, if any

  • Communication, Education, Games
  • Full list is under the Mobile Application filter in the Mobile Insights page (Analytics > Mobile Insights).

%s{mobdevtype}

Mobile device type name

  • iOS, Google Android, Apple iPhone
  • Full list is under the Mobile Device Type filter in the Mobile Insights page (Analytics > Mobile Insights).

Network

Field Description Example

%s{cip}

The IP address of the user. This is the internal IP address if it is visible (for example, traffic sent through a GRE tunnel, or an internal IP address indicated using XFF). Otherwise, it is the same as cintip.

203.0.113.5, 192.168.2.200

%s{cintip}

The client Internet (NATted Public) IP address. This is different from the cip value if the internal IP address is visible. Otherwise, same as cip.

203.0.113.5

%s{sip}

The destination server IP address. Displays 0.0.0.0 if the request was blocked.

1.1.1.1

%s{proto}

The protocol type of the transaction

HTTP, FTP

%s{trafficredirectmethod}

Traffic forwarding method to Zscaler's enforcement nodes (ZENs)

  • DNAT (Destination Translation)
  • GRE (GRE Tunnel)
  • IPSEC (IPSEC Tunnel)
  • PBF (Policy Based Forwarding)
  • PAC (PAC File)
  • PAC_GRE (PAC File over GRE Tunnel)
  • PAC_IPSEC (PAC File over IPSEC Tunnel)
  • Z_APP (Zscaler App)

%s{location}

The gateway location or sublocation of the source

Headquarters

Policy

Field Description Example

%s{rulelabel}

The name of the rule that was applied to the transaction (applies only to Block rules, not Allow) 

URL_Filtering_1, URL_Filtering_2

%s{ruletype}

The policy type (applies only to Block rules, not Allow)

  • File Type Control, Data Loss Prevention, Sandbox
  • Full list in Viewing Web Logs.

%s{reason}

The action that the service took and the policy that was applied, if the transaction was blocked

  • Virus/Spyware/Malware Blocked
  • Not allowed to browse this category
  • File Attachment not allowed
  • This page is unsafe (high PageRisk index)
  • Denied due to SSL connection to the server failing or a firewall policy
  • Destination contains potential phishing content
  • File Attachment Cautioned
  • Recipient is a redirect
  • Spam UWL
  • Full list in Policy Reasons.

%s{action}

The action that the service took on the transaction

Allowed, Blocked

SSL Ciphers

Client

Field Description Example

%s{clientsslcipher}

Negotiated cipher suite for communication between the client and Zscaler

SSL3_CK_RSA_NULL_MD5, SSL3_CK_RSA_NULL_SHA

%s{clienttlsversion}

TLS/SSL version used for communication between the client and Zscaler

  • SSL2
  • SSL3
  • TLS1_1

%s{clientsslsessreuse}

Whether the SSL session between the client and Zscaler was reused

  • Unknown
  • No
  • Yes

Server

Field Description Example

%s{srvsslcipher}

Negotiated cipher suite for communication between Zscaler and the server

SSL3_CK_RSA_NULL_MD5, SSL3_CK_RSA_NULL_SHA

%s{srvtlsversion}

TLS/SSL version used for communication between the ZEN and the server

SSL2, SSL3, TLS1_1

%s{srvocspresult}

OCSP (certificate revocation) check result for the server certificate

  • Good
  • Revoked
  • Unknown

%s{srvcertchainvalpass}

Result of validating the server certificate chain

  • Unknown
  • Fail
  • Pass

%s{srvwildcardcert}

Whether the server presented a wildcard certificate

  • Unknown
  • No
  • Yes

%s{serversslsessreuse}

Whether the SSL session between the ZEN and the server was reused

  • Unknown
  • No
  • Yes

%s{srvcertvalidationtype}

Server certificate validation type: Extended Validation (EV), Organization Validation (OV), or Domain Validation (DV)

  • EV
  • OV
  • DV

%s{srvcertvalidityperiod}

Length of the server certificate's validity period

  • Short
  • Medium
  • Long
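The SSL Cipher fields above are the ones a detection engineer would alert on: NULL cipher suites (no encryption at all), deprecated protocol versions, a revoked server certificate, or a failed chain validation. The following is an added example, not Zscaler code, that audits parsed web-log records for those conditions. It assumes each record is a dict keyed by the field token without the %s{} wrapper and that values appear exactly as the tables list them; the TLS1_2 version string and the ECDHE cipher name in the clean sample are assumed values (the page lists only SSL2, SSL3 and TLS1_1 as examples), and both sample records are constructed.

```python
"""Added example (not Zscaler code): audit NSS web-log SSL Cipher fields for
weak or failed TLS negotiations.

Assumptions: records are dicts keyed by field name without the %s{} wrapper;
values match the documented examples. Sample records are constructed.
"""

# Every protocol version the page lists as an example value is deprecated:
# SSL2 (RFC 6176), SSL3 (RFC 7568) and TLS 1.1 (RFC 8996).
DEPRECATED_VERSIONS = {"SSL2", "SSL3", "TLS1_1"}

# (label, cipher field, version field) for the two legs of the connection.
SIDES = (
    ("client", "clientsslcipher", "clienttlsversion"),
    ("server", "srvsslcipher", "srvtlsversion"),
)


def audit_tls(record):
    """Return a list of (side, problem) tuples; an empty list means nothing to flag."""
    findings = []
    for side, cipher_field, version_field in SIDES:
        cipher = record.get(cipher_field, "")
        version = record.get(version_field, "")
        if "_NULL_" in cipher:
            # e.g. SSL3_CK_RSA_NULL_MD5: authenticated but unencrypted traffic
            findings.append((side, "null-cipher"))
        if cipher.endswith("_MD5"):
            findings.append((side, "md5-mac"))
        if version in DEPRECATED_VERSIONS:
            findings.append((side, "deprecated-version"))
    # Certificate checks only exist on the ZEN-to-server leg.
    if record.get("srvocspresult") == "Revoked":
        findings.append(("server", "cert-revoked"))
    if record.get("srvcertchainvalpass") == "Fail":
        findings.append(("server", "chain-validation-failed"))
    return findings


def audit_all(records):
    """Map host -> findings for every record that has at least one problem."""
    return {r["host"]: audit_tls(r) for r in records if audit_tls(r)}


# Constructed sample records (not real log data). The cipher and version
# strings in the first record are assumed values for a modern negotiation.
SAMPLE_RECORDS = [
    {
        "host": "mail.google.com",
        "clientsslcipher": "TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "clienttlsversion": "TLS1_2",
        "srvsslcipher": "TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "srvtlsversion": "TLS1_2",
        "srvocspresult": "Good",
        "srvcertchainvalpass": "Pass",
        "srvwildcardcert": "No",
    },
    {
        "host": "intranet.example.com",
        "clientsslcipher": "SSL3_CK_RSA_NULL_MD5",
        "clienttlsversion": "SSL3",
        "srvsslcipher": "SSL3_CK_RSA_NULL_SHA",
        "srvtlsversion": "TLS1_1",
        "srvocspresult": "Revoked",
        "srvcertchainvalpass": "Fail",
        "srvwildcardcert": "Yes",
    },
]

if __name__ == "__main__":
    for host, problems in audit_all(SAMPLE_RECORDS).items():
        print(host)
        for side, problem in problems:
            print(f"  {side}: {problem}")
```

Unknown OCSP and chain results are deliberately not flagged here; in a live feed "Unknown" is common for connections the ZEN did not inspect, so alerting on it produces noise rather than signal.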

Threat Protection

Field Description Example

%d{riskscore}

The Page Risk Index score of the destination URL. The service computes the risk of each page by weighing several factors, including the page location, the reputation of the destination, and content that may look suspicious. The range is 0 - 100, from the lowest to the highest risk.

10

%s{threatname}

The name of the virus that the service detected in the transaction, if any

EICAR Test File

%s{malwareclass}

The class of malware that was detected in the transaction, if any

  • Malware, Sandbox, Spyware, Virus
  • Full list is under the Threat Super Category filter in the Web Insights page (Analytics > Web Insights).

%s{malwarecat}

The category of malware that was detected in the transaction, if any. Also indicates if a file was submitted to the Sandbox engine for analysis and the result of the analysis.

  • Adware, Backdoor, Trojan
  • Sandbox Adware, Sandbox Anonymizer, Sandbox Malware, Sent for Analysis
  • Full list is under the Threat Category filter in the Web Insights page (Analytics > Web Insights).

URL Categorization

Field Description Example

%s{urlclass}

The class of the destination URL

  • Bandwidth Loss, General Surfing, Privacy Risk
  • URL classes are listed in About URL Categories.
  • Full list is in the URL Categories page (Administration > URL Categories).

%s{urlsupercat}

The super category of the destination URL   

  • Entertainment/Recreation, Travel, Security
  • URL super categories are listed in About URL Categories.
  • Full list is in the URL Categories page (Administration > URL Categories).

%s{urlcat}

The category of the destination URL

  • Entertainment, Adult Themes, Games
  • Spyware Callback
  • URL categories are listed in About URL Categories.
  • Full list is in the URL Categories page (Administration > URL Categories).
  • Also includes the Advanced Super Threat Category. Full list is under the Advanced Super Threat Category filter in the Web Insights page (Analytics > Web Insights).

Miscellaneous

Field Description Example

%d{recordid}

Unique record identifier for each log

 

%s{productversion}

The current version of the product. Useful for SIEMs whose format requires the product internal version to be sent in the log output. 

5.0.902.95524_04

%s{nsssvcip}

The service IP address of the NSS. Useful for syslog-format logs that require the origin host IP address to be specified.

10.10.102.30

%s{eedone}

Indicates if the characters specified in the Feed Escape Character field of the NSS Feed Configuration page were hex encoded.

YES

b64 Fields

SIEMs have parsing issues whenever a string field contains non-printable or delimiter characters. URL encoding is available for the URL fields (url, referer, and host), but several other fields have the same problem and URL encoding is not suitable for them. Such fields can instead be Base64 (b64) encoded. Turning on this encoding for all supported fields may reduce performance by approximately 20%.

The following fields have been added as b64 fields:

  • b64ua
  • b64filename
  • b64threatname
  • b64mobappname
  • b64host
  • b64url
  • b64referer
  • b64login
  • b64location
  • b64dept
  • b64urlcat
  • b64rulelabel
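A SIEM-side parser has to undo both encodings described on this page: percent-decoding for the e-prefixed URL fields and Base64 decoding for the b64 fields. The following is an added example, not Zscaler code, that parses one line of a feed into a typed record. It assumes the feed output format is a tab-delimited sequence of %s{field} and %d{field} tokens (FEED_FORMAT below is a constructed format, not a Zscaler default), that the e-prefixed fields carry percent-encoding as the eurl example above shows, and the sample line is constructed here rather than taken from a real feed.

```python
"""Added example (not Zscaler code): parse one NSS web-log feed line and
decode its b64 and URL-encoded fields.

Assumptions: tab-delimited output format made of %s{...}/%d{...} tokens
(FEED_FORMAT is constructed); e-prefixed fields are percent-encoded; the
sample line is constructed, not real log data.
"""
import base64
import re
from urllib.parse import unquote

FEED_FORMAT = ("%s{time}\t%s{login}\t%s{action}\t%d{riskscore}"
               "\t%s{eurl}\t%s{b64url}\t%s{b64ua}\t%s{b64rulelabel}")

TOKEN = re.compile(r"^%([sd])\{(\w+)\}$")

# The percent-encoded fields documented on this page.
ENCODED_FIELDS = {"ehost", "eurl", "ereferer", "erefererpath",
                  "eurlpath", "erefererhost"}


def parse_format(fmt):
    """Turn the format string into [(name, is_int), ...], one entry per column."""
    columns = []
    for tok in fmt.split("\t"):
        m = TOKEN.match(tok)
        if not m:
            raise ValueError(f"unsupported token {tok!r}")
        columns.append((m.group(2), m.group(1) == "d"))
    return columns


def parse_line(line, columns):
    """Split a feed line on tabs and decode each column by its field type."""
    values = line.rstrip("\n").split("\t")
    if len(values) != len(columns):
        # A raw tab inside an unencoded field is exactly how this fails.
        raise ValueError(f"expected {len(columns)} columns, got {len(values)}")
    record = {}
    for (name, is_int), raw in zip(columns, values):
        if is_int:
            record[name] = int(raw)
        elif name.startswith("b64"):
            # validate=True rejects stray characters instead of silently
            # skipping them; invalid UTF-8 becomes U+FFFD rather than vanishing.
            record[name] = base64.b64decode(raw, validate=True).decode("utf-8", "replace")
        elif name in ENCODED_FIELDS:
            record[name] = unquote(raw)
        else:
            record[name] = raw
    return record


def _b64(text):
    return base64.b64encode(text.encode()).decode("ascii")


# Constructed sample: the URL contains a control byte and a tab, the two
# characters that would break a naive tab split if the field were not encoded.
SAMPLE_URL = "www.trythisencodeurl.com/index\x1a\t"
SAMPLE_UA = "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0)"
SAMPLE_LINE = "\t".join([
    "Thu Sep 6 22:55:48 2012", "jdoe@safemarch.com", "Blocked", "85",
    "www.trythisencodeurl.com/index%1A%09",
    _b64(SAMPLE_URL), _b64(SAMPLE_UA), _b64("URL_Filtering_1"),
])


def parse_sample():
    return parse_line(SAMPLE_LINE, parse_format(FEED_FORMAT))


if __name__ == "__main__":
    for name, value in parse_sample().items():
        print(f"{name:13} {value!r}")
```

The decoded value is stored under the b64 field's own name, so a feed that carries both url and b64url keeps both; downstream rules should read the b64 variant, since the plain one may have been truncated or mangled by the delimiter it contains.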