Secure Private Access (ZPA)

About the Log Streaming Service


The Log Streaming Service (LSS) provides a better understanding of the information coming from the ZPA service by allowing you to create log receivers that receive information about App Connectors and users.

The LSS provides the following benefits and enables you to:

  • Forward your diagnostics and status logs to a SIEM.
  • Store logs for longer than the cloud retention period.
  • Create analytical charts and graphs using your own in-house SIEM.
  • Create events and alerts using third-party log correlation.

Zscaler retains User Activity, User Status, and App Connector log information for rolling periods of at least 14 days during the subscription term. Zscaler retains Audit log information for at least 6-month periods during the subscription term. To keep access to logs beyond the 14 days they remain available in the ZPA Admin Portal, you must set up the LSS.

LSS is deployed using two components: a log receiver and a ZPA App Connector. LSS resides in ZPA and initiates a log stream through a ZPA Public Service Edge. The App Connector resides in your company's enterprise environment. It receives the log stream and then forwards it to a log receiver.

Zscaler supports third-party SIEM integrations for the LSS. To learn more, see the ZPA and Splunk Deployment Guide and Zscaler and Splunk Deployment Guide.

While the LSS is used to capture log data about App Connectors and users in ZPA using a log receiver, the Nanolog Streaming Service (NSS) resides in Zscaler Internet Access (ZIA) and allows streaming of traffic logs from the Zscaler Nanolog to your SIEM. To learn more, see About Nanolog Streaming Service.

Log Streaming Service Deployment

Your App Connectors must be deployed prior to configuring a log receiver. To learn more, see the App Connector Deployment Guides for Supported Platforms.

Mutual TLS encryption between the log receiver and the App Connector is optional; you enable it when configuring a log receiver. Once enabled, LSS traffic flows between the App Connector and the log receiver only after mutual authentication is established, which requires the two to exchange certificates. The App Connector trusts certificates signed by a public root certificate authority (CA) in addition to certificates signed privately by a custom CA, which it receives automatically when the App Connector is deployed. The log receiver must have a certificate signed by a public root CA.

To use TLS encryption, you must meet the following requirements to ensure successful communication:

  • Log receiver:
    • Supports TLS communication.
    • Has a client certificate for mutual TLS encryption that uses a public root CA. App Connectors trust certificates that are signed by a public or custom root CA.
    • Validates the chain of trust to the App Connector's enrollment certificate. One way to enable the log receiver to validate the chain of trust is to add the App Connector's enrollment certificate to the log receiver's certificate trust store.
  • App Connector: Automatically receives a root certificate during deployment. The App Connector is designed to trust log receiver certificates that are either signed by the global public root CAs, or signed by custom root CAs that are used as the App Connector's enrollment certificate.

A log receiver can capture the following log types:

After you select which log type to capture, you can configure a streaming policy for the information.

The LSS does not transmit any log data generated during a connection loss between ZPA and the App Connectors. After the connection is restored, it can retransmit the last 15 minutes of the log data. However, the delivery of that log data is not guaranteed. With the exception of Audit Log data, the LSS does not transmit any log data generated during a connection loss between the App Connector and the SIEM.

About the Log Receivers Page

On the Log Receivers page (Configuration & Control > Private Infrastructure > Log Streaming Service > Log Receivers), you can do the following:

  1. Expand all of the rows in the table to see more information about each log receiver.
  2. Add a new log receiver.
  3. View a list of all log receivers that are configured for your organization. For each receiver, you can see:
    • Name: The name of the receiver.
    • Domain Name or IP Address: The domain name or IP address for the receiver.
    • TCP Port: The TCP port number for the receiver.
    • TLS Encryption: Indicates that TLS encryption is enabled or disabled for the receiver.
    • Log Type: The log type the receiver is capturing (e.g., User Activity, User Status, App Connector Status, Browser Access).
  4. Copy a log receiver's configuration and use it to create a new configuration.
  5. Edit an existing log receiver.
  6. Delete a log receiver.

If a log receiver is configured using Zscaler Deception, then the copy, edit, and delete options are unavailable.

  7. Go to the App Connector Groups page to view and configure the App Connector groups that are specifically associated with your log receivers.

Log Receiver Page within the ZPA Admin Portal
