Zscaler Web Proxy
Nanolog Streaming Service (NSS)
Zscaler offers a virtual appliance, called Nanolog Streaming Service (NSS), to stream web logs to an external SIEM via syslog. NSS is maintained and distributed by Zscaler as an Open Virtual Application (OVA).
When an NSS receives the logs from the Nanolog, it decompresses and detokenizes them, applies the configured filters to exclude unwanted logs, converts the filtered logs to the configured output format so they can be consumed and parsed by your SIEM, then streams the logs to your SIEM over a raw TCP connection.

SIEM Integration for NSS
This example illustrates how to configure NSS and a BluSapphire SIEM so that NSS can stream logs to the BluSapphire SIEM.
Adding NSS Server
To add an NSS server:
Go to Administration > Nanolog Streaming Service.
From the NSS Servers tab, click Add NSS Server.
The Add NSS Server window appears.

In the Add NSS Server window, enter a name for the NSS.
NSS for Web is selected by default. If you are configuring an NSS for firewall logs, select NSS for Firewall.
The NSS is Enabled by default.
Click Save.
Adding NSS Feeds
To configure a feed for web logs:
Go to Administration > Nanolog Streaming Service.
In the NSS Feeds tab, click Add NSS Feed.
The Add NSS Feed window appears.
In the Add NSS Feed window:

Feed Name: Enter a name for your NSS feed.
NSS Type: NSS for Web is selected by default.
NSS Server: Choose an NSS from the list.
Status: The NSS feed is Enabled by default.
SIEM Destination Type: The type of destination.
SIEM IP Address: Enter the IP address as
SIEM TCP Port: Enter the port number shared by the BluSapphire engineer.
Log Type: Choose Web Log.
SIEM Rate Limit (Events per Second): Leave as unrestricted, unless you need to throttle the output stream due to licensing or other constraints.
Feed Output Type: Select Arcsight CEF.
Feed Escape Character: Leave Blank.
Feed Output Format: Will be auto-populated. Leave it as default.
User Obfuscation: Disabled by default.
Time zone: By default, this is set to the organization's time zone.
Duplicate Logs: Disabled by default.
Click on Save.
Follow the same procedure to configure NSS feeds for firewall logs and other log types.
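The feed configured above sends ArcSight CEF records over a raw TCP connection. The following added example (not code from Zscaler or BluSapphire) shows how a receiver can reassemble records that arrive split across TCP reads and parse each one into fields, which is a quick way to confirm the feed is arriving intact. It assumes one record per line; the vendor, product and field values in the sample are constructed and are not the actual NSS feed output format.

```python
import re

HEADER = ("version", "vendor", "product", "device_version",
          "signature_id", "name", "severity")
EXT_KEY = re.compile(r"(?:^|\s)(\w+)=")  # key must follow start or whitespace


def frame_records(chunks):
    """Reassemble newline-delimited records from arbitrary TCP read boundaries."""
    buf = b""
    for chunk in chunks:
        buf += chunk
        *lines, buf = buf.split(b"\n")  # last piece is an incomplete record
        for raw in lines:
            if raw.strip():
                yield raw.decode("utf-8", "replace").rstrip("\r")


def parse_cef(line):
    """Parse one CEF record into a dict; raise ValueError if it is malformed."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("missing CEF prefix")
    body, fields, cur, i = line[start + 4:], [], [], 0
    while i < len(body) and len(fields) < len(HEADER):
        if body[i] == "\\" and i + 1 < len(body):  # \| and \\ are escapes
            cur.append(body[i + 1])
            i += 2
            continue
        if body[i] == "|":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(body[i])
        i += 1
    if len(fields) < len(HEADER):
        raise ValueError("truncated CEF header")
    event, ext = dict(zip(HEADER, fields)), body[i:]
    keys = list(EXT_KEY.finditer(ext))
    for m, nxt in zip(keys, keys[1:] + [None]):
        value = ext[m.end():nxt.start() if nxt else len(ext)].strip()
        event[m.group(1)] = value.replace("\\=", "=").replace("\\\\", "\\")
    return event


# Constructed sample: two records split mid-line, as TCP reads may deliver them.
SAMPLE_CHUNKS = [
    b"CEF:0|ExampleVendor|ExampleProxy|1.0|100|Web \\| Txn|3|act=Blocked src=192.0.2.10 ",
    b"request=http://example.com/a?b=c reason=Not allowed\nCEF:0|Example",
    b"Vendor|ExampleProxy|1.0|200|Allowed|1|act=Allowed src=192.0.2.11\n",
]
EVENTS = [parse_cef(r) for r in frame_records(SAMPLE_CHUNKS)]
```

A record that raises ValueError here usually points to a feed output type other than CEF or to a truncated stream, both of which are worth checking on the NSS feed before tuning SIEM parsers.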