> For the complete documentation index, see [llms.txt](https://docs.blusapphire.io/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.blusapphire.io/log-forwarding/03_log-forwarding-guide/log-forward/zscaler/zscaler-web-proxy.md).

# Zscaler Web Proxy

### Nanolog Streaming Service (NSS)

Zscaler offers a virtual appliance, called Nanolog Streaming Service (NSS) to stream web logs to external SIEM via syslog. NSS is maintained and distributed by Zscaler as an Open Virtual Application (OVA).

When an NSS receives the logs from the Nanolog, it decompresses and detokenizes them, applies the configured filters to exclude unwanted logs, converts the filtered logs to the configured output format so they can be consumed and parsed by your SIEM, then streams the logs to your SIEM over a raw TCP connection.

<figure><img src="/files/C0QYbxMwOo4K70injcEH" alt=""><figcaption></figcaption></figure>

### SIEM Integration for NSS

This example illustrates how to configure NSS and a Blusapphire SIEM, so that NSS can stream logs to the Blusapphire SIEM.&#x20;

#### Adding NSS Server

To add an NSS server:

Go to Administration > Nanolog Streaming Service.

From the NSS Servers tab, click Add NSS Server.

The Add NSS Server window appears.

<figure><img src="/files/4n4dUmP01upX4mggLovn" alt=""><figcaption></figcaption></figure>

In the **Add NSS Server** window, enter a name for the NSS.

**NSS for Web** is selected by default. If you are configuring an NSS for firewall logs, select **NSS for Firewall.**

The NSS is Enabled by default.

Click **Save**

#### Adding NSS Feeds | Zscaler

To configure a feed for web logs:

Go to **Administration** > **Nanolog Streaming Service**.

In the **NSS Feeds** tab, click **Add NSS Feed**.

The **Add NSS Feed** window appears.

In the **Add NSS Feed** window:

<figure><img src="/files/wtYMYsqPZ2nS60ruug6j" alt=""><figcaption></figcaption></figure>

**Feed Name:** Enter a name for your NSS feed.

**NSS Type:** NSS for Web is selected by default.

**NSS Server:** Choose an NSS from the list.

**Status:** The NSS feed is Enabled by default.

**SIEM Destination Type:** The type of destination.

**SIEM IP Address:** Enter the IP address as

**SIEM TCP Port:** Enter the port number as shared by BluSapphire engineer

**Log Type:** Choose Web Log.

**SIEM Rate Limit (Events per Second):** Leave as unrestricted, unless you need to throttle the

output stream due to licensing or other constraints.

**Feed Output Type:** Select Arcsight CEF.

**Feed Escape Character:** Leave Blank.

**Feed Output Format:** Will be auto- populated. Leave it as default.

**User Obfuscation:** Disabled by default.

**Time zone:** By default, this is set to the organization's time zone.

**Duplicate Logs:** Disabled by default.

Click on **Save**.

Same procedure is to be followed for configuring NSS Feed for Firewall Logs and others.


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.blusapphire.io/log-forwarding/03_log-forwarding-guide/log-forward/zscaler/zscaler-web-proxy.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.