Configure Zscaler Log Collection
Collecting Zscaler logs enables Alert Logic to ingest and parse the data and raise incidents from it. Significant security findings from your Zscaler data create incidents that you can manage in the Alert Logic console.
This integration supports:
- Internet and SaaS (ZIA)
- Private Access (ZPA)
To send Zscaler log data to Alert Logic, complete these tasks:
- Deploy a Remote Collector or Log Manager.
- Configure the Zscaler Nanolog Streaming Service (NSS).
- Configure Zscaler to send logs to the designated Alert Logic Log Manager or Remote Collector.
- Verify log collection.
Deploy a Remote Collector or Log Manager
To send data from your Zscaler devices to Alert Logic, first install the Remote Collector or deploy the Log Manager virtual machine.
To download and install the Remote Collector:
- Review the requirements in Requirements for the Alert Logic Remote Collector and confirm that your environment meets them.
- Complete the installation instructions for Linux or Windows. Choose a host in the same network as the Zscaler devices.
- During installation, note the IP address of the host where you installed the collector. You need this IP address when you configure the Zscaler device.
To download and install the Log Manager (data center deployments only):
See Install an Alert Logic Log Manager virtual appliance.
Configure the Zscaler Nanolog Streaming Service
Zscaler requires a Nanolog Streaming Service instance in your environment. This service acts as an intermediary that forwards logs to Alert Logic.
For deployment instructions for SaaS platforms and on-premises environments, see the following Zscaler documentation:
Configure Zscaler to send logs
Configure Zscaler to forward logs to the Remote Collector or Log Manager.
Use the following settings:
- Protocol: TCP or UDP
- Remote Collector port: 1515
- Log Manager port: 514
- Log format: CEF (required for analytics)
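As an added example (not Alert Logic's or Zscaler's own code), the following Python check maps the settings above to a destination port and socket type, and validates that a feed line is well-formed CEF (seven pipe-delimited header fields plus extensions, with backslash escapes honoured) before analytics depend on it. The sample record and its field values are constructed, not real NSS output.

```python
import re
import socket

# Ports from this page for each Alert Logic destination.
DESTINATION_PORTS = {"remote_collector": 1515, "log_manager": 514}

def destination(target: str, protocol: str) -> tuple:
    """Return (port, socket type) for the Alert Logic destination and protocol."""
    if protocol not in ("TCP", "UDP"):
        raise ValueError("the NSS feed to Alert Logic must use TCP or UDP")
    sock_type = socket.SOCK_STREAM if protocol == "TCP" else socket.SOCK_DGRAM
    return DESTINATION_PORTS[target], sock_type

def _split_unescaped(text: str, sep: str, maxsplit: int) -> list:
    """Split on sep at most maxsplit times, honouring CEF backslash escapes."""
    parts, buf, i = [], [], 0
    while i < len(text):
        c = text[i]
        if c == "\\" and i + 1 < len(text):  # escaped char: keep it literally
            buf.append(text[i + 1]); i += 2; continue
        if c == sep and len(parts) < maxsplit:
            parts.append("".join(buf)); buf = []
        else:
            buf.append(c)
        i += 1
    parts.append("".join(buf))
    return parts

def parse_cef(line: str) -> dict:
    """Parse one CEF record (optionally behind a syslog prefix) into header + extension."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("not a CEF record: missing 'CEF:' header")
    fields = _split_unescaped(line[start + 4:], "|", maxsplit=7)
    if len(fields) != 8:
        raise ValueError(f"expected 7 header fields, got {len(fields) - 1}")
    version, vendor, product, dev_version, sig_id, name, severity, ext = fields
    # Extension values may contain spaces, so a new pair starts only at "<key>=".
    extension = {}
    for pair in re.split(r"\s+(?=[A-Za-z0-9_.]+=)", ext.strip()):
        key, _, value = pair.partition("=")
        if key: extension[key] = value
    return {"version": int(version), "vendor": vendor, "product": product,
            "device_version": dev_version, "signature_id": sig_id, "name": name,
            "severity": int(severity) if severity.isdigit() else severity,
            "extension": extension}

# Constructed sample (not real Zscaler output) in the CEF shape the feed must use.
SAMPLE = ("CEF:0|Zscaler|ZIA|1.0|100|Allowed URL|3|"
          "src=10.0.0.5 dst=198.51.100.7 request=http://example.test/ act=Allowed")
```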
Verify log collection
After you install the Remote Collector and configure Zscaler, verify that log collection is successful. Alert Logic can take up to 15 minutes to begin receiving logs.
Verify raw messages
- In the Alert Logic console, go to Raw messages.
- Uncomment one of the two commented lines with SQL parameters. Replace $COLLECTOR_ID or $COLLECTOR_IP with your preferred identifier for the Remote Collector.
- Select Search.
- Verify that logs display for the Remote Collector.
You should also see a new remote source in the Remote source assets table. The source is usually named Zscaler-nss.
To view the source, go to Investigate > Assets > Remote Sources.
Zscaler analytics
To find the types of incidents Alert Logic can raise, go to Investigate > Threat Intelligence Center > Analytics, and then search for Zscaler.