Loginsoft, as part of its Technology Engagement in delivering comprehensive cybersecurity services, has successfully implemented the Zscaler Nanolog Streaming Service (NSS) for one of its Enterprise Cloud SIEM clients. By deploying a virtual appliance, its Content Pack engineers enabled real-time streaming of the security information and access event logs generated by Zscaler. These logs are configured to integrate seamlessly with the client's Enterprise Cloud SIEM, enhancing the client's ability to monitor, analyze, and respond to security incidents effectively.
Deploying Zscaler NSS: A Step-by-Step Guide
Requirements:
- An active NSS license and access to the Zscaler NSS web administration interface.
- Identify each log type that you want to monitor (such as Web, Firewall and DNS) and the destinations your organization requires.
Setup / Configuring Zscaler NSS using VMware:
- Deploy the NSS virtual appliance on-premises or in the cloud, as required.
- There are three platforms to choose from – VMware, AWS and Azure. This section has instructions for VMware.
- Download the virtual appliance OVA file and register the VM in ESXi from it.
- Configure network connectivity and upload the required certificates for secure communication.
- Add an NSS feed by defining the SIEM IP address, port number, log format and output format.
Log Formats: CEF, Syslog, LEEF
Sample Web Logs:
Syslog
<14>1 2024-12-24T12:01:00Z host.domain.com NSS - - - action=blocked app_name=HTTP dst_ip=203.0.113.20 dst_port=80 proto=TCP src_ip=192.0.2.15 src_port=54321 bytes=12345 duration=15 rule_label=Block_HTTP rule_id=102 category=Web_Browsing url=http://blocked-site.com
CEF
CEF:0|Zscaler|NSS|1.0|102|Web Browsing|8|act=blocked app=HTTP dst=203.0.113.20 dpt=80 proto=TCP src=192.0.2.15 spt=54321 cs1Label=Rule_Label cs1=Block_HTTP cs2Label=Category cs2=Web_Browsing cs3Label=URL cs3=http://blocked-site.com rt=2024-12-24T12:01:00Z in=12345 out=0 du=15
LEEF
LEEF:2.0|Zscaler|NSS|1.0|102|devTime=2024-12-24T12:01:00Z src=192.0.2.15 dst=203.0.113.20 dpt=80 proto=TCP spt=54321 app=HTTP cat=Web_Browsing rule=Block_HTTP action=blocked bytesIn=12345 duration=15 url=http://blocked-site.com
Verify Ingestion on your cloud SIEM
- Verify that the SIEM configuration is functioning correctly, including that the input has been launched with the appropriate type, protocol, and port.
- Secure transmission can be ensured by installing TLS/SSL certificates.
- Create test scenarios from the Zscaler NSS Troubleshooting section on the admin portal.
- To identify transmission errors, examine the Zscaler NSS logs.
- Logs can be validated with SIEM search queries on fields such as 'source:' and 'action:', for example source:"<NSS hostname>" AND action:*
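The three sample web logs above carry the same event in Syslog, CEF and LEEF form, and the ingestion check in this section comes down to confirming that the SIEM extracts the same fields from whichever format the feed emits. The following is an added example, not code from Loginsoft, Zscaler or the client's SIEM: it parses each format into one common schema (the FIELD_MAP field names are an assumed mapping, and the sample lines are copied from this page) and reports whether the core fields agree across formats.

```python
import re

# Constructed sample lines, copied from the three formats shown on this page
SAMPLE_SYSLOG = ('<14>1 2024-12-24T12:01:00Z host.domain.com NSS - - - action=blocked app_name=HTTP '
                 'dst_ip=203.0.113.20 dst_port=80 proto=TCP src_ip=192.0.2.15 src_port=54321 bytes=12345 '
                 'duration=15 rule_label=Block_HTTP rule_id=102 category=Web_Browsing url=http://blocked-site.com')
SAMPLE_CEF = ('CEF:0|Zscaler|NSS|1.0|102|Web Browsing|8|act=blocked app=HTTP dst=203.0.113.20 dpt=80 proto=TCP '
              'src=192.0.2.15 spt=54321 cs1Label=Rule_Label cs1=Block_HTTP cs2Label=Category cs2=Web_Browsing '
              'cs3Label=URL cs3=http://blocked-site.com rt=2024-12-24T12:01:00Z in=12345 out=0 du=15')
SAMPLE_LEEF = ('LEEF:2.0|Zscaler|NSS|1.0|102|devTime=2024-12-24T12:01:00Z src=192.0.2.15 dst=203.0.113.20 dpt=80 '
               'proto=TCP spt=54321 app=HTTP cat=Web_Browsing rule=Block_HTTP action=blocked bytesIn=12345 '
               'duration=15 url=http://blocked-site.com')

# A value runs until the next " key=" token, so URLs containing ':' or '=' stay intact
KV_RE = re.compile(r'(\w+)=(.*?)(?=\s+\w+=|$)')

# Hypothetical mapping from each format's field names onto one common schema
FIELD_MAP = {'action': 'action', 'act': 'action', 'src_ip': 'src_ip', 'src': 'src_ip',
             'dst_ip': 'dst_ip', 'dst': 'dst_ip', 'dst_port': 'dst_port', 'dpt': 'dst_port',
             'url': 'url', 'rule_label': 'rule', 'rule': 'rule', 'rule_id': 'rule_id',
             'category': 'category', 'cat': 'category'}
CORE_FIELDS = ('action', 'src_ip', 'dst_ip', 'dst_port', 'url', 'rule', 'rule_id', 'category')


def parse_nss_line(line):
    """Detect the feed format by its prefix and return a normalized event dict."""
    if line.startswith('CEF:'):
        hdr = line.split('|', 7)   # version|vendor|product|ver|sigid|name|severity|extension
        fields = dict(KV_RE.findall(hdr[7]))
        # Resolve CEF custom strings: cs1Label=Rule_Label cs1=Block_HTTP -> rule_label=Block_HTTP
        for n in range(1, 7):
            label, value = fields.pop(f'cs{n}Label', None), fields.pop(f'cs{n}', None)
            if label is not None and value is not None:
                fields[label.lower()] = value
        fields['rule_id'], fmt = hdr[4], 'cef'
    elif line.startswith('LEEF:'):
        hdr = line.split('|', 5)   # version|vendor|product|ver|eventid|extension
        fields = dict(KV_RE.findall(hdr[5]))
        fields['rule_id'], fmt = hdr[4], 'leef'
    else:
        # RFC 5424 header: PRI+VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD, then the message
        fields, fmt = dict(KV_RE.findall(line.split(' ', 7)[7])), 'syslog'
    event = {'format': fmt}
    for key, value in fields.items():
        if key in FIELD_MAP:
            event[FIELD_MAP[key]] = value
    return event


def core_fields_agree(lines):
    """True when every line carries all core fields and their values match across formats."""
    views = [tuple(parse_nss_line(l).get(f) for f in CORE_FIELDS) for l in lines]
    return all(None not in v for v in views) and len(set(views)) == 1
```

Feeding real lines from the SIEM input through parse_nss_line and comparing them with the expected values is the same check the source:"<NSS hostname>" AND action:* query performs interactively.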