Elastic Integration with Zscaler NSS service


New here so apologies if this has been asked before? Has anyone integrated their stack with Zscalers Nanolog or NSS service for SIEM? If so is there any beats advice for connectivity, normalisation or community rules?

Zscalers website talks a lot about integrations with Splunk, Qradar, SUMO Logic etc but I cannot find anything on there regarding whether it is just a syslog forwarder or something specific that is needed.

Any help is really appreciated.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.


I haven't used ZScalar with Elastic, but I did use logstash at a previous gig to pull in logs with a couple of clients. IIRC it was a syslog input, but I don't have access to the configs anymore. Are you able to look at the configuration in the Zscalar gui?

My suggestion would be to get the logging setup with logstash, write it to a text file and then you can decide if logstash, filebeats, ingest pipelines, or other mechanisms would be best for the ingest.

If you get some log examples feel free to post here and we can give you some suggestions on parsing, and converting to ECS format to work with the SIEM (there a webinar coming up February 20th on this exact topic, tho I'll be using Meraki as an example)


1 Like