Zscaler logs mapped to ECS

I'm working on ingesting Zscaler ZIA logs and I'm trying to understand the mapping. I'm looking at the following websites:
Zscaler Internet Access | Elastic docs for what happens inside Elastic/Kibana, and NSS Feed Output Format: DNS Logs | Zscaler as well as NSS Feed Output Format: Firewall Logs | Zscaler for what Zscaler is sending. The problem is that while the docs from Elastic show the format of the document inside Elastic, they do NOT say which Zscaler fields are mapped to which Elastic fields. For some you can make an educated guess, but not all are readily apparent.

For example, the Zscaler firewall log has csip and ssip (for client source IP and server source IP), but I'm not sure which gets mapped to source.ip in Elastic. Or does that become an array where both are mapped?

Thanks

OK, someone in another forum pointed me to integrations/packages/zscaler_zia at main · elastic/integrations · GitHub, and if you look in integrations/default.yml at main · elastic/integrations · GitHub, that has the mappings for the firewall.

So if you are not using the Elastic Agent integration and need to know how to map these fields, this GitHub repo is good to know.
