Errors with TA-Zscaler_CIM

After setting up the TA and Add-on, plus configuring the various inputs including the Admin and Sandbox via the API call I don’t appear to be getting any data for those (I am receiving data for NSS logs via TCP) and can see a number of errors in the Splunk logs related to the zscaler_audit_logs.py script.

Not sure where to go to from here, running the TA-Zscaler_CIM v3.0.2 which appears to be the latest version.

Ok, so I have since worked out that the Splunk version we are using is too old for the current TA and add-on so have removed those and installed the compatible versions, then reconfigured the TCP and modular inputs.

We are still getting data from the TCP inputs but still don’t seem to be getting anything from the modular inputs. I am suspecting this may be a firewall issue but need to confirm what my firewall policy settings need to be for those inputs to work (IP address and port to enable through the FW).

I have configured the firewall to open port 443/tcp to admin.zscaler.net (IP address) but still nothing. Any suggestions on what I might be doing wrong?

As a next step, I’d suggest you try connecting to the API from the command line; at the least, can you curl the API endpoint?

Also, you can use the command to look at what the modular inputs are logging; you may need to tweak the SPL for your environment. Troubleshooting Splunk API Calls to Zscaler

Thanks for the advice Scott. I have attempted to connect via cmdline (curl -X GET "https://admin.zscaler.net/api/version") which returns what appears to be the Zscaler Cloud Portal html page.

Running the search in Splunk shows only the connection attempts to localhost and DEBUG → Starting new HTTPS connection (1): admin.zscaler.net.

I have set the log level to DEBUG but seem to be stuck. I haven’t done API troubleshooting before so may need more specific examples of what to run.

Looking at the Audit Logs in the cloud portal I can see a Sign In followed by Activate and then Sign Out every 30 mins on Interface ‘API’ with a successful result. This all occurs within 1 minute which would indicate to me that the account is authenticating correctly but not retrieving any data as that seems to be too short a period.

Hi @skottieb,

With help from a colleague we have tested the API from the command line with successful results. Even with the logs set to debug I am not seeing any errors in the logs and checking the audit log in the portal shows no connection events from this server.

2021-03-17 15:07:49,952 INFO pid=4309 tid=MainThread file=connectionpool.py:_new_conn:758 | Starting new HTTPS connection (1): 127.0.0.1
2021-03-17 15:08:00,368 INFO pid=4309 tid=MainThread file=connectionpool.py:_new_conn:758 | Starting new HTTPS connection (1): 127.0.0.1
2021-03-17 15:08:08,090 INFO pid=4309 tid=MainThread file=connectionpool.py:_new_conn:758 | Starting new HTTPS connection (1): 127.0.0.1
2021-03-17 15:08:18,573 INFO pid=4309 tid=MainThread file=base_modinput.py:log_info:293 | Login to Zscaler API: a*****@aaa.com
2021-03-17 15:08:18,716 DEBUG pid=4309 tid=MainThread file=connectionpool.py:_new_conn:809 | Starting new HTTPS connection (1): admin.zscaler.net

We are using version 2.1.4 of the TA so unsure if there is something different in the various scripts being used to obfuscate the credentials.

Seem to have fixed it, had to manually configure proxy info as mentioned in Zscaler Splunk App - Design and Installation documentation - #14 by joe0815

I can’t find the code in the latest TA release either so unsure if this has been fixed for future versions.
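Reading the modular-input log lines quoted earlier in this thread, the telling sign was that a connection to admin.zscaler.net was opened but nothing came back, which is what a missing proxy setting looks like from the script's side. The following is an added example (not part of the thread or the TA) that classifies such a log excerpt; the sample lines are constructed after the ones posted above, and the shape of the response line it looks for is assumed from urllib3's standard DEBUG output.

```python
import re
from collections import Counter

# Constructed sample modelled on the thread's log excerpt: 127.0.0.1 is the
# script talking to local splunkd; the last line is the first attempt to reach
# the Zscaler API host, with no response line after it.
SAMPLE_LOG = """\
2021-03-17 15:07:49,952 INFO pid=4309 tid=MainThread file=connectionpool.py:_new_conn:758 | Starting new HTTPS connection (1): 127.0.0.1
2021-03-17 15:08:18,573 INFO pid=4309 tid=MainThread file=base_modinput.py:log_info:293 | Login to Zscaler API: a*****@aaa.com
2021-03-17 15:08:18,716 DEBUG pid=4309 tid=MainThread file=connectionpool.py:_new_conn:809 | Starting new HTTPS connection (1): admin.zscaler.net
"""

CONN_RE = re.compile(r"Starting new HTTPS connection \(\d+\): (?P<host>[\w.\-]+)")
LOGIN_RE = re.compile(r"Login to Zscaler API: ")
# Assumption: a completed request is logged by urllib3 at DEBUG level as
#   https://host:443 "GET /path HTTP/1.1" 200 None
RESP_RE = re.compile(r'https://(?P<host>[\w.\-]+):\d+ "[A-Z]+ \S+ HTTP/[\d.]+" (?P<status>\d{3})')
LOCAL_HOSTS = {"127.0.0.1", "localhost"}


def summarize(log_text):
    """Report whether the input logged in, which hosts it opened connections
    to, and whether any remote request actually received a response."""
    conns, resps = Counter(), Counter()
    login = False
    for line in log_text.splitlines():
        if LOGIN_RE.search(line):
            login = True
        m = CONN_RE.search(line)
        if m:
            conns[m.group("host")] += 1
        m = RESP_RE.search(line)
        if m:
            resps[(m.group("host"), m.group("status"))] += 1
    remote = sorted(h for h in conns if h not in LOCAL_HOSTS)
    if not login:
        verdict = "no-login"          # input not running or not configured
    elif not remote:
        verdict = "no-remote-conn"    # never tried to reach the API host
    elif not any(h in remote for h, _ in resps):
        verdict = "no-response"       # opened but unanswered: check egress / proxy settings
    elif any(s != "200" for _, s in resps):
        verdict = "bad-status"        # API host answered, but not 200
    else:
        verdict = "ok"
    return {"login": login, "remote_hosts": remote, "responses": dict(resps), "verdict": verdict}
```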