Export Zscaler Client Connector logs remotely with PowerShell

Hi,

Is it possible to export the Zscaler Client Connector logs remotely with PowerShell? I currently have my customers manually export the logs which delays my workflow.

Thanks all for the help!
Steve

Steve - not sure about PowerShell exporting, but you can have your customers use LSS (Log Streaming Service) on their instances to your SIEM (standard CSV format or formatted for all the major SIEM vendors). LSS Subscription required of course which should be available with Business Edition and above, but can be added as an option to Essentials Pack.

Why don’t you use the “fetch logs remotely” capability directly from the Zscaler Client Connector admin portal?

@Charles_Repain Because “fetch logs” is completely useless?

Did not retry for several weeks. Right now it failed with “error fetching logs” so I cannot verify if logs are still encrypted.

BR
Manuel

Last time I tried (with Windows and ZCC 3.8) it was working fine for me, sorry to hear you have a different experience.

For the moment I am unable to fetch any logs, on all clients we see “Error while fetching logs”.

Just double checked: Last time we successfully fetched logs and received well known “enc2”-encrypted files was back in July this year.

Edit: all Windows, all 3.8.x (whatever was latest GA back then)

You have been in contact with Zscaler support on this? Would love to find a resolution for this. Thanks @manuel for the update

Hey Steve,

Depends on what environments you and your customers use. With Intune or any other popular MDM you can quite easily deploy PowerShell scripts to particular clients and run them on demand. The problem here (or at least with Intune) is this “on demand” thing, which involves some work in automation/flow designs. Clever usage/automation/integration of service-desk systems or e.g. monitoring a mailbox as a trigger in combination with Power Automate may help here (provided you and your customers make use of these shiny and fancy “cloud services” ;-)).

BR
Manuel

Just checked today - the download link received is an enc2.

Which … as Manuel already stated makes the whole feature pretty useless as only ZScaler can decrypt them.

Plus the fact that it might take 1-1.5 hours after clicking on fetch logs before you get the mail with the download link.

So as such a feature which could be extremely handy, but the implementation is ‘meeeh!’

Proposal:
Have the ‘fetch log’ button trigger three actions:
a) Instruct the client to upload its logs as a password-protected zip.
b) Show a randomized 16+ chars password.
c) Instruct the client to encrypt the zip file with the password from b)

With that I could trigger such a log upload, copy the password and can decrypt the zip file as soon as the client uploaded it.
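A client-side PowerShell script that implements steps a) to c) of the proposal above, as an added example that is not from this thread or from Zscaler. The log directory is a placeholder assumption (substitute the real ZCC log location), and the upload itself is left to whatever MDM or file-transfer tooling you already use.

```powershell
# Added example, not Zscaler's code: bundle a log folder, generate a random password,
# and encrypt the bundle so only the holder of that password can read it.
# $LogDir is an assumption/placeholder; replace it with the real ZCC log location.
param(
    [string]$LogDir = 'C:\PLACEHOLDER\Zscaler\Logs',   # assumption: adjust per install
    [string]$OutDir = "$env:TEMP\zcc-export"
)
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'
$rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()

# a) bundle the log folder into a zip
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$zip = Join-Path $OutDir ("zcc-logs-{0}-{1}.zip" -f $env:COMPUTERNAME, (Get-Date -Format 'yyyyMMdd-HHmmss'))
Compress-Archive -Path (Join-Path $LogDir '*') -DestinationPath $zip -Force

# b) random 20-char password from a CSPRNG; a 64-symbol alphabet divides 256 evenly, so no modulo bias
$alphabet = [char[]]('ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_')
$raw = New-Object byte[] 20; $rng.GetBytes($raw)
$password = -join ($raw | ForEach-Object { $alphabet[$_ % 64] })

# c) encrypt the zip: PBKDF2 -> AES-256-CBC key + HMAC key; output layout = salt|iv|ciphertext|hmac
$salt = New-Object byte[] 16; $iv = New-Object byte[] 16
$rng.GetBytes($salt); $rng.GetBytes($iv)
$kdf    = [System.Security.Cryptography.Rfc2898DeriveBytes]::new($password, $salt, 200000)
$encKey = $kdf.GetBytes(32); $macKey = $kdf.GetBytes(32)
$aes = [System.Security.Cryptography.Aes]::Create()   # defaults: CBC mode, PKCS7 padding
$aes.Key = $encKey; $aes.IV = $iv
$plain  = [System.IO.File]::ReadAllBytes($zip)
$cipher = $aes.CreateEncryptor().TransformFinalBlock($plain, 0, $plain.Length)
$body   = [byte[]]($salt + $iv + $cipher)
$tag    = [System.Security.Cryptography.HMACSHA256]::new($macKey).ComputeHash($body)   # encrypt-then-MAC
[System.IO.File]::WriteAllBytes("$zip.enc", [byte[]]($body + $tag))
Remove-Item $zip   # only the encrypted bundle should leave the host

# Show the password once to whoever triggered the run; upload "$zip.enc" with your MDM/file-transfer tooling
"Bundle  : $zip.enc"
"Password: $password"
```

Decryption reverses step c): re-derive both keys from the password and the salt stored in the file, verify the HMAC over salt|iv|ciphertext before touching the ciphertext, then AES-CBC-decrypt with the stored IV.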