How to send logs from Zscaler to API/Database?

rysiek · November 7, 2022, 10:43am

Hi,
we have a requirement to store connection details logs in our database.
Is there any way to send logs to our API endpoint or even directly to MySQL database?

Pat_Nicholson · November 7, 2022, 1:49pm

Hello,

I located this, but doesn’t appear there is anything around what you are requesting - About the Cloud Service and Cloud Sandbox Submission APIs | Zscaler

Pat

rysiek · November 7, 2022, 1:58pm

Yes, that’s not what I looking for. I made my own investigation and I see there are 2 options:

create application as a TCP server and add it as log receiver(About the Log Streaming Service | Zscaler), modify data in my program and send it to DB.
use NSS with fluentd(Sending logs to S3 directly - #3 by ramesh) - but in our organization it’s not allowed.
I’m wondering if there is any other option?

Pat_Nicholson · November 7, 2022, 2:04pm

Tom, which platform are you running? NSS would be for ZIA, and LSS is for ZPA. For ZIA, NSS is an additional license, but sounds like that’s not an option. Can you tell me why? If you have a SIEM and NSS license you should be able to locate what it is you are looking for.

I personally can’t think of another way myself. Hoping someone else jumps on your question.

Pat

rysiek · November 7, 2022, 3:07pm

Hi Pat,
We are using ZPA, so NSS won’t be a case for us. Sorry for misleading.

Pat_Nicholson · November 7, 2022, 3:26pm

No sweat Tom

Are you using a SIEM? If so, you can either set up an App Connector to be a dedicated LSS Log Receiver or you can elect an App Connector that’s in service to send logs. I personally like to elect a dedicated App Connector to send logs.

Take a quick look at this doc. It should get you started - About the Log Streaming Service | Zscaler

This sub-section may get you what you are looking for - About User Activity Log Fields | Zscaler

Hopefully we are getting closer

Pat

rysiek · November 8, 2022, 6:43am

Yes, we use Graylog, but additionally we need to save some of the logs into our DB. So my idea is:

Write .NET application, which will be TCP server. The application will receive logs in JSON format, select/filter/parse them to required data format and finally insert into MySQL DB.
Add this application as Log Receiver in Zscaler.

Pat_Nicholson · November 9, 2022, 4:05pm

Yeah, that’s a good idea Tom. Any updates?

Pat

rysiek · December 30, 2022, 10:23am

Hi Pat,
Sorry for the long waiting time, but I’ve been working on other tasks.
Today I tested this solution and it works. I created TCP server, set it as a Log Receiver and now I’m able to: receive logs, format and save into our DB.

Thanks for help,
Tom

Pat_Nicholson · January 3, 2023, 2:36pm

Nice work Tom! Hopefully others in the community will benefit from your testing

system · January 8, 2023, 2:37pm

This topic was automatically closed 5 days after the last reply. New replies are no longer allowed.