NSS Logs forwarding to Sumo Logic directly

logging
(jacky) #1

Hi Team,

Can we ingest the logs to Sumo Logic directly?

PlanA:
[Zscaler]—>[NSS]—>[Sumo Logic]

I know I can ingest the logs to Sumo Logic via server.

PlanB:
[Zscaler]—>[NSS]—>[Installed collector server]—>[Sumo Logic]

But I need to manage and maintenance additional server in PlanB,
so I want to know the way to send the logs to Sumo Logic directly.

To send the logs to Sumo Logic directly,

  1. NSS need to add the Token(random ID) to each syslog
  2. NSS need to send logs via TLS.

Are these features supported in Zscaler?

Thanks,
Jacky

(Scott Bullock) #2

hi @jacky,
Today your PlanB would the the solution, NSS is required to detokenise the logs and convert to a machine readable TCP stream. The idea of cloud-to-cloud logging is something that’s under consideration. Can you please DM your organisation information and I’ll add you to the relevant ER.

Many thanks,
@skottieb

(Ken Kakihara) #3

Hi @skottieb

Are there some room for installing log processor such as fluentd into nanolog streaming service and letting the fluetnd agent to write log to S3? By this way, @jacky might be able to reduce number of servers he has to keep them up and running. What do you think about this option?

Best regards,
Ken

(Scott Bullock) #4

Hi @Ken_Kakihara, welcome to the Zscaler Community.

What you suggest is feasible and a most worthy suggestions. We’ve looked @ fluentd for a number of use cases, however, it’s not currently part of the NSS builds and as such subject to similar considerations as native S3 logging.

(Lidor Pergament) #5

Hi @Ken_Kakihara,

A few of our customers use FluentD for transforming TCP to a different type of transport, however, we do not recommend installing any additional software on the NSS VM itself. The NSS VM is a pacakged ZscalerOS (FreeBSD based) + NSS software that is QA’d as a closed system - without 3rd party software. While you could try installing FluentD on the NSS VM, please note this caveat and that our Support team may not be fully equipped to troubleshoot issues.

(Ken Kakihara) #6

Hi @skottieb, @lpergament,

Many thanks for your warm on boarding messages.

Thank you for your comments and letting me know of the consequences of taking this fluend option.