NSS Output stream - No Syslog TCP default


(Andrew) #1

Hi - I have asked my local TAM, but I’ll ask here anyway to get more eyes across it.

I have deployed an NSS server but the outputs are limited to:

Arcsight CEF
CSV
Custom
LogRhythm SIEM
Microsoft Cloud App Security (MCAS)
QRadar LEEF
RSA Security Analytics
SPLUNK CIM
Symantec MSS
Tab-Separated.

As you can see there is no native Syslog/TCP

I’ve managed to get the NSS server to send data to our local Graylog server by working some magic on the Graylog Inputs, but it’s not an elegant solution and requires me to come up with Regex commands to extract the fields I need. Laborious at best.

Does anyone else have a better suggestion OR know if Syslog TCP is on the horizon??

Thank you. :slight_smile:


(Lidor Pergament) #2

Hi @afrodsham,

The NSS output transport is always standard Syslog over TCP (RFC 6587). The various NSS “Feed Output Formats” you are referring to only affect the formatting (CSV, Tab-delimited, etc.) and the desired fields to stream in the content of the syslog messages.

More info about NSS and NSS Feeds here:
https://help.zscaler.com/zia/documentation-knowledgebase/analytics/nss

If you are interested in other types of outputs, several of our customers use the open-source tool FluentD to transform syslog/TCP into other transport types.

Let us know if you have further questions,

Lidor


(Andrew) #3

Ah, I see… that makes more sense now.

So in theory, if I chose the “custom” format and just enter in a variable like:

%s{login}

I should just get the login name of the user, but encapsulated in Syslog format?
(no other formatting applied)


(Lidor Pergament) #4

Yes, that is correct.
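Putting posts #2 and #4 together (syslog over TCP with RFC 6587 framing, a “custom” feed format whose `%s{login}`-style tokens define the content), here is an added example of a receiver-side parser that splits the TCP stream into messages and maps the tab-separated content back onto the field names. This is illustration code, not Zscaler’s or the thread’s; the feed format, the `action` and `url` field names, the PRI-only syslog header and the sample stream are all constructed assumptions.

```python
import re

# Added example, not Zscaler's code. Constructed "custom" feed format built from
# the %s{login} token in the thread; "action" and "url" are assumed field names.
FEED_FORMAT = "%s{login}\t%s{action}\t%s{url}"
TOKEN_RE = re.compile(r"%[sd]\{(\w+)\}")          # one %s{name} / %d{name} token
PRI_RE = re.compile(rb"^<(\d{1,3})>(.*)$", re.S)   # syslog PRI, then the rest

def split_rfc6587(stream):
    """Cut a TCP byte stream into syslog messages per RFC 6587: 'LEN SP MSG' is
    octet counting, anything else runs to LF. Returns (messages, unconsumed tail)."""
    msgs, pos = [], 0
    while pos < len(stream):
        m = re.match(rb"(\d+) ", stream[pos:])
        if m:                                   # octet-counted frame
            start, n = pos + m.end(), int(m.group(1))
            if start + n > len(stream):
                break                           # partial frame: keep for next read
            msgs.append(stream[start:start + n]); pos = start + n
        else:                                   # non-transparent, LF-terminated
            end = stream.find(b"\n", pos)
            if end == -1:
                break
            msgs.append(stream[pos:end]); pos = end + 1
    return msgs, stream[pos:]

def parse_nss_message(msg, fmt=FEED_FORMAT):
    """Strip the PRI and map the tab-separated feed content onto the format's
    field names. Assumes the content directly follows the PRI, as in the sample."""
    m = PRI_RE.match(msg)
    if not m:
        raise ValueError("not a syslog message: %r" % msg)
    names, values = TOKEN_RE.findall(fmt), m.group(2).decode("utf-8").split("\t")
    if len(names) != len(values):
        raise ValueError("expected %d fields, got %d" % (len(names), len(values)))
    return {"pri": int(m.group(1)), **dict(zip(names, values))}

def _frame(msg):                                # octet-counting framing
    return b"%d %s" % (len(msg), msg)

SAMPLE_STREAM = (                               # constructed, not captured output
    _frame(b"<134>alice@example.com\tAllowed\thttps://help.zscaler.com/")
    + _frame(b"<134>bob@example.com\tBlocked\thttp://blocked.example/")
    + b"<134>carol@example.com\tAllowed\thttps://example.com/\n"
)

def ingest(stream=SAMPLE_STREAM):
    """Frame the stream and parse each message into a dict of fields."""
    msgs, _tail = split_rfc6587(stream)
    return [parse_nss_message(m) for m in msgs]
```

Because the parser keeps the unconsumed tail, a frame split across two TCP reads is simply retried once more bytes arrive, which is the case that ad hoc regex extraction on the Graylog side tends to get wrong.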


(Andrew) #5

Thank you. I’ve got the data I need now and can split to the correct fields in Graylog. Happy days.