Reporting on Log Volume Sent to NSS (Nanolog)

Hello Zscaler Community,

Our client is generating around 40TB of logs a month through their ZIA solution which is being fed through the Nanolog (NSS Feeds) service and then ingested into a SIEM solution.

The issue is that this quantity of data is exceeding their log quota by about 75%, so we’re trying to drastically reduce that amount.

Does anyone know of any reports or ways to identify what the bulk of the logging is, i.e.

  1. Are there any reports that show the highest-logging rules, i.e. Cloud App or URL Filtering rules?

  2. I can see there are reports that show “Top Media Streaming Applications” or “Top Social Networking Applications”. These show the overall volume of data in bytes that Zscaler is processing; how can I understand how much “Log Volume” this is, i.e. how many TBs/GBs of logs are going via NSS feeds?

  3. What other reporting options do we have to look for highest volume / lowest value logs?

  4. What other advice do you have to reduce the log volume?

We did raise a ticket with Zscaler, and their support engineer showed us some example reports like the ones I mentioned in point 2, but the trouble is that we don’t have the “Log Volume” as I’ve described.

From looking at the reports Zscaler shared with us, we can see some Social Networking Applications are utilising a high portion of data, and we could potentially look to exclude those in the NSS Feed configuration. The other challenge with that is that Zscaler have already confirmed “as of now Zscaler feeds are inclusive rather than exclusive format”, which means we would have to include ALL applications and exclude the ones we don’t want in the logs. This also introduces an element of risk, as a threat could pass through an application we’ve excluded and won’t be triggered in the SIEM.

Does anyone have any experience or faced the same dilemma, any help would be greatly appreciated.

Many thanks,

Kevin

Just BUMPING this post as no replies thus far :pensive:

Anyone?

Many thanks,

@lpergament Can you please help?

You could split your logs across multiple feeds. This would help you identify which logs are generating the most traffic.

Don’t send the logs you don’t need.
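One practical way to answer Kevin’s questions 1 and 2 (which app classes and rules generate the most log volume) and to size the effect of the exclusion approach discussed in the post and in the reply above is to measure a sample of the feed output itself rather than the Zscaler traffic reports: group the raw feed lines by a field, sum the bytes per group, project to a month, and then check how many bytes a candidate exclusion would drop while still keeping blocked and threat events. The script below is an added example and is not code from the original post, from Zscaler, or from the NSS feed product. It assumes a key=value web-log feed layout with the field names used in SAMPLE_LINES (action, appclass, appname, rulelabel, threatname); the field names and the sample lines themselves are constructed here for illustration, so map them to whatever feed format the client actually configured.

```python
"""
Estimate which applications / rules dominate NSS feed volume from a sample
of feed lines, and measure what a candidate exclusion filter would save.

Added example: not code from the original post, from Zscaler, or from the
NSS feed product. It assumes a key=value web-log feed layout with the field
names used in SAMPLE_LINES; the lines themselves are constructed.
"""
import shlex
from collections import defaultdict

SECONDS_PER_MONTH = 30 * 24 * 3600

# Constructed sample of feed output (hypothetical field names and values).
SAMPLE_LINES = [
    'time=2024-05-01T10:00:00Z action=Allowed appclass="Social Networking" '
    'appname=Facebook rulelabel="Allow Social" reqsize=512 respsize=20480 threatname=None',
    'time=2024-05-01T10:00:01Z action=Allowed appclass="Social Networking" '
    'appname=Instagram rulelabel="Allow Social" reqsize=640 respsize=35000 threatname=None',
    'time=2024-05-01T10:00:02Z action=Allowed appclass="Web Conferencing" '
    'appname=Zoom rulelabel="Allow Collaboration" reqsize=1200 respsize=900 threatname=None',
    'time=2024-05-01T10:00:03Z action=Allowed appclass="General Browsing" '
    'appname=Unknown rulelabel="Default Rule" reqsize=300 respsize=4000 threatname=None',
    'time=2024-05-01T10:00:04Z action=Blocked appclass="Social Networking" '
    'appname=Facebook rulelabel="Block Malware" reqsize=400 respsize=0 threatname="Trojan.Generic"',
    'time=2024-05-01T10:00:05Z action=Allowed appclass="Social Networking" '
    'appname=TikTok rulelabel="Allow Social" reqsize=700 respsize=120000 threatname=None',
    'time=2024-05-01T10:00:06Z action=Allowed appclass="Streaming Media" '
    'appname=YouTube rulelabel="Allow Streaming" reqsize=500 respsize=800000 threatname=None',
]


def parse_line(line):
    """Turn one key=value feed line into a dict; quoted values keep their spaces."""
    record = {}
    for token in shlex.split(line):
        if "=" not in token:
            continue  # tolerate a stray token rather than abort the whole batch
        key, _, value = token.partition("=")
        record[key] = value
    return record


def line_bytes(line):
    """Bytes one line costs on the wire and in the SIEM quota (UTF-8 plus newline)."""
    return len(line.encode("utf-8")) + 1


def volume_by(lines, field):
    """Return ({value: log bytes}, {value: line count}) grouped by one feed field."""
    totals, counts = defaultdict(int), defaultdict(int)
    for line in lines:
        value = parse_line(line).get(field, "<missing>")
        totals[value] += line_bytes(line)
        counts[value] += 1
    return dict(totals), dict(counts)


def project_monthly_bytes(sample_bytes, sample_seconds):
    """Scale the bytes seen in a sample window to a 30-day month at the same rate."""
    return sample_bytes / sample_seconds * SECONDS_PER_MONTH


def apply_filter(lines, should_drop):
    """Drop lines where should_drop(record) is true; return (kept_lines, bytes_dropped)."""
    kept, dropped = [], 0
    for line in lines:
        if should_drop(parse_line(line)):
            dropped += line_bytes(line)
        else:
            kept.append(line)
    return kept, dropped


def noisy_allowed_social(record):
    """Candidate exclusion: allowed, threat-free Social Networking traffic only.
    Blocked events and anything carrying a threat name are kept, so a detection
    in that app class still reaches the SIEM (the risk raised in the post)."""
    return (
        record.get("appclass") == "Social Networking"
        and record.get("action") == "Allowed"
        and record.get("threatname", "None") == "None"
    )


if __name__ == "__main__":
    for field in ("appclass", "rulelabel"):
        totals, counts = volume_by(SAMPLE_LINES, field)
        print(f"\nlog bytes by {field}:")
        for value, size in sorted(totals.items(), key=lambda kv: -kv[1]):
            print(f"  {value:<22} {size:>6} B  {counts[value]} lines")
    kept, dropped = apply_filter(SAMPLE_LINES, noisy_allowed_social)
    total = sum(line_bytes(line) for line in SAMPLE_LINES)
    print(f"\nfilter drops {dropped} of {total} bytes ({dropped / total:.0%}); {len(kept)} lines kept")
    # Treat the sample as a 10-second window purely to show the projection arithmetic.
    print(f"projected monthly volume: {project_monthly_bytes(total, 10) / 1e9:.3f} GB")
```

Run it against a few hours of real feed output captured on the SIEM collector (or on a second NSS feed pointed at a throwaway listener, as the reply above suggests) rather than the constructed lines, and group by whichever fields the feed actually carries. Note that this measures log bytes, not the request/response bytes the Zscaler traffic reports show: a large download is one log line, so the app classes that dominate bandwidth are not necessarily the ones that dominate log volume, which is exactly the gap Kevin describes in point 2. The filter helper is the safer half of the exclusion idea: drop only allowed, threat-free lines for the noisy class and keep blocked and threat events, so the SIEM still sees the cases that matter.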