Cloud Connector supports the Nanolog Streaming Service (NSS) for ZIA use cases. NSS uses a virtual machine (VM) to stream traffic logs in real time to your Security Information and Event Management (SIEM) system (such as Splunk or ArcSight), enabling real-time alerting and correlation of logs with your other devices. NSS can be configured from the Cloud Connector or ZIA portal, but the NSS infrastructure must be set up as part of a separate workflow/subscription.
In this video, we’ll explore the components involved in NSS as well as its basic configuration:
[0:00 to 1:41] Overview of NSS
[1:41 to 4:15] Deploying NSS
[4:15 to 4:55] Key Takeaways
Hello, my name is Aaron and I’m one of the Principal Technical Product Specialists for Zscaler Cloud Workload Protection.
In this video, we’ll discuss how to leverage NSS logging for Zscaler Cloud Connector.
Before we get started, have a look at the Logging Insights and Filtering video within this series. This video will familiarize you with the type of logging collected by Cloud Connector appliances and, hence, what can be made available to NSS for exporting to a SIEM or other event collector.
The Nanolog Streaming Service (NSS) uses a virtual machine (VM) to stream traffic logs in real time from the Zscaler Nanolog to your security information and event management (SIEM) system, such as Splunk or ArcSight, enabling real-time alerting, correlation with the logs of other devices, and long-term local log archival.
Keep in mind that, in the absence of a Cloud Connector, NSS can be used to send ZIA traffic logs to your SIEM. All traffic flowing through ZIA, regardless of how it was delivered there, can be sent to NSS. Cloud Connector simply adds additional data points to this logging - particularly network-level information collected as the traffic was leaving the source cloud - which can be useful when correlating meta events.
Zscaler offers the following NSS subscriptions:
NSS for Web, which streams web and mobile traffic logs.
NSS for Firewall, which streams logs from solutions like Cloud Connector.
Organizations can optionally subscribe to Cloud NSS, which allows direct cloud-to-cloud log streaming. Rather than deploying, managing, and monitoring NSS VMs, you can simply configure an HTTPS API feed that will push logs into the cloud SIEM.
For the purposes of this video, however, we’ll focus only on NSS for Firewall, since (at the time this video was created) it is the only type supported.
You can configure the Nanolog Streaming Service for Cloud Connector using the ZIA portal. Future revisions will also allow you to configure this functionality from the Cloud Connector portal, but for now, in the ZIA portal, navigate to the Administration tab, followed by Nanolog Streaming Service.
Here, we already have a few NSS servers deployed. For the sake of example, however, we’ll add another. Click the Deploy NSS Virtual Appliance link. Select NSS for Firewall, Cloud, and Branch Connector. In the remaining fields, enter the information as it pertains to your organization. This will help size the VM appropriately. Select your platform and click the Compute button. The recommended VM specs will be displayed along with a link to download the appropriate image.
Next, click the Add NSS Server button. A dialog box then appears where you can name your new NSS integration. Once complete, download the certificate bundle that appears on the right of your screen.
In the interest of time, this video will not focus on deploying the NSS virtual machine in your hypervisor. You can visit the link on your screen, however, for step-by-step instructions. In a nutshell, when the VM is deployed, you will use its console to set its IP address and import the certificate bundle you just downloaded.
Assuming the certificate has been installed and network connectivity from the VM to the NSS service is good, the integration should transition to a healthy state, as shown here.
Now, we’re ready to add an NSS feed. Click the tab at the top of the screen. Again, in a production environment, you may already have feeds for Firewall and Web as well, but this video will focus on Cloud Connector.
Under the NSS Type dropdown, select NSS for Firewall, Cloud, and Branch Connector.
Cloud Connector will export two types of logs: Session and DNS. Here, we’ll create a Session Log feed. Select your NSS for Firewall VM in the NSS Server dropdown.
Enter the IP or FQDN and port number of the SIEM your NSS VM will export logs to. Remember, the SIEM will need to be configured to listen on this port as well.
You can choose to rate-limit logs in the next field, though here, we’ll leave it at unlimited. For Log Domain, select Cloud/Branch Connector. Leave the Log Type as Session and change the Session Log Type to “Both Session and Aggregate Logs.”
You have the option of changing the output feed type as well, but in our example, we’ll leave it as CSV.
In the remaining options, you can select the timezone for the logs, as well as create a Filter to narrow down which logs get sent to the SIEM.
Click the Save button to continue.
If applicable, click the Add NSS Feed button again and create a feed for DNS Logs.
The final step is to activate your changes!
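Before pointing the feed at a production SIEM, it is useful to confirm that the chosen host and port actually accept and parse the stream. The following added example (not from the original video or Zscaler) stands up a throwaway TCP listener, streams a few constructed CSV lines to it over the loopback interface, and returns the parsed records. It assumes the feed is delivered over TCP as newline-delimited CSV, as configured above; the field names and sample values are illustrative placeholders, not the real NSS field list.

```python
import csv
import io
import socket
import threading

# Constructed sample records in CSV form. FIELDS is a placeholder layout
# chosen for this example; substitute the feed's real field order.
FIELDS = ["time", "logtype", "src", "dst", "detail", "action"]
SAMPLE_LINES = [
    "2024-01-01 00:00:01,session,10.0.0.5,198.51.100.7,443,allow",
    "2024-01-01 00:00:02,dns,10.0.0.5,example.com,A,allow",
]


def parse_line(line: str) -> dict:
    """Parse one CSV record into a dict keyed by FIELDS; reject bad widths."""
    row = next(csv.reader(io.StringIO(line)))
    if len(row) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(row)}")
    return dict(zip(FIELDS, row))


def serve_once(listener: socket.socket, limit: int) -> list:
    """Accept one sender connection and read up to `limit` non-empty records."""
    conn, _ = listener.accept()
    records = []
    with conn, conn.makefile("r", encoding="utf-8", newline="\n") as stream:
        for raw in stream:
            line = raw.rstrip("\n")
            if not line:
                continue  # skip keep-alive or blank lines
            records.append(parse_line(line))
            if len(records) >= limit:
                break
    return records


def check_feed(lines: list, host: str = "127.0.0.1") -> list:
    """Listen on an OS-chosen port, stream `lines` to it, return parsed records.
    In real use, bind the listener to the SIEM host/port entered in the feed
    and let the NSS VM be the sender instead of the local client below."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind((host, 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    result: list = []
    worker = threading.Thread(target=lambda: result.extend(serve_once(listener, len(lines))))
    worker.start()
    with socket.create_connection((host, port)) as client:
        client.sendall(("\n".join(lines) + "\n").encode("utf-8"))
    worker.join(timeout=5)
    listener.close()
    return result
```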
– You can use Nanolog Streaming Service (NSS) to export Cloud Connector logs to an external event collector for further processing
– Nanolog Streaming Service uses a VM to capture, aggregate, and export logs from Cloud Connector appliances
– Cloud Connector appliances export both Session and DNS Logs
– NSS can export logs from all types of traffic crossing ZIA, regardless of how the traffic arrived. Cloud Connector simply augments this data with network-level statistics from the source workload and cloud