Zscaler Splunk App

One of the major advantages of the Zscaler cloud is the ability to get a consolidated view of your organization. The logs are stored in the region of your choosing, and the Central Authority lets you drill into your overall data set. You can see your top users and top policy actions, and drill down to an individual user and device to locate an issue.

But we also know that Zscaler is only one part of your organization’s technology stack. You have servers, cloud hosts, and apps all generating logs as well. The question then is: how do you consolidate and view those logs in a single location?

With Zscaler’s log solutions you can download those logs to your organization. The Nanolog Streaming Service (NSS) for Zscaler Internet Access (ZIA) and the Log Streaming Service (LSS) for Zscaler Private Access (ZPA) let you bring those logs in house. But you’ll still need to merge these logs into a security information and event management (SIEM) platform, one of the most popular being Splunk.

I’ve written a Splunk application that lets you consolidate the streams from NSS and LSS, giving you a full view of your logs across the Zscaler platform. In this video I’ll go over how the Zscaler Splunk app version 2 works, what you can do with it, and some notes on where the app is going.


You can find detailed documentation on the Splunk App architecture here: Zscaler Splunk App - Design and Installation documentation


Hi Scott,

Thanks for the detailed information.

  • On the ZPA portal I can see that we can go back 14 days, unlike ZIA. Is there a way to lengthen it to 6 months?

  • Another question is regarding log retrieval from LSS in case connectors are unreachable and then rolled back.
    How many days of logs are retrieved?


On the ZPA portal I can see that we can go back 14 days

This is correct. In-service retention for ZPA detailed logging is 14 days. LSS is the solution for longer-term storage.

How many days of logs are retrieved?

Logs are live streams; there’s no historical dump. This is why we recommend that at least two LSSs be deployed for resilience.

@kshah, are there points of clarification you’d like to include here?



So, what are the add-ons with LSS in terms of long-term storage (days, months, …) and historical dump?


LSS should plug into your logging or SIEM infrastructure. This could be a commercial offering like Splunk or LogRhythm, or open tools such as syslog-ng or Logstash. These solutions then control the data lifecycle and log rotation.
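To make the two replies above concrete (LSS is a live stream with no historical dump, and retention is whatever your receiving infrastructure enforces), here is an added example of a minimal receiver that is not Zscaler's code and not part of the thread. It assumes the ZPA LSS log receiver is configured to send one JSON object per line over TCP, that the record carries a `LogTimestamp` field in the `Mon Jan 02 15:04:05 2006 UTC` layout, and that the listener port is 5514; all three are assumptions, and the sample lines are constructed. Records are written to one file per UTC day so that a 6-month (180-day) retention policy becomes a matter of deleting old files, and anything that cannot be parsed is filed under its arrival time rather than dropped.

```python
"""Minimal LSS log receiver that hands retention to your own infrastructure.

Added example, not Zscaler's code. Assumptions: LSS emits newline-delimited
JSON over TCP, the "LogTimestamp" field uses the layout below, and the
listener runs on port 5514. Unparseable lines fall back to arrival time.
"""
import json
import socketserver
from datetime import datetime, timedelta, timezone
from pathlib import Path

RETENTION_DAYS = 180  # roughly the 6 months asked about in the thread
TS_LAYOUT = "%a %b %d %H:%M:%S %Y"  # assumed LogTimestamp layout, minus the " UTC" suffix
FILE_PREFIX = "zpa-lss-"

# Constructed sample of JSON-formatted LSS lines (field names are assumptions).
SAMPLE_LINES = [
    '{"LogTimestamp":"Tue Mar 05 10:15:00 2024 UTC","Username":"alice@example.com",'
    '"Application":"intranet","ServerIP":"10.0.0.5"}',
    '{"LogTimestamp":"Wed Mar 06 01:02:03 2024 UTC","Username":"bob@example.com",'
    '"Application":"hr-portal","ServerIP":"10.0.0.9"}',
    "not json at all",  # malformed line: must not be silently lost
]


def event_time(line, received_at):
    """Return the UTC timestamp carried in the record, else the arrival time."""
    try:
        raw = json.loads(line)["LogTimestamp"]
        return datetime.strptime(raw.removesuffix(" UTC"), TS_LAYOUT).replace(tzinfo=timezone.utc)
    except (ValueError, KeyError, TypeError):
        return received_at


def partition_path(base, when):
    """One append-only file per UTC day; the day is the unit of retention."""
    return Path(base) / f"{FILE_PREFIX}{when:%Y-%m-%d}.log"


def store_line(base, line, received_at):
    """Append a record to its daily file and return the file it went to."""
    Path(base).mkdir(parents=True, exist_ok=True)
    path = partition_path(base, event_time(line, received_at))
    with path.open("a", encoding="utf-8") as fh:
        fh.write(line.rstrip("\n") + "\n")
    return path


def prune(base, retention_days, now):
    """Delete daily files older than the retention window; return what was removed."""
    cutoff = now.date() - timedelta(days=retention_days)
    removed = []
    for path in sorted(Path(base).glob(f"{FILE_PREFIX}*.log")):
        day = datetime.strptime(path.name[len(FILE_PREFIX):-len(".log")], "%Y-%m-%d").date()
        if day < cutoff:
            path.unlink()
            removed.append(path)
    return removed


class LssHandler(socketserver.StreamRequestHandler):
    """One TCP connection from one LSS instance; each line is one record."""

    def handle(self):
        for raw in self.rfile:
            line = raw.decode("utf-8", errors="replace")
            if line.strip():
                store_line(self.server.base, line, datetime.now(timezone.utc))


class LssServer(socketserver.ThreadingTCPServer):
    """Threaded so two LSS instances (the recommended minimum) can stream concurrently."""
    allow_reuse_address = True

    def __init__(self, addr, base):
        super().__init__(addr, LssHandler)
        self.base = base


def ingest_sample(base, now_iso):
    """Offline demo: file the constructed sample plus one 200-day-old record, then prune."""
    now = datetime.fromisoformat(now_iso)
    for stale in Path(base).glob(f"{FILE_PREFIX}*.log") if Path(base).exists() else []:
        stale.unlink()  # start from a clean archive so the result is deterministic
    old = (now - timedelta(days=200)).strftime(TS_LAYOUT) + " UTC"
    old_line = json.dumps({"LogTimestamp": old, "Username": "carol@example.com"})
    files = {store_line(base, l, now).name for l in SAMPLE_LINES + [old_line]}
    pruned = [p.name for p in prune(base, RETENTION_DAYS, now)]
    return {"files": sorted(files), "pruned": pruned}


if __name__ == "__main__":
    archive = "lss-archive"
    print(ingest_sample(archive, "2024-03-07T00:00:00+00:00"))
    # Real deployment: point both LSS instances at this listener; TLS termination
    # in front of it is assumed to be handled by your existing infrastructure.
    with LssServer(("0.0.0.0", 5514), archive) as srv:
        srv.serve_forever()
```

The point of partitioning by day is that retention becomes a filesystem policy you own and can audit, which is exactly the gap the 14-day in-service window leaves; a second LSS instance pointed at the same listener covers the outage case, since nothing missed during downtime is ever replayed.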