Zscaler Configuration

Modified on Fri, 10 Jan at 1:34 PM

Overview

This KBA describes the prerequisites and the steps for configuring Zscaler (the Deception Admin Portal) to forward events or audit logs to a Syslog server.


Before configuring Zscaler to forward logs to Syslog, ensure that you:

  • Have network connectivity between Zscaler and the Syslog server on the port Syslog is listening on (514).
  • Use UDP as the transport in the Syslog server's configuration.


Steps of Configuration

  1. Go to Orchestrate > SIEM Integrations.
  2. Click Add Integration, and select Syslog from the drop-down menu.
  3. In the Syslog Details window:
    • Name: Enter a name for the Syslog SIEM integration.
    • Enable: Select to enable SIEM integration.
    • Service Connector: Select a Service Connector from the drop-down menu:
      • If you select a Service Connector that is configured on the Zscaler Deception Admin Portal, the portal sends logs to Syslog.
      • If you select a Service Connector that is configured on a Decoy Connector, the selected Decoy Connector sends logs to Syslog.
    • Type of logs: Select an option from the drop-down menu.
      • Events: Send events to Syslog.
      • Audit Logs: Send audit logs to Syslog.
    • Include Safe Events: Enable to forward the events that are marked as safe to Syslog.
    • Filter: Specify a query if you want to send filtered event logs to Syslog. If this field is blank, all event logs are sent to Syslog.
      Note: The Filter option is available only for event logs.
    • Host: Enter the CCE IP address.
    • Port: Enter port 514.
    • Transport: Select UDP.
    • Facility: Select a facility code (e.g., System) from the drop-down menu. Each event is labeled with a facility code, indicating the type of software generating the event logs.
    • Severity: Select a severity level (e.g., Critical). Each event is labeled with a severity level, indicating how severe the logged event is.
    • App Name: Enter a log identifier (e.g., Zscaler Deception).
  4. Click Save.

The Syslog server integration is added.


Verification

  1. Log in to the UI and go to System.
  2. Go to Log/Flow Collection Status.
  3. To verify the source device IP from the UI:
    • Log in to the user interface.
    • Navigate to the "SYSTEM" section.
    • Look for the "SOURCE DEVICE IP".
    • Check the IP Address that is displayed.
    • Compare the IP address displayed against the expected source device IP.


This will allow you to ensure that the system is properly identifying the source device IP and that it matches the expected IP address.


On the CCE

Run the following command on the CCE server to confirm that logs are arriving from the device (replace <Device IP> with the source device IP):

sudo tcpdump -i any port 514 and host <Device IP>
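Beyond confirming that packets arrive, a quick receiver can decode each datagram's syslog PRI value into the facility and severity selected above and check that the source IP and App Name match the integration settings. The script below is an added example, not Zscaler code; it assumes the CCE listens on UDP/514, that forwarded lines start with a standard <PRI> header (PRI = facility * 8 + severity, RFC 5424 numbering, so Critical = 2), and that the portal's "System" facility maps to facility number 3 (an assumption; the page gives no numeric mapping). The sample line is constructed.

```python
import re
import socket

PRI_RE = re.compile(r"^<(\d{1,3})>")
# RFC 5424 severity names, index = numeric severity (Critical = 2).
SEVERITY_NAMES = ["Emergency", "Alert", "Critical", "Error",
                  "Warning", "Notice", "Informational", "Debug"]

def parse_pri(line):
    """Decode the <PRI> prefix into (facility, severity); None if absent/invalid."""
    m = PRI_RE.match(line)
    if not m or int(m.group(1)) > 191:   # 23 facilities * 8 + 7 is the max
        return None
    pri = int(m.group(1))
    return pri // 8, pri % 8

def check_event(line, src_ip, expected_ip, expected_app):
    """Compare one datagram with the integration settings; return findings."""
    result = {"src_ok": src_ip == expected_ip,      # the Source Device IP check
              "app_ok": expected_app in line,       # App Name entered in the portal
              "facility": None, "severity": None}
    pri = parse_pri(line)
    if pri is not None:
        result["facility"] = pri[0]
        result["severity"] = SEVERITY_NAMES[pri[1]]
    return result

def listen(expected_ip, expected_app, count=5, bind=("0.0.0.0", 514)):
    """Receive `count` datagrams on the CCE and check each (binding 514 needs root)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(bind)
    findings = []
    try:
        for _ in range(count):
            data, (src, _port) = sock.recvfrom(65535)
            findings.append(check_event(data.decode("utf-8", "replace"), src,
                                        expected_ip, expected_app))
    finally:
        sock.close()
    return findings

# Constructed sample: a line sent with Facility=System (assumed 3), Severity=Critical (2),
# so PRI = 3*8 + 2 = 26, and App Name "Zscaler Deception".
SAMPLE_LINE = '<26>1 2025-01-10T13:34:00Z portal "Zscaler Deception" - - - decoy interaction'

if __name__ == "__main__":
    print(check_event(SAMPLE_LINE, "10.0.0.5", "10.0.0.5", "Zscaler Deception"))
```

Run `listen("<Device IP>", "Zscaler Deception")` on the CCE while tcpdump shows traffic; a finding with `src_ok` false means a different host is sending to port 514 than the one configured.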
