# Collect data from Zscaler

{% hint style="info" %}
See the changelog of the **HTTP** Listener [here](/listeners/http-listener.md).
{% endhint %}

## Overview

The following article outlines a basic data flow from **Zscaler's Nanolog Streaming Service (NSS)** to the Onum **HTTP** Listener.

## Prerequisites

[Contact Onum](/support/support.md) to get the certificate information required for TLS communication. You will need it during the Listener setup.

## Zscaler NSS Setup

Identify the NSS Feeds you want to send in the [Zscaler documentation](https://help.zscaler.com/zia/documentation-knowledgebase/analytics/nss/nss-feeds/adding-nss-feeds). Configure the required ingestion setup following the steps in the documentation.

#### **Important notes**

* The **SIEM type** will be `Other`.
* You must generate a **JWT token** and add it as an HTTP header. Add the word `Bearer` before the token value (`Bearer <token>`). The corresponding secret value will be added in the Onum configuration later.

{% hint style="warning" %}
[Contact us](/support/support.md) if you cannot generate a JWT token.
{% endhint %}

<figure><img src="/files/27bn4za9Wj6qWladTW3n" alt="" width="563"><figcaption></figcaption></figure>

## Important Considerations Regarding Cloud Listeners

* In cloud-based Onum installations, the **TLS** configuration section of the HTTP Listener is not visible and you won't need to enter these values. In these setups, Onum automatically manages TLS certificates, eliminating the need for manual configuration. If your HTTP Listener configuration requires you to manually enter these TLS certificates, you can generate them following the instructions [in this article](https://docs.onum.com/usecases/routing/crowdstrike-integration/self-signed-ssl-tls-certificates-creation).
* If you are defining this Listener in a cloud instance, Onum will automatically provide the **Port** and **TLS** configuration.
* Cloud Listeners have an additional step in their creation process: **Network configuration**. Use these details to configure your data source to communicate with Onum. Click **Download certificate** to get the required certificate for the connection. You can also download it from the Listener details once it is created.
* When configuring a Listener in a Cloud tenant, the **port** will be `443`. In on-prem, the selected port must fall within the range of `1024` to `10000`.
* Cloud Listener endpoints are created in Onum's DNS. This process is usually fast, and Listeners are normally available immediately. However, note that it may take up to 24-48 hours, depending on your organization's DNS configuration.
* Your data input must use **Server Name Indication (SNI)**, which means it must send the hostname it is connecting to during the TLS handshake. If SNI is not used, the certificate routing will fail and data will not be received, even if the certificate is valid.

If your organization's software cannot meet points 2 and 3, you can use an intermediate piece of software to ensure the client-Onum connection, such as Stunnel.

## Onum Setup

Here we will detail the steps for the **HTTP** Listener.

{% stepper %}
{% step %}
Log in to your Onum tenant and click **Listeners > New listener**.
{% endstep %}

{% step %}
Double-click the **HTTP** Listener.
{% endstep %}

{% step %}
Enter a **Name** for the new Listener. Optionally, add a **Description** and some **Tags** to identify the Listener.
{% endstep %}

{% step %}
For most cloud-based Onum installations, the **Socket** section is not visible, and **port** `443` is used by default. If you see it, enter the required port in the **Port** field. At this time, all TCP ports from `1024` to `10000` are open.
{% endstep %}

{% step %}
In most cloud-based Onum installations, the **TLS** configuration section is not visible. In these setups, Onum automatically manages **TLS** certificates, eliminating the need for manual configuration.

If you see this section, you must enter the required **Certificate**, **Private key** and **CA Chain.** Learn how to generate these self-signed certificates in [this article](https://docs.onum.com/usecases/routing/crowdstrike-integration/self-signed-ssl-tls-certificates-creation). Once you have them, click **New secret** in each field and add the corresponding values.
{% endstep %}

{% step %}
**Now there are two possible scenarios:**

If you didn't enter your **TLS** certificates, when you click **Create listener** you'll see the **Network configuration** screen, which shows the **Address** and **Port** needed to communicate with Onum. Here you will download the certificate (see the [steps after creation to do this](#download-certificate)).

{% hint style="info" %}
You can access all this information in the Listener details after creation, so don't worry.
{% endhint %}

If you entered the **TLS** certificates, you'll go directly to the Labels step when you eventually click **Create listener**.
{% endstep %}

{% step %}
In the **Authentication** section, choose **Bearer** as the Authentication Type.

Open the **Token Secret** field and click **New secret** to create a new one:

* Give the token a **Name**.
* Turn off the **Expiration date** option.
* Click **Add new value** and paste the secret corresponding to the JWT token you received. Remember that the token will be added in the Zscaler configuration.
* Click **Save**.

{% hint style="info" %}
Learn more about secrets in Onum [in this article.](/administration/global-settings/organization-settings/secrets-management.md)
{% endhint %}

You can now select the secret you just created in the Token Secret field.
{% endstep %}

{% step %}
In the **Endpoint** section, choose `POST` as the method.

In the **Request path** field, enter `/`
{% endstep %}

{% step %}
In the **Message extraction** section, choose **Multiple events at body as stacked JSON** in the **Strategy** field. You can leave the **Extraction info** field empty.
{% endstep %}

{% step %}
In the **General behavior** section, set **Propagate headers strategy** to **None** (default option).
{% endstep %}

{% step %}
Then, configure the following settings:

* **Exported headers format** - Choose the required format for your headers. Choose **JSON** (default value).
* **Maximum message length** - Maximum characters of the message. The default value is `4096`.
* **Response code** - Specify the response code to show when successful. You must choose **200 OK**.

{% hint style="warning" %}
**Important**

Note that Zscaler doesn't accept any other response than 200 OK.
{% endhint %}

* **Response Content-Type** - Lets the server know the expected format of the incoming message or request. In this case, choose **application/json**.
* **Response text** - The text that will show in case of success.

{% endstep %}

{% step %}
For cloud installations, copy the **DNS Address** details to configure your data source in order to communicate with Onum. This contains the IP address of the DNS (Domain Name System) server to connect to.

{% hint style="warning" %}
Note that you will only see this section if you're defining this Listener in a Cloud instance.
{% endhint %}
{% endstep %}

{% step %}
Finally, click **Create labels**. Optionally, you can set labels to be used for internal Onum routing of data. By default, data will be set as **Unlabeled**. Click **Create listener** when you're done.

{% hint style="info" %}
Learn more about labels in [this article](/the-workspace/listeners/labels.md).
{% endhint %}
{% endstep %}
{% endstepper %}


### Download certificate

For cloud environments, download the certificate from the **Listeners** view by clicking the created listener and selecting the three dots in the top right-hand corner of the menu > **Download Certificate**.

{% hint style="info" %}
This .p12 does not require a password to access.
{% endhint %}

To extract the certificates from the download:

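```
#!/bin/bash
# Extract certs from certificate.p12 (the bundle has an empty password)
set -euo pipefail

# Create the output files readable by the current user only,
# because the private key below is written unencrypted.
umask 077

# Client certificate (PEM)
openssl pkcs12 -in certificate.p12 -clcerts -nokeys -out client.crt -password pass:

# Client private key (PEM); -nodes leaves the key unencrypted
# (OpenSSL 3.x also accepts -noenc for the same purpose)
openssl pkcs12 -in certificate.p12 -nocerts -nodes -out client.key -password pass:

# CA chain (PEM)
openssl pkcs12 -in certificate.p12 -cacerts -nokeys -out ca-chain.crt -password pass:
```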
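
To confirm the Listener settings above from a host that holds the extracted files, the following smoke test posts two constructed events as stacked JSON to `/` with the Bearer header and checks for `200`. It is an added example, not part of Onum's or Zscaler's tooling; `LISTENER_HOST`, `LISTENER_PORT`, `ONUM_JWT`, the use of the standard `Authorization` header and the use of the extracted files for mutual TLS are assumptions.

```bash
#!/bin/sh
# Added example: smoke test for the Listener configured above.
# Assumptions (not from the page): LISTENER_HOST and ONUM_JWT are supplied by
# you, the token goes in the standard Authorization header, and the files
# extracted from certificate.p12 are used for mutual TLS.
set -eu

# Build the header line. Strips an accidental leading "Bearer " so the
# result never becomes "Bearer Bearer <token>".
bearer_header() {
  token=${1#Bearer }
  [ -n "$token" ] || { echo "empty token" >&2; return 1; }
  printf 'Authorization: Bearer %s' "$token"
}

# Constructed sample events as stacked JSON: one object after another, with
# no enclosing array and no separating commas.
stacked_body() {
  printf '%s\n' \
    '{"source":"smoke-test","seq":1}' \
    '{"source":"smoke-test","seq":2}'
}

# POST the body to "/" and print only the HTTP status code.
# Connecting by hostname (never by IP address) makes curl send SNI.
send_test_events() {
  stacked_body | curl --silent --show-error \
    --cert client.crt --key client.key --cacert ca-chain.crt \
    --header "$(bearer_header "$ONUM_JWT")" \
    --header 'Content-Type: application/json' \
    --data-binary @- --output /dev/null --write-out '%{http_code}' \
    "https://${LISTENER_HOST}:${LISTENER_PORT:-443}/"
}

# Runs only when a host is provided, for example:
#   LISTENER_HOST=<address> ONUM_JWT=<token> sh smoke-test.sh
if [ -n "${LISTENER_HOST:-}" ]; then
  code=$(send_test_events)
  if [ "$code" = "200" ]; then
    echo "Listener accepted the events (200 OK)"
  else
    echo "Unexpected response: $code" >&2
    exit 1
  fi
fi
```

Any response other than `200` points at the token secret, the request path or method, or the TLS files; a TLS error before any status code is returned usually means the hostname or certificate does not match.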

### Ports <a href="#ports" id="ports"></a>

The HTTP Listener has two output ports:

* **Default port** - Events are sent through this port if no error occurs while processing them.
* **Error port** - Events are sent through this port if an error occurs while processing them.

{% hint style="warning" %}
The error message is provided in a free-text format and may change over time. Please consider this if performing any post-processing based on the message content.
{% endhint %}


