Collect data from Zscaler
Zscaler (Nanolog Streaming Service) to Onum HTTP Listener (with TLS)
See the changelog of the HTTP Listener here.
Overview
The following article outlines a basic data flow from Zscaler's Nanolog Streaming Service (NSS) to the Onum HTTP Listener.
Prerequisites
Contact Onum to get the certificate information required for TLS communication. You will need it during the Listener setup.
Zscaler NSS Setup
Identify the NSS Feeds you want to send in the Zscaler documentation. Configure the required ingestion setup following the steps in the documentation.
Important notes
The SIEM type will be Other.
You must generate a JWT token and add it as an HTTP header. Add the word Bearer before the token value (Bearer <token>). The corresponding secret value will be added in the Onum configuration later.
Contact us if you cannot generate a JWT token.
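One way to produce the token and check the resulting header value, as an added example that is not Onum or Zscaler code. It assumes an HS256-signed JWT whose shared secret is the value you later store as the Token Secret; the secret, the claim and the function names are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed placeholders: replace with your own secret and claims.
SECRET = b"constructed-example-secret"
CLAIMS = {"iss": "zscaler-nss-feed"}


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding JWT segments use."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_jwt(claims: dict, secret: bytes) -> str:
    """Build a compact HS256 JWT: header.payload.signature."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims)
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"


def verify_bearer(header_value: str, secret: bytes) -> Optional[dict]:
    """Return the claims for 'Bearer <valid HS256 JWT>', otherwise None."""
    scheme, _, token = header_value.partition(" ")
    parts = token.split(".")
    if scheme != "Bearer" or len(parts) != 3:
        return None
    try:
        header = json.loads(b64url_decode(parts[0]))
        signature = b64url_decode(parts[2])
    except ValueError:
        return None
    # Pin the algorithm instead of trusting the "alg" the token announces.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):
        return None
    return json.loads(b64url_decode(parts[1]))
```

The header value to configure is `"Bearer " + make_jwt(CLAIMS, SECRET)`; running it through `verify_bearer` before saving the feed catches a missing space after Bearer or a secret mismatch.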

Important Considerations Regarding Cloud Listeners
In cloud-based Onum installations, the TLS configuration section of the HTTP Listener is not visible and you won't need to enter these values. In these setups, Onum automatically manages TLS certificates, eliminating the need for manual configuration. If your HTTP Listener configuration requires you to manually enter these TLS certificates, you can generate them following the instructions in this article.
If you are defining this Listener in a cloud instance, Onum will automatically provide the Port and TLS configuration.
Cloud Listeners have an additional step in their creation process: Network configuration. Use these details to configure your data source to communicate with Onum. Click Download certificate to get the required certificate for the connection. You can also download it from the Listener details once it is created.
When configuring a Listener in a Cloud tenant, the port will be 443. In on-prem, the selected port must fall within the range of 1024 to 10000.
Cloud Listener endpoints are created in Onum's DNS. This process is usually fast, and Listeners are normally available immediately. However, note that this may take up to 24-48 hours, depending on your organization's DNS configuration.
Your data input must use the Server Name Indication (SNI) method, which means it must send its hostname in the TLS authentication process. If SNI is not used, the certificate routing will fail, and data will not be received, even if the certificate is valid.
If your organization's software cannot meet points 2 and 3, you can use an intermediate piece of software to ensure the client-Onum connection, such as Stunnel.
Onum Setup
Here we will detail the steps for the HTTP Listener.
Log in to your Onum tenant and click Listeners > New listener.
Double-click the HTTP Listener.
Enter a Name for the new Listener. Optionally, add a Description and some Tags to identify the Listener.
For most cloud-based Onum installations, the Socket section is not visible, and port 443 is used by default. If you see it, enter the required port in the Port field. At this time, all TCP ports from 1024 to 10000 are open.
In most cloud-based Onum installations, the TLS configuration section is not visible. In these setups, Onum automatically manages TLS certificates, eliminating the need for manual configuration.
If you see this section, you must enter the required Certificate, Private key and CA Chain. Learn how to generate these self-signed certificates in this article. Once you have them, click New secret in each field and add the corresponding values.
Now there are two possible scenarios:
If you didn't enter your TLS certificates, when you click Create listener you'll see the Network configuration screen, which shows the Address and Port needed to communicate with Onum. Here you will download the certificate (see the steps after creation to do this).
You can access all this information in the Listener details after creation, so don't worry.
If you entered the TLS certificates, you'll go directly to the Labels step when you click Create listener.
In the Authentication section, choose Bearer as the Authentication Type.
Open the Token Secret field and click New secret to create a new one:
Give the token a Name.
Turn off the Expiration date option.
Click Add new value and paste the secret corresponding to the JWT token you received. Remember that the token will be added in the Cloudflare configuration.
Click Save.
Learn more about secrets in Onum in this article.
You can now select the secret you just created in the Token Secret field.
In the Endpoint section, choose POST as the method.
In the Request path field, enter /
In the Message extraction section, choose Multiple events at body as stacked JSON in the Strategy field. You can leave the Extraction info field empty.
In the General behavior section, set Propagate headers strategy to None (default option).
Then, configure the following settings:
Exported headers format - Choose the required format for your headers. Choose JSON (default value).
Maximum message length - Maximum characters of the message. The default value is 4096.
Response code - Specify the response code to show when successful. You must choose 200 OK.
Important
Note that Zscaler doesn't accept any other response than 200 OK.
Response Content-Type - Lets the server know the expected format of the incoming message or request. In this case, choose application/json.
Response text - The text that will show in case of success.
For cloud installations, copy the DNS Address details to configure your data source in order to communicate with Onum. This contains the IP address of the DNS (Domain Name System) server to connect to.
Note that you will only see this section if you're defining this Listener in a Cloud instance.
Finally, click Create labels. Optionally, you can set labels to be used for internal Onum routing of data. By default, data will be set as Unlabeled.
Learn more about labels in this article.
Click Create listener when you're done.
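What a stacked JSON body looks like once it is split into events, as an added example that is not Onum's implementation. The sample body and its field names are constructed, and applying the 4096-character limit to each extracted event is an assumption made for this check.

```python
import json

MAX_MESSAGE_LENGTH = 4096  # the Listener default quoted on this page


def split_stacked_json(body: str) -> list:
    """Split a body of back-to-back JSON values into (raw_text, parsed) pairs."""
    decoder = json.JSONDecoder()
    events, pos, end = [], 0, len(body)
    while True:
        # Stacked values may be separated by whitespace or newlines, or by nothing.
        while pos < end and body[pos].isspace():
            pos += 1
        if pos == end:
            return events
        try:
            parsed, nxt = decoder.raw_decode(body, pos)
        except json.JSONDecodeError as exc:
            # A truncated or malformed event fails loudly instead of being dropped.
            raise ValueError(
                f"event {len(events) + 1} is not valid JSON at offset {exc.pos}"
            ) from exc
        events.append((body[pos:nxt], parsed))
        pos = nxt


def oversized(events: list, limit: int = MAX_MESSAGE_LENGTH) -> list:
    """Indexes of events whose raw text is longer than the configured limit."""
    return [i for i, (raw, _) in enumerate(events) if len(raw) > limit]


# Constructed sample body; the field names are illustrative, not a Zscaler schema.
SAMPLE_BODY = (
    '{"event":{"user":"a@example.com","action":"Allowed"}}\n'
    '{"event":{"user":"b@example.com","action":"Blocked"}}'
    '{"event":{"user":"c@example.com","url":"' + "x" * 5000 + '"}}'
)

if __name__ == "__main__":
    parsed_events = split_stacked_json(SAMPLE_BODY)
    print(len(parsed_events), "events; over the limit:", oversized(parsed_events))
```

Running a captured feed body through `oversized` shows whether the Maximum message length setting needs to be raised for that feed.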
Download certificate
For cloud environments, download the certificate from the Listeners view by clicking the created listener and selecting the three dots in the top right-hand corner of the menu > Download Certificate.
This .p12 file does not require a password to access.
To extract the certificates from the download:
Ports
The HTTP Listener has two output ports:
Default port - Events are sent through this port if no error occurs while processing them.
Error port - Events are sent through this port if an error occurs while processing them.
The error message is provided in a free-text format and may change over time. Please consider this if performing any post-processing based on the message content.

