Collect data from Zscaler
Zscaler (Nanolog Streaming Service) to Onum HTTP Listener (with TLS)
Overview
The following article outlines a basic data flow from Zscaler's Nanolog Streaming Service (NSS) to the Onum HTTP Listener.
Prerequisites
Contact Onum to get the certificate information required for TLS communication. You will need it when setting up the Listener.
Zscaler NSS Setup
Identify the NSS Feeds you want to send in the Zscaler documentation. Configure the required ingestion setup following the steps in the documentation.
Important notes
The SIEM type will be Other.
You must generate a JWT token and add it as an HTTP header. Add the word Bearer before the token value (Bearer <token>). The corresponding secret value will be added in the Onum configuration later.
Contact us if you cannot generate a JWT token.

Onum Setup
Log in to your Onum tenant and click Listeners > New listener.


Double-click the HTTP Listener.


Enter a Name for the new Listener. Optionally, add a Description and some Tags to identify the Listener.
In the Socket section, enter the required Port. By default, all TCP ports from 1024 to 10000 are open.


In the TLS configuration section, enter the data you received from the Onum team (Certificate, Private key and CA chain). Choose No client certificate as Client authentication method and TLS v.1.0 as the Minimum TLS version.


In the Authentication section, choose Bearer as the Authentication Type. Click New secret to create a new one:
Give the token a Name.
Turn off the Expiration date option.
Click Add new value and paste the secret corresponding to the JWT token you generated before. Remember that the token will be added in the Zscaler configuration.
Click Save.


Learn more about secrets in Onum in this article.
You can now select the secret you just created in the Token Secret field.
In the Endpoint section, choose POST as the HTTP Method. In the Request path field, enter /


In the Message extraction section, choose Multiple events at body as stacked JSON in the Strategy field. You can leave the Extraction info field empty.


In the General behavior section, set Propagate headers strategy to None (default option).


Then, configure the following settings:
Exported headers format - Choose the required format for your headers. Choose JSON (default value).
Maximum message length - Maximum characters of the message. The default value is 4096.
Response code - Specify the response code to show when successful. You must choose 200 OK.
Important
Note that Zscaler doesn't accept any other response than 200 OK.
Response Content-Type - Lets the server know the expected format of the incoming message or request. In this case, choose application/json.
Response text - The text that will show in case of success.


Finally, click Create labels. Optionally, you can set labels to be used for internal Onum routing of data. By default, data will be set as Unlabeled. Click Create listener when you're done.
Learn more about labels in this article.
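Before pointing an NSS feed at the Listener, you can check a captured request body offline against the settings chosen above (stacked JSON extraction and the 4096-character maximum message length). The following Python script is an added example, not Onum or Zscaler code; the sample body and its field names are constructed, and applying the length limit to each extracted event is an assumption.

```python
import json

MAX_MESSAGE_LENGTH = 4096  # the Listener's default "Maximum message length"


def split_stacked_json(body):
    """Split a stacked-JSON body into ([(raw_text, parsed)], error).

    Stacked JSON is a run of JSON values placed one after another,
    separated only by optional whitespace. error is None when the whole
    body parsed, otherwise a string saying where parsing stopped.
    """
    decoder = json.JSONDecoder()
    events, pos, end = [], 0, len(body)
    while pos < end:
        # raw_decode does not skip leading whitespace, so do it here.
        while pos < end and body[pos].isspace():
            pos += 1
        if pos >= end:
            break
        try:
            obj, next_pos = decoder.raw_decode(body, pos)
        except json.JSONDecodeError as exc:
            return events, f"invalid JSON at offset {exc.pos}: {exc.msg}"
        events.append((body[pos:next_pos], obj))
        pos = next_pos
    return events, None


def check_body(body, max_len=MAX_MESSAGE_LENGTH):
    """Report event count, indexes of oversized events, and any parse error."""
    events, error = split_stacked_json(body)
    # Assumption: the limit is counted in characters per extracted event.
    oversized = [i for i, (raw, _) in enumerate(events) if len(raw) > max_len]
    return {"events": len(events), "oversized": oversized, "error": error}


# Constructed sample body (not real Zscaler output): three stacked objects,
# the last one longer than the default limit.
SAMPLE_BODY = (
    '{"feed":"web","event":{"action":"Allowed","url":"example.com/a"}}\n'
    '{"feed":"web","event":{"action":"Blocked","url":"example.com/b"}}'
    '{"feed":"web","event":{"action":"Allowed","url":"' + "x" * 5000 + '"}}'
)

if __name__ == "__main__":
    print(check_body(SAMPLE_BODY))
    print(check_body(SAMPLE_BODY + '{"truncated": '))
```

An event reported as oversized, or a non-empty error, means the feed output format should be adjusted before it is sent to the Listener.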