Zscaler

Integrate Zscaler as a data source in the Observo AI pipeline using the dedicated Splunk HEC Source. Configure Zscaler Cloud NSS to send security logs directly to Observo AI's Zscaler-specific HEC endpoint for real-time analysis, optimization, and intelligent routing to downstream security tools.

Purpose

The Observo AI Zscaler integration leverages a dedicated Splunk HEC Source to enable organizations to ingest high-volume security logs from Zscaler's cloud security platform directly into Observo AI for analysis and processing. This integration provides Zscaler-specific configurations and supports web security logs, firewall logs, DNS logs, and other Zscaler security telemetry in real-time using the standard Splunk HTTP Event Collector protocol with enhanced Zscaler-specific features. The source is designed to handle Zscaler's high-throughput log streams while applying AI-powered optimization to reduce data volume, enrich logs with threat intelligence, and route critical security events to appropriate SIEM platforms.

How it works

The Zscaler integration works by configuring Zscaler's Nanolog Streaming Service (NSS) to send logs to Observo AI's dedicated Splunk HEC Source over HTTP/HTTPS POST requests that follow the Splunk HEC protocol. Zscaler Cloud NSS delivers logs in near real-time to the configured Observo AI Zscaler endpoint. The Zscaler Source in Observo AI provides three endpoints:

  • /services/collector/event - for sending structured JSON events

  • /services/collector/raw - for sending raw log events

  • /services/collector/health - for health checks

When logs are received, Observo AI automatically processes them through its AI-powered pipeline, performing data optimization, enrichment, and intelligent routing based on the configured destination rules.

Observo AI processes the following types of Zscaler logs:

  • Web Security Logs: HTTP/HTTPS traffic, URL filtering, malware detection

  • Firewall Logs: Network traffic, blocked connections, policy violations

  • DNS Logs: DNS queries, malicious domain detection, DNS security events

  • Tunnel Logs: VPN tunnel traffic and security events

  • Sandbox Logs: File analysis results, threat detonation reports

  • Audit Logs: Administrative actions, policy changes, user access events

Authentication Requirements

Permissions Required

  • Zscaler Admin Console Access: Administrative privileges to configure NSS feeds

  • Network Connectivity: Outbound HTTPS connectivity from Zscaler Cloud to Observo AI endpoint

  • Token Management: Ability to create and manage HEC authentication tokens

Authentication Methods

The Zscaler Source supports multiple authentication methods:

  1. Token-based Authentication: Authorization tokens provided in HTTP headers (Authorization: <token>)

  2. Multiple Valid Tokens: Support for multiple authorization tokens for different environments

  3. Default Token: Fallback token when no token is provided in the request

  4. Token Validation: If no valid tokens are configured, all events are accepted regardless of the Authorization header (not recommended for production)

  5. IP Allowlisting: Restrict incoming connections to specified Zscaler Cloud IPs

  6. TLS Client Certificates: Mutual TLS authentication for enhanced security
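To make the token, default-token, accept-all and IP-allowlist rules above concrete, here is an added Python model of how such a source decides whether to accept a request; it is example code written for this page, not Observo AI's implementation. The check order (allowlist, path, size, token), the `SourceConfig` class and the returned reason strings are assumptions; the status codes match those in the Troubleshooting table below.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical container for the source settings named on this page.
@dataclass
class SourceConfig:
    valid_tokens: set = field(default_factory=set)
    default_token: Optional[str] = None
    allowed_source_ips: list = field(default_factory=list)
    max_request_size_bytes: int = 52428800  # 50 MB, as in the example config

HEC_PATHS = ("/services/collector/event", "/services/collector/raw",
             "/services/collector/health")

def ip_allowed(cfg: SourceConfig, client_ip: str) -> bool:
    """Empty allowlist means no IP restriction; entries may be CIDRs or single hosts."""
    if not cfg.allowed_source_ips:
        return True
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(n, strict=False) for n in cfg.allowed_source_ips)

def check_request(cfg: SourceConfig, client_ip: str, path: str,
                  authorization: Optional[str], body: bytes) -> tuple:
    """Return (HTTP status, reason) for one request under this model.
    The check order below is an assumption of this example."""
    if not ip_allowed(cfg, client_ip):
        return 403, "client IP not in allowed_source_ips"
    if path not in HEC_PATHS:
        return 404, "unknown HEC path"
    if path.endswith("/health"):
        return 200, "healthy"  # health check needs no token
    if len(body) > cfg.max_request_size_bytes:
        return 413, "body exceeds max_request_size_bytes"
    if not cfg.valid_tokens:
        # Accept-all mode: the page advises against this in production.
        return 200, "accepted: no valid_tokens configured"
    if authorization is None:
        # No token in the request: fall back to default_token when one is set.
        if cfg.default_token:
            return 200, "accepted with default_token"
        return 401, "missing HEC token"
    # Accept both 'Authorization: <token>' and 'Authorization: Splunk <token>'.
    token = authorization.split(" ", 1)[-1].strip()
    if token in cfg.valid_tokens:
        return 200, "accepted"
    return 401, "invalid HEC token"
```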

Prerequisites

Before configuring the Zscaler integration with Observo AI, ensure the following requirements are met:

Observo AI Platform Setup

  • The Observo AI platform must be installed and operational

  • Zscaler Source must be available and configured

  • Network endpoint accessible from Zscaler Cloud (public IP or properly configured NAT/firewall rules)

  • Valid SSL/TLS certificate for HTTPS endpoints (recommended for production)

Zscaler Configuration Requirements

  • Zscaler Cloud Access: Administrative access to Zscaler Internet Access (ZIA) or Zscaler Private Access (ZPA)

  • NSS Licensing: Active Nanolog Streaming Service subscription

  • Network Connectivity: Outbound HTTPS connectivity from Zscaler Cloud to Observo AI

  • NSS Feed Configuration: Ability to create and manage NSS feed destinations

  • Cloud Identifier: Knowledge of your Zscaler cloud (e.g., zscaler.net, zscalerone.net)

Network and Connectivity

  • Firewall Rules: Allow inbound HTTPS traffic on configured port (range: 1-65535)

  • Load Balancer (Optional): For high availability and traffic distribution

  • DNS Resolution: Proper DNS configuration for Observo AI endpoint FQDN

| Requirement | Details |
|---|---|
| Observo AI Platform | Must support Zscaler Source |
| Zscaler Admin Access | Administrative privileges in Zscaler console |
| NSS Licensing | Active Nanolog Streaming Service subscription |
| Network Connectivity | Outbound HTTPS from Zscaler Cloud |
| SSL Certificate | Valid certificate for HTTPS endpoints |
| Port Range | 1-65535 for Zscaler source |

Integration

To configure Zscaler integration with Observo AI, follow these steps:

Step 1: Configure Observo AI Zscaler Source

Configure the Splunk HEC Source

Step 2: Configure Zscaler NSS Feed

  1. Access Zscaler Admin Console

    • Log in to your Zscaler Admin Console

    • Navigate to Administration > Nanolog Streaming Service

  2. Create NSS Feed

    • Click "Add NSS Feed" to create a new feed

    • Feed Name: Enter descriptive name (e.g., "Observo-AI-Zscaler-Feed")

    • Feed Status: Ensure it's set to Enabled

  3. Configure Feed Details

    • SIEM IP Address/FQDN: Enter Observo AI endpoint without protocol

      • Example: your-observo-instance.company.com

    • Port: Enter the port configured in Observo AI Zscaler source (e.g., 8088)

    • SIEM Type: Select "Splunk" for HEC compatibility

    • Feed Output Format: Choose "Splunk Format" for optimal compatibility with Splunk HEC

  4. Authentication Configuration

    • Authentication Method: Select "Token" or "API Key"

    • Token/API Key: Enter the authorization token configured in Observo AI

      • Example: your-zscaler-hec-token

  5. Log Type Selection

    • Web Logs: Enable for HTTP/HTTPS traffic analysis

    • Firewall Logs: Enable for network security events

    • DNS Logs: Enable for DNS security monitoring

    • Tunnel Logs: Enable for VPN tunnel monitoring

    • Sandbox Logs: Enable for file analysis results

    • Audit Logs: Enable for administrative events

  6. Advanced Feed Settings

    • Use HTTPS: Enable for secure transmission (recommended)

    • Batch Size: Configure batch size for log transmission

    • Feed Frequency: Set transmission frequency (Real-time recommended)

    • Compression: Enable compression if supported

    • Retry Settings: Configure retry logic for failed transmissions

Step 3: Test and Validate Configuration

  1. Test Zscaler Source Endpoint

    Use curl to test the Observo AI Zscaler endpoint:

    Formatted Event Test:

    curl https://your-observo-instance.company.com:8088/services/collector/event \
      -H 'Authorization: your-zscaler-hec-token' \
      -d '{"event":"Zscaler test event","index":"main","sourcetype":"zscaler:web"}'

    Raw Event Test:

    curl https://your-observo-instance.company.com:8088/services/collector/raw \
      -H 'Authorization: your-zscaler-hec-token' \
      -d 'this is a sample Zscaler raw event'

    Health Check:

    curl https://your-observo-instance.company.com:8088/services/collector/health

  2. Validate Configuration

    • Save the NSS feed configuration in Zscaler

    • Save the Zscaler source configuration in Observo AI

    • Use Zscaler's built-in connectivity test feature

    • Verify logs are being received in Observo AI Analytics tab

Example Configuration

Zscaler Source Configuration Example

{
  "source_name": "zscaler-production",
  "source_type": "Zscaler Logs",
  "config": {
    "address": "0.0.0.0:8088",
    "store_hec_token": true,
    "zscaler_cloud": "zscaler.net",
    "valid_tokens": [
      "zsc-prod-550e8400-e29b-41d4-a716-446655440000",
      "zsc-backup-660f9511-f30c-52e5-b827-557766551111"
    ],
    "default_token": "zsc-default-770a0622-a40d-63f6-c938-668877662222",
    "allowed_source_ips": ["203.0.113.0/24", "198.51.100.1"],
    "tls": {
      "enabled": true,
      "ca_file": "/opt/observo/certs/ca.crt",
      "crt_file": "/opt/observo/certs/observo.crt",
      "key_file": "/opt/observo/certs/observo.key",
      "verify_certificate": false
    },
    "acknowledgements": {
      "enabled": false,
      "max_number_of_ack_events": 100
    },
    "max_request_size_bytes": 52428800,
    "path": "/services/collector",
    "remove_splunk_hec_metadata": false
  }
}
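The example above enables TLS but leaves `verify_certificate` off, so only the token list and IP allowlist gate access. As an added illustration (not Observo AI's code), the Python below audits a `config` object of this shape against the settings the page's best practices call out, and shows the corrected form; `MIN_TOKEN_LEN` is an assumed threshold, not a page value.

```python
import copy

# Constructed copy of this page's example "config" object.
EXAMPLE_CONFIG = {
    "address": "0.0.0.0:8088",
    "valid_tokens": ["zsc-prod-550e8400-e29b-41d4-a716-446655440000",
                     "zsc-backup-660f9511-f30c-52e5-b827-557766551111"],
    "default_token": "zsc-default-770a0622-a40d-63f6-c938-668877662222",
    "allowed_source_ips": ["203.0.113.0/24", "198.51.100.1"],
    "tls": {"enabled": True, "ca_file": "/opt/observo/certs/ca.crt",
            "crt_file": "/opt/observo/certs/observo.crt",
            "key_file": "/opt/observo/certs/observo.key",
            "verify_certificate": False},
    "max_request_size_bytes": 52428800,
}

MIN_TOKEN_LEN = 32  # assumed threshold for a "strong" token; not from the page

def audit_zscaler_source(config: dict) -> list:
    """Return findings for settings the page's best practices advise against."""
    findings = []
    tls = config.get("tls", {})
    tokens = config.get("valid_tokens", [])
    if not tls.get("enabled"):
        findings.append("tls.enabled is false: HEC tokens travel in cleartext")
    if not tokens:
        findings.append("valid_tokens is empty: every event is accepted (accept-all mode)")
    if len(set(tokens)) != len(tokens):
        findings.append("valid_tokens contains duplicate tokens")
    weak = [t for t in tokens if len(t) < MIN_TOKEN_LEN]
    if weak:
        findings.append(f"{len(weak)} token(s) shorter than {MIN_TOKEN_LEN} characters")
    if not config.get("allowed_source_ips"):
        findings.append("allowed_source_ips is empty: listener accepts any source IP")
    if tls.get("enabled") and not tls.get("verify_certificate"):
        findings.append("tls.verify_certificate is false: mutual TLS is not enforced")
    return findings

def hardened(config: dict) -> dict:
    """Return a copy with TLS on and client certificate verification enforced."""
    fixed = copy.deepcopy(config)
    fixed.setdefault("tls", {})["enabled"] = True
    fixed["tls"]["verify_certificate"] = True
    return fixed
```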

Standard Zscaler Source Setup

Here is a standard configuration example for Zscaler integration:

| Category | Setting | Value | Description |
|---|---|---|---|
| General Settings | Socket Address | 0.0.0.0:8088 | Listen address and port |
| General Settings | Store HEC Token | true | Add HEC token to events |
| General Settings | Zscaler Cloud | zscaler.net | Zscaler cloud identifier |
| Authentication | Valid Authorization Tokens | ['zsc-prod-550e8400-e29b-41d4-a716-446655440000'] | List of valid HEC tokens |
| Authentication | Default HEC Token | zsc-default-770a0622-a40d-63f6-c938-668877662222 | Fallback token |
| TLS Configuration | TLS Enabled | true | Enable HTTPS |
| TLS Configuration | CA Certificate File | /opt/observo/certs/ca.crt | CA certificate path |
| TLS Configuration | Server Certificate File | /opt/observo/certs/observo.crt | Server certificate path |
| TLS Configuration | Private Key File | /opt/observo/certs/observo.key | Private key path |
| TLS Configuration | Verify Client Certificate | false | Disable client cert verification |
| Acknowledgement Settings | Enabled | false | Disable HEC acknowledgements |
| Acknowledgement Settings | Max Acknowledgement Events | 100 | Maximum events per ack |
| Advanced Settings | Max Request Size | 52428800 | 50MB maximum request size |
| Advanced Settings | HTTP Path | /services/collector | HEC endpoint path |

Zscaler NSS Feed Configuration

| Setting | Value | Description |
|---|---|---|
| Feed Name | Observo-AI-Zscaler-Production | Descriptive feed identifier |
| Status | Enabled | Feed operational status |
| SIEM IP/FQDN | observo-prod.company.com | Observo AI hostname |
| Port | 8088 | Zscaler source port |
| SIEM Type | Splunk | Use Splunk HEC protocol |
| Output Format | Splunk Format | HEC-compatible format |
| Authentication | zsc-prod-550e8400-e29b-41d4-a716-446655440000 | HEC authorization token |
| Use HTTPS | Enabled | Secure transmission |
| Log Types | Web, Firewall, DNS, Tunnel, Sandbox | Enabled log streams |
| Feed Frequency | Real-time | Log transmission frequency |
| Batch Size | 1000 | Events per transmission batch |
| Compression | Enabled | Reduce bandwidth usage |

Troubleshooting

Common Zscaler Source Issues

| Error Condition | Possible Cause | Resolution Steps |
|---|---|---|
| 401 Unauthorized | Invalid HEC authorization token | Check token in Valid Authorization Tokens list |
| 403 Forbidden | IP address not allowed | Check allowed_source_ips configuration |
| 404 Not Found | Incorrect HEC endpoint path | Verify Zscaler uses correct HEC endpoints |
| 413 Payload Too Large | Batch size exceeds limits | Reduce NSS feed batch size in Zscaler or increase max_request_size_bytes |
| Connection Refused | Port not accessible/firewall blocking | Verify port and firewall rules |
| SSL Handshake Failed | TLS configuration mismatch | Check certificate paths and TLS settings |
| No Data Received | NSS feed misconfigured | Verify Zscaler NSS feed status and settings |

Diagnostic Steps

  1. Test Zscaler Source Endpoints:

    # Test event endpoint
    curl -k https://your-observo:8088/services/collector/event \
      -H "Authorization: your-token" \
      -d '{"event": "test", "sourcetype": "zscaler:test"}'
    
    # Test health endpoint
    curl -k https://your-observo:8088/services/collector/health

  2. Verify Zscaler Connectivity:

    • Check NSS feed status in Zscaler Admin Console

    • Use Zscaler's built-in connectivity test

    • Monitor NSS feed transmission logs

  3. Monitor Observo AI:

    • Check Zscaler source logs for errors

    • Verify data ingestion in Analytics dashboard

    • Monitor token usage and authentication failures

Zscaler Source Logs Analysis

Monitor Observo AI logs for Zscaler-specific messages:

  • Authentication failures: Invalid or missing tokens

  • Cloud validation: Zscaler cloud identifier mismatches

  • Connection issues: Network connectivity problems

  • Data format errors: Malformed HEC payloads

  • Performance metrics: Throughput and latency statistics

Cloud Validation

Set zscaler_cloud to validate that incoming data is from the expected Zscaler cloud instance.

Best Practices

  1. Security

    • Always use HTTPS with valid certificates

    • Implement IP allowlisting for additional security

    • Use strong, unique HEC tokens and rotate them regularly

    • Validate Zscaler cloud identifier

  2. Performance

    • Configure appropriate batch sizes in Zscaler NSS

    • Monitor Zscaler source metrics for performance issues

    • Consider load balancing for high-volume environments

    • Adjust max_request_size_bytes based on your traffic patterns

  3. Data Management

    • Only forward necessary log types to Observo AI

    • Include HEC tokens in events for better routing and processing

    • Remove HEC metadata if not needed for downstream processing

Resources

Best Practices

  • Port Management: Use ports in range 1-65535 for Zscaler sources

  • Token Security: Rotate HEC tokens regularly and use strong, unique tokens

  • TLS Configuration: Always enable TLS in production with valid certificates

  • Monitoring: Implement comprehensive monitoring for HEC endpoints and data flow

  • Load Balancing: Use load balancers for high availability HEC deployments

Support Resources

  • Zscaler Technical Support for NSS configuration issues

  • Observo AI Support for Zscaler source configuration

  • Network team for connectivity and firewall configuration

  • Security team for token management and certificate handling


Last updated: January 2025
