Zscaler LSS

Zscaler Private Access (ZPA) is a VPN alternative that gives users policy-based access to only the internal applications they need to do their work. The Log Streaming Service (LSS) streams ZPA logs to log receivers that you define, so you can see what App Connectors and users are doing on the ZPA service.

Zscaler LSS logs can contain host and account information in addition to the source address, so when you set up Zscaler LSS as an event source you can choose which of these fields InsightIDR uses for attribution.

To set up Zscaler LSS, you’ll need to:

  1. Configure Zscaler LSS to forward logs to the InsightIDR Collector.
  2. Set up the Zscaler LSS event source in InsightIDR.
  3. Verify the configuration.

Configure Zscaler LSS to forward logs to your Collector

You must first configure Zscaler LSS to forward logs to the InsightIDR Collector. You can find information on how to configure Zscaler LSS at: https://help.zscaler.com/zpa/configuring-log-receiver

Supported log format and log types

InsightIDR only accepts JSON-formatted logs. When selecting a Log Template, select JSON and keep the default Log Stream Content given in the Zscaler documentation. InsightIDR supports only the User Activity and Audit Logs log types for the Zscaler LSS event source, so configure no other Log Types on the Log Stream tab. A log stream carries a single log type, so if you want both log types in InsightIDR you must create one log stream per log type, each pointed at the Collector.

Configure InsightIDR to collect data from the event source

After you complete the prerequisite steps and configure the event source to send data, you must add the event source in InsightIDR.

To configure the new event source in InsightIDR:

  1. From the left menu, go to Data Collection and click Setup Event Source > Add Event Source.
  2. Do one of the following:
    • Search for Zscaler LSS in the event sources search bar.
    • In the Product Type filter, select Ingress Authentication.
  3. Select the Zscaler LSS event source tile.
  4. Choose your Collector and event source.
  5. (Optional) Name your event source if you want.
  6. (Optional) Choose to send unfiltered logs.
  7. Choose the time zone that matches the location of your event source logs.
  8. Select an attribution source.
  9. Select a collection method and specify a port and a protocol.
  10. (Optional) If you are using TCP, you can download the Rapid7 Certificate and use it to encrypt the traffic from the event source to the Collector.
  11. Click Save.

Verify the configuration

Complete the following steps to view your logs and ensure events are making it to the Collector.

  1. On the event source you just created, click the View Raw Log button. If log messages appear in the box, logs are reaching the Collector.
  2. Click Log Search in the left menu.
  3. Select the applicable log sets and the log names within them. The log name will be the event source name or “Zscaler LSS” if you did not name the event source. Zscaler LSS User Activity logs flow into the Ingress Authentication log set, and Audit Logs flow into the Cloud Admin Activity log set.

Sample logs

Example User Activity log:

```json
{
  "LogTimestamp": "Fri May 31 17:35:42 2019",
  "Customer": "ANZ Team/zdemo in beta",
  "SessionID": "SqyZIMkg0JTj7EABsvwA",
  "ConnectionID": "SqyZIMkg0JTj7EABsvwA,Q+EjXGdrvbF2lPiBbedm",
  "InternalReason": "OPEN_OR_ACTIVE_CONNECTION",
  "ConnectionStatus": "active",
  "IPProtocol": 6,
  "DoubleEncryption": 0,
  "Username": "ZPA LSS Client",
  "ServicePort": 10011,
  "ClientPublicIP": "34.209.189.218",
  "ClientPrivateIP": "",
  "ClientLatitude": 45.000000,
  "ClientLongitude": -119.000000,
  "ClientCountryCode": "US",
  "ClientZEN": "broker1b.pdx2",
  "Policy": "ANZ Lab Apps_1",
  "Connector": "ZDEMO ANZ Lab-1",
  "ConnectorZEN": "broker1b.pdx2",
  "ConnectorIP": "192.168.1.53",
  "ConnectorPort": 60266,
  "Host": "192.168.1.57",
  "Application": "ANZ Lab Apps",
  "AppGroup": "ANZ Lab Apps",
  "Server": "0",
  "ServerIP": "192.168.1.57",
  "ServerPort": 10011,
  "PolicyProcessingTime": 28,
  "CAProcessingTime": 1330,
  "ConnectorZENSetupTime": 191017,
  "ConnectionSetupTime": 192397,
  "ServerSetupTime": 465,
  "AppLearnTime": 0,
  "TimestampConnectionStart": "2019-05-30T08:20:42.230Z",
  "TimestampConnectionEnd": "",
  "TimestampCATx": "2019-05-30T08:20:42.230Z",
  "TimestampCARx": "2019-05-30T08:20:42.231Z",
  "TimestampAppLearnStart": "",
  "TimestampZENFirstRxClient": "2019-05-30T08:20:42.424Z",
  "TimestampZENFirstTxClient": "",
  "TimestampZENLastRxClient": "2019-05-31T17:34:27.348Z",
  "TimestampZENLastTxClient": "",
  "TimestampConnectorZENSetupComplete": "2019-05-30T08:20:42.422Z",
  "TimestampZENFirstRxConnector": "",
  "TimestampZENFirstTxConnector": "2019-05-30T08:20:42.424Z",
  "TimestampZENLastRxConnector": "",
  "TimestampZENLastTxConnector": "2019-05-31T17:34:27.348Z",
  "ZENTotalBytesRxClient": 2406926,
  "ZENBytesRxClient": 7115,
  "ZENTotalBytesTxClient": 0,
  "ZENBytesTxClient": 0,
  "ZENTotalBytesRxConnector": 0,
  "ZENBytesRxConnector": 0,
  "ZENTotalBytesTxConnector": 2406926,
  "ZENBytesTxConnector": 7115,
  "Idp": "Example IDP Config"
}
```

Example Audit log:

```json
{
  "ModifiedTime": "2020-07-13T20:53:10.000Z",
  "CreationTime": "2020-07-13T20:53:10.000Z",
  "ModifiedBy": 11223344556677889,
  "RequestID": "a12aa12a-1234-aab1-123ab123456a",
  "SessionID": "a123456789abc12a123456789a12a1a1a12345678ab12a12345a",
  "AuditOldValue": "",
  "AuditNewValue": "{\"id\":\"98765432100123456\",\"name\":\"app1.test.com\",\"applicationId\":\"12312312312312300\",\"applicationPort\":\"443\",\"applicationProtocol\":\"HTTPS\",\"certificateId\":\"10203040506070809\",\"domain\":\"app1.test.com\",\"enabled\":\"true\",\"hidden\":\"false\",\"path\":\"\\/\",\"portal\":\"false\",\"trustUntrustedCert\":\"true\"}",
  "AuditOperationType": "Create",
  "ObjectType": "Browser Access",
  "ObjectName": "app1.test.com",
  "ObjectID": 98765432100123456,
  "CustomerID": 12345678901234567,
  "User": "zpaadmin@test.com"
}
```
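The following is an added example, not Rapid7's or Zscaler's code, showing what a receiver has to do with a raw LSS stream like the one View Raw Log displays: split the newline-delimited JSON, route each record to the log set it lands in (User Activity to Ingress Authentication, Audit Logs to Cloud Admin Activity), pull out the account, source address and host fields that attribution can key on, and decode the JSON string nested in AuditNewValue so that admin changes can be reviewed. The two records are constructed, trimmed versions of the sample logs above; the routing rule (presence of AuditOperationType versus connection fields), the private-before-public address preference and the trustUntrustedCert finding are this example's own assumptions, not InsightIDR's documented logic.

```python
"""Route Zscaler LSS records to InsightIDR log sets and extract attribution.

Added example, not Rapid7's or Zscaler's code. Field names follow the ZPA
default log stream content; the routing and finding rules are assumptions.
"""
import json
from typing import Any, Dict, List, Optional

# Constructed sample stream: LSS delivers one JSON object per line. The third
# line is deliberately malformed so the parser's error handling is exercised.
SAMPLE_STREAM = "\n".join([
    json.dumps({
        "LogTimestamp": "Fri May 31 17:35:42 2019",
        "SessionID": "SqyZIMkg0JTj7EABsvwA",
        "ConnectionStatus": "active",
        "Username": "jdoe@example.com",
        "ClientPublicIP": "34.209.189.218",
        "ClientPrivateIP": "",
        "Policy": "ANZ Lab Apps_1",
        "Connector": "ZDEMO ANZ Lab-1",
        "Host": "192.168.1.57",
        "Application": "ANZ Lab Apps",
        "ServerPort": 10011,
        "Idp": "Example IDP Config",
    }),
    json.dumps({
        "ModifiedTime": "2020-07-13T20:53:10.000Z",
        "AuditOldValue": "",
        "AuditNewValue": json.dumps({"id": "98765432100123456",
                                     "domain": "app1.test.com",
                                     "trustUntrustedCert": "true"}),
        "AuditOperationType": "Create",
        "ObjectType": "Browser Access",
        "ObjectName": "app1.test.com",
        "User": "zpaadmin@test.com",
    }),
    "this line is not json",
])


def classify(record: Dict[str, Any]) -> str:
    """Assumed rule: Audit records carry AuditOperationType, User Activity
    records carry connection fields; anything else is left unrouted."""
    if "AuditOperationType" in record:
        return "Cloud Admin Activity"
    if "ConnectionStatus" in record or "ZENTotalBytesRxClient" in record:
        return "Ingress Authentication"
    return "Unknown"


def attribution(record: Dict[str, Any]) -> Dict[str, Optional[str]]:
    """Fields attribution can key on: account, source address (the private
    IP when ZPA reports one, otherwise the public IP) and the host reached."""
    if "AuditOperationType" in record:
        return {"user": record.get("User"), "source_ip": None,
                "host": record.get("ObjectName"),
                "detail": f'{record.get("AuditOperationType")} {record.get("ObjectType")}'}
    return {"user": record.get("Username"),
            "source_ip": record.get("ClientPrivateIP") or record.get("ClientPublicIP"),
            "host": record.get("Host"),
            "detail": f'{record.get("Application")}:{record.get("ServerPort")} '
                      f'via {record.get("Connector")}'}


def audit_findings(record: Dict[str, Any]) -> List[str]:
    """Decode the JSON string nested in AuditNewValue and flag an app that was
    saved with trustUntrustedCert=true (assumed review rule)."""
    raw = record.get("AuditNewValue") or ""
    try:
        new_value = json.loads(raw) if raw else {}
    except json.JSONDecodeError:
        return [f"AuditNewValue is not JSON on {record.get('ObjectName')}"]
    if str(new_value.get("trustUntrustedCert", "")).lower() == "true":
        return [f"{record.get('User')} set trustUntrustedCert=true on "
                f"{record.get('ObjectType')} {record.get('ObjectName')}"]
    return []


def process_stream(text: str) -> Dict[str, Any]:
    """Split a newline-delimited LSS stream and route every record. Malformed
    lines are counted and skipped so one bad line cannot stall the receiver."""
    out: Dict[str, Any] = {"Ingress Authentication": [], "Cloud Admin Activity": [],
                           "Unknown": [], "findings": [], "dropped": 0}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            out["dropped"] += 1
            continue
        if not isinstance(record, dict):
            out["dropped"] += 1
            continue
        log_set = classify(record)
        out[log_set].append(attribution(record))
        if log_set == "Cloud Admin Activity":
            out["findings"].extend(audit_findings(record))
    return out


if __name__ == "__main__":
    print(json.dumps(process_stream(SAMPLE_STREAM), indent=2))
```

Point the same functions at the text copied from View Raw Log to confirm which log set each record will land in before you search for it; a non-zero dropped count means the stream is not plain JSON and the Log Template on the Zscaler side needs checking.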