The Nanolog Streaming Service (NSS) uses a virtual machine (VM) to stream traffic logs in real time from the Zscaler Nanolog to your security information and event management (SIEM) system, such as Splunk or ArcSight. This enables real-time alerting, correlation with the logs of your other devices, and long-term local log archival. Zscaler offers the following NSS subscriptions:

  • NSS for Web, which streams web and mobile traffic logs
  • NSS for Firewall, which streams logs from the Zscaler next-generation firewall

As shown in the figure below, the web and mobile traffic logs and the firewall logs are stored in the Nanolog in the Zscaler service cloud. When an organization deploys one NSS for web and mobile logs and another NSS for firewall logs, each NSS opens a secure tunnel to the Nanolog in the Zscaler cloud. The Nanolog then streams copies of the logs to each NSS in a highly compressed format to reduce the bandwidth footprint; the original logs are retained on the Nanolog.

When an NSS receives the logs from the Nanolog, it unscrambles them, applies the configured filters to exclude unwanted logs, converts the filtered logs to the configured output format so they can be parsed by your SIEM, and then streams the logs to your SIEM over a raw TCP connection. Unlike the NSS-to-Nanolog leg, this final hop is a plain TCP stream rather than a secure tunnel, so keep the NSS and the SIEM collector on a trusted network path and restrict which source addresses the collector accepts.

Additionally, if your organization has the Cloud Sandbox subscription, you can open a Sandbox Detail Report using the MD5 hash field that you retrieve from your logs in the SIEM.
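The receiving end of the pipeline described above, as an added example that is not Zscaler's code: a minimal SIEM-side collector that reassembles newline-delimited records from the raw TCP stream (a single recv() may return half a record or several), applies a local filter, and pulls out the MD5 field only after validating it, so that a log value never becomes an unvalidated lookup key for the Sandbox Detail Report. The NSS output format is admin-configured; the tab-separated key=value layout, the field names (time, login, action, url, md5), the sample records and the listening port are all assumptions made for this example.

```python
"""SIEM-side collector for an NSS feed streamed over raw TCP (added example,
not Zscaler's code). The tab-separated key=value record layout and the field
names used here are assumptions; configure the NSS output format to match."""
import re
import socket
from typing import Iterable, Iterator, Optional

# A well-formed MD5 is exactly 32 hex characters; anything else is rejected.
MD5_RE = re.compile(r"^[0-9a-f]{32}$")


def frame_stream(chunks: Iterable[bytes]) -> Iterator[str]:
    """Reassemble newline-delimited records from arbitrary TCP segments.

    TCP is a byte stream, so a segment may end mid-record; only complete
    lines are yielded and a trailing partial line (connection closed mid-record)
    is dropped rather than parsed as if it were whole.
    """
    buf = b""
    for chunk in chunks:
        buf += chunk
        while True:
            nl = buf.find(b"\n")
            if nl < 0:
                break
            line, buf = buf[:nl], buf[nl + 1:]
            if line.strip():
                yield line.decode("utf-8", errors="replace")


def parse_record(line: str) -> dict:
    """Parse one record of the assumed tab-separated key=value format."""
    record = {}
    for field in line.split("\t"):
        key, sep, value = field.partition("=")
        if sep:
            record[key.strip()] = value.strip()
    return record


def wants_record(record: dict) -> bool:
    """Local filter: keep blocked transactions and anything carrying a file hash.
    This is the SIEM-side counterpart of the NSS 'exclude unwanted logs' step."""
    return record.get("action") == "Blocked" or bool(record.get("md5"))


def sandbox_md5(record: dict) -> Optional[str]:
    """Return the normalized MD5 from the record, or None if it is malformed."""
    md5 = record.get("md5", "").lower()
    return md5 if MD5_RE.match(md5) else None


def ingest(chunks: Iterable[bytes]) -> list:
    """Run framing, parsing, filtering and hash validation over a stream."""
    out = []
    for line in frame_stream(chunks):
        rec = parse_record(line)
        if wants_record(rec):
            out.append((rec, sandbox_md5(rec)))
    return out


# Constructed sample: three records deliberately split across uneven segments,
# the second record straddling a segment boundary in the middle of a key.
SAMPLE_SEGMENTS = [
    b"time=2024-01-01 10:00:00\tlogin=alice@example.com\taction=Allowed\turl=example.com/a\tmd5=\n"
    b"time=2024-01-01 10:00:01\tlogin=bob@example.com\tact",
    b"ion=Blocked\turl=evil.example/x.exe\tmd5=9E107D9D372BB6826BD81D3542A419D6\n"
    b"time=2024-01-01 10:00:02\tlogin=carol@example.com\taction=Allowed\turl=files.example/y.doc\tmd5=not-a-hash\n",
]


def serve_once(host: str = "127.0.0.1", port: int = 5514) -> list:
    """Accept one TCP connection from an NSS and ingest its stream (port assumed)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))
        srv.listen(1)
        conn, _peer = srv.accept()
        with conn:
            return ingest(iter(lambda: conn.recv(4096), b""))


if __name__ == "__main__":
    for rec, md5 in ingest(SAMPLE_SEGMENTS):
        print(rec["login"], rec["action"], md5)
```

Of the three sample records, only the blocked download and the record with a malformed hash survive the filter; the malformed hash is reported as None rather than being passed on to a report lookup.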

The NSS requires minimal administration. After you deploy it, the NSS automatically polls the Zscaler service for updates and installs them. For monitoring purposes, you can configure a separate feed for NSS alerts. The service sends the alerts in an RFC-compliant syslog format to the IP address and port you specify.
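An added example of the monitoring side, not Zscaler's code: a receiver for the NSS alert feed that decodes the syslog PRI value into facility and severity so that error-level alerts can be routed differently from informational ones. The page only says the alerts are RFC-compliant syslog; this example assumes RFC 5424 message framing, UDP transport, the listening port, and the constructed alert messages below.

```python
"""Receiver and parser for the NSS alert feed (added example, not Zscaler's
code). RFC 5424 framing, UDP transport and the sample messages are assumptions."""
import re
import socket
from typing import Optional

SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD [MSG]
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[[^\]]*\])+) ?(?P<msg>.*)$",
    re.S,
)


def parse_syslog(message: str) -> Optional[dict]:
    """Parse an RFC 5424 message; return None for anything malformed."""
    m = HEADER_RE.match(message)
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:  # PRI = facility * 8 + severity, facility 0..23
        return None
    parsed = m.groupdict()
    parsed["facility"] = pri >> 3
    parsed["severity"] = SEVERITY[pri & 7]
    return parsed


def is_actionable(parsed: Optional[dict]) -> bool:
    """Treat 'err' and anything more severe as something to page on."""
    return parsed is not None and SEVERITY.index(parsed["severity"]) <= 3


# Constructed sample alerts: PRI 11 = facility 1 / severity 3 (err),
# PRI 14 = facility 1 / severity 6 (info).
SAMPLE_ERR = "<11>1 2024-01-01T10:00:00Z nss01 nss - - - NSS lost connection to Nanolog, retrying"
SAMPLE_INFO = "<14>1 2024-01-01T10:05:00Z nss01 nss - - - NSS update installed"


def receive_alerts(host: str = "0.0.0.0", port: int = 5514, max_messages: int = 1) -> list:
    """Receive NSS alert datagrams (UDP and port assumed) and parse each one.
    Returns (source address, parsed message) pairs so the caller can also
    check that alerts come from the expected NSS address."""
    results = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((host, port))
        while len(results) < max_messages:
            data, peer = sock.recvfrom(8192)
            results.append((peer[0], parse_syslog(data.decode("utf-8", errors="replace"))))
    return results


if __name__ == "__main__":
    for raw in (SAMPLE_ERR, SAMPLE_INFO):
        p = parse_syslog(raw)
        print(p["host"], p["severity"], "ACTIONABLE" if is_actionable(p) else "info-only", "-", p["msg"])
```

The receiver returns the source address alongside each parsed message; a collector should only accept alerts from the address of the NSS it monitors, since nothing in the syslog message itself authenticates the sender.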

Read more about how to configure an NSS.