NSS Configuration Guide

This guide describes the tasks required to deploy a Nanolog Streaming Service (NSS) to stream either web logs or firewall logs to a SIEM. Each step links you to the appropriate article for that configuration task.

To learn more about NSS, see About NSS.

A. Ensure that you have all the requirements in place.

B. On the Zscaler admin portal, register the NSS and download the NSS OVA file and SSL certificate.

C. On the vSphere client, configure and start the NSS.

D. Add NSS feeds for each NSS. An NSS feed specifies the data from the logs that the NSS will send to the SIEM. You can filter the data, so you send only the data you need to the SIEM. You can add one or more feeds for the logs and one feed for alerts. You can add up to eight NSS feeds for each NSS. Click a link below to learn how to configure each feed.

You can also learn about:

Deploying Multiple NSS VMs

For full site redundancy, each organization can subscribe to up to two NSS servers for each type of traffic and deploy each pair in an active-active configuration. Each NSS supports up to eight parallel feeds. Each feed can have a different list of fields, a different format, and different filters.

When you register a new NSS in the Zscaler service, you are required to download an SSL certificate, which you then upload to the new NSS that you configure. The newly configured NSS then uses the certificate to authenticate itself to the Zscaler service. You can configure one NSS as two virtual machines identified by the same certificate, as long as they do not try to connect to the Nanolog at the same time. One VM can be the active NSS and the other VM can be a cold standby. Zscaler strongly recommends against running both VMs as active because this will result in frequent connection resets and a failure to stream the logs.

For completely redundant site configurations, if your organization has two SIEMs, Zscaler recommends using two NSS subscriptions, so both NSS VMs can stream logs to the SIEMs at the same time. Each NSS will run independently, with different configurations, and stream logs to two separate SIEMs. This is not recommended if you use a single SIEM, because each NSS will send copies of the same logs to the SIEM, which might not be able to remove the duplicates.