Adding NSS Feeds for DNS Logs

You can configure up to eight NSS feeds to specify the data from the DNS logs that the NSS will send to the SIEM. For each feed, you can configure multiple types of filters. For example, you can configure separate feeds for each location or for different policy rules. Note that a large number of filters or complex filters, such as string search, might impact the performance of the NSS.

Before you start configuring a feed for DNS logs, consider the guidelines for configuring feeds.

To configure a feed for DNS logs:

  1. Go to Administration > Settings > Nanolog Streaming Service.
  2. From the NSS Feeds tab, click Add and complete the following:
    • Feed Name: Enter or edit the name of the feed. Each feed is a connection between NSS and your SIEM.
    • NSS Type: Select NSS for Firewall.
    • NSS Server: Choose an NSS from the list.
    • Status: It is Enabled by default. Click Disabled if you want to activate it at a later time.
    • SIEM IP Address and SIEM TCP Port: Enter the IP address and port of the SIEM to which the logs are streamed. Ensure that the SIEM is configured to accept the feed from NSS.
    • Log Type: Choose DNS Logs.
    • Feed Output Type: The output is a comma-separated (CSV) list by default. You can choose Name-Value Pairs or Tab-separated, if your SIEM accepts any of these formats.
    • Feed Escape Character: The Zscaler service hex encodes all non-printable ASCII characters that are in URLs when it sends the logs to the NSS. Any URL character that is less than 0x21, or above 0x7E, will be encoded as %HH. This ensures that your SIEM will be able to parse the URLs in case they contain non-printable characters. For example, a \n char in a URL is encoded as %0A, and a space is encoded as %20. In this field, you can specify additional characters that you would like to encode. For example, type a comma (,) to encode it as %2C. This is useful if you are using this character as your delimiter and would like to ensure it does not cause erroneous delimitation. Note that the service encodes characters in URLs, host names, and referer URLs only. If custom encoding was done for a record, the %s{eedone} field will be YES for that record.
    • Feed Output Format: These are the fields that will be displayed in the output. See NSS Feed Output Format for information about the available fields and their syntax.
    • User Obfuscation: You can enable user obfuscation. When you do, it displays a random string instead of the user names. If this is enabled, the ‘login’ field in Feed Format Output automatically changes to ‘ologin’ field which outputs the obfuscated login name. Choose Disable to display the user names.
    • Timezone: By default, this is set to the organization's time zone. The time zone you set applies to the time field in the output file. The time zone automatically adjusts to changes in daylight savings in the specific time zone. The configured time zone can be output to the logs as a separate field. The list of time zones is derived from the IANA Time Zone database. Direct GMT offsets can also be specified.
    • Duplicate Logs: To ensure that no logs are skipped during any down time, specify the number of minutes that NSS will send duplicate logs.
  3. Define filters for firewall logs as follows:
    • Action
      • Policy Actions
        • Allow: Use this filter to limit the logs to allowed DNS requests and responses.
        • Block: Use this filter to limit the logs to DNS requests and responses that the service dropped.
        • Redirect: Use this filter to limit the logs to transactions wherein the service redirected the DNS request or response.
        • Request Allow: Use this filter to limit the logs to allowed DNS requests only.
        • Request Block: Use this filter to limit the logs to DNS requests that the service dropped.
        • Request Redirect: Use this filter to limit the logs to DNS requests that the service redirected.  
        • Response Allow: Use this filter to limit the logs to allowed DNS responses only.
        • Response Block: Use this filter to limit the logs to DNS responses that the service dropped.
        • Response Redirect: Use this filter to limit the logs to DNS responses that the service redirected.  
      • Rule Name: Use this filter to limit the logs based on specific rules in the DNS Control policy. Choose the rules from the list.
    • Who
      • Users: Use this filter to limit the logs to specific users who generated transactions. To use the Search function, enter either the user name or email address in the Search box and click Search. There is no limit on the number of users that you can select. Users that are deleted after they are selected appear with a strikethrough line.
      • Departments: Use this filter to limit the logs to specific departments that generated transactions. To use the Search function, enter the department name in the Search box and click Search. There is no limit on the number of departments that you can select. Departments that are deleted after they are selected appear with a strikethrough line.
    • Source
      • Locations:  Use this filter to limit the logs to specific locations and sublocations. To use the Search function, enter the location name in the Search box and click Search. There is no limit on the number of locations that you can select. Locations that are deleted after they are selected appear with a strikethrough line.
      • Client IP Addresses: Use this filter to limit the logs based on a client’s IP address. You can enter:
        • An IP address (for example, 198.51.100.100)
        • A range of IP addresses (for example, 192.0.2.1-192.0.2.10)
        • An IP address with a netmask (for example, 203.0.113.0/24)

          You can enter multiple entries. Hit Enter after each entry.
    • Destination
      • Server IP Addresses: Use this filter to limit the logs to specific server IP addresses. You can enter:
        • An IP address (for example, 198.51.100.100)
        • A range of IP addresses (for example, 192.0.2.1-192.0.2.10)
        • An IP address with a netmask (for example, 203.0.113.0/24)

          You can enter multiple entries. Hit Enter after each entry.
      • Server Ports: Use this filter to limit the logs to specific server ports. You can specify individual ports and a range of ports.
      • IP Domain Classes: Use this filter to limit the logs to specific URL classes with the domain in the request.
      • IP Domain Super Categories: Use this filter to limit the logs to specific URL super categories with the domain in the request.
      • IP Domain Categories: Use this filter to limit the logs to specific URL categories associated with the domain in the request.  
    • Session
      • Domains: Use this filter to limit the logs to sessions associated with specific domains.
      • DNS Request Types: Use this filter to limit the logs to sessions associated with specific DNS request types.
      • DNS Response Codes: Use this filter to limit the logs to sessions associated with specific DNS response codes.
      • DNS Responses: Use this filter to limit the logs to sessions  that contained specific data in the DNS responses. You can specify domain names, IPv4 and IPv6 addresses. For IPv4 addresses, You can enter:
        • An IP address (for example, 198.51.100.100)
        • A range of IP addresses (for example, 192.0.2.1-192.0.2.10)
        • An IP address with a netmask (for example, 203.0.113.0/24)

          You can enter multiple entries separated by commas.
      • Durations: Use this filter to limit the logs based on the duration of the sessions, in seconds.
  4. Click Save and activate the change.