Your web transaction data has stories to tell. Important ones about threats, compliance, and operational health. But right now, those stories are probably scattered across expensive Security Event Managers (SEMs), threat analysis platforms, and various data lakes… not exactly a bestseller in the making.
As part of January 2025’s 4.10.0 release, customers can now source log data from Zscaler Nanolog Streaming Service (NSS) using the new Zscaler Cloud NSS Source. Cribl’s native integration with Zscaler NSS helps you:
Route critical security alerts to your Security Information and Event Management (SIEM) system for immediate action
Send enriched threat data to your analysis platforms
Archive everything else for compliance without breaking the bank
That way, you can stop paying premium SIEM prices for logs you rarely use, finally get your security and IT teams speaking the same data language, and make your threat analysts actually thank you for the quality of data they receive.
Meet Zscaler’s Nanolog Streaming Service
Zscaler’s Nanolog Streaming Service (NSS) is a log streaming service that allows customers to export security event logs. It is part of Zscaler’s broader platform. Zscaler accelerates digital transformation so customers can be more agile, efficient, resilient, and secure. The Zscaler Zero Trust Exchange protects thousands of customers from cyberattacks and data loss by securely connecting users, devices, and applications anywhere. Distributed across more than 150 data centers, the SSE-based Zero Trust Exchange is the world’s largest in-line cloud security platform.
How to Get Data Moving
Setting up data flow from Zscaler NSS to Cribl Stream will require action within both platforms. Before you start, ensure you have admin permissions in your Zscaler environment and Cribl Stream.
Setting up the new Zscaler Cloud NSS Source in Cribl Stream
Log in to Cribl, then navigate to Stream and select a Worker Group. Select Data > Sources.

Search or scroll to the Zscaler Cloud NSS tile. Select the tile and select Add Source.

Enter an Input ID, Address, and Port. Leave the HEC Endpoint as the default value (/services/collector).

Select Add Token.
Set the Authentication Method to Manual.
Select Generate.
Copy the Token value.
Select Save.
Commit and Deploy. The Token value will be used in the following Zscaler configuration steps.
Locate and note your Worker Group Ingress Address.

Within the specific Worker Group, navigate to the Overview tab. The Ingress Address is under Group Information. This will be used in the Zscaler configuration steps below.
Setting Up a Data Stream in Zscaler NSS Cloud
Log in to Zscaler.

In the left menu, select Administration, then Nanolog Streaming Service under Cloud Configuration.

Select the Cloud NSS Feeds tab. Then select +Add Cloud NSS Feed.

Enter the following Cloud NSS Feed configurations:
Add a Feed Name.
Select SIEM TYPE = Splunk.
Enter the API URL as:
https://default.<workspace>.<cribl_cloud_name>.cribl.cloud:<port>/services/collector
Add two HTTP Headers:
Key 1 = Authorization, Value 1 = token from the Cribl Zscaler Source
Key 2 = Content-Encoding, Value 2 = gzip
Continue to scroll down the NSS Cloud Feed configuration.

Select Log Type. Disable JSON Array Notation. Select Save.
You will see the feed added to the Cloud NSS Feed list.

Testing the Connection
In Cribl Stream, after committing and deploying, the Zscaler Source will change from a blue (no health metrics available) to a green (healthy) status icon.

Under the Status column of the Source line item, select the Live button next to the green status icon.

Select Capture and increase the Capture time (sec) to a large value like 100. Then select Start.
In a separate tab or window, navigate to the Cloud NSS Feed.

Select the Test Connectivity icon in the far right column. You will see a success message at the top of the console.

Navigate back to Cribl Stream to see the test event land successfully in the Zscaler Source!
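If the test event never shows up in the capture, it helps to reproduce the request the feed is configured to send and post it yourself. The script below is an added example, not Cribl or Zscaler code: it builds a gzip-compressed, newline-delimited JSON body (JSON Array Notation disabled) with the two headers configured above, and rejects the common copy/paste mistakes first. The Splunk-HEC-style event envelope, the sample event fields, and the function names are assumptions made for illustration.

```python
import gzip
import json
import urllib.request
from urllib.parse import urlsplit

HEC_PATH = "/services/collector"  # default HEC Endpoint on the Cribl Source


def build_feed_request(api_url, token, events):
    """Return (headers, body) shaped like the Cloud NSS feed configured above."""
    parts = urlsplit(api_url)
    # The API URL in the feed configuration is https; plain http would expose the token.
    if parts.scheme != "https":
        raise ValueError("API URL must use https")
    if parts.path.rstrip("/") != HEC_PATH:
        raise ValueError(f"API URL path must be {HEC_PATH}")
    if not token or token != token.strip():
        raise ValueError("token is empty or has stray whitespace from copy/paste")
    # JSON Array Notation disabled: one JSON object per line, no [ ] wrapper.
    ndjson = "\n".join(json.dumps(e, separators=(",", ":")) for e in events)
    headers = {
        "Authorization": token,      # Value 1 in the feed's HTTP Headers
        "Content-Encoding": "gzip",  # Value 2; the body must really be gzip
    }
    return headers, gzip.compress(ndjson.encode("utf-8"))


def send(api_url, token, events, timeout=10):
    """POST the events to the Source and return the HTTP status code."""
    headers, body = build_feed_request(api_url, token, events)
    req = urllib.request.Request(api_url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status


# Constructed sample event; field names are illustrative, not real NSS output.
SAMPLE_EVENTS = [
    {"sourcetype": "example-nss-web",
     "event": {"action": "Blocked", "url": "example.test/path"}},
]

if __name__ == "__main__":
    import sys
    # usage: python send_test_event.py <api_url> <token>
    print(send(sys.argv[1], sys.argv[2], SAMPLE_EVENTS))
```

Run it while the Source capture is open. If the constructed event lands but the Zscaler test does not, the difference is in the feed configuration rather than in the Source.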