Zscaler NSS sample event messages

Use these sample event messages to verify a successful integration with IBM QRadar.

Important: Due to formatting issues, paste the message format into a text editor and then remove any carriage return or line feed characters.

Sample 1: The following table provides a sample event message for the Firewall logs feed when you use the Syslog protocol for the Zscaler NSS DSM.

Table 1. Zscaler NSS Syslog sample message for the Firewall logs feed supported by Zscaler NSS.

Event name: Drop
Low-level category: Firewall Deny
Sample log message:
Jun 02 16:34:55 zscaler-nss: LEEF:1.0|Zscaler|NSS-FW|5.5|Drop|usrName=GCL->SBL-1\trole=Default Department\trealm=GCL->SBL-1\tsrc=10.11.12.13\tdst=10.66.69.21\tsrcPort=30513\tdstPort=53\tdstPreNATPort=30512\tsrcPreNATPort=234\tdstPostNATPort=2345\tsrcPostNATPort=332\tsrcPreNAT=10.17.15.14\tdstPreNAT=10.66.69.111\tsrcPostNAT=10.66.54.105\tdstPostNAT=10.17.15.14\ttsip=10.66.54.105\t\ttsport=0\t\tttype=GRE\tcat=nss-fw\tdnat=No\tstateful=No\taggregate=No\tnwsvc=HTTP\tnwapp=adultadworld\tproto=TCP\tipcat=Miscellaneous or Unknown\tdestcountry=United States\tavgduration=115\trulelabel=Firewall_Adult\tdstBytes=898\tsrcBytes=14754\tduration=0\tdurationms=115\tnumsessions=1

Sample 2: The following table provides a sample event message for the Web logs feed when you use the Syslog protocol for the Zscaler NSS DSM.

Table 2. Zscaler NSS Syslog sample message for the Web logs feed supported by Zscaler NSS.

Event name: Block
Low-level category: Network Threshold Policy Violation
Sample log message:
<13>Feb 21 06:56:02 zscalar.nss.test zscaler-nss: LEEF:1.0|Zscaler|NSS|4.1|IPS block outbound request: adware/spyware traffic|cat=Blocked devTime=Feb 21 2019 06:56:02 GMT devTimeFormat=MMM dd yyyy HH:mm:ss z src=192.0.2.0 dst=192.0.2.11 srcPostNAT=192.0.2.14 realm=Location 1 usrName=User01 srcBytes=175 dstBytes=14798 role=Unauthenticated Transactions policy=IPS block outbound request: adware/spyware traffic url=qradar.example.test/?v=3.08&pcrc=123456789=CHECK recordid=6660343920943824897 bwthrottle=NO useragent=Unknown referer=None hostname=qradar.example.test appproto=HTTP urlcategory=Suspected Spyware or Adware urlsupercategory=Advanced Security urlclass=Advanced Security Risk appclass=General Browsing appname=generalbrowsing malwaretype=Clean Transaction malwareclass=Clean Transaction threatname=Win32.PUA.Jeefo riskscore=100 dlpdict=None dlpeng=None fileclass=None filetype=None reqmethod=POST respcode=40
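The two samples differ in how LEEF attributes are delimited: the Firewall feed separates them with tab characters (printed above as literal \t), while the Web feed uses spaces with values that themselves contain spaces. The following Python parser, added here as an example and not part of the IBM documentation or the QRadar DSM, handles both forms and the syslog prefix, so you can check that a message pasted from a text editor still carries the fields QRadar is expected to map. It assumes the printed \t sequences stand for real tab characters, and the embedded samples are abbreviated copies of the two messages above.

```python
import re

# Abbreviated copies of the two page samples, constructed for this example.
# Sample 1 keeps the literal "\t" separators as printed; Sample 2 uses spaces.
FW_SAMPLE = (
    r"Jun 02 16:34:55 zscaler-nss: LEEF:1.0|Zscaler|NSS-FW|5.5|Drop|"
    r"usrName=GCL->SBL-1\trole=Default Department\tsrc=10.11.12.13\tdst=10.66.69.21"
    r"\tsrcPort=30513\tdstPort=53\ttsip=10.66.54.105\t\ttsport=0\t\tttype=GRE\tcat=nss-fw"
    r"\tipcat=Miscellaneous or Unknown\trulelabel=Firewall_Adult\tdstBytes=898\tsrcBytes=14754"
)
WEB_SAMPLE = (
    "<13>Feb 21 06:56:02 zscalar.nss.test zscaler-nss: LEEF:1.0|Zscaler|NSS|4.1|"
    "IPS block outbound request: adware/spyware traffic|cat=Blocked "
    "devTime=Feb 21 2019 06:56:02 GMT devTimeFormat=MMM dd yyyy HH:mm:ss z "
    "src=192.0.2.0 dst=192.0.2.11 realm=Location 1 usrName=User01 "
    "url=qradar.example.test/?v=3.08&pcrc=123456789=CHECK threatname=Win32.PUA.Jeefo riskscore=100"
)

# LEEF:<version>|Vendor|Product|ProductVersion|EventID|attributes
HEADER = re.compile(
    r"LEEF:(?P<leef>[\d.]+)\|(?P<vendor>[^|]*)\|(?P<product>[^|]*)\|"
    r"(?P<version>[^|]*)\|(?P<event>[^|]*)\|(?P<attrs>.*)$"
)
# Space-delimited form: split only where the next "key=" token begins,
# so values containing spaces ("Location 1", the devTime value) stay whole.
SPACE_SPLIT = re.compile(r" (?=[A-Za-z][A-Za-z0-9_]*=)")


def parse_leef(line: str) -> dict:
    """Return header fields, the syslog prefix, and an attrs dict for one LEEF line."""
    m = HEADER.search(line)  # search() skips the syslog PRI/timestamp/host prefix
    if not m:
        raise ValueError("no LEEF:<version>| header found")
    # Assumption: a printed "\t" denotes a tab; normalise it to a real tab first.
    raw = m.group("attrs").replace("\\t", "\t")
    if "\t" in raw:
        pairs = [p for p in raw.split("\t") if p]  # doubled tabs yield empty fields
    else:
        pairs = SPACE_SPLIT.split(raw)
    attrs = {}
    for pair in pairs:
        key, sep, value = pair.partition("=")  # split on the first "=" only
        if not sep:
            raise ValueError(f"malformed attribute {pair!r}")
        attrs[key] = value
    rec = {k: m.group(k) for k in ("leef", "vendor", "product", "version", "event")}
    rec["prefix"] = line[: m.start()].rstrip()
    rec["attrs"] = attrs
    return rec
```

Running `parse_leef` on a message that still contains a stray line break will fail on the broken attribute rather than silently dropping fields, which is the case the note at the top of the page warns about.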