Skip to main content

Zscaler

Zscaler is a cloud security platform that provides secure access to applications and services. The Zscaler connector enables you to send security logs, firewall logs, DNS logs, and other security data to Zscaler Cloud NSS (Network Security Services) for analysis and monitoring. This connector is particularly useful for applications that need to forward security logs, integrate security data with Zscaler, build security analytics solutions, or centralize security log management.

Zscaler icon

Power end-to-end data operations for your Zscaler API with Nexla. Our bi-directional Zscaler connector is purpose-built for Zscaler, making it simple to ingest data, sync it across systems, and deliver it anywhere — all with no coding required. Nexla turns API-sourced data into ready-to-use, reusable data products and makes it easy to send data to Zscaler or any other destination. With comprehensive monitoring, lineage tracking, and access controls, Nexla keeps your Zscaler workflows fast, secure, and fully governed.

Features

Type: API

SourceDestination

  • Seamless API Integration: Connect to any endpoint as source or destination without coding, with automatic data product creation
  • Visual Composition & Chaining: Build complex integrations using visual templates, chain API calls, and compose workflows with data validation and filtering
  • API Proxy: Expose curated slices of your data securely with a secure and customizable API proxy that validates and transforms data on the fly
  • Request optimization with intelligent batching, retry, and caching to minimize API calls and costs

Prerequisites

Before creating a Zscaler credential, you'll need to obtain OAuth 2.0 credentials (Client ID and Client Secret) and an authentication token from your Zscaler account. Zscaler Cloud NSS (Network Security Services) uses OAuth 2.0 for API authentication, along with an authentication token for securing API requests.

To obtain Zscaler API credentials:

  1. Log in to your Zscaler admin portal. Navigate to your Zscaler ZIA (Zscaler Internet Access) or ZPA (Zscaler Private Access) admin console.

  2. Navigate to Administration > Cloud NSS or Settings > Cloud NSS in the Zscaler admin portal.

  3. In the Cloud NSS settings, you'll need to configure a feed for log submission. This involves:

    • Creating a new Cloud NSS feed or selecting an existing feed
    • Configuring the feed type (e.g., Firewall Logs, DNS Logs, SaaS Security Logs, Endpoint DLP Logs)
  4. In the feed configuration, you'll receive:

    • Base URL: This is the HTTPS URL for log submission services. This is typically provided in the Cloud NSS feed configuration.
    • Authentication Token: This is a string authentication token for securing API requests to Zscaler Cloud NSS endpoints via HTTP headers.
  5. For OAuth 2.0 credentials (if required):

    • Navigate to Administration > API Keys or Settings > API Keys in the Zscaler admin portal.
    • Create a new API key or OAuth application to obtain:
      • Client ID: A unique public identifier assigned to your application
      • Client Secret: A confidential password or key provided alongside the client ID
  6. Copy the Base URL, Authentication Token, Client ID, and Client Secret. Store them securely, as you'll need them to authenticate API requests.

Zscaler Cloud NSS uses OAuth 2.0 with client credentials flow (2-legged OAuth) for API authentication, along with an authentication token for securing API requests. The authentication token is sent as an HTTP header, and OAuth 2.0 credentials are used to obtain access tokens. Both are required for Zscaler Cloud NSS API access.

For detailed information about Zscaler Cloud NSS authentication and feed configuration, refer to the Zscaler Cloud NSS Documentation and Zscaler API Documentation.

Authenticate

Credentials required

A direct authentication flow between a client application and server using client credentials, without user interaction

FieldRequiredSecretDescription
Client IDYesNoA unique public identifier assigned to your application for authentication purposes
Client SecretYesYesA confidential password or key provided alongside the client ID to authenticate your application
Authentication TokenYesNoString authentication token for securing API requests to Zscaler Cloud NSS endpoints via HTTP headers
Base URLYesNoRoot URL for log submission services. Must be a valid HTTPS URL. Required parameter.

Create a credential in Nexla

  1. After selecting the data source/destination type, click the Add Credential tile to open the Add New Credential overlay.

New Credential Overlay – Zscaler

ZscalerCred.png
  1. Enter a name for the credential in the Credential Name field and a short, meaningful description in the Credential Description field.

  2. In the Client ID field, enter the Client ID that you obtained from your Zscaler API key configuration. This is a unique public identifier assigned to your application for authentication purposes.

  3. In the Client Secret field, enter the Client Secret that you obtained from your Zscaler API key configuration. This is a confidential password or key provided alongside the client ID to authenticate your application.

  4. In the Authentication Token field, enter the authentication token that you obtained from your Zscaler Cloud NSS feed configuration. This is a string authentication token for securing API requests to Zscaler Cloud NSS endpoints via HTTP headers.

  5. In the Base URL field, enter the root URL for log submission services. This must be a valid HTTPS URL. This is typically provided in your Zscaler Cloud NSS feed configuration.

    The Client Secret and Authentication Token are sensitive information and should be kept secure. Both are required for Zscaler Cloud NSS API access. The OAuth 2.0 credentials are used to obtain access tokens, and the authentication token is sent as an HTTP header for securing API requests.

  6. Click the Save button at the bottom of the overlay. The newly added credential will now appear in a tile on the Authenticate screen during data source/destination creation.

Use as a destination

Click the + icon on the Nexset that will be sent to the Zscaler destination, and select the Send to Destination option from the menu. Select the Zscaler connector from the list of available destination connectors, then select the credential that will be used to connect to the Zscaler instance, and click Next; or, create a new Zscaler credential for use in this flow.

Endpoint templates

Nexla provides pre-built templates that can be used to rapidly configure destinations to send data to common Zscaler Cloud NSS API endpoints. Select the endpoint to which data will be sent from the Endpoint pulldown menu. Then, click on the template in the list below to expand it, and follow the instructions to configure additional endpoint settings.

SaaS Security Logs

This endpoint uploads security logs using Zscaler's NSS API. Use this endpoint when you need to send SaaS security logs, forward security events, or integrate security data with Zscaler Cloud NSS.

  • This endpoint accepts JSON data in the request body. The data should include security log information in the format expected by Zscaler Cloud NSS. Each record will be sent as a separate API request.
  • Ensure your data includes the required fields for Zscaler SaaS security logs, including timestamp, event type, user information, and security event details.

This endpoint uses POST method for uploading SaaS security logs. The endpoint accepts JSON data in the request body and does not support batch mode. For more information about SaaS Security Logs, refer to the Zscaler Cloud NSS Documentation.

Endpoint DLP Logs

This endpoint receives DLP (Data Loss Prevention) logs via Zscaler Cloud NSS. Use this endpoint when you need to send endpoint DLP logs, forward DLP events, or integrate DLP data with Zscaler.

  • This endpoint accepts JSON data in the request body. The data should include DLP log information in the format expected by Zscaler Cloud NSS. Each record will be sent as a separate API request.
  • Ensure your data includes the required fields for Zscaler endpoint DLP logs, including timestamp, DLP event type, file information, and policy details.

This endpoint uses POST method for receiving endpoint DLP logs. The endpoint accepts JSON data in the request body and does not support batch mode. For more information about Endpoint DLP Logs, refer to the Zscaler Cloud NSS Documentation.

Firewall Logs

This endpoint uploads firewall logs using Zscaler's NSS API. Use this endpoint when you need to send firewall logs, forward network security events, or integrate firewall data with Zscaler Cloud NSS.

  • This endpoint accepts JSON data in the request body. The data should include firewall log information in the format expected by Zscaler Cloud NSS. Each record will be sent as a separate API request.
  • Ensure your data includes the required fields for Zscaler firewall logs, including timestamp, source/destination IP addresses, ports, protocol, and firewall action.

This endpoint uses POST method for uploading firewall logs. The endpoint accepts JSON data in the request body and does not support batch mode. For more information about Firewall Logs, refer to the Zscaler Cloud NSS Documentation.

DNS Logs

This endpoint uploads DNS query logs to Zscaler Cloud NSS API. Use this endpoint when you need to send DNS logs, forward DNS query events, or integrate DNS data with Zscaler.

  • This endpoint accepts JSON data in the request body. The data should include DNS log information in the format expected by Zscaler Cloud NSS. Each record will be sent as a separate API request.
  • Ensure your data includes the required fields for Zscaler DNS logs, including timestamp, DNS query, response, and DNS server information.

This endpoint uses POST method for uploading DNS logs. The endpoint accepts JSON data in the request body and does not support batch mode. For more information about DNS Logs, refer to the Zscaler Cloud NSS Documentation.

Once the selected endpoint template has been configured, click the Test button to the right of the endpoint selection menu to send a sample of the data. The response will be displayed in the Endpoint Test Result panel on the right, allowing you to verify that the destination is configured correctly before saving.

Manual configuration

Zscaler destinations can also be manually configured to send data to any valid Zscaler Cloud NSS API endpoint not covered by the pre-built templates. Select the Advanced tab at the top of the configuration screen, and follow the instructions in Connect to Any API to configure the API method, endpoint URL, request headers, and request body template.

All Zscaler Cloud NSS endpoints use the POST method. Endpoint URLs typically follow the pattern {base_url}/services/collector, where {base_url} is the base URL configured in your Zscaler credential. The Authorization header with Bearer token and the authentication token header are automatically included from your credential; Content-Type is set to application/json and Content-Encoding to gzip for ingestion endpoints. The default request body template {message.json} works for most Zscaler Cloud NSS ingestion endpoints, sending the entire record as JSON — customize it only if a specific log type (firewall, DNS, DLP, etc.) requires a different structure.

Save & activate

Once all endpoint settings have been configured, click the Done button in the upper right corner of the screen to save and create the destination. To send the data to the configured Zscaler endpoint, open the destination resource menu, and select Activate.

The Nexset data will not be sent to the Zscaler endpoint until the destination is activated. Destinations can be activated immediately or at a later time, providing full control over data movement.