Zscaler Destination

Nexla's bi-directional connectors allow data to flow both to and from any location, making it simple to create a FlexFlow, DB-CDC, Spark ETL, or Replication data flow that sends data to a Zscaler location.

Create a New Data Flow

  1. To create a new data flow, navigate to the Integrate section, and click the New Data Flow button. Then, select the desired flow type from the list, and click the Create button.

  2. Select the Zscaler connector tile from the list of available connectors. Then, select the credential that will be used to connect to the Zscaler instance, and click Next; or, create a new Zscaler credential for use in this flow.

  3. In Nexla, Zscaler destinations can be created using pre-built endpoint templates, which expedite destination setup for common Zscaler Cloud NSS API endpoints. Each template is designed specifically for the corresponding Zscaler API endpoint, making destination configuration easy and efficient.
    • To configure this destination using a template, follow the instructions in Configure Using a Template.

    Zscaler destinations can also be configured manually, allowing you to send data to Zscaler API endpoints not included in the pre-built templates or apply further customizations to exactly suit your needs.
    • To configure this destination manually, follow the instructions in Configure Manually.

Configure Using a Template

Nexla provides pre-built templates that can be used to rapidly configure destinations to send data to common Zscaler Cloud NSS API endpoints. Each template is designed specifically for the corresponding Zscaler API endpoint, making destination setup easy and efficient.

Endpoint Settings

  • Select the endpoint to which this destination will send data from the Endpoint pulldown menu. The available endpoint templates are described below, with more information about each endpoint and how to configure your destination for it.

    SaaS Security Logs

    This endpoint uploads security logs using Zscaler's NSS API. Use this endpoint when you need to send SaaS security logs, forward security events, or integrate security data with Zscaler Cloud NSS.

    • This endpoint accepts JSON data in the request body. The data should include security log information in the format expected by Zscaler Cloud NSS. Each record will be sent as a separate API request.
    • Ensure your data includes the required fields for Zscaler SaaS security logs, including timestamp, event type, user information, and security event details.

    This endpoint uses the POST method for uploading SaaS security logs. The endpoint accepts JSON data in the request body and does not support batch mode. For more information about SaaS Security Logs, refer to the Zscaler Cloud NSS Documentation.

    Endpoint DLP Logs

    This endpoint receives DLP (Data Loss Prevention) logs via Zscaler Cloud NSS. Use this endpoint when you need to send endpoint DLP logs, forward DLP events, or integrate DLP data with Zscaler.

    • This endpoint accepts JSON data in the request body. The data should include DLP log information in the format expected by Zscaler Cloud NSS. Each record will be sent as a separate API request.
    • Ensure your data includes the required fields for Zscaler endpoint DLP logs, including timestamp, DLP event type, file information, and policy details.

    This endpoint uses the POST method for receiving endpoint DLP logs. The endpoint accepts JSON data in the request body and does not support batch mode. For more information about Endpoint DLP Logs, refer to the Zscaler Cloud NSS Documentation.

    Firewall Logs

    This endpoint uploads firewall logs using Zscaler's NSS API. Use this endpoint when you need to send firewall logs, forward network security events, or integrate firewall data with Zscaler Cloud NSS.

    • This endpoint accepts JSON data in the request body. The data should include firewall log information in the format expected by Zscaler Cloud NSS. Each record will be sent as a separate API request.
    • Ensure your data includes the required fields for Zscaler firewall logs, including timestamp, source/destination IP addresses, ports, protocol, and firewall action.

    This endpoint uses the POST method for uploading firewall logs. The endpoint accepts JSON data in the request body and does not support batch mode. For more information about Firewall Logs, refer to the Zscaler Cloud NSS Documentation.

    DNS Logs

    This endpoint uploads DNS query logs to the Zscaler Cloud NSS API. Use this endpoint when you need to send DNS logs, forward DNS query events, or integrate DNS data with Zscaler.

    • This endpoint accepts JSON data in the request body. The data should include DNS log information in the format expected by Zscaler Cloud NSS. Each record will be sent as a separate API request.
    • Ensure your data includes the required fields for Zscaler DNS logs, including timestamp, DNS query, response, and DNS server information.

    This endpoint uses the POST method for uploading DNS logs. The endpoint accepts JSON data in the request body and does not support batch mode. For more information about DNS Logs, refer to the Zscaler Cloud NSS Documentation.

Endpoint Testing

Once the selected endpoint template has been configured, Nexla can send a sample of the data that will be sent according to the current settings. This allows users to verify that the destination is configured correctly before saving.

  • To test the current endpoint configuration, click the Test button to the right of the endpoint selection menu. Sample data will be sent, and the response will be displayed in the Endpoint Test Result panel on the right.

  • If the test is not successful or the response is not as expected, review the selected endpoint and associated settings, and make any necessary adjustments. Then, click the Test button again, and check the response to ensure that the destination is configured correctly.

Configure Manually

Zscaler destinations can be manually configured to send data to any valid Zscaler Cloud NSS API endpoint. Manual configuration provides maximum flexibility for accessing endpoints not covered by pre-built templates or when you need custom API configurations.

With manual configuration, you can also create more complex Zscaler destinations, such as destinations that send data to multiple endpoints or destinations that require custom authentication headers or request parameters.

API Method

  1. To manually configure this destination, select the Advanced tab at the top of the configuration screen.

  2. Select the API method that will be used for calls to the Zscaler API from the Method pulldown menu. The most common methods are:

    • POST: For sending log data to the API (all Zscaler Cloud NSS endpoints use POST)

API Endpoint URL

  1. Enter the URL of the Zscaler Cloud NSS API endpoint to which this destination will send data in the Set API URL field. This should be the complete URL including the protocol (https://) and any required path parameters. Zscaler Cloud NSS API endpoints typically follow the pattern {base_url}/services/collector, where {base_url} is your Zscaler Cloud NSS base URL configured in the credential.

Ensure the API endpoint URL is correct, uses the base URL configured in your credential, and is accessible with your current credentials. You can test the endpoint using the Test button after configuring the URL. Zscaler Cloud NSS requires OAuth 2.0 Bearer token authentication and an authentication token header, both of which are automatically included from your credential.

Request Headers

Optional
  • If Nexla should include any additional request headers in API calls to this destination, enter the headers and corresponding values as comma-separated pairs in the Request Headers field (e.g., header1:value1,header2:value2). Additional headers are often required for API versioning, content type specifications, or custom authentication requirements.

    You do not need to include any headers already present in the credentials. Common headers like Authorization, Content-Type, Content-Encoding, and Accept are typically handled automatically by Nexla based on your credential configuration. For Zscaler, the Authorization header with Bearer token and the authentication token header are automatically included from your credential, and Content-Type is typically set to application/json with Content-Encoding set to gzip for ingestion endpoints.

Request Body Template

Optional
  • If the API endpoint requires a specific request body format, you can customize how Nexla formats the data before sending it to the Zscaler API by entering a request body template in the Request Body Template field. The template should use {message.json} to include the entire record as JSON, or you can specify individual fields using dot notation (e.g., {message.field_name}).

    For most Zscaler Cloud NSS ingestion endpoints, the default request body template {message.json} will work correctly, sending the entire record as JSON. You may need to customize the template if the API requires a specific structure or if you need to transform the data before sending. Zscaler Cloud NSS endpoints typically require specific JSON structures depending on the log type being sent (firewall, DNS, DLP, etc.).
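A local pre-check for the two optional fields above, added here as an example and not Nexla's own code: it parses a Request Headers value, flags headers that Nexla or the credential already supply, and lists request body template fields that a sample record cannot fill. The header name X-Log-Source, the sourcetype/event keys, the sample record, and nested dot-path traversal are assumptions.

```python
import re

# Headers the page says Nexla already sets from the credential or handles itself.
MANAGED = {"authorization", "content-type", "content-encoding", "accept"}
PLACEHOLDER = re.compile(r"\{message\.([A-Za-z0-9_.]+)\}")

def lint_headers(field):
    """Parse 'h1:v1,h2:v2' as entered in Request Headers; return (headers, findings)."""
    headers, findings, seen = {}, [], set()
    for pair in (p.strip() for p in field.split(",")):
        if not pair:
            continue
        name, sep, value = (s.strip() for s in pair.partition(":"))
        if not sep or not name or not value:
            findings.append(f"malformed pair: {pair!r}")
            continue
        if name.lower() in MANAGED:
            findings.append(f"{name}: already supplied by Nexla or the credential")
        if name.lower() in seen:
            findings.append(f"{name}: duplicate header")
        seen.add(name.lower())
        headers[name] = value
    return headers, findings

def missing_fields(template, record):
    """List {message.<path>} references that a sample record cannot satisfy."""
    missing = []
    for path in PLACEHOLDER.findall(template):
        if path == "json":           # {message.json} is the whole record
            continue
        node = record
        for key in path.split("."):  # nested traversal is an assumption
            if not isinstance(node, dict) or key not in node:
                missing.append(path)
                break
            node = node[key]
    return missing

# Constructed sample inputs (header name, field names and values are illustrative).
HEADERS_FIELD = "X-Log-Source:nexla, Content-Type:application/json, badpair"
TEMPLATE = '{"sourcetype": "{message.log_type}", "event": {message.json}}'
RECORD = {"timestamp": "2024-01-01T00:00:00Z", "action": "Allow"}

if __name__ == "__main__":
    print(lint_headers(HEADERS_FIELD))
    print(missing_fields(TEMPLATE, RECORD))
```

Because each record is sent as its own request, a field that is missing from some records produces a per-record failure rather than a rejected batch, so run the check against several representative records.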

Endpoint Testing

After configuring all settings for the selected endpoint, Nexla can send a sample of the data that will be sent according to the current configuration. This allows users to verify that the destination is configured correctly before saving.

  • To test the current endpoint configuration, click the Test button to the right of the endpoint selection menu. Sample data will be sent, and the response will be displayed in the Endpoint Test Result panel on the right.

  • If the test is not successful or the response is not as expected, review the selected endpoint and associated settings, and make any necessary adjustments. Then, click the Test button again, and check the response to ensure that the destination is configured correctly.

Save & Activate the Destination

  1. Once all of the relevant steps in the above sections have been completed, click the Create button in the upper right corner of the screen to save and create the new Zscaler destination. Nexla will now begin sending data to the configured endpoint according to your data flow schedule.