topic zScaler LSS Log Ingestion in Getting Data In https://community.splunk.com/t5/Getting-Data-In/zScaler-LSS-Log-Ingestion/m-p/573837#M101491 <P>I have a set up a single-node test instance of Splunk to try and ingest zScaler LSS (not NSS) logs via a TCP input. However, it is not ingesting any data, despite being able to see traffic via TCPDump on that port</P><P>I have installed the latest zScaler Splunk App (v2.0.7) and the zScaler Technical Add-on (v3.1.2)</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">[root@ip-10-127-0-113 apps]# ls | grep scaler TA-Zscaler_CIM zscalersplunkapp</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>via the WebUI, I have set up a TCP input on port 10000, set the sourcetype, app and index options.</P><P>I have checked to make sure that Splunk is listening on TCP/10000 and can see that it is</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">[root@ip-10-127-0-113 apps]# netstat -antp | grep 10000 tcp 0 0 0.0.0.0:10000 0.0.0.0:* LISTEN 7992/splunkd tcp 0 0 10.127.0.113:10000 x.x.x.x:38392 SYN_RECV - tcp 0 0 10.127.0.113:10000 x.x.x.x:51586 SYN_RECV - tcp 0 0 10.127.0.113:10000 x.x.x.x:53844 SYN_RECV -</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>I can't see any errors in the _internal index (although I could be searching wrong). I'm using the below search:</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">index=_internal "err*"</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>The only errors I can see relate to the 'summarize' command.</P><P>Any pointers would be really appreciated.</P><P>Many thanks,</P><P>&nbsp;</P> Fri, 05 Nov 2021 15:26:45 GMT omranb 2021-11-05T15:26:45Z zScaler LSS Log Ingestion https://community.splunk.com/t5/Getting-Data-In/zScaler-LSS-Log-Ingestion/m-p/573837#M101491 <P>I have a set up a single-node test instance of Splunk to try and ingest zScaler LSS (not NSS) logs via a TCP input. However, it is not ingesting any data, despite being able to see traffic via TCPDump on that port</P><P>I have installed the latest zScaler Splunk App (v2.0.7) and the zScaler Technical Add-on (v3.1.2)</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">[root@ip-10-127-0-113 apps]# ls | grep scaler TA-Zscaler_CIM zscalersplunkapp</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>via the WebUI, I have set up a TCP input on port 10000, set the sourcetype, app and index options.</P><P>I have checked to make sure that Splunk is listening on TCP/10000 and can see that it is</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">[root@ip-10-127-0-113 apps]# netstat -antp | grep 10000 tcp 0 0 0.0.0.0:10000 0.0.0.0:* LISTEN 7992/splunkd tcp 0 0 10.127.0.113:10000 x.x.x.x:38392 SYN_RECV - tcp 0 0 10.127.0.113:10000 x.x.x.x:51586 SYN_RECV - tcp 0 0 10.127.0.113:10000 x.x.x.x:53844 SYN_RECV -</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>I can't see any errors in the _internal index (although I could be searching wrong). I'm using the below search:</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">index=_internal "err*"</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>The only errors I can see relate to the 'summarize' command.</P><P>Any pointers would be really appreciated.</P><P>Many thanks,</P><P>&nbsp;</P> Fri, 05 Nov 2021 15:26:45 GMT https://community.splunk.com/t5/Getting-Data-In/zScaler-LSS-Log-Ingestion/m-p/573837#M101491 omranb 2021-11-05T15:26:45Z