All Apps and Add-ons

Zscaler Addon and Splunk Cloud: Do they require a TCP input to accept alerts from Zscaler?

ytenenbaum_splu
Splunk Employee
Splunk Employee

I am having an interesting discussion with a client here regarding Splunk Cloud and the ZScaler app/add-on, as it is something they deem as critical (given current issues they are having), and we have an app/add-on for it. While both are supported on Cloud according to Splunkbase, after going through docs it appears that they require a TCP input to accept alerts from ZScaler. I thought that wasn’t permitted with cloud environments?

Do we approach this as opening a TCP input and firewalling it to specific source IP’s? Or do we approach this as it cannot be done with the cloud environment and requires a local UF in a DMZ that will forward the data up to the cloud for processing?

0 Karma
1 Solution

ytenenbaum_splu
Splunk Employee
Splunk Employee

They just need a HF next to their internal NSS server which we can listen to and forward onto Cloud.

Watch the 3 min video. It’s around 1 minute in.

https://help.zscaler.com/zia/about-nanolog-streaming-service

So customers need to purchase and deploy the NSS product:

https://help.zscaler.com/zia/about-nanolog-streaming-service
https://www.zscaler.com/resources/data-sheets/zscaler-nanolog-streaming-service.pdf

Communication is encrypted between zScaler cloud and a customer’s NSS VM. It is only syslog/tcp from NSS -> Splunk, which by this point, is within their internal network (or this could be within a DMZ, …etc).

View solution in original post

ytenenbaum_splu
Splunk Employee
Splunk Employee

They just need a HF next to their internal NSS server which we can listen to and forward onto Cloud.

Watch the 3 min video. It’s around 1 minute in.

https://help.zscaler.com/zia/about-nanolog-streaming-service

So customers need to purchase and deploy the NSS product:

https://help.zscaler.com/zia/about-nanolog-streaming-service
https://www.zscaler.com/resources/data-sheets/zscaler-nanolog-streaming-service.pdf

Communication is encrypted between zScaler cloud and a customer’s NSS VM. It is only syslog/tcp from NSS -> Splunk, which by this point, is within their internal network (or this could be within a DMZ, …etc).

View solution in original post

Register for .conf21 Now! Go Vegas or Go Virtual!

How will you .conf21? You decide! Go in-person in Las Vegas, 10/18-10/21, or go online with .conf21 Virtual, 10/19-10/20.