Getting Data In

zScaler LSS Log Ingestion

omranb
Engager

I have a set up a single-node test instance of Splunk to try and ingest zScaler LSS (not NSS) logs via a TCP input. However, it is not ingesting any data, despite being able to see traffic via TCPDump on that port

I have installed the latest zScaler Splunk App (v2.0.7) and the zScaler Technical Add-on (v3.1.2)

 

 

[root@ip-10-127-0-113 apps]# ls | grep scaler
TA-Zscaler_CIM
zscalersplunkapp

 

 

via the WebUI, I have set up a TCP input on port 10000, set the sourcetype, app and index options.

I have checked to make sure that Splunk is listening on TCP/10000 and can see that it is

 

 

[root@ip-10-127-0-113 apps]# netstat -antp | grep 10000
tcp        0      0 0.0.0.0:10000           0.0.0.0:*               LISTEN      7992/splunkd
tcp        0      0 10.127.0.113:10000      x.x.x.x:38392     SYN_RECV    -
tcp        0      0 10.127.0.113:10000      x.x.x.x:51586     SYN_RECV    -
tcp        0      0 10.127.0.113:10000      x.x.x.x:53844     SYN_RECV    -

 

 

I can't see any errors in the _internal index (although I could be searching wrong). I'm using the below search:

 

 

index=_internal "err*"

 

 

The only errors I can see relate to the 'summarize' command.

Any pointers would be really appreciated.

Many thanks,

 

Labels (1)
0 Karma
Get Updates on the Splunk Community!

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...

Ready, Set, SOAR: How Utility Apps Can Up Level Your Playbooks!

 WATCH NOW Powering your capabilities has never been so easy with ready-made Splunk® SOAR Utility Apps. Parse ...

DevSecOps: Why You Should Care and How To Get Started

 WATCH NOW In this Tech Talk we will talk about what people mean by DevSecOps and deep dive into the different ...