Collect Zscaler Internet Access logs
====================================

Supported in: Google SecOps [SIEM](/chronicle/docs/secops/google-secops-siem-toc)

This document describes how you can export Zscaler Internet Access logs by setting up a Google Security Operations feed and how log fields map to Google SecOps Unified Data Model (UDM) fields.

For more information, see [Data ingestion to Google SecOps overview](/chronicle/docs/data-ingestion-flow).

A typical deployment consists of Zscaler Internet Access and the Google SecOps Webhook feed configured to send logs to Google SecOps. Each customer deployment can differ and might be more complex.

The deployment contains the following components:

- **Zscaler Internet Access**: The platform from which you collect logs.
- **Google SecOps feed**: The Google SecOps feed that fetches logs from Zscaler Internet Access and writes logs to Google SecOps.
- **Google SecOps**: Retains and analyzes the logs.

An ingestion label identifies the parser that normalizes raw log data to structured UDM format. The information in this document applies to the parser with the `ZSCALER_INTERNET_ACCESS` ingestion label.

Before you begin
----------------

Ensure you have the following prerequisites:

- Access to the Zscaler Internet Access console. For more information, see [Secure Internet and SaaS Access ZIA Help](https://help.zscaler.com/zia/getting-started).
- Zscaler Internet Access 2024 or later.
- All systems in the deployment architecture are configured with the UTC time zone.
- The API key that is needed to complete feed setup in Google Security Operations. For more information, see [Setting up API keys](https://support.google.com/googleapi/answer/6158862).

Set up feeds
------------

To configure this log type, follow these steps:

1. Go to **SIEM Settings > Feeds**.
2. Click **Add New Feed**.
3. Click the **Zscaler** feed pack.
4. Locate the required log type and click **Add New Feed**.
5. Enter values for the following input parameters:

    - **Source Type**: Webhook (Recommended)
    - **Split delimiter**: The character used to separate log lines. Leave blank if no delimiter is used.

    **Advanced options**

    - **Feed Name**: A prepopulated value that identifies the feed.
    - **Asset Namespace**: [Namespace associated with the feed](/chronicle/docs/investigation/asset-namespaces).
    - **Ingestion Labels**: Labels applied to all events from this feed.

6. Click **Create Feed**.

For more information about configuring multiple feeds for different log types within this product family, see [Configure feeds by product](/chronicle/docs/ingestion/ingestion-entities/configure-multiple-feeds).

Set up Zscaler Internet Access
------------------------------

1. In the Zscaler Internet Access console, click **Administration** > **Nanolog Streaming Service** > **Cloud NSS Feeds**, and then click **Add Cloud NSS Feed**.
2. The **Add Cloud NSS Feed** window appears. In the **Add Cloud NSS Feed** window, enter the details.
3. Enter a name for the feed in the **Feed Name** field.
4. Select **NSS for Web** in **NSS Type**.
5. Select the status from the **Status** list to activate or deactivate the NSS feed.
6. Keep the value in the **SIEM Rate** drop-down as **Unlimited**. To suppress the output stream because of licensing or other constraints, change the value.
7. Select **Other** in the **SIEM Type** list.
8. Select **Disabled** in the **OAuth 2.0 Authentication** list.
9. Enter a size limit for an individual HTTP request payload, following the SIEM's best practice, in **Max Batch Size**. For example, 512 KB.
10. Enter the HTTPS URL of the Chronicle API endpoint in the **API URL** field, in the following format:

    ```
    https://<CHRONICLE_REGION>-chronicle.googleapis.com/v1alpha/projects/<GOOGLE_PROJECT_NUMBER>/locations/<LOCATION>/instances/<CUSTOMER_ID>/feeds/<FEED_ID>:importPushLogs
    ```

    - `CHRONICLE_REGION`: Region where your Chronicle instance is hosted. For example, US.
    - `GOOGLE_PROJECT_NUMBER`: BYOP project number. Obtain this from C4.
    - `LOCATION`: Chronicle region. For example, US.
    - `CUSTOMER_ID`: Chronicle customer ID. Obtain this from C4.
    - `FEED_ID`: Feed ID shown in the Feed UI for the newly created webhook.
    - Sample API URL:

    ```
    https://us-chronicle.googleapis.com/v1alpha/projects/12345678910/locations/US/instances/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/feeds/yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy:importPushLogs
    ```

11. Click **Add HTTP Header**, and then add HTTP headers in the following format:

    - `Header 1`: **Key1:** `X-goog-api-key` and **Value1:** API key generated in the Google Cloud BYOP project's API Credentials.
    - `Header 2`: **Key2:** `X-Webhook-Access-Key` and **Value2:** API secret key generated from the webhook's "SECRET KEY".

12. Select **Admin Audit Logs** in the **Log Types** list.
13. Select **JSON** in the **Feed Output Type** list.
14. Set **Feed Escape Character** to `, \ "`.
15. To add a new field to the **Feed Output Format**, select **Custom** in the **Feed Output Type** list.
16. Copy-paste the **Feed Output Format** and add the new fields. Ensure the key names match the actual field names.
17. The following is the default **Feed Output Format**:

    ```
    { "sourcetype" : "zscalernss-audit", "event" :{"time":"%s{time}","recordid":"%d{recordid}","action":"%s{action}","category":"%s{category}","subcategory":"%s{subcategory}","resource":"%s{resource}","interface":"%s{interface}","adminid":"%s{adminid}","clientip":"%s{clientip}","result":"%s{result}","errorcode":"%s{errorcode}","auditlogtype":"%s{auditlogtype}","preaction":%s{preaction},"postaction":%s{postaction}}}
    ```

18. Select the timezone for the **Time** field in the output file in the **Timezone** list. By default, the timezone is set to your organization's time zone.
19. Review the configured settings.
20. Click **Save** to test connectivity. If the connection is successful, a green tick accompanied by the message **Test Connectivity Successful: OK (200)** appears.

For more information about Google SecOps feeds, see [Google Security Operations feeds documentation](/chronicle/docs/administration/feed-management). For information about requirements for each feed type, see [Feed configuration by type](/chronicle/docs/reference/feed-management-api#feed_configuration_by_type).

If you encounter issues when you create feeds, contact [Google Security Operations support](/chronicle/docs/support).

Supported Zscaler Internet Access log formats
---------------------------------------------

The Zscaler Internet Access parser supports logs in JSON format.

Supported Zscaler Internet Access sample logs
---------------------------------------------

- JSON

    ```json
    {
      "sourcetype": "zscalernss-audit",
      "event": {
        "time": "Wed May 29 17:45:03 2024",
        "recordid": "6095",
        "action": "UPDATE",
        "category": "ACCESS_CONTROL_RESOURCE",
        "subcategory": "URL_CATEGORY",
        "resource": "Custom SSL Bypass",
        "interface": "UI",
        "adminid": "abc@xyz.com",
        "clientip": "198.51.100.1",
        "result": "SUCCESS",
        "errorcode": "None",
        "auditlogtype": "ZIA",
        "preaction": "{"id":{"val":130%2c"mask":255%2c"parent":"CUSTOM_SUPERCATEGORY"%2c"deprecated":false%2c"backendName":"custom_03"%2c"name":"CUSTOM_03"%2c"userConfiguredName":""}%2c"configuredName":"Custom%20SSL%20Bypass"%2c"superCategory":"USER_DEFINED"%2c"keywords":[]%2c"keywordsRetainingParentCategory":[]%2c"customUrlsToAdd":[]%2c"customUrlsToDelete":[]%2c"urlsRetainingParentCategoryToAdd":[]%2c"urlsRetainingParentCategoryToDelete":[]%2c"customIpRangesToAdd":[]%2c"customIpRangesToDelete":[]%2c"ipRangesRetainingParentCategoryToAdd":[]%2c"ipRangesRetainingParentCategoryToDelete":[]%2c"customCategory":true%2c"editable":true%2c"description":"https://help.zscaler.com/zia/url-format-guidelines"%2c"type":"URL_CATEGORY"%2c"customUrlsCount":1%2c"urlsRetainingParentCategoryCount":60%2c"customIpRangesCount":0%2c"ipRangesRetainingParentCategoryCount":0%2c"urlsToAdd":[]%2c"urlsToDelete":[]%2c"dbCategorizedUrlsToAdd":[]%2c"dbCategorizedUrlsToDelete":[]}",
        "postaction": "{"id":{"val":130%2c"mask":255%2c"parent":"CUSTOM_SUPERCATEGORY"%2c"deprecated":false%2c"backendName":"custom_03"%2c"name":"CUSTOM_03"%2c"userConfiguredName":""}%2c"configuredName":"Custom%20SSL%20Bypass"%2c"superCategory":"USER_DEFINED"%2c"customUrlsToAdd":[]%2c"customUrlsToDelete":[]%2c"urlsRetainingParentCategoryToAdd":["webcast.temoinproduction.com"]%2c"urlsRetainingParentCategoryToDelete":[]%2c"customIpRangesToAdd":[]%2c"customIpRangesToDelete":[]%2c"ipRangesRetainingParentCategoryToAdd":[]%2c"ipRangesRetainingParentCategoryToDelete":[]%2c"customCategory":true%2c"editable":true%2c"description":"https://help.zscaler.com/zia/url-format-guidelines"%2c"type":"URL_CATEGORY"%2c"customUrlsCount":1%2c"urlsRetainingParentCategoryCount":61%2c"customIpRangesCount":0%2c"ipRangesRetainingParentCategoryCount":0%2c"urlsToAdd":[]%2c"urlsToDelete":[]%2c"dbCategorizedUrlsToAdd":[]%2c"dbCategorizedUrlsToDelete":[]}"
      }
    }
    ```

Field mapping reference
-----------------------

The following table lists the log fields of the `ZSCALER_INTERNET_ACCESS` log type and their corresponding UDM fields.

| Log field | UDM mapping | Logic |
|---|---|---|
| | metadata.event_type | The metadata.event_type UDM field is set to STATUS_UPDATE. |
| | metadata.product_name | The metadata.product_name UDM field is set to Admin Audit. |
| | metadata.vendor_name | The metadata.vendor_name UDM field is set to Zscaler. |
| sourcetype | additional.fields[sourcetype] | |
| time | metadata.event_timestamp | |
| recordid | metadata.product_log_id | |
| action | security_result.action_details | |
| category | target.security_result.category_details | |
| subcategory | target.security_result.category_details | |
| resource | target.resource.name | |
| interface | principal.resource.attribute.labels[interface] | |
| adminid | principal.user.userid | |
| clientip | principal.ip | |
| result | security_result.action | If the event.result log field value is equal to SUCCESS, then the security_result.action UDM field is set to ALLOW. Else, if the event.result log field value is equal to FAILURE, then the security_result.action UDM field is set to BLOCK. |
| errorcode | security_result.summary | |
| auditlogtype | additional.fields[auditlogtype] | |
| preaction | principal.resource.attribute.labels | Iterate through the preaction object: each preaction object key is mapped to the principal.resource.attribute.labels.key UDM field and each preaction object value is mapped to the principal.resource.attribute.labels.value UDM field. |
| postaction | principal.resource.attribute.labels | Iterate through the postaction object: each postaction object key is mapped to the principal.resource.attribute.labels.key UDM field and each postaction object value is mapped to the principal.resource.attribute.labels.value UDM field. |

Last updated (UTC): 2025-09-04.
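The mapping table worked through as an added Python example (not Google's parser or Zscaler's code): it takes one record in the default Feed Output Format, decodes the URL-encoded preaction/postaction objects, and applies the result-to-action rule. The sample record is constructed, and the output dict only follows the table's UDM paths, not the real UDM schema.

```python
import json
from urllib.parse import unquote

# Constructed sample shaped like the page's JSON sample log (not a real capture).
# ZIA delivers preaction/postaction as strings holding a URL-encoded JSON object
# (commas arrive as %2c, spaces as %20), so they need a second decoding pass.
SAMPLE_LOG = json.dumps({
    "sourcetype": "zscalernss-audit",
    "event": {
        "time": "Wed May 29 17:45:03 2024", "recordid": "6095", "action": "UPDATE",
        "category": "ACCESS_CONTROL_RESOURCE", "subcategory": "URL_CATEGORY",
        "resource": "Custom SSL Bypass", "interface": "UI", "adminid": "abc@xyz.com",
        "clientip": "198.51.100.1", "result": "SUCCESS", "errorcode": "None", "auditlogtype": "ZIA",
        "preaction": '{"configuredName":"Custom%20SSL%20Bypass"%2c"urlsRetainingParentCategoryCount":60}',
        "postaction": '{"configuredName":"Custom%20SSL%20Bypass"%2c"urlsRetainingParentCategoryCount":61}',
    },
})

def decode_action_object(field, raw):
    """preaction/postaction: a URL-encoded JSON string, or already an object."""
    if not raw or isinstance(raw, dict):
        return raw or {}
    try:
        return json.loads(unquote(raw))
    except json.JSONDecodeError:
        return {field: raw}  # keep the evidence instead of silently dropping it

def to_udm(raw_log):
    """Map one admin-audit record to a dict shaped after the table's UDM paths."""
    rec = json.loads(raw_log)
    ev = rec["event"]
    labels = [{"key": "interface", "value": ev.get("interface", "")}]
    # preaction and postaction both land in principal.resource.attribute.labels, so a key
    # the admin changed appears twice (old value, then new); a list keeps both.
    for field in ("preaction", "postaction"):
        for k, v in decode_action_object(field, ev.get(field)).items():
            labels.append({"key": k, "value": v if isinstance(v, str) else json.dumps(v)})
    action = {"SUCCESS": "ALLOW", "FAILURE": "BLOCK"}.get(ev.get("result"))
    udm = {
        "metadata": {"event_type": "STATUS_UPDATE", "product_name": "Admin Audit", "vendor_name": "Zscaler",
                     "event_timestamp": ev["time"], "product_log_id": ev["recordid"]},
        "principal": {"user": {"userid": ev["adminid"]}, "ip": [ev["clientip"]],
                      "resource": {"attribute": {"labels": labels}}},
        "target": {"resource": {"name": ev["resource"]},
                   "security_result": {"category_details": [ev["category"], ev["subcategory"]]}},
        "security_result": {"action_details": ev["action"], "summary": ev["errorcode"]},
        "additional": {"fields": {"sourcetype": rec["sourcetype"], "auditlogtype": ev["auditlogtype"]}},
    }
    if action:  # any other result value leaves security_result.action unset
        udm["security_result"]["action"] = action
    return udm
```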