ZPA-Sentinel SIEM ingestion


We have been trying to get ZPA (Zscaler Private Access) logs into Sentinel using the data connector described in Sentinel. The LSS was set up in AWS and the Log Receiver is an Azure Ubuntu VM.

It has not been successful at all and we just have some gibberish data (likely TCP traffic after a failed TLS handshake) in the Sentinel table. The plugin used by Sentinel is Fluentd, which is capturing the TCP data.


Has anyone succeeded in ingesting ZPA logs into Sentinel yet?

1 Reply

Hi @GraceAA,


I haven't worked with Zscaler products specifically, but I have experience with Fluentd and the Sentinel plugin.

Can you provide the Fluentd config?

Have you written an output plugin to dump logs to a file? Do the files match the data in Sentinel?

Have you checked the "Operation" table in the Sentinel workspace? Are there any errors for the system?
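The original post suspects the gibberish rows are raw bytes of a TLS handshake that a plain TCP listener accepted but never decrypted, and the reply suggests dumping what Fluentd receives to a file and comparing it with the Sentinel table. The following Python script, added here as an example and not part of either post or of any Zscaler or Microsoft tooling, ties those two together: it classifies each raw record as a TLS ClientHello (record type 0x16, a TLS version word, handshake type 0x01), as valid JSON, or as something else, so a practitioner can tell from the file dump whether the LSS is sending TLS that the listener is not terminating. The sample records are constructed, the file layout (one raw record per line) is an assumption, and the ZPA field names in the JSON sample are illustrative only.

```python
import json
from collections import Counter
from typing import Dict, Iterable

# TLS record layer constants (RFC 5246 / RFC 8446): content type, version words,
# and the handshake message type for ClientHello.
TLS_CONTENT_HANDSHAKE = 0x16
TLS_VERSIONS = {0x0300, 0x0301, 0x0302, 0x0303, 0x0304}
HANDSHAKE_CLIENT_HELLO = 0x01

# Constructed samples (not captured data): a TLS 1.2 ClientHello record prefix,
# a plausible JSON log line with made-up field names, and unrelated binary junk.
SAMPLES = [
    bytes.fromhex("160301002a0100002603035a") + b"\x00" * 20,
    b'{"LogTimestamp":"constructed","Customer":"example","ConnectionStatus":"open"}\n',
    b"\xff\x00garbage",
]


def classify_record(data: bytes) -> str:
    """Label one raw record received on the Fluentd TCP listener."""
    # A TLS handshake record starts: content type (1 byte), version (2 bytes),
    # length (2 bytes), then the handshake message type.
    if len(data) >= 6 and data[0] == TLS_CONTENT_HANDSHAKE:
        version = int.from_bytes(data[1:3], "big")
        if version in TLS_VERSIONS and data[5] == HANDSHAKE_CLIENT_HELLO:
            return "tls-client-hello"
    text = data.strip()
    if text.startswith((b"{", b"[")):
        try:
            json.loads(text.decode("utf-8"))
            return "json"
        except (UnicodeDecodeError, ValueError):
            return "malformed-json"
    return "other"


def summarize(records: Iterable[bytes]) -> Dict[str, int]:
    """Count record classes; a non-zero tls-client-hello count means the
    sender is speaking TLS to a listener that is not terminating it."""
    return dict(Counter(classify_record(r) for r in records))


def summarize_file(path: str) -> Dict[str, int]:
    """Assumes the debug file output wrote one raw record per line."""
    with open(path, "rb") as fh:
        return summarize(line for line in fh)


if __name__ == "__main__":
    # Run against the constructed samples; swap in summarize_file("<dump path>")
    # to inspect a real file dump.
    for sample in SAMPLES:
        print(classify_record(sample), sample[:16])
    print(summarize(SAMPLES))
```

If the dump is dominated by `tls-client-hello` records, the listener is receiving TLS it does not decrypt; Fluentd's `in_tcp` input can terminate TLS itself through its `<transport tls>` section (certificate and key paths are configured there), which is the setting to compare against what the LSS expects.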