Cyfin - Zscaler Support

New Release - Version 9.5.0 for Cyfin Now Available

• Upgrading from Cyfin v9.2.8 to v9.5.x
• Benefits of Upgrading to Cyfin VM

IMPORTANT NOTE: for 9.2.8 and earlier customers please contact support for upgrade.

Join our Early Adopter Program

Receive the latest solutions and have the opportunity to provide feedback directly to our development team. To learn more click here.

Cyfin - Zscaler Configuration

Cyfin is installed on a server, not on the Zscaler appliance.

Log File Setup

Log File Type:  Zscaler

Zscaler Configuration Steps

Zscaler uses a virtual machine, Nanolog Streaming Service (NSS), to stream logs from the Zscaler service and deliver them to Cyfin Syslog.

To collect logs for Zscaler Web Security, perform these steps detailed in the following sections:

1. Configure Zscaler NSS.
2. Connect the Zscaler NSS feed to Cyfin Syslog.

Configure Zscaler NSS

NSS is maintained and distributed by Zscaler as an Open Virtual Application (OVA). To stream logs to Cyfin Syslog, follow the steps outlined in the NSS Configuration Guide at https://support.zscaler.com/hc/en-us...guration-Guide.

Connect the Zscaler NSS Feed to Cyfin Syslog

Once you have configured the Zscaler NSS, now add a feed to send logs to Cyfin Syslog using the following steps.

1. Log into your Zscaler NSS system.
2. Go to Administration - Settings - Nanolog Streaming Service.
3. From the NSS Feeds tab, click Add.
4. In the Add NSS Feed dialog:
   • Feed Name. Enter a name for your NSS feed.
   • NSS Server. Select None.
   • SIEM IP Address. Enter the Cyfin IP address.
   • Log Type. Select Web Log.
   • Feed Output Type. QRadar LEEF is the default.
   • NSS Type. NSS for Web is the default.
   • Status. Select Enabled.
   • SIEM TCP Port. Enter the Cyfin Syslog TCP port number.
   • Feed Escape Character. Leave this field blank.
   • Feed Output Format. The LEEF format is displayed.
   • User Obfuscation. Select Disabled.
   • Duplicate Logs. Disabled by default.
   • Timezone. Set to GMT by default.
5. Click Save.

Cyfin Configuration Steps

Cyfin Syslog Server listens for syslog messages from your Zscaler device. Both UDP-based and TCP-based messages are supported.

1. Select the Zscaler log file configuration in Cyfin for your Zscaler device.
2. Specify the Directory in which the log files will be created. The default directory is [InstallPath]\wc\cf\log.
3. Select Enable Syslog Server.
4. For Port Type, select UDP or TCP for the Internet protocol you want to use.
5. In the Listening Port field, the default port number is 1455. The listening port will be used by your Zscaler device to transfer the data. You may change this number if necessary.
6. At your Zscaler device, specify the IP address of the Cyfin server and the listening port, and submit the syslog messages.
7. Your log files will be created and displayed in the Log File Viewer in Cyfin.
8. If you have many of the same Zscaler devices, use one log file configuration with one listening port, and point each Zscaler device to the same listening port.