Collect Zscaler DNS logs
This document describes how you can export Zscaler DNS logs by setting up a Google Security Operations feed and how log fields map to Google SecOps Unified Data Model (UDM) fields.
For more information, see Data ingestion to Google SecOps overview.
A typical deployment consists of Zscaler DNS and the Google SecOps Webhook feed configured to send logs to Google SecOps. Each customer deployment can differ and might be more complex.
The deployment contains the following components:
- Zscaler DNS: The platform from which you collect logs. 
- Google SecOps feed: The Google SecOps feed that fetches logs from Zscaler DNS and writes logs to Google SecOps. 
- Google SecOps: Retains and analyzes the logs. 
An ingestion label identifies the parser which normalizes raw log data to structured UDM format. The information in this document applies to the parser with the ZSCALER_DNS ingestion label.
Before you begin
Ensure you have the following prerequisites:
- Access to the Zscaler Internet Access console. For more information, see Secure Internet and SaaS Access ZIA Help.
- Zscaler DNS 2024 or later
- All systems in the deployment architecture are configured with the UTC time zone.
- The API key that is needed to complete feed setup in Google Security Operations. For more information, see Setting up API keys.
Set up feeds
To configure this log type, follow these steps:
- Go to SIEM Settings > Feeds.
- Click Add New Feed.
- Click the Zscaler feed pack.
- Locate the required log type and click Add New Feed.
- Enter values for the following input parameters:
  - Source Type: Webhook (Recommended)
  - Split delimiter: the character used to separate log lines. Leave blank if no delimiter is used.
  - Advanced options:
    - Feed Name: A prepopulated value that identifies the feed.
    - Asset Namespace: Namespace associated with the feed.
    - Ingestion Labels: Labels applied to all events from this feed.
- Click Create Feed.
For more information about configuring multiple feeds for different log types within this product family, see Configure feeds by product.
Set up Zscaler DNS
- In the Zscaler Internet Access console, click Administration > Nanolog Streaming Service > Cloud NSS Feeds and then click Add Cloud NSS Feed.
- In the Add Cloud NSS Feed window that appears, enter the following details.
- Enter a name for the feed in the Feed Name field.
- Select NSS for DNS in NSS Type.
- Select the status from the Status list to activate or deactivate the NSS feed.
- Keep the value in the SIEM Rate drop-down as Unlimited. To suppress the output stream due to licensing or other constraints, change the value.
- Select Other in the SIEM Type list.
- Select Disabled in the OAuth 2.0 Authentication list.
- In Max Batch Size, enter the size limit for an individual HTTP request payload, following the SIEM's best practice. For example, 512 KB.
- Enter the HTTPS URL of the Chronicle API endpoint in the API URL field, in the following format:
  - https://<CHRONICLE_REGION>-chronicle.googleapis.com/v1alpha/projects/<GOOGLE_PROJECT_NUMBER>/locations/<LOCATION>/instances/<CUSTOMER_ID>/feeds/<FEED_ID>:importPushLogs
  - CHRONICLE_REGION: Region where your Chronicle instance is hosted. For example, US.
  - GOOGLE_PROJECT_NUMBER: BYOP project number. Obtain this from C4.
  - LOCATION: Chronicle region. For example, US.
  - CUSTOMER_ID: Chronicle customer ID. Obtain this from C4.
  - FEED_ID: The feed ID shown in the Feed UI for the webhook feed you created.
  - Sample API URL: https://us-chronicle.googleapis.com/v1alpha/projects/12345678910/locations/US/instances/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/feeds/yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy:importPushLogs
- Click Add HTTP Header, and then add HTTP headers in the following format:
  - Header 1: Key1: X-goog-api-key and Value1: the API key generated in Google Cloud BYOP's API Credentials.
  - Header 2: Key2: X-Webhook-Access-Key and Value2: the API secret key generated as the webhook's "SECRET KEY".
- Select DNS Logs in the Log Types list. 
- Select JSON in the Feed Output Type list. 
- Set Feed Escape Character to `, \ "`.
- To add a new field to the Feed Output Format, select Custom in the Feed Output Type list. 
- Copy-paste the Feed Output Format and add new fields. Ensure the key names match the actual field names. 
- Following is the default Feed Output Format:

  ```
  { "sourcetype" : "zscalernss-dns", "event" :{"datetime":"%s{time}","user":"%s{elogin}","department":"%s{edepartment}","location":"%s{elocation}","reqaction":"%s{reqaction}","resaction":"%s{resaction}","reqrulelabel":"%s{reqrulelabel}","resrulelabel":"%s{resrulelabel}","dns_reqtype":"%s{reqtype}","dns_req":"%s{req}","dns_resp":"%s{res}","srv_dport":"%d{sport}","durationms":"%d{durationms}","clt_sip":"%s{cip}","srv_dip":"%s{sip}","category":"%s{domcat}","respipcategory":"%s{respipcat}","deviceowner":"%s{deviceowner}","devicehostname":"%s{devicehostname}"}}
  ```
- Select the timezone for the Time field in the output file in the Timezone list. By default, the timezone is set to your organization's time zone. 
- Review the configured settings. 
- Click Save to test connectivity. If the connection is successful, a green tick accompanied by the message Test Connectivity Successful: OK (200) appears. 
For more information about Google SecOps feeds, see Google SecOps feeds documentation. For information about requirements for each feed type, see Feed configuration by type.
If you encounter issues when you create feeds, contact Google SecOps support.
Supported Zscaler DNS log formats
The Zscaler DNS parser supports logs in JSON format.
Supported Zscaler DNS Sample Logs
JSON:

```json
{
  "sourcetype": "zscalernss-dns",
  "event": {
    "srv_dport": "53",
    "durationms": "1306",
    "clt_sip": "1.1.1.1",
    "respipcategory": "Other",
    "datetime": "Sun Sep 18 22:41:05 2020",
    "reqaction": "Allow",
    "resaction": "Allow",
    "resrulelabel": "None",
    "category": "Finance",
    "devicehostname": "dummy_hostname",
    "user": "test.123@test.com",
    "location": "dummy",
    "deviceowner": "212582",
    "department": "Output%20Solutions",
    "reqrulelabel": "Default Firewall DNS Rule",
    "dns_reqtype": "SRV",
    "dns_req": "dummy.domains.com",
    "dns_resp": "NXDOMAIN",
    "srv_dip": "1.1.1.1"
  }
}
```
Field mapping reference
Field mapping reference: ZSCALER_DNS
The following table lists the log fields of the ZSCALER_DNS log type and their corresponding UDM fields.
| Log field | UDM mapping | Logic | 
|---|---|---|
|  | metadata.event_type | The metadata.event_type UDM field is set to NETWORK_DNS. |
|  | metadata.product_name | The metadata.product_name UDM field is set to DNS. |
|  | metadata.vendor_name | The metadata.vendor_name UDM field is set to Zscaler. |
|  | metadata.description | If the category log field value is not empty and the durationms log field value is not empty, then the string `NSSDNSLog \| Duration: <durationms> ms \| Category: <category>` is mapped to the metadata.description UDM field. Else, if the category log field value is not empty, then the string `DNS request to <category>` is mapped to the metadata.description UDM field. |
| recordid | metadata.product_log_id | |
| datetime | metadata.event_timestamp | |
| epochtime | metadata.event_timestamp | |
|  | network.application_protocol | The network.application_protocol UDM field is set to DNS. |
|  | network.dns.response_code | The network.dns.response_code UDM field is set according to the dns_resp log field value: NOERROR = 0, FORMERR = 1, SERVFAIL = 2, NXDOMAIN = 3, NOTIMP = 4, REFUSED = 5, YXDOMAIN = 6, YXRRSET = 7, NXRRSET = 8, NOTAUTH = 9, NOTZONE = 10. |
| dns_resp | network.dns.answers.data | |
|  | network.dns.answers.type | If the restype log field value matches the regular expression pattern ipv4, then the network.dns.answers.type UDM field is set to 1. Else, if the restype log field value matches the regular expression pattern ipv6, then the network.dns.answers.type UDM field is set to 28. |
| dns_req | network.dns.questions.name | |
|  | network.dns.questions.type | The network.dns.questions.type UDM field is set according to the record_type log field value: A = 1, NS = 2, MD = 3, MF = 4, CNAME = 5, SOA = 6, MB = 7, MG = 8, MR = 9, NULL = 10, WKS = 11, PTR = 12, HINFO = 13, MINFO = 14, MX = 15, TXT = 16, RP = 17, AFSDB = 18, X25 = 19, ISDN = 20, RT = 21, NSAP = 22, NSAP-PTR = 23, SIG = 24, KEY = 25, PX = 26, GPOS = 27, AAAA = 28, LOC = 29, NXT = 30, EID = 31, NIMLOC = 32, SRV = 33, ATMA = 34, NAPTR = 35, KX = 36, CERT = 37, A6 = 38, DNAME = 39, SINK = 40, OPT = 41, APL = 42, DS = 43, SSHFP = 44, IPSECKEY = 45, RRSIG = 46, NSEC = 47, DNSKEY = 48, DHCID = 49, NSEC3 = 50, NSEC3PARAM = 51, TLSA = 52, SMIMEA = 53, UNASSIGNED = 54, HIP = 55, NINFO = 56, RKEY = 57, TALINK = 58, CDS = 59, CDNSKEY = 60, OPENPGPKEY = 61, CSYNC = 62, ZONEMD = 63, SVCB = 64, HTTPS = 65, SPF = 99, UINFO = 100, UID = 101, GID = 102, UNSPEC = 103, NID = 104, L32 = 105, L64 = 106, LP = 107, EUI48 = 108, EUI64 = 109, TKEY = 249, TSIG = 250, IXFR = 251, AXFR = 252, MAILB = 253, MAILA = 254, ALL = 255, URI = 256, CAA = 257, AVC = 258, DOA = 259, AMTRELAY = 260, TA = 32768, DLV = 32769. |
| dns_reqtype | additional.fields [dns_reqtype] | |
| http_code | network.http.response_code | |
| protocol | network.ip_protocol | If the protocol log field value contains one of the following values, then the protocol log field is mapped to the network.ip_protocol UDM field. |
| durationms | network.session_duration.seconds | |
| devicemodel | principal.asset.hardware.model | |
| devicename | principal.asset.asset_id | |
| devicehostname | principal.asset.hostname | |
|  | principal.asset.platform_software.platform | If the deviceostype log field value matches the regular expression pattern (?i)win, then the principal.asset.platform_software.platform UDM field is set to WINDOWS. Else, if the deviceostype log field value matches the regular expression pattern (?i)lin, then the principal.asset.platform_software.platform UDM field is set to LINUX. |
| deviceosversion | principal.asset.platform_software.platform_version | |
| company | principal.user.company_name | |
| department | principal.user.department | |
| user | principal.user.email_addresses | If the user log field value matches the regular expression pattern (^.*@.*$) or the login log field value matches the regular expression pattern (^.*@.*$), and the user log field value is not empty, then the user log field is mapped to the principal.user.email_addresses UDM field. |
| login | principal.user.email_addresses | If the user log field value matches the regular expression pattern (^.*@.*$) or the login log field value matches the regular expression pattern (^.*@.*$), and the user log field value is empty, then the login log field is mapped to the principal.user.email_addresses UDM field. |
| deviceowner | principal.user.userid | |
| clt_sip | principal.ip | |
| location | principal.location.name | |
| reqrulelabel | security_result.rule_name | |
| rule | security_result.rule_name | |
|  | security_result.action | If the reqaction log field value matches the regular expression pattern (?i)BLOCK, then the security_result.action UDM field is set to BLOCK. Else, if the reqaction log field value matches the regular expression pattern (?i)ALLOW, then the security_result.action UDM field is set to ALLOW. |
| reqaction | security_result.action_details | |
|  | security_result.category | If the category log field value is not empty, then the security_result.category UDM field is set to NETWORK_CATEGORIZED_CONTENT. |
| category | security_result.category_details | |
| resrulelabel | security_result.rule_name | |
|  | security_result.action | If the resaction log field value matches the regular expression pattern (?i)BLOCK, then the security_result.action UDM field is set to BLOCK. Else, if the resaction log field value matches the regular expression pattern (?i)ALLOW, then the security_result.action UDM field is set to ALLOW. |
| resaction | security_result.action_details | |
|  | security_result.category | If the respipcategory log field value is not empty, then the security_result.category UDM field is set to NETWORK_CATEGORIZED_CONTENT. |
| respipcategory | security_result.category_details | |
| ecs_slot | security_result.rule_labels [ecs_slot] | If the dnsgw_slot log field value is empty, then the ecs_slot log field is mapped to the security_result.rule_name UDM field. |
| dnsgw_slot | security_result.rule_name | If the dnsgw_slot log field value is not empty, then the dnsgw_slot log field is mapped to the security_result.rule_name UDM field. |
| ecs_slot | security_result.rule_name | If the dnsgw_slot log field value is not empty, then the ecs_slot log field is mapped to the security_result.rule_labels UDM field. |
| dnsapp | target.application | |
| srv_dip | target.ip | |
| srv_dport | target.port | |
| datacentercity | target.location.city | |
| datacentercountry | target.location.country_or_region | |
| datacenter | target.location.name | |
| cloudname | security_result.detection_fields [cloudname] | |
| dnsappcat | security_result.detection_fields [dnsappcat] | |
| ecs_prefix | security_result.detection_fields [ecs_prefix] | |
| error | security_result.detection_fields [error] | |
| istcp | security_result.detection_fields [istcp] | |
| ocip | security_result.detection_fields [ocip] | |
| odevicehostname | security_result.detection_fields [odevicehostname] | |
| odeviceowner | security_result.detection_fields [odeviceowner] | |
| odevicename | security_result.detection_fields [odevicename] | |
| odomcat | security_result.detection_fields [odomcat] | |
| dnsgw_flags | security_result.detection_fields[dnsgw_flags] | |
| dnsgw_srv_proto | security_result.detection_fields[dnsgw_srv_proto] | |
| erulelabel | security_result.rule_labels [erulelabel] | |
| ethreatname | security_result.threat_name | |
| durationms | additional.fields [durationms] | If the durationms log field value is equal to 1, then the durationms log field is mapped to the additional.fields.durationms UDM field. |
| sourcetype | additional.fields[sourcetype] | |
| deviceappversion | additional.fields [deviceappversion] | |
| devicetype | additional.fields [devicetype] | |
| eedone | additional.fields [eedone] | |
| tz | additional.fields [tz] | |
| ss | additional.fields [ss] | |
| mm | additional.fields [mm] | |
| hh | additional.fields [hh] | |
| dd | additional.fields [dd] | |
| mth | additional.fields [mth] | |
| yyyy | additional.fields [yyyy] | |
| mon | additional.fields [mon] | |
| day | additional.fields [day] | 
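As an added example (illustrative Python, not the Google SecOps parser itself), the following code applies the mapping logic from the table above to the sample log from this page and to a constructed second record. The millisecond-to-second conversion for network.session_duration and the selection of a subset of the record_type list are assumptions; everything else follows the table rows named in the comments.

```python
import json
import re

# network.dns.response_code row: RCODE name -> numeric code
RESPONSE_CODES = {"NOERROR": 0, "FORMERR": 1, "SERVFAIL": 2, "NXDOMAIN": 3, "NOTIMP": 4,
                  "REFUSED": 5, "YXDOMAIN": 6, "YXRRSET": 7, "NXRRSET": 8, "NOTAUTH": 9,
                  "NOTZONE": 10}
# network.dns.questions.type row; a subset of the table's record_type list
QUESTION_TYPES = {"A": 1, "NS": 2, "CNAME": 5, "SOA": 6, "PTR": 12, "MX": 15, "TXT": 16,
                  "AAAA": 28, "SRV": 33, "DS": 43, "RRSIG": 46, "DNSKEY": 48, "TLSA": 52,
                  "SVCB": 64, "HTTPS": 65, "CAA": 257}
EMAIL_RE = re.compile(r"^.*@.*$")  # user / login rows

def action_of(value):
    """security_result.action rows: case-insensitive BLOCK or ALLOW match, else None."""
    for name in ("BLOCK", "ALLOW"):
        if value and re.search(name, value, re.IGNORECASE):
            return name
    return None

def security_result(ev, rule_key, action_key, cat_key):
    """One security_result entry for the request (req*) or the response (res*) side."""
    sr = {"rule_name": ev.get(rule_key), "action": action_of(ev.get(action_key)),
          "action_details": ev.get(action_key)}
    if ev.get(cat_key):  # category / respipcategory rows
        sr.update(category="NETWORK_CATEGORIZED_CONTENT", category_details=ev[cat_key])
    return sr

def to_udm(raw_log):
    """Map one NSS DNS JSON record to a UDM-shaped dict following the table above."""
    ev = json.loads(raw_log)["event"]
    meta = {"event_type": "NETWORK_DNS", "product_name": "DNS", "vendor_name": "Zscaler",
            "event_timestamp": ev.get("datetime")}
    cat, dur = ev.get("category"), ev.get("durationms")
    if cat and dur:  # metadata.description row, label taken as written in the table
        meta["description"] = f"NSSDNSLog | Duration: {dur} ms | Category: {cat}"
    elif cat:
        meta["description"] = f"DNS request to {cat}"
    dns = {"questions": [{"name": ev.get("dns_req")}]}
    if ev.get("record_type") in QUESTION_TYPES:
        dns["questions"][0]["type"] = QUESTION_TYPES[ev["record_type"]]
    if ev.get("dns_resp"):
        dns["answers"] = [{"data": ev["dns_resp"]}]
        if ev["dns_resp"] in RESPONSE_CODES:  # an RCODE name rather than answer data
            dns["response_code"] = RESPONSE_CODES[ev["dns_resp"]]
        restype = ev.get("restype", "")  # network.dns.answers.type row
        if re.search("ipv4", restype):
            dns["answers"][0]["type"] = 1
        elif re.search("ipv6", restype):
            dns["answers"][0]["type"] = 28
    network = {"application_protocol": "DNS", "dns": dns}
    if dur:  # durationms -> session_duration.seconds; the ms-to-s conversion is assumed
        network["session_duration"] = {"seconds": int(dur) / 1000}
    user, login = ev.get("user", ""), ev.get("login", "")
    principal = {"user": {"userid": ev.get("deviceowner"), "department": ev.get("department")},
                 "asset": {"hostname": ev.get("devicehostname")}, "ip": [ev.get("clt_sip")],
                 "location": {"name": ev.get("location")}}
    if EMAIL_RE.match(user) or EMAIL_RE.match(login):
        principal["user"]["email_addresses"] = [user or login]
    target = {"ip": [ev.get("srv_dip")]}
    if ev.get("srv_dport"):
        target["port"] = int(ev["srv_dport"])
    return {"metadata": meta, "network": network, "principal": principal, "target": target,
            "security_result": [security_result(ev, "reqrulelabel", "reqaction", "category"),
                                security_result(ev, "resrulelabel", "resaction", "respipcategory")]}

# Constructed input: the sample log from this page, serialised as a single JSON line
SAMPLE_LOG = json.dumps({"sourcetype": "zscalernss-dns", "event": {
    "srv_dport": "53", "durationms": "1306", "clt_sip": "1.1.1.1", "respipcategory": "Other",
    "datetime": "Sun Sep 18 22:41:05 2020", "reqaction": "Allow", "resaction": "Allow",
    "resrulelabel": "None", "category": "Finance", "devicehostname": "dummy_hostname",
    "user": "test.123@test.com", "location": "dummy", "deviceowner": "212582",
    "department": "Output%20Solutions", "reqrulelabel": "Default Firewall DNS Rule",
    "dns_reqtype": "SRV", "dns_req": "dummy.domains.com", "dns_resp": "NXDOMAIN",
    "srv_dip": "1.1.1.1"}})
```

Note that the sample log carries dns_reqtype but no record_type, so the table's questions.type row leaves the type unset for it; a record that does include record_type and restype gets both the question and answer types filled in.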