Wazuh Integration with Zscaler

Rijn Raju

May 8, 2024, 11:43:44 AM
to wa...@googlegroups.com
Hi All

I'm trying to integrate Zscaler Activity Log of ZIA with Wazuh.

I set up the NSS server for Zscaler and started forwarding the logs to my Wazuh server in CSV format.

I got around 20K logs on one day and after that it suddenly stopped working.

I'm not getting any error messages either; it is actively listening on the port, but I'm not getting any logs.

Any idea what the problem could be??

Thanks in advance for your help.

Regards
Rijin

Natalia Castillo

May 9, 2024, 7:05:51 PM
to Wazuh | Mailing List
Hi Rijin,

It appears you were initially successful in setting up log forwarding from Zscaler NSS to your Wazuh server but are now experiencing an interruption. Let's troubleshoot this issue step-by-step to identify the root cause.

  1. Configuration Changes: Please review any recent changes in your configuration. Were any updates or modifications made just before the logs stopped transmitting?
  2. Documentation Review: Ensure that all settings are correctly configured according to the official documentation for both Zscaler and Wazuh. Here's some documentation that might be useful; if you followed any specific documentation, feel free to share it!
  3. Network Connectivity: Check the network connection between the NSS server and your Wazuh server:
    • Use tools like ping or traceroute to ensure network paths are intact.
    • Verify that the required ports are open and listening on both ends. Using telnet on the port used for log forwarding can confirm this.
    • Check for any new firewall rules or security settings that could be blocking the flow of logs.
  4. Resource Usage: Investigate the resource usage on your Wazuh server. Excessive CPU, memory, or disk usage can impede log processing and storage.
  5. Restart Services: Sometimes, a simple restart of the Zscaler NSS service and the Wazuh server can resolve the issue.
  6. Re-configure Log Forwarding: If none of the above steps resolve the problem, consider re-setting up the log forwarding configuration.
I hope these steps help you pinpoint and solve the issue. Please keep us updated on your progress or if you need further assistance.

Regards,
Natalia
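
The connectivity and resource checks from steps 3 and 4 above, collected into one triage script to run on the Wazuh server. This is an added example, not part of the original thread or Wazuh's own tooling; port 514, the NSS address 192.0.2.10, a TCP feed, the default /var/ossec path and the 95% disk threshold are assumptions.

```sh
#!/bin/sh
# Triage for "listener is up but no Zscaler NSS logs arrive" on the Wazuh server.
# Assumed values, not from the thread: port 514, NSS address 192.0.2.10,
# TCP feed, default /var/ossec install path, 95% disk threshold.
PORT="${PORT:-514}"
NSS_IP="${NSS_IP:-192.0.2.10}"

# stdin: `ss -Hlntu` output. Succeeds if a socket is bound to port $1.
is_listening() {
  awk -v p="$1" '{ for (i = 1; i <= NF; i++) if ($i ~ (":" p "$")) found = 1 }
                 END { exit !found }'
}

# stdin: `ss -Hnt state established` output. Prints how many sessions
# peer $1 (IPv4) holds to local port $2.
nss_sessions() {
  awk -v ip="$1" -v p="$2" '
    { for (i = 1; i < NF; i++)
        if ($i ~ (":" p "$") && index($(i + 1), ip ":") == 1) c++ }
    END { print c + 0 }'
}

# stdin: `df -P <path>` output. Prints the used percentage as an integer.
disk_pct() {
  awk 'NR > 1 { sub(/%/, "", $5); pct = $5 } END { print pct + 0 }'
}

# $1 = listening (1/0), $2 = NSS session count, $3 = disk used %.
verdict() {
  if [ "$1" -ne 1 ]; then echo "listener-down"
  elif [ "$3" -ge 95 ]; then echo "disk-full"
  elif [ "$2" -eq 0 ]; then echo "no-nss-session"
  else echo "nss-connected"
  fi
}

# Live run on the Wazuh server: sh triage.sh run
if [ "${1:-}" = "run" ]; then
  up=0; ss -Hlntu | is_listening "$PORT" && up=1
  n=$(ss -Hnt state established | nss_sessions "$NSS_IP" "$PORT")
  d=$(df -P /var/ossec | disk_pct)
  echo "listening=$up nss_sessions=$n disk=${d}% verdict=$(verdict "$up" "$n" "$d")"
  # Recent receiver-side errors from the syslog listener daemon.
  tail -n 2000 /var/ossec/logs/ossec.log | grep -E 'wazuh-remoted.*(ERROR|WARNING)' \
    || echo "no wazuh-remoted errors in the last 2000 lines"
fi
```

A `no-nss-session` verdict points at the network path or the NSS feed itself; `nss-connected` with no events points at the Wazuh side (receiver errors, decoding or storage).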