Configure SpanVA for proxy logs from ZScaler NSS to CloudSOC Audit

Article ID: 266573

Updated On: 04-10-2025

Products

CASB Audit, CASB Security Advanced, CASB Security Premium, CASB Security Standard, CASB Securlet SAAS

Issue/Introduction

The documentation for setting up ZScaler as an Audit log feed gives the following directions:

"SIEM IP Address and SIEM TCP Port: Enter the IP address and port of the SpanVA to which the logs are streamed.

Ensure that the SpanVA is configured to accept the feed from NSS."

The following is unclear:

  • Where is the TCP port configured on the SpanVA to accept logs?

Resolution

Ports for the ZScaler NSS SpanVA data source (DS) are not configurable; they are auto-assigned when the DS is created in CloudSOC.

The new data source must be created in CloudSOC first to determine what the TCP port is.

To create a new ZScaler NSS SpanVA DS:

  1. Log in to CloudSOC
  2. Choose Audit > Device Logs
  3. Choose + New Data Source > SpanVA Datasource
  4. Choose a unique Datasource name
  5. Choose the Firewall type (ZScaler NSS)
  6. Choose the SpanVA
  7. Click Create connection
  8. Once the connection is created, in the details window choose the Configuration Details tab
  9. This tab shows the IP address and the port being used

Then configure the NSS feeds on the Zscaler side to complete the configuration.

Additional Information

After completing the configuration:

Check the SpanVA Monitoring tab to see that logs are being processed and uploaded to CloudSOC (a good sign).

After sufficient processing time, check that the logs are also being processed successfully in CloudSOC Audit.

Note: End-to-end processing time from logs to Audit can vary from minutes to hours depending on multiple factors.

The client should see "processed" logs in Audit / Device Logs / Select DS / Details within a day or less if the NSS log format was properly configured.