Collect Zscaler ZPA Audit logs

This document explains how to export Zscaler ZPA Audit logs by setting up Bindplane agent and how log fields map to Google SecOps Unified Data Model (UDM) fields.

For more information, see Data ingestion to Google SecOps overview.

A typical deployment consists of Zscaler ZPA Audit and the Bindplane agent configured to send logs to Google Security Operations. Each customer deployment can differ and might be more complex.

The deployment contains the following components:

  • Zscaler ZPA Audit: The platform from which you collect logs.

  • Bindplane agent: The Bindplane agent fetches logs from Zscaler ZPA Audit and sends logs to Google Security Operations.

  • Google SecOps: Retains and analyzes the logs.

An ingestion label identifies the parser which normalizes raw log data to structured UDM format. The information in this document applies to the parser with the ZSCALER_ZPA_AUDIT label.

Before you begin

  • Ensure that you are using Zscaler ZPA Audit 2024 or later.
  • Ensure that you have access to the Zscaler Private Access console. For more information, see Secure Private Access (ZPA) Help.
  • Ensure that all systems in the deployment architecture are configured with the UTC time zone.

Configure Log Receiver in Zscaler Private Access

Use the following steps to configure and manage Log Receiver in Zscaler Private Access:

Add a log receiver

  1. Select Configuration & Control > Private Infrastructure > Log Streaming Service > Log Receivers and then click Add Log Receiver.
  2. In the Log Receiver tab, do the following:
    1. In the Name field, enter the name for the log receiver.
    2. In the Description field, enter a description.
    3. In the Domain or IP Address field, enter the fully qualified domain name (FQDN) or IP address for the log receiver.
    4. In the TCP Port field, enter the TCP port number used by the log receiver.
    5. Select the encryption type in TLS Encryption to enable or disable the encryption of the traffic between the App Connector and the log receiver. By default, this setting is disabled.
    6. In the App Connector groups list, choose the App Connector groups that can forward logs to the receiver and click Done.
    7. Click Next.
  3. In the Log Stream tab, do the following:

    1. Select a Log Type from the menu.
    2. Select a Log Template from the menu.
    3. Copy-paste the Log Stream Content and add new fields. Ensure the key names match the actual field names.

      The following is the default Log Stream Content for the Audit log type:

       {"ModifiedTime":%j{modifiedTime:iso8601},"CreationTime":%j{creationTime:iso8601},"ModifiedBy":%d{modifiedBy},"RequestID":%j{requestId},"SessionID":%j{sessionId},"AuditOldValue":%j{auditOldValue},"AuditNewValue":%j{auditNewValue},"AuditOperationType":%j{auditOperationType},"ObjectType":%j{objectType},"ObjectName":%j{objectName},"ObjectID":%d{objectId},"CustomerID":%d{customerId},"User":%j{modifiedByUser},"ClientAuditUpdate":%d{clientAuditUpdate}}\n

    4. In the SAML Attributes section, click Select IdP and select the IdP configuration you want to include in the policy.

    5. In the Application Segments menu, select the application segments you want to include and click Done.

    6. In the Segment Groups menu, select the segment groups you want to include and click Done.

    7. In the Client Types menu, select the client types you want to include and click Done.

    8. In the Session Statuses menu, select the session status codes you want to exclude and click Done.

    9. Click Next.

  4. In the Review tab, review your log receiver configuration and click Save.

Note: The ZSCALER_ZPA_AUDIT Gold parser only supports the JSON log format, so make sure to select JSON as the Log Template from the menu while configuring the log stream.

Copy a log receiver

  1. Select Control > Private Infrastructure > Log Streaming Service > Log Receivers.
  2. In the table, locate the log receiver you want to copy and click Copy.
  3. In the Add Log Receiver window, modify fields as necessary. To learn more about each field, see the procedure in the Add a log receiver section.
  4. Click Save.

Edit a log receiver

  1. Select Control > Private Infrastructure > Log Streaming Service > Log Receivers.
  2. In the table, locate the log receiver you want to modify and click Edit.
  3. In the Edit Log Receiver window, modify fields as necessary. To learn more about each field, see the procedure in the Add a log receiver section.
  4. Click Save.

Delete a log receiver

  1. Select Control > Private Infrastructure > Log Streaming Service > Log Receivers.
  2. In the table, locate the log receiver you want to delete and click Delete.
  3. In the Confirmation window, click Delete.

Forward Logs to Google SecOps using Bindplane agent

  1. Install and set up a Linux Virtual Machine.
  2. Install and configure the Bindplane agent on Linux to forward logs to Google SecOps. For more information about how to install and configure the Bindplane agent, see the Bindplane agent installation and configuration instructions.

If you encounter issues when you create feeds, contact Google SecOps support.

Supported Zscaler ZPA Audit log formats

The Zscaler ZPA Audit parser supports logs in JSON format.

Supported Zscaler ZPA Audit sample logs

  • JSON:

    {
      "ModifiedTime": "",
      "CreationTime": "2024-06-29T05:06:34.000Z",
      "ModifiedBy": 216193796315021769,
      "RequestID": "ed500dfb-c66d-4ec2-b97e-ec2018c811f4",
      "SessionID": "v2t27ixe6qs21cffpzy6jx1zv",
      "AuditOldValue": "",
      "AuditNewValue": "{\\"loginAttempt\\":\\"2024-06-29 05: 06: 34 UTC\\",\\"remoteIP\\":\\"198.51.100.0\\"}",
      "AuditOperationType": "Sign In",
      "ObjectType": "Authentication",
      "ObjectName": "",
      "ObjectID": 0,
      "CustomerID": dummy_customer_id,
      "User": "abc.xyz.com",
      "ClientAuditUpdate": 0
    }


UDM Mapping Table

Field mapping reference: ZSCALER_ZPA_AUDIT

The following table lists the log fields of the ZSCALER_ZPA_AUDIT log type and their corresponding UDM fields.

Log field | UDM mapping | Logic
(none) | metadata.product_name | The metadata.product_name UDM field is set to ZPA Audit.
(none) | metadata.vendor_name | The metadata.vendor_name UDM field is set to Zscaler.
CreationTime | metadata.event_timestamp
RequestID | metadata.product_log_id
SessionID | network.session_id
(none) | metadata.event_type | If the AuditOperationType log field value is not empty, then:
    • If the AuditOperationType log field value is equal to Create, then the metadata.event_type UDM field is set to RESOURCE_CREATION.
    • Else, if the AuditOperationType log field value is equal to Client Session Revoked, then the metadata.event_type UDM field is set to USER_LOGOUT.
    • Else, if the AuditOperationType log field value is equal to Delete, then the metadata.event_type UDM field is set to RESOURCE_DELETION.
    • Else, if the AuditOperationType log field value is equal to Download, then the metadata.event_type UDM field is set to USER_RESOURCE_ACCESS.
    • Else, if the AuditOperationType log field value is equal to Sign In, then the metadata.event_type UDM field is set to USER_LOGIN.
    • Else, if the AuditOperationType log field value is equal to Sign In Failure, then the metadata.event_type UDM field is set to USER_LOGIN.
    • Else, if the AuditOperationType log field value is equal to Sign Out, then the metadata.event_type UDM field is set to USER_LOGOUT.
    • Else, if the AuditOperationType log field value is equal to Update, then the metadata.event_type UDM field is set to USER_RESOURCE_UPDATE_CONTENT.
(none) | metadata.product_event_type | If the AuditOperationType log field value is not empty, then:
    • If the AuditOperationType log field value is equal to Create, then the metadata.product_event_type UDM field is set to create.
    • Else, if the AuditOperationType log field value is equal to Client Session Revoked, then the metadata.product_event_type UDM field is set to client session revoked.
    • Else, if the AuditOperationType log field value is equal to Delete, then the metadata.product_event_type UDM field is set to delete.
    • Else, if the AuditOperationType log field value is equal to Download, then the metadata.product_event_type UDM field is set to download.
    • Else, if the AuditOperationType log field value is equal to Sign In, then the metadata.product_event_type UDM field is set to user_login.
    • Else, if the AuditOperationType log field value is equal to Sign In Failure, then the metadata.product_event_type UDM field is set to user_login_fail.
    • Else, if the AuditOperationType log field value is equal to Sign Out, then the metadata.product_event_type UDM field is set to user_logout.
    • Else, if the AuditOperationType log field value is equal to Update, then the metadata.product_event_type UDM field is set to update.
(none) | security_result.action | If the AuditOperationType log field value is not empty, then:
    • If the AuditOperationType log field value is equal to Client Session Revoked, then the security_result.action UDM field is set to BLOCK.
    • Else, if the AuditOperationType log field value is equal to Sign In, then the security_result.action UDM field is set to ALLOW.
    • Else, if the AuditOperationType log field value is equal to Sign In Failure, then the security_result.action UDM field is set to FAIL.
ObjectType | target.resource.resource_subtype
ObjectID | target.resource.product_object_id
ObjectName | target.resource.name
ModifiedTime | target.resource.attribute.labels[ModifiedTime]
ModifiedBy | principal.user.userid
User | principal.user.email_addresses
AuditOldValue | additional.fields[AuditOldValue] | Iterate through the AuditOldValue object: each AuditOldValue object key is mapped to the additional.fields.key UDM field and the corresponding AuditOldValue object value is mapped to the additional.fields.value UDM field.
AuditNewValue | additional.fields[AuditNewValue] | Iterate through the AuditNewValue object: each AuditNewValue object key is mapped to the additional.fields.key UDM field and the corresponding AuditNewValue object value is mapped to the additional.fields.value UDM field.
CustomerID | target.user.userid
ClientAuditUpdate | additional.fields[ClientAuditUpdate]
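The following is an added reference implementation of the mapping rules in the table above, written for this page as a test fixture for validating what the ZSCALER_ZPA_AUDIT parser should produce; it is not Google's parser code and does not use any Google SecOps library. It reads one ZPA Audit JSON record, applies the AuditOperationType rules for metadata.event_type, metadata.product_event_type and security_result.action, expands the JSON document embedded in the AuditOldValue / AuditNewValue strings into additional.fields entries, and returns a nested dictionary shaped like the UDM fields named in the table. The function names (to_udm, normalize_line, audit_value_fields) and the sample record are this example's own; the sample is modelled on the document's sample log with the dummy_customer_id placeholder replaced by a constructed number and the operation changed to Sign In Failure so that the FAIL branch is exercised.

```python
from __future__ import annotations

import json
from typing import Any, Optional

# Constructed sample record in the shape of the document's sample log. AuditNewValue
# carries a JSON document embedded in a string, which is how ZPA emits it.
SAMPLE_LOG = r'''{"ModifiedTime": "", "CreationTime": "2024-06-29T05:06:34.000Z",
"ModifiedBy": 216193796315021769, "RequestID": "ed500dfb-c66d-4ec2-b97e-ec2018c811f4",
"SessionID": "v2t27ixe6qs21cffpzy6jx1zv", "AuditOldValue": "",
"AuditNewValue": "{\"loginAttempt\":\"2024-06-29 05: 06: 34 UTC\",\"remoteIP\":\"198.51.100.0\"}",
"AuditOperationType": "Sign In Failure", "ObjectType": "Authentication", "ObjectName": "",
"ObjectID": 0, "CustomerID": 1234, "User": "abc.xyz.com", "ClientAuditUpdate": 0}'''

# AuditOperationType -> UDM value, transcribed from the mapping table on this page.
EVENT_TYPE = {
    "Create": "RESOURCE_CREATION", "Client Session Revoked": "USER_LOGOUT",
    "Delete": "RESOURCE_DELETION", "Download": "USER_RESOURCE_ACCESS",
    "Sign In": "USER_LOGIN", "Sign In Failure": "USER_LOGIN",
    "Sign Out": "USER_LOGOUT", "Update": "USER_RESOURCE_UPDATE_CONTENT",
}
PRODUCT_EVENT_TYPE = {
    "Create": "create", "Client Session Revoked": "client session revoked",
    "Delete": "delete", "Download": "download", "Sign In": "user_login",
    "Sign In Failure": "user_login_fail", "Sign Out": "user_logout", "Update": "update",
}
ACTION = {"Client Session Revoked": "BLOCK", "Sign In": "ALLOW", "Sign In Failure": "FAIL"}


def _text(value: Any) -> Optional[str]:
    """UDM id and label values are strings; numeric ids such as ModifiedBy are stringified."""
    return None if value is None else str(value)


def audit_value_fields(raw: Any) -> list[dict[str, Optional[str]]]:
    """Expand an AuditOldValue / AuditNewValue payload into additional.fields entries,
    one per key of the embedded JSON object (the table's 'iterate through' rule).
    An empty string or a payload that is not a JSON object yields no entries."""
    if not raw:
        return []
    try:
        obj = json.loads(raw) if isinstance(raw, str) else raw
    except json.JSONDecodeError:
        return []
    if not isinstance(obj, dict):
        return []
    return [{"key": key, "value": _text(value)} for key, value in obj.items()]


def to_udm(record: dict[str, Any]) -> dict[str, Any]:
    """Apply the page's field mapping to one parsed ZPA Audit record."""
    op = record.get("AuditOperationType") or ""
    metadata: dict[str, Any] = {"vendor_name": "Zscaler", "product_name": "ZPA Audit"}
    if record.get("CreationTime"):
        metadata["event_timestamp"] = record["CreationTime"]
    if record.get("RequestID"):
        metadata["product_log_id"] = record["RequestID"]
    # An empty operation type matches no rule, so event_type stays unset.
    if op in EVENT_TYPE:
        metadata["event_type"] = EVENT_TYPE[op]
        metadata["product_event_type"] = PRODUCT_EVENT_TYPE[op]
    udm: dict[str, Any] = {"metadata": metadata, "additional": {"fields": []}}
    if record.get("SessionID"):
        udm["network"] = {"session_id": record["SessionID"]}
    if op in ACTION:
        udm["security_result"] = [{"action": ACTION[op]}]
    resource: dict[str, Any] = {
        "resource_subtype": record.get("ObjectType"),
        "product_object_id": _text(record.get("ObjectID")),
        "name": record.get("ObjectName"),
    }
    if "ModifiedTime" in record:
        resource["attribute"] = {
            "labels": [{"key": "ModifiedTime", "value": _text(record["ModifiedTime"])}]}
    udm["target"] = {"resource": resource, "user": {"userid": _text(record.get("CustomerID"))}}
    udm["principal"] = {"user": {
        "userid": _text(record.get("ModifiedBy")),
        "email_addresses": [record["User"]] if record.get("User") else [],
    }}
    fields = udm["additional"]["fields"]
    fields += audit_value_fields(record.get("AuditOldValue"))
    fields += audit_value_fields(record.get("AuditNewValue"))
    if "ClientAuditUpdate" in record:
        fields.append({"key": "ClientAuditUpdate", "value": _text(record["ClientAuditUpdate"])})
    return udm


def normalize_line(raw_line: str) -> dict[str, Any]:
    """Parse one JSON log line as delivered by the log receiver and map it to UDM."""
    return to_udm(json.loads(raw_line))


if __name__ == "__main__":
    print(json.dumps(normalize_line(SAMPLE_LOG), indent=2))
```

Running the script prints the mapped record for the sample; feeding it the raw lines captured at the log receiver and comparing the result with the parser's UDM output is a quick way to confirm that the Log Stream Content keys were not renamed and that the escaped JSON inside AuditNewValue is still intact after transport through the Bindplane agent.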
