The Scope application supports ingestion of logs from the following Zscaler ZIA products through log forwarders:
Refer to the official Zscaler documentation below for instructions on configuring log forwarding for the supported ZIA products.
| Product | Official Documentation |
|---|---|
| Zscaler ZIA Web | https://help.zscaler.com/zia/adding-nss-feeds-web-logs |
| Zscaler ZIA Firewall | https://help.zscaler.com/zia/adding-nss-feeds-firewall-logs |
| Zscaler ZIA Alerts | https://help.zscaler.com/zia/adding-nss-feeds-alerts |
| Zscaler ZIA DNS | https://help.zscaler.com/zia/adding-nss-feeds-dns-logs |
| Zscaler ZIA Tunnel | https://help.zscaler.com/zia/adding-nss-feeds-tunnel-logs |
The Scope application supports ingestion of Zscaler ZIA Web logs in the following two formats:
Note: Either format can be used. Ensure that all fields defined in the selected format are included in the NSS feed configuration.
| Field Name | Sample |
|---|---|
time |
Wed Sep 11 01:50:58 2024 |
login |
ABC-XYZ-ADW/INET2/64.NE_6 |
proto |
TUNNEL |
eurl |
10.11.5.100/ |
action |
Allowed |
appname |
General Browsing |
appclass |
General Browsing |
reqsize |
68 |
respsize |
52 |
urlclass |
Business Use |
urlsupercat |
Internet Communication |
urlcat |
Internet Services |
malwarecat |
None |
threatname |
None |
riskscore |
0 |
dlpeng |
None |
dlpdict |
None |
location |
ABC-XYZ-ADW/INET2/64.NE_6 |
dept |
Default Department |
cip |
10.7.8.25 |
sip |
10.11.5.100 |
reqmethod |
NA |
respcode |
NA |
eua |
Unknown |
ereferer |
None |
ruletype |
None |
rulelabel |
None |
contenttype |
Other |
unscannabletype |
None |
deviceowner |
NA |
devicehostname |
NA |
| Field Name | Sample |
|---|---|
time |
Tue Sep 3 15:16:30 2024 |
login |
redacted1@tst.com |
proto |
DNSOVERHTTPS |
eurl |
mozilla.redacted.com/dns-query |
action |
Allowed |
appname |
Cloudflare DNS |
appclass |
DoH Services |
reqsize |
379 |
respsize |
690 |
stime |
3 |
ctime |
53 |
urlclass |
Business Use |
urlsupercat |
Internet Communication |
urlcat |
Internet Services |
malwarecat |
None |
threatname |
None |
riskscore |
0 |
dlpeng |
None |
dlpdict |
None |
location |
Redacted 500MB |
dept |
Default Department |
cip |
10.203.40.123 |
sip |
10.10.61.4 |
reqmethod |
POST |
respcode |
200 |
eua |
Unknown |
ereferer |
None |
ruletype |
None |
rulelabel |
None |
contenttype |
application/dns_message |
unscannabletype |
None |
deviceowner |
REDACTED2 |
devicehostname |
NA |
The Scope application supports ingestion of Zscaler ZIA Firewall logs in the following format:
| Field Name | Sample |
|---|---|
time |
Mon Apr 13 16:29:12 2026 |
login |
user@domain.com |
dept |
Client Relations |
location |
Road Warrior |
cdport |
443 |
csport |
51940 |
sdport |
0 |
ssport |
0 |
csip |
10.26.59.20 |
cdip |
10.85.15.67 |
ssip |
0.0.0.0 |
sdip |
0.0.0.0 |
tsip |
10.15.79.23 |
tunsport |
0 |
ttype |
GRE |
action |
Allow |
dnat |
No |
stateful |
Yes |
aggregate |
Yes |
nwsvc |
REDACTED-Ports |
nwapp |
tcp |
ipproto |
TCP |
ipcat |
Zscaler Proxy IPs |
destcountry |
United States |
avgduration |
718 |
rulelabel |
Allow REDACTED |
inbytes |
147730 |
outbytes |
50733 |
duration |
23 |
durationms |
23000 |
numsessions |
32 |
ipsrulelabel |
None |
threatcat |
None |
threatname |
None |
deviceowner |
NA |
devicehostname |
NA |
additionalfield1 |
0 |
additionalfield2 |
None |