Integrating with Zscaler Firewall

Overview

Blumira integrates with Zscaler Firewall to stream logs for centralized visibility, detection, and response. This integration requires the Blumira sensor Logger Module, which acts as a syslog server to collect your forwarded logs.

Before you begin

This integration requires a Blumira sensor to be installed before you can complete the steps below. Ensure that you complete the steps in Building a Blumira sensor with Ubuntu before you continue.

Gather the IP address of your Blumira sensor to use when configuring the external service.

To find and copy the IP address of the sensor, do the following:

  1. In Blumira, navigate to Ingestion > Sensors.
  2. Click the sensor row to open the details page.
  3. In the Overview section, next to Host Details, copy the IP address.

Forwarding logs to Blumira

To configure Zscaler Firewall devices to stream logs to Blumira, follow the instructions Zscaler provides in Adding NSS Feeds for Firewall Logs. In Step 3 of that procedure, do the following:

  • In SIEM Destination Type, select SIEM IP Address and enter the Blumira sensor IP address you gathered previously.
  • In SIEM TCP Port, enter 514.
  • For Feed Output Type, select JSON.
  • For Feed Output Format, keep the default fields; do not rename or reformat them.
  • For Timezone, select UTC.