elastic · andrewkroh · Mar 12, 2022 · Mar 7, 2022 · Mar 7, 2022 · Mar 8, 2022
@@ -10,8 +10,26 @@ ECS fields where applicable and the remaining fields are written under
 ## Setup steps
 
 1. Enable the integration with the TCP input.
-2. Configure the Zscaler NSS Server and NSS Feeds to send logs to the Elastic Agent
-that is running this integration. See [_Add NSS Server_](https://help.zscaler.com/zia/adding-nss-servers) and [_Add NSS Feeds_](https://help.zscaler.com/zia/adding-nss-feeds). Use the IP address/hostname of the Elastic Agent as the 'NSS Feed SIEM IP Address/FQDN', and use the listening port of the Elastic Agent as the 'SIEM TCP Port' on the _Add NSS Feed_ configuration screen.
+2. Configure the Zscaler NSS Server and NSS Feeds to send logs to the Elastic Agent that is running this integration. See [_Add NSS Server_](https://help.zscaler.com/zia/adding-nss-servers) and [_Add NSS Feeds_](https://help.zscaler.com/zia/adding-nss-feeds). Use the IP address hostname of the Elastic Agent as the 'NSS Feed SIEM IP Address/FQDN', and use the listening port of the Elastic Agent as the 'SIEM TCP Port' on the _Add NSS Feed_ configuration screen. To configure Zscalar NSS Server and NSS Feeds follow the following steps.
+    - In the ZIA Admin Portal, add an NSS Server.
+        - Log in to the ZIA Admin Portal using your admin account. If you're unable to log in, contact Support.
+        - Add an NSS server. Refer to Adding NSS Servers to set up an [_Add NSS Server_](https://help.zscaler.com/zia/adding-nss-servers) for Web and/or Firewall.
+        - Verify that the state of the NSS Server is healthy.
+            - In the ZIA Admin Portal, go to Administration > Nanolog Streaming Service > NSS Servers.
+            - In the State column, confirm that the state of the NSS server is healthy.
+            ![NSS server setup image](../../../img/nss_server.png?raw=true)
+    - In the ZIA Admin Portal, add an NSS Feed.
+        - Refer to [_Add NSS Feeds_](https://help.zscaler.com/zia/adding-nss-feeds) and select the type of feed you want to configure. The following fields require specific inputs:
+            - **SIEM IP Address**: Enter the IP address of the [_Elastic agent_](https://www.elastic.co/guide/en/fleet/current/fleet-overview.html) you’ll be assigning the Zscaler integration to.
+            - **SIEM TCP Port**: Enter the port number, depending on the logs associated with the NSS Feed. You will need to create an NSS Feed for each log type.
+                - **Alerts**: 9010
+                - **DNS**: 9011
+                - **Firewall**: 9012
+                - **Tunnel**: 9013
+                - **Web**: 9014
+            - **Feed Output Type**: Select Custom paste the appropriate response format as follows:
+            ![NSS feeds setup image](../../../img/nss_feeds.png?raw=true)  
+
 3. *Please make sure to use the given response formats.*
 
 ## Compatibility
@@ -99,8 +117,10 @@ Sample Response:
 
 ### Web Log
 
-Default port: _9014_
+Default port: _9014_  
+Add characters **"** and **\\** in **feed escape character** while configuring Web Log.  
 
+![Escape feed setup image](../../../img/escape_feed.png?raw=true)  
 Vendor documentation: https://help.zscaler.com/zia/nss-feed-output-format-web-logs
 
 Zscaler response format:  

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "0.1.1"
+  changes:
+    - description: Updated the README to describe the Zscaler ZIA setup process in detail.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/2773
 - version: "0.1.0"
   changes:
     - description: Initial draft of the package

@@ -124,6 +124,9 @@ processors:
       - remove:
           field: json.eurl
           ignore_missing: true
+  - urldecode:
+      field: url.original
+      ignore_missing: true
   - user_agent:
       field: json.ua
       ignore_failure: true

@@ -10,8 +10,26 @@ ECS fields where applicable and the remaining fields are written under
 ## Setup steps
 
 1. Enable the integration with the TCP input.
-2. Configure the Zscaler NSS Server and NSS Feeds to send logs to the Elastic Agent
-that is running this integration. See [_Add NSS Server_](https://help.zscaler.com/zia/adding-nss-servers) and [_Add NSS Feeds_](https://help.zscaler.com/zia/adding-nss-feeds). Use the IP address/hostname of the Elastic Agent as the 'NSS Feed SIEM IP Address/FQDN', and use the listening port of the Elastic Agent as the 'SIEM TCP Port' on the _Add NSS Feed_ configuration screen.
+2. Configure the Zscaler NSS Server and NSS Feeds to send logs to the Elastic Agent that is running this integration. See [_Add NSS Server_](https://help.zscaler.com/zia/adding-nss-servers) and [_Add NSS Feeds_](https://help.zscaler.com/zia/adding-nss-feeds). Use the IP address hostname of the Elastic Agent as the 'NSS Feed SIEM IP Address/FQDN', and use the listening port of the Elastic Agent as the 'SIEM TCP Port' on the _Add NSS Feed_ configuration screen. To configure Zscalar NSS Server and NSS Feeds follow the following steps.
+    - In the ZIA Admin Portal, add an NSS Server.
+        - Log in to the ZIA Admin Portal using your admin account. If you're unable to log in, contact Support.
+        - Add an NSS server. Refer to Adding NSS Servers to set up an [_Add NSS Server_](https://help.zscaler.com/zia/adding-nss-servers) for Web and/or Firewall.
+        - Verify that the state of the NSS Server is healthy.
+            - In the ZIA Admin Portal, go to Administration > Nanolog Streaming Service > NSS Servers.
+            - In the State column, confirm that the state of the NSS server is healthy.
+            ![NSS server setup image](../../../img/nss_server.png?raw=true)
+    - In the ZIA Admin Portal, add an NSS Feed.
+        - Refer to [_Add NSS Feeds_](https://help.zscaler.com/zia/adding-nss-feeds) and select the type of feed you want to configure. The following fields require specific inputs:
+            - **SIEM IP Address**: Enter the IP address of the [_Elastic agent_](https://www.elastic.co/guide/en/fleet/current/fleet-overview.html) you’ll be assigning the Zscaler integration to.
+            - **SIEM TCP Port**: Enter the port number, depending on the logs associated with the NSS Feed. You will need to create an NSS Feed for each log type.
+                - **Alerts**: 9010
+                - **DNS**: 9011
+                - **Firewall**: 9012
+                - **Tunnel**: 9013
+                - **Web**: 9014
+            - **Feed Output Type**: Select Custom paste the appropriate response format as follows:
+            ![NSS feeds setup image](../../../img/nss_feeds.png?raw=true)  
+
 3. *Please make sure to use the given response formats.*
 
 ## Compatibility
@@ -99,8 +117,10 @@ Sample Response:
 
 ### Web Log
 
-Default port: _9014_
+Default port: _9014_  
+Add characters **"** and **\\** in **feed escape character** while configuring Web Log.  
 
+![Escape feed setup image](../../../img/escape_feed.png?raw=true)  
 Vendor documentation: https://help.zscaler.com/zia/nss-feed-output-format-web-logs
 
 Zscaler response format:  

@@ -1,7 +1,7 @@
 format_version: 1.0.0
 name: zscaler_zia
 title: "Zscaler Internet Access"
-version: 0.1.0
+version: 0.1.1
 license: basic
 description: Collect logs from Zscaler Internet Access (ZIA) with Elastic Agent.
 type: integration