Zscaler Private Access


Zscaler Private Access (ZPA) is a cloud-based service that provides secure access to private applications and services.

Integration Method: Data Collector

Tables: Network Activity [4001], HTTP Activity [4002], API Activity [6003]

This integration supports the following events:

Event                   Description
Application Activity    Events related to application access and usage
Network Activity        Events related to network connections and traffic
HTTP Activity           Events related to HTTP traffic and requests

Prerequisites

  • Administrator access to the Zscaler Private Access portal

  • Ability to add a Data Collector on the network, or use an existing one

  • Access to the DataBee console

Zscaler Configuration

  1. In the Zscaler portal, go to Configuration & Control > Private Infrastructure > Log Receivers.

  2. Click Add Log Receiver. The “Add Log Receiver” window appears.

  3. In the “Add Log Receiver” window, fill in the required information. Create one Log Receiver for each of the three log types (App Protection, User Status, User Activity), repeating steps 3 to 6 for each:

    1. Name: Enter a name for the Log Receiver.

    2. Description: Optional. Enter a description if you want one.

    3. Domain or IP Address: Enter the domain or IP address of the host to which the logs are forwarded (the host where the Data Collector will run).

    4. TCP Port: Enter the TCP port on which the Data Collector will listen. The port must be open and reachable from the selected App Connector Group.

    5. TLS Encryption: Set to Disabled. The logs are then sent in cleartext over TCP, so place the receiver on a network segment that only the App Connectors can reach.

    6. App Connector Groups: Select the App Connector Group through which the log data will be forwarded.

      1. Reference - https://help.zscaler.com/zpa/app-connector-deployment-guide-linux

  4. Click Next and fill in the following details.

    1. Log Type: Select the log type for this receiver:

      1. App Protection

      2. User Status

      3. User Activity

    2. Log Template: Select Custom (editing the Log Stream Content switches the template to Custom automatically).

    3. Log Stream Content: Enter the log schema for the selected log type:

      1. App Protection

        {"LogTimestamp": %j{LogTimestamp:time},"Customer": %j{Customer},"ConnectionID": %j{ConnectionID},"UserID": %j{UserID},"AssistantID": %j{AssistantID},"ExchangeSequenceIndex": %d{ExchangeSequenceIndex},"TimestampRequestReceiveStart": %d{TimestampRequestReceiveStart},"TimestampRequestReceiveHeaderFinish": %d{TimestampRequestReceiveHeaderFinish},"TimestampRequestReceiveFinish": %d{TimestampRequestReceiveFinish},"TimestampRequestTransmitStart": %d{TimestampRequestTransmitStart},"TimestampRequestTransmitFinish": %d{TimestampRequestTransmitFinish},"TimestampResponseReceiveFinish": %d{TimestampResponseReceiveFinish},"TimestampResponseTransmitStart": %d{TimestampResponseTransmitStart},"TimestampResponseTransmitFinish": %d{TimestampResponseTransmitFinish},"TotalTimeRequestReceive": %d{TotalTimeRequestReceive},"TotalTimeRequestTransmit": %d{TotalTimeRequestTransmit},"TotalTimeResponseReceive": %d{TotalTimeResponseReceive},"TotalTimeResponseTransmit": %d{TotalTimeResponseTransmit},"Domain": %j{Domain},"Method": %j{Method},"Protocol": %j{Protocol},"ProtocolVersion": %j{ProtocolVersion},"ContentType": %j{ContentType},"ContentEncoding": %j{ContentEncoding},"TransferEncoding": %j{TransferEncoding},"Host": %j{Host},"Destination": %j{Destination},"OriginDomain": %j{OriginDomain},"URL": %j{URL},"UserAgent": %j{UserAgent},"HTTPError": %j{HTTPError},"ClientPublicIP": %j{ClientPublicIp},"ClientPort": %d{ClientPort},"UpgradeHeaderPresent": %d{UpgradeHeaderPresent},"StatusCode": %d{StatusCode},"RequestHdrSize": %d{RequestHdrSize},"ResponseHdrSize": %d{ResponseHdrSize},"RequestBodySize": %d{RequestBodySize},"ResponseBodySize": %d{ResponseBodySize},"Application": %d{Application},"ApplicationGroup": %d{ApplicationGroup},"InspectionPolicy": %d{InspectionPolicy},"InspectionProfile": %d{InspectionProfile},"ParanoiaLevel": %d{ParanoiaLevel},"InspectionControlsHitCount": %d{InspectionControlsHitCount},"InspectionRuleProcessingTime": %d{InspectionRuleProcessingTime},"InspectionReqHeadersProcessingTime": %d{InspectionReqHeadersProcessingTime},"InspectionReqBodyProcessingTime": %d{InspectionReqBodyProcessingTime},"InspectionRespHeadersProcessingTime": %d{InspectionRespHeadersProcessingTime},"InspectionRespBodyProcessingTime": %d{InspectionRespBodyProcessingTime},"CertificateId": %d{CertificateId},"DoubleEncryption": %d{DoubleEncryption},"SSLInspection": %d{SSLInspection},"TotalBytesProcessed": %d{TotalBytesProcessed},"InspectionControls": [%j(,){InspectionControlArray}],"InspectionControlTypes": [%j(,){ControlTypeArray}],"InspectionControlCategories": [%j(,){InspectionControlCategories}],"Actions": [%j(,){Actions}],"Severities": [%j(,){SeveritiesArray}],"Descriptions": [%j(,){DescriptiveExplanationsArray}]}

      2. User Status

        {"LogTimestamp": %j{LogTimestamp:time},"Customer": %j{Customer},"Username": %j{Username},"SessionID": %j{SessionID},"SessionStatus": %j{SessionStatus},"Version": %j{Version},"ZEN": %j{ZEN},"CertificateCN": %j{CertificateCN},"PrivateIP": %j{PrivateIP},"PublicIP": %j{PublicIP},"Latitude": %f{Latitude},"Longitude": %f{Longitude},"CountryCode": %j{CountryCode},"TimestampAuthentication": %j{TimestampAuthentication:iso8601},"TimestampUnAuthentication": %j{TimestampUnAuthentication:iso8601},"TotalBytesRx": %d{TotalBytesRx},"TotalBytesTx": %d{TotalBytesTx},"Idp": %j{Idp},"Hostname": %j{Hostname},"Platform": %j{Platform},"ClientType": %j{ClientType},"TrustedNetworks": %j(,){TrustedNetworks},"TrustedNetworksNames": %j(,){TrustedNetworksNames},"PosturesHit": %j(,){PosturesHit},"PosturesMiss": %j(,){PosturesMiss},"ZENLatitude": %f{ZENLatitude},"ZENLongitude": %f{ZENLongitude},"ZENCountryCode": %j{ZENCountryCode},"FQDNRegistered": %j{fqdn_registered},"FQDNRegisteredError": %j{fqdn_register_error},"City": %j{City},"MicroTenantID": %j{MicroTenantID}}

      3. User Activity

        {"LogTimestamp": %j{LogTimestamp:time},"Customer": %j{Customer},"SessionID": %j{SessionID},"ConnectionID": %j{ConnectionID},"InternalReason": %j{InternalReason},"ConnectionStatus": %j{ConnectionStatus},"IPProtocol": %d{IPProtocol},"DoubleEncryption": %d{DoubleEncryption},"Username": %j{Username},"ServicePort": %d{ServicePort},"ClientPublicIP": %j{ClientPublicIP},"ClientPrivateIP": %j{ClientPrivateIP},"ClientLatitude": %f{ClientLatitude},"ClientLongitude": %f{ClientLongitude},"ClientCountryCode": %j{ClientCountryCode},"ClientZEN": %j{ClientZEN},"Policy": %j{Policy},"Connector": %j{Connector},"ConnectorZEN": %j{ConnectorZEN},"ConnectorIP": %j{ConnectorIP},"ConnectorPort": %d{ConnectorPort},"Host": %j{Host},"Application": %j{Application},"AppGroup": %j{AppGroup},"Server": %j{Server},"ServerIP": %j{ServerIP},"ServerPort": %d{ServerPort},"PolicyProcessingTime": %d{PolicyProcessingTime},"ServerSetupTime": %d{ServerSetupTime},"TimestampConnectionStart": %j{TimestampConnectionStart:iso8601},"TimestampConnectionEnd": %j{TimestampConnectionEnd:iso8601},"TimestampCATx": %j{TimestampCATx:iso8601},"TimestampCARx": %j{TimestampCARx:iso8601},"TimestampAppLearnStart": %j{TimestampAppLearnStart:iso8601},"TimestampZENFirstRxClient": %j{TimestampZENFirstRxClient:iso8601},"TimestampZENFirstTxClient": %j{TimestampZENFirstTxClient:iso8601},"TimestampZENLastRxClient": %j{TimestampZENLastRxClient:iso8601},"TimestampZENLastTxClient": %j{TimestampZENLastTxClient:iso8601},"TimestampConnectorZENSetupComplete": %j{TimestampConnectorZENSetupComplete:iso8601},"TimestampZENFirstRxConnector": %j{TimestampZENFirstRxConnector:iso8601},"TimestampZENFirstTxConnector": %j{TimestampZENFirstTxConnector:iso8601},"TimestampZENLastRxConnector": %j{TimestampZENLastRxConnector:iso8601},"TimestampZENLastTxConnector": %j{TimestampZENLastTxConnector:iso8601},"ZENTotalBytesRxClient": %d{ZENTotalBytesRxClient},"ZENBytesRxClient": %d{ZENBytesRxClient},"ZENTotalBytesTxClient": %d{ZENTotalBytesTxClient},"ZENBytesTxClient": %d{ZENBytesTxClient},"ZENTotalBytesRxConnector": %d{ZENTotalBytesRxConnector},"ZENBytesRxConnector": %d{ZENBytesRxConnector},"ZENTotalBytesTxConnector": %d{ZENTotalBytesTxConnector},"ZENBytesTxConnector": %d{ZENBytesTxConnector},"Idp": %j{Idp},"ClientToClient": %j{c2c},"ClientCity": %j{ClientCity},"MicroTenantID": %j{MicroTenantID},"AppMicroTenantID": %j{AppMicroTenantID}}

  5. Click Next.

  6. Click Save.

  7. After saving, the Log Receiver is listed on the same page, where you can edit or delete it.
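The Log Stream Content templates above define what the Data Collector receives: one JSON object per event. A template edit that breaks the JSON (a stray comma, a quote around a %d placeholder, an array placeholder without enclosing brackets) breaks the feed without any error in the ZPA portal. The following Python script is an added example, not Zscaler or DataBee code. It lists the fields a template references and renders the template against a constructed record to confirm that the result parses as a single JSON object. The placeholder semantics it assumes (%j renders as a JSON-quoted string, %d as an integer, %f as a float, %j(,){...} as a comma-joined list of JSON strings, and the :time / :iso8601 modifiers pass the value through unchanged) are inferred from the templates on this page; the template excerpt is taken from the User Activity template above, and the sample record values are constructed.

```python
import json
import re
from typing import Any

# Placeholder grammar as it appears in the Log Stream Content templates on this
# page: %<type>[(sep)]{Field[:fmt]}. Rendering rules below are assumed (not
# Zscaler or DataBee code): j = JSON-quoted string, d = integer, f = float;
# a (sep) suffix renders a list joined by sep; :time / :iso8601 pass through.
PLACEHOLDER = re.compile(
    r"%(?P<type>[jdf])"          # value type
    r"(?:\((?P<sep>[^)]*)\))?"   # optional array separator, e.g. (,)
    r"\{(?P<field>[^}:]+)"       # field name
    r"(?::(?P<fmt>[^}]+))?\}"    # optional format modifier
)


def template_fields(template: str) -> list[str]:
    """Field names referenced by a template, in order of appearance."""
    return [m.group("field") for m in PLACEHOLDER.finditer(template)]


def _render_placeholder(m: re.Match, record: dict[str, Any]) -> str:
    kind, sep, field = m.group("type"), m.group("sep"), m.group("field")
    value = record.get(field)
    if sep is not None:
        # Array placeholder: each element becomes a JSON string, joined by sep.
        items = value if isinstance(value, list) else ([] if value is None else [value])
        return sep.join(json.dumps(str(v)) for v in items)
    if kind == "d":
        return str(int(value)) if value is not None else "0"
    if kind == "f":
        return repr(float(value)) if value is not None else "0.0"
    return json.dumps("" if value is None else str(value))


def render_template(template: str, record: dict[str, Any]) -> str:
    """Substitute every placeholder with the corresponding record value."""
    return PLACEHOLDER.sub(lambda m: _render_placeholder(m, record), template)


def validate_template(template: str, record: dict[str, Any]) -> dict[str, Any]:
    """Render the template and parse the result as JSON.

    Raises ValueError when the rendered line is not a single valid JSON
    object, which is what the DataBee Syslog feed (Format: JSON) expects.
    """
    rendered = render_template(template, record)
    try:
        parsed = json.loads(rendered)
    except json.JSONDecodeError as exc:
        raise ValueError(f"template does not render to valid JSON: {exc}") from exc
    if not isinstance(parsed, dict):
        raise ValueError("template must render to a JSON object")
    return parsed


# Excerpt of the User Activity template shown on this page.
USER_ACTIVITY_EXCERPT = (
    '{"LogTimestamp": %j{LogTimestamp:time},"Customer": %j{Customer},'
    '"SessionID": %j{SessionID},"Username": %j{Username},'
    '"ServicePort": %d{ServicePort},"ClientPublicIP": %j{ClientPublicIP},'
    '"ClientLatitude": %f{ClientLatitude},"Application": %j{Application},'
    '"TimestampConnectionStart": %j{TimestampConnectionStart:iso8601},'
    '"ZENTotalBytesRxClient": %d{ZENTotalBytesRxClient}}'
)

# Constructed sample record; these are not real tenant values.
SAMPLE_USER_ACTIVITY: dict[str, Any] = {
    "LogTimestamp": "Mon Jan  1 12:00:00 2024",
    "Customer": "Example Corp",
    "SessionID": "sess-0001",
    "Username": "user@example.com",
    "ServicePort": 443,
    "ClientPublicIP": "203.0.113.10",
    "ClientLatitude": 37.77,
    "Application": "intranet.example.internal",
    "TimestampConnectionStart": "2024-01-01T12:00:00.000Z",
    "ZENTotalBytesRxClient": 1536,
}


if __name__ == "__main__":
    event = validate_template(USER_ACTIVITY_EXCERPT, SAMPLE_USER_ACTIVITY)
    print("fields:", template_fields(USER_ACTIVITY_EXCERPT))
    print("rendered OK:", event["Username"], event["ServicePort"])
    # Multi-valued arrays need the enclosing [ ] that the App Protection
    # template uses; without them the rendered line is not valid JSON.
    try:
        validate_template('{"Actions": %j(,){Actions}}', {"Actions": ["BLOCK", "LOG"]})
    except ValueError as exc:
        print("caught:", exc)
```

Run the script directly to see the excerpt rendered and to see the validator reject a multi-valued array placeholder that is not wrapped in brackets the way the App Protection template wraps its arrays. To check a full template before pasting it into the portal, put it in a string and call validate_template with a record that supplies the fields reported by template_fields, including at least one multi-valued list for every array placeholder.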

Configure Data Collector

Reference link - https://docs.databee.buzz/docs/data-collector

  1. From the DataBee console, navigate to System.


  2. Go to the Data Collectors page and click Add Data Collector.


  3. Fill in the basic information and then click Next.

  4. The installation steps are shown. Copy all the details (Installation Script URL, Tenant ID, Receiver URL, Collector ID and API Key) before closing the window.

  5. Open a terminal on the Linux VM to which the logs are forwarded (the host you entered as Domain or IP Address in the Log Receiver). Paste the Installation Script URL and run it to install the Data Collector on that instance. Run the script as the root user.

  6. While configuring the Data Collector, enter the Tenant ID, Receiver URL, Collector ID and API Key from Step 4.

DataBee Configuration

  1. Log into the DataBee console, navigate to the Data > Data Feeds tab, and click Add New Data Feed.

  2. Search for Zscaler Private Access and select it.

  3. Select the Data Collector option.

  4. Click Syslog.

  5. Fill out the following details. Under Collector options, select the Data Collector you created above and click Next.

  6. Fill out the following details.

    1. Format: JSON

    2. Mode: TCP

    3. Port: Use the same TCP port you entered in the Zscaler Log Receiver configuration.

  7. Click Submit. The new data source is created.