Forum Discussion
LukeI91
Sep 28, 2022 | Copper Contributor
Zscaler Private Access Solution not receiving data
EDIT: Solved by switching to a default Ubuntu VM. No idea what exactly it is about default Ubuntu that makes it work.
We have been trying to get the logs from Zscaler Private Access connected to our Sentinel instance, with 0 success so far.
We've followed the instructions on the data connector page perfectly, but there simply isn't any data from Zscaler coming into Sentinel and we cannot figure out why.
- We've installed the Log Analytics (OMS) agent successfully. We can see a Heartbeat coming in and even the syslog of the machine. This should prove the connection between the VM and Sentinel is working.
- We've placed the VM in the same subnet as the ZPA log receivers, opened the correct ports and firewall rules, and we can see traffic on our VM coming from the log receivers via tcpdump. This should prove the connection between Zscaler and the VM is working.
- We can't find any errors in the OMS agent logs. It seems to load the provided zpa.conf file correctly.
- We triple-checked all the steps; every step is taken correctly.
But there are no ZPA logs in Sentinel.
I've searched around and there seem to be multiple people (even in the reviews section of the solution) running into issues with this, but there are no solutions posted anywhere.
Did anyone have any luck with getting this solution to work? And can you share how you did it?
Manggio2025 | Copper Contributor
I have had the same issue for some time now. I have managed to get ZPA logs into the Syslog table in Sentinel, instead of into the custom ZPA_CL table according to the Zscaler-provided guideline. The issue with the Zscaler guideline is in the modification of the Data Collection Rule: after the DCR modification, ingestion into the Syslog table is broken and the modified DCR does not correctly point logs to the custom ZPA table. Did anyone solve this?