
Netskope Help

Log Shipper Module

Log Shipper is a logging service that pulls all or a subset of a customer tenant's event and alert logs and sends them to the customer's SIEM and data lake(s) in a customized, customer-selected format. The format is defined with either the mapping wizard or the raw editor. Use either tool to add or remove fields, change mappings, change field headers, transform field extended attributes, or insert static placeholders to meet your specific log requirements.

Log Shipper Global Settings

Only Admins can change Log Shipper Global Settings. Go to Settings > Log Shipper. There are two tabs: General and Mappings.

On the General tab, you can set the number of entries per page expected to be polled from Netskope. This setting should only be modified when directed to do so by Netskope.


On the Mappings tab, you can open and edit each of the mapping files available to the installed plugins by clicking the pencil icon.


You can also create a new mapping file to be invoked by a configured plugin as an alternative to the defaults provided. In the Wizard view, you can modify the mapping file to add, delete, or modify fields relative to the default. For example, open an existing default file, like the SYSLOG file, and copy its contents to create a new mapping file by clicking Add Mapping File > Add Alert Field, and then add new fields for Alerts as needed. Do the same for Events and WebTx.


You may need to modify the mapping file to enable the addition, deletion, or modification of fields relative to the default.

In the Editor view, click Load From File to upload a mapping file.


Headers, payloads, and attributes can be overwritten, mapped to new values, transformed to use new data types, deleted, or added. If you prefer to do this outside of CE, you can download the original mapping file using the download icon, and then edit it in a tool of your choice. When finished, copy the content and paste it into a new placeholder file created using the copy function. Make sure the Editor button is selected when pasting.

Note

Amazon S3, Azure Blob, and Google GCS plugins for web transaction logs cannot be edited. Those plugins push the original .gzip files obtained from Netskope to the cloud service providers without decompressing or modifying the content.