Netskope Help

Risk Insights

You can upload the log files from your enterprise web proxy, next generation firewalls, and other devices to your tenant instance in the Netskope cloud. Netskope Log Collector can parse these logs to provide insight into the cloud apps being used, like who is using the app, what the app is, its bandwidth and session usage, the source and destination IP of cloud app traffic, and so on.

Logs can be uploaded to Netskope in these ways:

  • Upload logs directly to the Netskope cloud from your tenant UI or via SFTP.

  • Deploy an On-Premises Log Parser (OPLP) virtual appliance and upload the logs to the OPLP. You can also directly stream the logs via syslog to the OPLP. All the log processing happens on the OPLP. Log collector processes on the device will parse the logs, extract the necessary events, and send only the extracted cloud app events to your tenant instance in the Netskope cloud. For more information, refer to Configure the Virtual Appliance.

This document describes how to upload logs from your tenant UI or via SFTP, and explains how to use predefined and custom parsers. If you want to upload logs through an OPLP virtual appliance instead, configure the appliance first (see Configure the Virtual Appliance) before proceeding.

Supported Log Formats

Netskope currently supports the following log formats:

Device                                        Log Format
Cisco ASA                                     asa, asa-syslog
Bro IDS                                       bro-ids
Check Point                                   chkp
Cisco Catalyst                                cisco-fwsm-syslog
Cisco IronPort                                cisco-wsa, cisco-wsa-syslog
Fortinet                                      fortigate
Blue Coat logs sent to Greenplum log server   greenplum-bluecoat
Microsoft ISA                                 isa-splunk
Juniper SRX                                   juniper-srx-structured-syslog, juniper-srx-unstructured-syslog
Juniper NetScreen                             netscreen-traffic
McAfee Web Gateway                            mcafee
Palo Alto Networks                            panw, panw-syslog
Blue Coat                                     proxysg, proxysg-http-main
Blue Coat logs exported in Websense format    proxysg-websense
Cisco ScanSafe                                scansafe
Sensage SIEM                                  sensage
SonicWall                                     sonicwall-syslog
Squid Proxy                                   squid
Sophos Web Gateway                            sophos
Symantec Web Security                         Symantec-web-security
Trustwave                                     trustwave
Websense                                      websense
Zscaler                                       zscaler

Netskope log-based discovery requires the destination URL in addition to the destination IP address to accurately identify and map cloud apps. Because most service providers host their services on shared netblocks, one destination IP address can serve multiple services, so the destination IP address alone does not provide enough information to identify the cloud app.

Netskope recommends either turning on SSL decryption on your firewall or proxy server so that destination URLs are captured in the logs and Netskope can more accurately determine the cloud app service in use, or steering user traffic through the Netskope cloud for the most accurate view of apps, tenants, and activities.

Log requirements:

  • You can compress the logs before uploading. Bzip, zip and gzip are currently supported.

  • Each compressed file can contain only one single log file.

  • Make sure to upload the log to the correct log folder. For example, for Check Point logs use the upload/chkp folder, for Blue Coat proxy logs use the upload/proxysg-http-main folder, and so on.

Reach out to your SE to learn whether any new log formats are supported that are not listed here.

Use port 22 when uploading logs to your tenant via SFTP.

Supported Character Encoding

Netskope supports ASCII and UTF-8 character encoding formats.
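A pre-upload check that applies the log requirements and encoding rule above, added here as an example and not Netskope's own tooling: it accepts only bzip, zip or gzip archives, rejects a zip that holds more than one log file, confirms the content decodes as ASCII/UTF-8, and returns the upload/<format> folder for the parser name. The sample archives it builds are constructed for the demonstration, not real logs.

```python
"""Added pre-upload check for Risk Insights log archives (not Netskope tooling):
compression type, one log file per archive, ASCII/UTF-8 text, upload/<format> folder."""
import bz2, gzip, os, tempfile, zipfile

SUPPORTED_FORMATS = {  # parser names from the supported-formats table
    "asa", "asa-syslog", "bro-ids", "chkp", "cisco-fwsm-syslog", "cisco-wsa",
    "cisco-wsa-syslog", "fortigate", "greenplum-bluecoat", "isa-splunk",
    "juniper-srx-structured-syslog", "juniper-srx-unstructured-syslog",
    "netscreen-traffic", "mcafee", "panw", "panw-syslog", "proxysg",
    "proxysg-http-main", "proxysg-websense", "scansafe", "sensage", "sonicwall-syslog",
    "squid", "sophos", "Symantec-web-security", "trustwave", "websense", "zscaler"}

def read_single_member(path):
    """Return the bytes of the one log file in the archive; ValueError otherwise."""
    if path.endswith(".zip"):
        with zipfile.ZipFile(path) as zf:
            names = [n for n in zf.namelist() if not n.endswith("/")]
            if len(names) != 1:
                raise ValueError(f"zip must hold exactly one log file, found {len(names)}")
            return zf.read(names[0])
    opener = {".gz": gzip.open, ".bz2": bz2.open}.get(os.path.splitext(path)[1])
    if opener is None:
        raise ValueError("unsupported compression; use bzip, zip or gzip")
    with opener(path, "rb") as fh:  # gzip/bzip2 streams hold a single file by design
        return fh.read()

def check_upload(path, log_format):
    """Return (SFTP folder, problems); an empty problems list means ready to upload."""
    problems = []
    if log_format not in SUPPORTED_FORMATS:
        problems.append(f"unknown log format {log_format!r}; check with your SE")
    try:
        read_single_member(path).decode("utf-8")  # ASCII is a subset of UTF-8
    except (ValueError, OSError, zipfile.BadZipFile) as exc:  # UnicodeDecodeError is a ValueError
        problems.append(str(exc))
    return f"upload/{log_format}", problems

def make_samples():
    """Constructed sample archives (not real logs) so the check runs offline."""
    d = tempfile.mkdtemp()
    good = os.path.join(d, "fw.log.gz")
    with gzip.open(good, "wb") as fh:
        fh.write(b"2024-01-01T10:00:01 fw1 allow 10.0.0.5 203.0.113.7:443 example.com\n")
    bad = os.path.join(d, "two.zip")
    with zipfile.ZipFile(bad, "w") as zf:
        zf.writestr("a.log", "one\n")
        zf.writestr("b.log", "two\n")
    return good, bad
```

Run the check before each SFTP put; an archive with a non-empty problems list should be repackaged rather than uploaded to the tenant.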

OPLP Sizing Guide

To ensure you have enough processing power for the amount of logs being processed, review these guidelines. Keep in mind these guidelines are for predefined parsers; core and RAM requirements for custom parsers vary depending on the complexity of the logs.

Expected Log Traffic                             Cores Required   RAM Required   Disk Space Required
Approximately 72 GB per day or 3 GB per hour     8                32 GB          300 GB
Approximately 144 GB per day or 6 GB per hour    16               64 GB          600 GB
Approximately 216 GB per day or 8 GB per hour    24               96 GB          900 GB