Risk Insights provide a quick and easy way to discover cloud apps in your environment to establish a baseline risk assessment for your cloud apps usage.
You can upload the log files from your enterprise web proxy, next generation firewalls, and other devices to your tenant instance in the Netskope cloud. Netskope Log Collector can parse these logs to provide insight into the cloud apps being used, like who is using the app, what the app is, its bandwidth and session usage, the source and destination IP of cloud app traffic, and so on.
Logs can be uploaded to Netskope in these ways:
- Upload logs directly to the Netskope cloud from your tenant UI or via SFTP.
- Deploy an On-Premises Log Parser (OPLP) virtual appliance and upload the logs to the OPLP. You can also directly stream the logs via syslog to the OPLP. All the log processing happens on the OPLP. Log collector processes on the device will parse the logs, extract the necessary events, and send only the extracted cloud app events to your tenant instance in the Netskope cloud. For more information, refer to Configure the Virtual Appliance.
This document describes how to upload logs from your tenant or via SFTP, and explains how to use predefined and custom parsers. To use OPLP on a virtual appliance to upload logs, refer to those sections to configure those systems before proceeding.
Supported Log Formats
Netskope currently supports the following log formats:
|Bluecoat logs sent to Greenplum logserver
|Mcafee Web GW
|Palo Alto Networks
|Bluecoat logs exported In websense format
|Sophos Web Gateway
|Symantec Web Security
Netskope log based discovery requires the destination URL in addition to the destination IP address to accurately identify and map cloud apps. Since most service providers use netblocks to host their services, a destination IP address can be shared by multiple services and therefore, the destination IP address alone does not provide sufficient information required to identify the cloud app.
Netskope recommends either turning on SSL decryption on your firewall or proxy server to capture the destination URLs in the logs so that Netskope can more accurately determine the cloud app service in use, or steering user traffic through Netskope cloud for the most accurate understanding of apps, tenants, and activities.
- You can compress the logs before uploading. Bzip, zip and gzip are currently supported.
- Each compressed file can contain only one single log file.
- Make sure to upload the log to the correct log folder. For example, for checkpoint logs, use the
upload/chkpfolder, and for Bluecoat Proxy logs use the
upload/proxysg-http-mainfolder, and so on.
Please reach out to your SE to learn if there are any new log formats that are not listed.
Use port 22 to upload logs to the tenant UI via SFTP.
Supported Character Encoding
Netskope supports ASCII and UTF-8 character encoding formats.
OPLP Sizing Guide
To ensure you have enough processing power for the amount of logs being processed, review these guidelines. Keep in mind these guidelines are for predefined parsers; core and RAM requirements for custom parsers vary depending on the complexity of the logs.
|Expected Log Traffic
|Disk Space Required
|Approximately 72 GB per day or 3 GB per hour
|Approximately 144 GB per day or 6 GB per hour
|Approximately 216 GB per day or 8 GB per hour