Package zscaler/private-access Release Notes
Package zscaler/private-access Release Notes Version 1.2.1
Adds support for parsing and processing logs in the default ZPA format.
Drops the observer.type field.
Package zscaler/private-access Release Notes Version 1.2.0
As part of our continuous efforts to simplify and improve parser performance, we consolidated all existing parsers in this package into a single unified zscaler-privateaccess parser. This means the following parsers:
zscaler-zpa-app-connector-status-json
zscaler-zpa-app-protection-json
zscaler-zpa-audit-json
zscaler-zpa-browser-access-json
zscaler-zpa-user-activity-json
zscaler-zpa-user-status-json
are deprecated, and all future changes will go only into the new zscaler-privateaccess parser. The new parser requires a change on the Zscaler side to the log format for Zscaler Private Access sources.
Follow the steps outlined below for the migration process:
1. Create a new ingest token and associate it with the new zscaler-privateaccess parser.
2. In the ZPA administration console:
   - Create a new log receiver and configure it with your LogScale Collector's IP address, TCP port, and TLS encryption details (if required).
   - Under the Log Stream tab, set the new log format for the log type that you want to send into LogScale.
3. Configure the LogScale Collector to receive ZPA logs in the new format.
4. Confirm that data in the new format is successfully ingested into LogScale.
5. Delete the ingest tokens for the old parsers.
6. Delete the configuration for the old parsers in the LogScale Collector.
7. Remove the configuration for the old format in the ZPA console.
Bumps the minimum LogScale version to 1.142 to support assertions in yaml files.
Improves the field extraction and performance.
Package zscaler/private-access Release Notes Version 1.1.0
Improves the field extraction and performance.
Sets the event.category, event.type and the event.outcome fields based on the source data.
Adds observer.type, package.version, server.bytes, event.action fields and more.
Package zscaler/private-access Release Notes Version 1.0.0
Adds new event.module and Cps.version fields
Removes the Product, related.user, related.hosts and related.ip fields
Sets the following tags: Cps.version, Vendor, ecs.version, event.dataset, event.kind, event.module, event.outcome, observer.type
Package zscaler/private-access Release Notes Version 0.2.0
Changes the parsers to normalise event data to a common schema.
Removes dashboards from the package. To keep those, stay on the old version of the package.
Bumps the minimum supported version of LogScale from 1.20 to 1.82.