EDIT: Solved by switching to a default Ubuntu VM. No idea what exactly it is about default Ubuntu that makes it work.


We have been trying to get the logs from Zscaler Private Access connected to our Sentinel instance, with 0 success so far.


We've followed the instructions on the data connector page perfectly, but there simply isn't any data from Zscaler coming into Sentinel and we cannot figure out why.


- We've installed the Log Analytics (OMS) agent successfully. We can see a Heartbeat coming in and even the syslog of the machine. This should prove the connection between the VM and Sentinel is working.

- We've placed the VM in the same subnet as the ZPA log receivers, opened the correct ports and firewall rules, and we can see traffic on our VM coming from the log receivers via tcpdump. This should prove the connection between Zscaler and the VM is working.

- We can't find any errors in the OMS agent logs. It seems to load the provided zpa.conf file correctly.

- We triple-checked all the steps; every step was taken correctly.


But there are no ZPA logs in Sentinel.

I've searched around and there seem to be multiple people (even in the reviews section of the solution) running into issues with this, but there are no solutions posted anywhere.


Did anyone have any luck with getting this solution to work? And can you share how you did it?
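Added example, not from the original post and not Zscaler's or Microsoft's own tooling: a small POSIX shell helper that turns the checklist above into checks that can be run on the collector VM. It assumes the connector's zpa.conf is a fluentd input loaded by the Log Analytics (OMS) agent, and the conf and log paths in the script are assumptions to adjust for your workspace; the port is read from the conf rather than hard-coded. It adds one check the post does not mention: the address the agent is actually bound to. Packets seen in tcpdump only prove the log receivers are sending; if the listener is bound to 127.0.0.1 (or not up at all) the kernel answers those packets with a RST and nothing ever reaches the agent.

```shell
#!/bin/sh
# ZPA -> OMS agent troubleshooting helper (added example, not the
# connector's own code). Assumptions, adjust to your host:
#   - zpa.conf is a fluentd <source> block loaded by the OMS agent;
#   - the conf and log paths below are guesses at the agent's layout.
ZPA_CONF="${ZPA_CONF:-/etc/opt/microsoft/omsagent/conf/omsagent.d/zpa.conf}"
OMS_LOG="${OMS_LOG:-/var/opt/microsoft/omsagent/log/omsagent.log}"

# Print the value of one fluentd directive ("port", "tag", "bind", ...)
# from every block in a conf file, one per line. Matching on the first
# word only makes this work for both "type tcp" and "@type tcp" styles.
conf_values() {
    awk -v key="$2" '$1 == key { print $2 }' "$1"
}

# One-line summary of the first input in a conf file, e.g.
#   port=22033 bind=0.0.0.0 tag=oms.api.ZPA
# fluentd's in_tcp binds 0.0.0.0 when no "bind" is given, so that is
# reported as the default.
conf_summary() {
    port=$(conf_values "$1" port | head -n 1)
    bind=$(conf_values "$1" bind | head -n 1)
    tag=$(conf_values "$1" tag | head -n 1)
    printf 'port=%s bind=%s tag=%s\n' "${port:-?}" "${bind:-0.0.0.0}" "${tag:-?}"
}

# Is anything listening on TCP port $1? Prints the local address:port so a
# loopback-only bind is visible; exits 1 when nothing is listening.
# Uses ss and falls back to netstat (column 4 is the local address in both).
listening_on() {
    { ss -ltn 2>/dev/null || netstat -ltn 2>/dev/null; } \
        | awk -v p=":$1" '
            substr($4, length($4) - length(p) + 1) == p { print $4; found = 1 }
            END { exit found ? 0 : 1 }'
}

# Send one constructed test line to host $1 port $2 from the VM itself.
# A refused connection on the right port means the agent is not reachable
# where the receivers send, whatever tcpdump shows on the wire.
probe_listener() {
    printf 'ZPA-TEST constructed probe %s\n' "$(date +%s)" | nc -w 2 "$1" "$2"
}

# Last 20 agent log lines that mention the ZPA config, errors or warnings.
agent_log_issues() {
    grep -iE 'zpa|error|warn' "$1" | tail -n 20
}

# Live checks run only when the conf file exists on this host, so the
# functions above can still be exercised against a constructed conf on a
# machine without the agent.
if [ -r "$ZPA_CONF" ]; then
    summary=$(conf_summary "$ZPA_CONF")
    echo "zpa.conf: $summary"
    port=${summary#port=}
    port=${port%% *}
    if addr=$(listening_on "$port"); then
        echo "agent listening at $addr"
        case "$addr" in
            127.0.0.1:*|\[::1\]:*) echo "WARNING: loopback bind; the ZPA log receivers cannot connect" ;;
        esac
        probe_listener 127.0.0.1 "$port" \
            && echo "probe accepted; look for the test line in the ZPA table in Sentinel"
    else
        echo "nothing listening on $port: zpa.conf was not loaded, or a different port is configured"
    fi
    [ -r "$OMS_LOG" ] && agent_log_issues "$OMS_LOG"
fi
```

Run it as root on the collector VM (ss, nc and the log path need privileges); when the summary shows the expected port but `listening_on` fails, the agent never loaded the input, which is the case tcpdump alone cannot distinguish from a working receiver.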

@LukeI91 1) Did you double check the zscaler.conf file to ensure all the ports are correct?

2) This data connector was written by ZScaler. Have you contacted them to see if they have a resolution?

@GBushey 1) Yes we did. And we can see traffic on the ports via tcpdump.
2) We are contacting them as well to get insights. The solution in the content hub on the Sentinel blade actually lists Microsoft as support contact. I've also opened a support ticket with Microsoft.