# Zscaler ZPA log ingestion via QRadar

For customers who already have Zscaler Private Access (ZPA) LSS logs flowing into QRadar for other reasons, Vectra provides these additional instructions for setting up QRadar to forward those logs to Detect.

Vectra recommends that customers also read the information in the following article that covers ZPA LSS Log Ingestion directly to Cognito Detect without using QRadar as an intermediary:

[https://support.vectra.ai/s/article/KB-VS-1058](/configuration/coverage/remote-users/zscaler-zpa.md)

### Instructions

#### Step 1

Within the QRadar Admin Panel, click on Forwarding Destinations under the System Configuration section.

![](/files/21LN2IcaA0Jiic0Z4goZ)

Add an entry with the Destination Address as your Cognito Detect Brain.

* Event Format = Payload
* Destination Port = 4639
* Protocol = TCP
* It is important that the option “Prefix a syslog header if it is missing or invalid” is **NOT** enabled

![](/files/XGL4vwJfU0vBfXzFerjl)

#### Step 2

* Next, within the Admin Panel (see screenshot above), click on Routing Rules
* Add an entry to forward the ZPA logs to the Detect Brain (screenshots below)
  * If event filtering is desired for specific QIDs, create that filter in the **Event Filters** section
* Select the appropriate event collector where the ZPA logs are already being sent
* Under Routing Options, check the box for Forward and select the Forwarding Destination created in the first step
* Finally, check the box for Log Only. This forwards the original payload with no QRadar log wrapper
* Click Save and forwarding to Detect should be complete

![](/files/H6GEsIDTA6zrY6XnX1j2)

![](/files/rELElTMCBG2Ads1HUK9V)

![](/files/XfVCnqoPqjcsLhR1OoUS)

![](/files/u2SJfTnv0ahrDau8XFRX)

The status of forwarding to Detect can be seen at **Settings > External Connectors > Zscaler Private Access (ZPA)**.
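The two settings that keep the payload unmodified ("Prefix a syslog header" disabled in Step 1, Log Only enabled in Step 2) can be checked on forwarded events with a short script. This is an added example, not part of Vectra's or IBM's documentation; the function names, the test receiver and the sample events are constructed for illustration, and it assumes events arrive newline-delimited over TCP.

```python
import re
import socket

# Leading priority tag such as "<13>" (RFC 3164 and RFC 5424 both start with it).
PRI = re.compile(r"^<\d{1,3}>")
# BSD-style timestamp with no priority tag, e.g. "Jan  5 10:00:00 host ".
BSD_TS = re.compile(
    r"^(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) [ \d]\d \d\d:\d\d:\d\d ")

# Constructed sample events; the payload is a placeholder, not a real ZPA record.
SAMPLE = [
    '{"example_field": "constructed payload"}\n',
    '<13>Jan  5 10:00:00 qradar-host {"example_field": "constructed payload"}\n',
    'Jan  5 10:00:00 qradar-host {"example_field": "constructed payload"}\n',
]

def has_syslog_header(line):
    """True when the event starts with a syslog header instead of the payload."""
    return bool(PRI.match(line) or BSD_TS.match(line))

def audit(lines):
    """Count unmodified payloads and collect events that carry a syslog header."""
    report = {"raw": 0, "prefixed": []}
    for line in lines:
        line = line.strip()
        if not line:
            continue  # ignore blank framing lines
        if has_syslog_header(line):
            report["prefixed"].append(line)
        else:
            report["raw"] += 1
    return report

def capture(port=4639, max_events=20, timeout=30.0):
    """Accept one TCP connection on a test host and read up to max_events lines."""
    with socket.create_server(("0.0.0.0", port)) as srv:
        srv.settimeout(timeout)
        conn, _ = srv.accept()
        conn.settimeout(timeout)
        with conn, conn.makefile("r", encoding="utf-8", errors="replace") as stream:
            return [line for _, line in zip(range(max_events), stream)]

if __name__ == "__main__":
    print(audit(SAMPLE))  # swap SAMPLE for capture() on a test receiver
```

Any entry in `prefixed` means the forwarded event no longer begins with the original payload, which points back to the syslog header option on the forwarding destination.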

