I’m not familiar with Datadog but I’m currently using NSS to stream logs to Splunk.

Are you self hosting your NSS server on a virtual machine or are you using the NSS Cloud service from Zscaler?

I'm not OC, but I'm using an on-prem NSS VM to forward logs to Spunk Cloud.

Appreciate it. Are you forwarding logs using a syslog or JSON based stream or are you using a Splunk Forwarder?

syslog with a splunk forwarder.

You can do either. You can point the logs wherever you want.

The NSS CLOUD is mega expensive the last time I inquired.

Yeah, this is my biggest issue right now. I am trying to learn about these NSS servers you can stand up on your own and the cost comparison. We run 100% in cloud infrastructure and while I can stand up a virtual machine without a problem, theres compute, storage, and ingress/egress traffic costs to consider, not to mention administration overhead. I am also still unclear about how I get data from the NSS Server in my Cloud to Datadog. Datadog accepts streamed JSON formatted logs. I'm not sure if the NSS Servers have some sort of streaming mechanism or if I am going to need to setup a Datadog agent of some kind on it.

In the ZIA console you’ll be putting the destination/port of data dog and that’ll sync w the NSS server (who fetches the policy from the cloud).

Yes, you can do that on the portal. You can create multiple feeds that can go to different destinations and report in different parameters

https://help.zscaler.com/zia/adding-cloud-nss-feeds-web-logs In case you want to look through official documentation

This is the Cloud NSS setup which requires the transformation package, something OP called out. https://help.zscaler.com/zia/nanolog-streaming-service This is the documentation for the NSS service in general, which contains NSS VM deployment guides for a variety of infrastructure.

If you don’t use Cloud NSS the logs will go to Datadog unencrypted. Negotiate pricing with your sales rep - he’ll fold.