
Automating Netskope Client Log Collection via Remote Execution

  • April 16, 2026

jforrest
Netskope Employee

Overview

To streamline troubleshooting, organizations often want to automate log collection (e.g., triggered automatically when a user submits a support ticket).

Technical Note: The Netskope REST API v2 allows for the retrieval of logs already present in the tenant. However, the "Collect Logs" function in the Netskope UI relies on a proprietary signaling mechanism that is not currently exposed via a public API. To automate the initiation of log collection, organizations must use a remote execution solution (MDM/EDR) to run the nsdiag utility locally on the endpoint.

The Automation Workflow

Since the process cannot be triggered via a Netskope API call, the workflow moves from the Netskope Cloud to your internal management infrastructure.

  1. Trigger: An automation engine (e.g., ServiceNow, Jira Automation) identifies a new ticket with a hostname.

  2. Execute: Your MDM (Jamf, Intune, Kandji) or EDR (Tanium, CrowdStrike) runs the nsdiag command on the target host.

  3. Local Bundle: The nsdiag tool generates a .zip file in the local Netskope directory.

  4. Exfiltrate: Your remote execution script moves the .zip from the endpoint to your secure internal storage or IT file share.

Implementation Details

1. Binary Locations and Permissions

The diagnostic tool requires root/administrator privileges to capture full system and driver logs.

  • macOS: /Library/Application Support/Netskope/STAgent/nsdiag

  • Windows: C:\Program Files (x86)\Netskope\STAgent\nsdiag.exe

2. The Collection Command

Run the following command via your remote management tool:

Bash

# macOS Example
sudo "/Library/Application Support/Netskope/STAgent/nsdiag" -o Auto_Logs.zip

  • Output Path: The file will be saved to /Library/Logs/Netskope/Auto_Logs.zip (macOS) or C:\Users\Public\Netskope (Windows).

  • Constraint: The -o flag accepts a filename only. Do not provide a full path; the tool automatically saves to the default Netskope log directory.

3. Sample Automation Script Logic

This logic can be embedded into a Jamf Policy, a Tanium Package, or an Intune Proactive Remediation script:

Bash

#!/bin/bash
# 1. Generate the local diagnostic bundle (-o takes a filename only)
BUNDLE_NAME="Ticket_$(hostname)_Logs.zip"
sudo "/Library/Application Support/Netskope/STAgent/nsdiag" -o "$BUNDLE_NAME"

# 2. Verify file creation in the default Netskope log directory
LOG_FILE="/Library/Logs/Netskope/$BUNDLE_NAME"

if [ -f "$LOG_FILE" ]; then
    # 3. Transport the file to your secure repository
    # (Example using curl to an internal API or storage bucket;
    # --fail returns a non-zero exit code on an HTTP error)
    curl --fail -F "file=@$LOG_FILE" https://internal-it-repo.corp/upload || exit 1
else
    echo "Log generation failed."
    exit 1
fi
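
A hardened variant of the script above, as an added example that is not Netskope's code: it builds a filename-only value for -o, checks that the bundle is a real ZIP before upload, and removes the local copy once the upload succeeds. The ticket-ID argument, the UPLOAD_URL variable and the sha256 form field are assumptions; the paths and the -o flag are from the article.

```shell
#!/bin/bash
# Added example, not Netskope's code. Paths and the -o flag come from the
# article; UPLOAD_URL, the sha256 form field and the ticket-ID argument
# are assumptions.
NSDIAG="/Library/Application Support/Netskope/STAgent/nsdiag"
LOG_DIR="/Library/Logs/Netskope"
UPLOAD_URL="${UPLOAD_URL:-https://internal-it-repo.corp/upload}"

# Build the filename-only value that -o requires. Ticket ID and hostname are
# reduced to [A-Za-z0-9._-] so ticket text cannot add a path separator.
bundle_name() {
    ticket=$(printf '%s' "$1" | tr -cd 'A-Za-z0-9._-')
    host=$(printf '%s' "$2" | tr -cd 'A-Za-z0-9._-')
    [ -n "$ticket" ] && [ -n "$host" ] || return 1
    printf 'Ticket_%s_%s_Logs.zip' "$ticket" "$host"
}

# Accept only a regular, non-empty file (not a symlink) that starts with the
# ZIP magic bytes "PK".
verify_bundle() {
    [ -f "$1" ] && [ ! -L "$1" ] && [ -s "$1" ] || return 1
    [ "$(head -c 2 "$1")" = "PK" ]
}

collect() {
    name=$(bundle_name "$1" "$(hostname)") || { echo "Invalid ticket ID." >&2; return 1; }
    "$NSDIAG" -o "$name" || return 1   # assumes the MDM/EDR agent runs this as root
    bundle="$LOG_DIR/$name"
    verify_bundle "$bundle" || { echo "Log generation failed." >&2; return 1; }
    sha=$(shasum -a 256 "$bundle" | cut -d' ' -f1)
    # HTTPS only; --fail turns an HTTP error into a non-zero exit code.
    curl --fail --silent --show-error --proto '=https' \
        -F "sha256=$sha" -F "file=@$bundle" "$UPLOAD_URL" || return 1
    rm -f "$bundle"   # remove the local copy only after a confirmed upload
}

# Usage: collect_logs.sh <ticket-id>
if [ $# -eq 1 ]; then
    collect "$1"
fi
```

The diagnostic bundle holds system and driver logs, so the upload endpoint should require whatever authentication your internal repository already enforces.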

Key Benefits of This Method

  • Independence: Does not rely on the Netskope Client's check-in interval or the Cloud Gateway's processing time.

  • Customization: You can modify the command to include packet captures (e.g., nsdiag -c start) if deeper troubleshooting is required.

  • Integration: Allows you to attach the logs directly to the original IT ticket automatically.

Summary: Automated log initiation is achieved by leveraging your existing endpoint management tools to call the nsdiag binary. This provides a faster, more reliable path for SOC and Helpdesk teams compared to manual console intervention.