Zscaler Private Access: User activity logs are going to Main:fallback

[evslacker]

What is the sc4s version? 3.30.1 Is there a pcap available? If so, would you prefer to attach it to this issue or send it to Splunk support? wil lbe sharing over mail

What the vendor name? Zscaler

What's the product name? Zscaler private Access

If you're requesting support for a new vendor, do you have any preferences regarding the default index and sourcetype for their events? NA Do you have syslog documentation or a manual for that device?? NA Feature Request description: ZPA is already a approved vendor for SC4S, but somehow the User Activity logs are not going to the Defined index, and they are going to Index=main sourcetype=sc4s:falback. Do you want to have it for local usage or prepare a github PR? NA