Bitdefender GravityZone Integration via Log Forwarder

I will try to share the steps we need to pay attention to in Bitdefender GravityZone integration below.

First of all, we need to log in to the product interface with a user with administrator authorization and click on the My Account field from the User Menu tab at the top right.

On the screen that opens, we create a new API key in the section at the bottom and select Event Push Service at the creation stage. The name you give here does not matter, but you need to save the API key that is shown when you save it. This key is shown only once; if you do not save it, you will need to create a new one.

With the API key created, we can now configure the forwarder side.

You need to install Ubuntu 20.04 LTS on your Log Forwarder server, and the server must meet the following minimum specs.

Requirements:

  • Ubuntu 20.04 virtual machine
  • 2 Core CPU
  • 2 GB RAM
  • 80 GB HDD
  • Bitdefender API key
  • Access from the external network, through NAT, to the IP and port of the server we set up inside (a port number above 1024 can be given; in this example we use port 60001)

Bitdefender Connector installation

  • We add the public key of the Bitdefender repo to the keyring (apt-key needs root)

curl -sS https://download.bitdefender.com/repos/gzrepos.key.asc | sudo apt-key add -

  • We add the Bitdefender repo (the redirection must run as root, so we use tee instead of sudo echo >>)

echo "deb http://download.bitdefender.com/repos/deb-hydra20-evpsc/ bitdefender non-free" | sudo tee -a /etc/apt/sources.list

  • We install the Bitdefender Connector service

sudo apt update

sudo apt install gz-evpsc

  • After installation, we go to the following directory and run config.sh, setting the parameters according to our environment

cd /opt/bitdefender/gz-evpsc
./config.sh <PORT> <SYSLOGPORT> <TRANSPORT> <TARGET> <AUTH> <CONFIG_FILENAME>

  • PORT

The port that the gz-evpsc service listens on; GravityZone Cloud connects to the machine on this port. In this example 60001 is used.

  • SYSLOGPORT

The port on the Logsign server to which Bitdefender Connector forwards the logs it receives from the cloud.

  • TRANSPORT

The transport protocol used for syslog. We use Udp.

  • TARGET

The IP address of our Logsign server.

  • AUTH

The pre-shared key that the cloud service presents when it sends logs to our machine, and that Bitdefender Connector uses to authenticate it. We choose a random value ourselves, for example dGVzdDp0ZXN0333. The same value must later be set on the cloud side, otherwise the connector rejects the pushes.

  • CONFIG_FILENAME

config.json

Example:

./config.sh 60001 514 Udp 10.10.6.207 'Basic dGVzdDp0ZXN0333' config.json

  • We enable and start the Bitdefender Connector service

sudo systemctl enable gz-evpsc

sudo systemctl start gz-evpsc

  • With the following command, we post a sample log to our connector service from the local environment, and the connector forwards it to our syslog server.

curl -k -H 'Authorization: Basic dGVzdDp0ZXN0' \
  -H "Content-Type: application/json" \
  -d '{"cef": "0", "events": [
    "CEF:0|Bitdefender|GravityZone|6.4.0-8|70000|Registration|3|BitdefenderGZModule=registration dvchost=TEST_ENDPOINT BitdefenderGZComputerFQDN=test.example.com dvc=192.168.1.2",
    "CEF:0|Bitdefender|GravityZone|6.4.0-8|35|Product Modules Status|5|BitdefenderGZModule=modules dvchost=TEST_ENDPOINT BitdefenderGZComputerFQDN=test.example.com dvc=192.168.1.2",
    "CEF:0|Bitdefender|GravityZone|6.4.0-8|35|Product Modules Status|5|BitdefenderGZModule=modules dvchost=TEST_ENDPOINT BitdefenderGZComputerFQDN=test.example.com dvc=192.168.1.2"]}' \
  https://10.10.6.104:60001/api

In the photo above, you can see on the Logsign USO side that the sample logs produced by the previous command have arrived. This means that our connector service is working.

These are not real logs sent through the cloud. For that, we use the cloud service API over GravityZone Cloud.
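To see what the connector has to do with the push above (check AUTH, accept only the {"cef": "0", "events": [...]} shape, forward each CEF line as a syslog datagram to TARGET:SYSLOGPORT), here is an added example in Python; it is not the gz-evpsc code, and the sample body is constructed from the curl test in this article.

```python
import base64
import json
import socket

# Constructed sample body, modelled on the curl test in this article (added example; the
# gz-evpsc connector's own code is not shown here, this only mirrors what it must do).
SAMPLE_BODY = json.dumps({"cef": "0", "events": [
    "CEF:0|Bitdefender|GravityZone|6.4.0-8|70000|Registration|3|BitdefenderGZModule=registration "
    "dvchost=TEST_ENDPOINT BitdefenderGZComputerFQDN=test.example.com dvc=192.168.1.2",
    "CEF:0|Bitdefender|GravityZone|6.4.0-8|35|Product Modules Status|5|BitdefenderGZModule=modules "
    "dvchost=TEST_ENDPOINT BitdefenderGZComputerFQDN=test.example.com dvc=192.168.1.2",
]})

def expected_auth_header(user: str, password: str) -> str:
    """The AUTH value given to config.sh: 'Basic ' + base64('user:password')."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def handle_push(headers: dict, body: str, expected_auth: str):
    """Check one push from GravityZone Cloud and turn it into syslog datagrams.

    Returns (http_status, [datagram bytes]): 401 when the Authorization header does not
    match AUTH exactly, 400 when the body is not {"cef": "0", "events": [...]}, and 200
    with one datagram per string that really starts with a CEF header.
    """
    if headers.get("Authorization") != expected_auth:
        return 401, []
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        return 400, []
    if not isinstance(doc, dict) or doc.get("cef") != "0" or not isinstance(doc.get("events"), list):
        return 400, []
    # Syslog PRI <134> = facility local0 (16) * 8 + severity informational (6)
    datagrams = [f"<134>{e}".encode() for e in doc["events"]
                 if isinstance(e, str) and e.startswith("CEF:0|")]
    return 200, datagrams

def forward_udp(datagrams, target: str, port: int) -> int:
    """Send the datagrams over UDP to TARGET:SYSLOGPORT (the Logsign server); returns the count."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        for d in datagrams:
            s.sendto(d, (target, port))
    return len(datagrams)

if __name__ == "__main__":
    auth = expected_auth_header("test", "test")  # "Basic dGVzdDp0ZXN0", the value in the article
    status, grams = handle_push({"Authorization": auth}, SAMPLE_BODY, auth)
    print(status, forward_udp(grams, "127.0.0.1", 514))  # assumes a local syslog listener on 514/udp
```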

Configurations on GravityZone Cloud

In order for GravityZone to forward the logs to the machine we have installed, a configuration is also needed on the cloud side. This configuration is not done through the interface; we define the relevant parameters through the API.

  • We need an API key for this process.

To create an API key, we log in at https://cloudgz.gravityzone.bitdefender.com with an authorized user and go to the My Account menu from the menu at the top right.

At the bottom of the page that opens, we note the Access URL in the Control Center API section and click the Add button.

We fill in the page that opens as follows and click Create.

We copy and save our API key from the page that opens.

In the Bitdefender documentation this API key is referred to as API_KEY_BASE64_ENCODED_WITH_COLON_APPENDED. To use it, we append ':' to the end of the key and base64-encode the result.

  • We do this with the following command.

echo -n "<BITDEFENDER_API_KEY>:" | base64 -w 0

Example:

echo -n "9dff4e9b6c6527aa1df1b4a143bb29fcfe99bd4fca52139ddfd1067b4c:" | base64 -w 0

After running the command, we save the output. We will use this output as the API key.

  • With the curl command below, we configure GravityZone Cloud, through the API key we created, to send logs to our public IP address. For this we use the setPushEventSettings method.

curl --tlsv1.2 -sS -k -X POST \
  https://CONTROL_CENTER_APIs_ACCESS_URL/v1.0/jsonrpc/push \
  -H 'authorization: Basic API_KEY_BASE64_ENCODED_WITH_COLON_APPENDED' \
  -H 'cache-control: no-cache' \
  -H 'content-type: application/json' \
  -d '{"id": "1", "jsonrpc": "2.0", "method": "setPushEventSettings",
       "params": {
         "serviceSettings": {"requireValidSslCertificate": false,
                             "authorization": "Basic xxxxxxxxxx",
                             "url": "https://your_web_server_hostname_or_public_IP:port/api"},
         "serviceType": "cef",
         "status": 1,
         "subscribeToEventTypes": {"adcloudgz": true, "antiexploit": true, "aph": true, "av": true, "avc": true, "dp": true,
                                   "endpoint-moved-in": true, "endpoint-moved-out": true, "exchange-malware": true,
                                   "exchange-user-credentials": true, "fw": true, "hd": true, "hwid-change": true,
                                   "install": true, "modules": true, "network-monitor": true, "network-sandboxing": true,
                                   "new-incident": true, "ransomware-mitigation": true, "registration": true,
                                   "supa-update-status": true, "sva": true, "sva-load": true, "task-status": true,
                                   "troubleshooting-activity": true, "uc": true, "uninstall": true}}}'

  • CONTROL_CENTER_APIs_ACCESS_URL >> https://cloudgz.gravityzone.bitdefender.com/api/
  • API_KEY_BASE64_ENCODED_WITH_COLON_APPENDED >> The API key we created in the previous step.
  • xxxxxxxxxx >> The random auth key we generated during connector setup (the AUTH value).
  • https://your_web_server_hostname_or_public_IP:port >> Our external IP address and the port that is NAT-forwarded to the connector.

Example:

curl --tlsv1.2 -sS -k -X POST \
  https://cloudgz.gravityzone.bitdefender.com/api/v1.0/jsonrpc/push \
  -H 'authorization: Basic OwRmZjRLOWI2YzY1MjdhYTFkZjFiNGExNDNiYjI5ZmNmZT*****' \
  -H 'cache-control: no-cache' \
  -H 'content-type: application/json' \
  -d '{"id": "1", "jsonrpc": "2.0", "method": "setPushEventSettings",
       "params": {
         "serviceSettings": {"requireValidSslCertificate": false,
                             "authorization": "Basic dGVzdDp0ZXN0",
                             "url": "https://24.x.x.x:60001/api"},
         "serviceType": "cef",
         "status": 1,
         "subscribeToEventTypes": {"adcloudgz": true, "antiexploit": true, "aph": true, "av": true, "avc": true, "dp": true,
                                   "endpoint-moved-in": true, "endpoint-moved-out": true, "exchange-malware": true,
                                   "exchange-user-credentials": true, "fw": true, "hd": true, "hwid-change": true,
                                   "install": true, "modules": true, "network-monitor": true, "network-sandboxing": true,
                                   "new-incident": true, "ransomware-mitigation": true, "registration": true,
                                   "supa-update-status": true, "sva": true, "sva-load": true, "task-status": true,
                                   "troubleshooting-activity": true, "uc": true, "uninstall": true}}}'

After this process, we can verify the settings on the cloud side with the getPushEventSettings method.

curl --tlsv1.2 -sS -k -X POST \
  https://cloudgz.gravityzone.bitdefender.com/api/v1.0/jsonrpc/push \
  -H 'authorization: Basic OwRmZjRLOWI2YzY1MjdhYTFkZjFiNGExNDNiYjI5Zm*******' \
  -H 'cache-control: no-cache' \
  -H 'content-type: application/json' \
  -d '{"id": "3", "jsonrpc": "2.0", "method": "getPushEventSettings", "params": {}}'

You can trigger a test log send via the cloud with the sendTestPushEvent method.

curl --tlsv1.2 -sS -k -X POST \
  https://cloudgz.gravityzone.bitdefender.com/api/v1.0/jsonrpc/push \
  -H 'authorization: Basic OwRmZjRLOWI2YzY1MjdhYTFkZjFiNGExNDNiYjI5ZmNmZTk5YmQ******' \
  -H 'cache-control: no-cache' \
  -H 'content-type: application/json' \
  -d '{"id": "4", "jsonrpc": "2.0", "method": "sendTestPushEvent", "params": {"eventType": "av"}}'
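The three cloud-side calls above (setPushEventSettings, getPushEventSettings, sendTestPushEvent) as one small Python client, added here as an example and not Bitdefender's own code. It builds the API_KEY_BASE64_ENCODED_WITH_COLON_APPENDED header from the raw key, assumes the Access URL and event list shown in this article, and, unlike curl -k, verifies the server certificate by default.

```python
import base64
import json
import urllib.request

# Added example, not Bitdefender's code. ACCESS_URL is the Control Center API access URL
# noted on the My Account page; EVENT_TYPES is the subscription list from this article.
ACCESS_URL = "https://cloudgz.gravityzone.bitdefender.com/api"
EVENT_TYPES = ["adcloudgz", "antiexploit", "aph", "av", "avc", "dp", "endpoint-moved-in",
               "endpoint-moved-out", "exchange-malware", "exchange-user-credentials", "fw", "hd",
               "hwid-change", "install", "modules", "network-monitor", "network-sandboxing",
               "new-incident", "ransomware-mitigation", "registration", "supa-update-status",
               "sva", "sva-load", "task-status", "troubleshooting-activity", "uc", "uninstall"]

def api_key_header(api_key: str) -> str:
    """API_KEY_BASE64_ENCODED_WITH_COLON_APPENDED: HTTP Basic value built from base64(api_key + ':')."""
    return "Basic " + base64.b64encode((api_key + ":").encode()).decode()

def push_settings_params(connector_url: str, connector_auth: str,
                         event_types=EVENT_TYPES, require_valid_cert: bool = False) -> dict:
    """Params for setPushEventSettings: our connector URL, the AUTH value it expects, event subscriptions."""
    return {
        "serviceType": "cef",
        "status": 1,
        "serviceSettings": {"url": connector_url, "authorization": connector_auth,
                            "requireValidSslCertificate": require_valid_cert},
        "subscribeToEventTypes": {t: True for t in event_types},
    }

def rpc_request(api_key: str, method: str, params: dict, req_id: str = "1") -> urllib.request.Request:
    """Build the JSON-RPC 2.0 POST to <ACCESS_URL>/v1.0/jsonrpc/push with the Basic auth header."""
    body = json.dumps({"id": req_id, "jsonrpc": "2.0", "method": method, "params": params}).encode()
    return urllib.request.Request(ACCESS_URL + "/v1.0/jsonrpc/push", data=body, method="POST",
                                  headers={"authorization": api_key_header(api_key),
                                           "content-type": "application/json"})

def call(req: urllib.request.Request) -> dict:
    """Send the request (certificate verified, unlike curl -k) and return the JSON-RPC result."""
    with urllib.request.urlopen(req, timeout=30) as resp:
        reply = json.load(resp)
    if "error" in reply:
        raise RuntimeError(f"{req.full_url}: {reply['error']}")
    return reply["result"]

if __name__ == "__main__":
    key = "<BITDEFENDER_API_KEY>"  # placeholder for your own GravityZone API key
    params = push_settings_params("https://24.x.x.x:60001/api", "Basic dGVzdDp0ZXN0")
    print(call(rpc_request(key, "setPushEventSettings", params)))
    print(call(rpc_request(key, "getPushEventSettings", {}, "3")))  # verify what the cloud stored
    print(call(rpc_request(key, "sendTestPushEvent", {"eventType": "av"}, "4")))
```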

When creating the NAT rule to the internal network, restrict the allowed source addresses to Bitdefender's GravityZone Cloud IP addresses, so that only the cloud service can reach the connector port.


Then you can log in to Logsign USO, select Syslog > Bitdefender > GravityZone and complete the source addition process.

Sources:

https://www.bitdefender.com/business/support/en/77211-144080-build-an-event-push-service-api-connector-for-cef-standard.html

https://www.bitdefender.com/business/support/en/77209-135319-setpusheventsettings.html
