Bitdefender GravityZone Integration via Log Forwarder

Below I share the steps that need attention when integrating Bitdefender GravityZone with Logsign USO through Bitdefender's Event Push Service log forwarder (gz-evpsc).

First, log in to the GravityZone interface with a user that has administrator authorization and open My Account from the user menu at the top right.

On the resulting screen, create a new API key in the section at the bottom and select Event Push Service as its scope when creating it. The name you enter does not matter, but you must save the API key shown after saving: it is displayed only once, and if you do not record it you will have to create a new one. Treat it like a password, since it grants Push API access to your tenant.

Based on the API key you created, we can now configure the forwarder side.

Install Ubuntu 20.04 LTS on the Log Forwarder server and provide at least the following specs.

Hardware

1 CPU
2 GB RAM
1 Gbit virtual NIC
80 GB HDD


Then run the following steps on the server, in order.

echo "deb http://download.bitdefender.com/repos/deb-hydra20-evpsc/ bitdefender non-free" | sudo tee -a /etc/apt/sources.list

(The form sudo echo "..." >> /etc/apt/sources.list fails with "Permission denied": sudo only applies to echo, while the >> append is performed by your unprivileged shell. With tee -a the append itself runs under sudo.)

sudo apt update

If you get an error like:

Err:1 http://download.bitdefender.com/repos/deb-hydra20-evpsc bitdefender InRelease The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 887A41B4AF6056F5

run the commands below:

gpg --keyserver keyserver.ubuntu.com --recv-keys 887A41B4AF6056F5
gpg --export --armor 887A41B4AF6056F5 | sudo apt-key add - && sudo apt-get update

Note that apt-key is deprecated on newer Ubuntu releases but still works on 20.04, and that fetching a key by ID from a keyserver only proves a key with that ID exists; compare its fingerprint with Bitdefender's documentation before trusting it for package installs.

 

sudo apt install gz-evpsc

 

# Change to the directory where the configuration script is located.

cd /opt/bitdefender/gz-evpsc

# Run the script with sudo permission.

sudo ./config.sh <PORT> <SYSLOGPORT> <TRANSPORT> <TARGET> <AUTH> <CONFIG_FILENAME>

 

A full line as an example:

sudo ./config.sh 3200 514 Tcp 127.0.0.1 'Basic dGVzdDp0ZXN0' config.json

 

PORT: the port on which the forwarder listens for events pushed by GravityZone. 3200 can stay as it is.

SYSLOGPORT: 514 (tcp) or 515 (udp), the syslog listener on Logsign USO.

TRANSPORT: tcp or udp; it must match the syslog port chosen above.

TARGET: Logsign USO IP address.

AUTH: Basic <credential>. The credential is base64("user:password"), the HTTP Basic value GravityZone will present to the forwarder on every push. The example 'Basic dGVzdDp0ZXN0' is base64 of test:test, so replace it with a credential of your own. It cannot be the same as the API key.

 

When this runs, the script writes the values given to config.sh into the config file and generates the certificates the forwarder's listener will present (these are self-generated, which is why the push request later sets requireValidSslCertificate to false).

 

After this, enable and start the gravityzone service.

sudo systemctl enable gz-evpsc

sudo systemctl start gz-evpsc

 

After these operations, you can review the config file created at the location below and edit whatever you want to change.

 

/opt/bitdefender/gz-evpsc/api/config/config.json

 

After a change, restart the service: sudo systemctl restart gz-evpsc
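The server-side steps above, wrapped in a script as an added example (this is not Logsign's or Bitdefender's code). It generates a random credential for the forwarder listener instead of the test:test value used in the walkthrough, checks the transport argument before calling config.sh, and verifies that the service actually listens on PORT afterwards. It assumes gz-evpsc is installed under /opt/bitdefender/gz-evpsc, that config.sh takes the six positional arguments shown above, and that ss from iproute2 is available; the user name gzpush is an arbitrary choice.

```shell
#!/usr/bin/env bash
# Added example, not part of the gz-evpsc package or the Logsign article.
# Assumes /opt/bitdefender/gz-evpsc/config.sh with the argument order
# <PORT> <SYSLOGPORT> <TRANSPORT> <TARGET> <AUTH> <CONFIG_FILENAME>.
set -eu

GZ_HOME=/opt/bitdefender/gz-evpsc

# HTTP Basic value GravityZone must send: base64("user:password").
# basic_token test test -> "Basic dGVzdDp0ZXN0" (the value used on this page).
basic_token() {
    printf 'Basic %s' "$(printf '%s:%s' "$1" "$2" | base64 | tr -d '\n')"
}

# Random 32-hex-character password for the forwarder listener.
gen_secret() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# Accept tcp/udp in any letter case and reject everything else, so a typo
# such as "tls" is caught before config.sh writes it into config.json.
check_transport() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        tcp|udp) return 0 ;;
        *) echo "transport must be tcp or udp, got '$1'" >&2; return 1 ;;
    esac
}

# Run config.sh with the generated credential, (re)start the service and
# confirm the listener is up. Prints the Basic token: this exact string is
# what goes into the "authorization" field of setPushEventSettings later.
configure_forwarder() {
    local port=$1 syslog_port=$2 transport=$3 target=$4
    local user=gzpush secret token
    check_transport "$transport"
    secret=$(gen_secret)
    token=$(basic_token "$user" "$secret")
    (cd "$GZ_HOME" && sudo ./config.sh "$port" "$syslog_port" "$transport" "$target" "$token" config.json)
    sudo systemctl enable gz-evpsc
    sudo systemctl restart gz-evpsc
    sleep 2
    # ss exits 0 even without a match, so grep performs the actual check.
    if ! ss -ltn | grep -q ":$port "; then
        echo "gz-evpsc is not listening on $port; see journalctl -u gz-evpsc" >&2
        return 1
    fi
    printf 'forwarder credential (store it in a vault): %s\n' "$token"
}

# Only act when explicitly asked, so the functions can be sourced or tested.
# Usage: GZ_RUN=1 ./forwarder_setup.sh 3200 514 tcp <Logsign USO IP>
if [ "${GZ_RUN:-0}" = "1" ]; then
    configure_forwarder "${1:-3200}" "${2:-514}" "${3:-tcp}" "${4:?Logsign USO IP address required}"
fi
```

The printed token is the only copy of the secret; config.json on the forwarder also contains it, so keep that file readable by root only.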

 

After these operations, GravityZone itself must be told to push its events to this forwarder. This is done with a request to the GravityZone Push API (JSON-RPC method setPushEventSettings), which we send with curl.

The details of that curl request are below.

 

curl --location 'https://cloudgz.gravityzone.bitdefender.com/api/v1.0/jsonrpc/push' \
--header 'Content-Type: application/json' \
--header 'Authorization: Basic Y2Q3YjU3OWEyMGQ******3NDYwNjNjYjZhOD*****2NDdiMTo=' \
--data '{
    "params": {
        "status": 1,
        "serviceType": "cef",
        "serviceSettings": {
            "url": "1.1.1.1",
            "authorization": "Basic dGVzdDptMTltTk51bE0",
            "requireValidSslCertificate": false
        },
        "subscribeToEventTypes": {
            "modules": true,
            "sva": true,
            "registration": true,
            "supa-update-status": true,
            "av": true,
            "aph": true,
            "fw": true,
            "avc": true,
            "uc": true,
            "dp": true,
            "sva-load": true,
            "task-status": true,
            "exchange-malware": true,
            "network-sandboxing": true,
            "adcloud": true,
            "exchange-user-credentials": true,
            "endpoint-moved-out": true,
            "endpoint-moved-in": true,
            "troubleshooting-activity": true,
            "uninstall": true,
            "install": true,
            "hwid-change": true,
            "new-incident": true,
            "antiexploit": true,
            "network-monitor": true,
            "ransomware-mitigation": true,
            "security-container-update-available": true
        }
    },
    "jsonrpc": "2.0",
    "method": "setPushEventSettings",
    "id": "ad12cb61-52b3-4209-a87a-93a8530d91cb"
}'

 

The fields that must be updated in this curl request are the following.

--header 'Authorization: Basic Y2Q3YjU3OWEyMGQ******3NDYwNjNjYjZhOD*****2NDdiMTo='

This carries the API key obtained from the product. GravityZone expects HTTP Basic authentication with the API key as the user name and an empty password, so the value after Basic is base64 of the key followed by a colon (echo -n '<apikey>:' | base64); pasting the raw key here will not authenticate.

"url": "1.1.1.1"

The address of the forwarder server to which GravityZone will push the events. It has to be reachable from the GravityZone cloud, so limit inbound access to the forwarder at your firewall instead of exposing its listener to the whole internet.

"authorization": "Basic dGVzdDptMTltTk51bE0"

The credential created during the server-side steps, i.e. exactly the AUTH string passed to config.sh; GravityZone sends it on every push and the forwarder rejects anything else.

"requireValidSslCertificate": false tells GravityZone to accept the certificate config.sh generated; leave it false unless you install a CA-issued certificate on the forwarder.

You can make these changes and send the request from the terminal with curl, or create a POST request in Postman.
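The same API call built from variables rather than a pasted body, as an added example that is not part of the original article or of Bitdefender's tooling. It encodes the API key correctly (base64 of key plus colon), reuses the forwarder credential verbatim, subscribes the event types listed above, and then reads the stored settings back and requests a test event so the syslog output on Logsign USO can be checked. Assumptions: GZ_API_KEY holds the Event Push Service key, FORWARDER_URL is the address GravityZone must reach (the page uses a bare IP; pass whatever your deployment needs), FORWARDER_AUTH is the exact Basic string given to config.sh, and the methods getPushEventSettings and sendTestPushEvent with an eventType parameter exist alongside setPushEventSettings in the GravityZone Push API (they are not shown on this page; confirm against the API reference for your tenant).

```shell
#!/usr/bin/env bash
# Added example, not Logsign's or Bitdefender's code.
# Assumes: GZ_API_KEY, FORWARDER_URL and FORWARDER_AUTH are exported;
# getPushEventSettings / sendTestPushEvent are sibling Push API methods.
set -eu

GZ_ENDPOINT=${GZ_ENDPOINT:-https://cloudgz.gravityzone.bitdefender.com/api/v1.0/jsonrpc/push}

# GravityZone API auth: HTTP Basic with the API key as user and an empty
# password, i.e. base64("<key>:"). The masked header on this page ends in
# "MTo=", which is how a trailing colon encodes.
api_auth_header() {
    printf 'Authorization: Basic %s' "$(printf '%s:' "$1" | base64 | tr -d '\n')"
}

# JSON-RPC 2.0 envelope; the id only needs to be unique per request, so a
# random hex string is used to pair requests and responses in logs.
jsonrpc() {
    local method=$1 params=$2 id
    id=$(od -An -N16 -tx1 /dev/urandom | tr -d ' \n')
    printf '{"jsonrpc":"2.0","method":"%s","id":"%s","params":%s}' "$method" "$id" "$params"
}

# Params for setPushEventSettings: CEF push to the forwarder with every
# event type listed on this page enabled. url/auth are inserted without
# escaping, which is fine for a URL and a "Basic ..." token.
push_settings_params() {
    local url=$1 auth=$2 types subs="" t
    types="modules sva registration supa-update-status av aph fw avc uc dp"
    types="$types sva-load task-status exchange-malware network-sandboxing adcloud"
    types="$types exchange-user-credentials endpoint-moved-out endpoint-moved-in"
    types="$types troubleshooting-activity uninstall install hwid-change new-incident"
    types="$types antiexploit network-monitor ransomware-mitigation"
    types="$types security-container-update-available"
    for t in $types; do subs="$subs\"$t\":true,"; done
    subs=${subs%,}
    printf '{"status":1,"serviceType":"cef","serviceSettings":{"url":"%s","authorization":"%s","requireValidSslCertificate":false},"subscribeToEventTypes":{%s}}' \
        "$url" "$auth" "$subs"
}

# One API call; prints the JSON response followed by the HTTP status code.
gz_call() {
    local method=$1 params=$2
    curl -sS "$GZ_ENDPOINT" \
        -H 'Content-Type: application/json' \
        -H "$(api_auth_header "$GZ_API_KEY")" \
        --data "$(jsonrpc "$method" "$params")" \
        -w '\nHTTP %{http_code}\n'
}

main() {
    : "${GZ_API_KEY:?} ${FORWARDER_URL:?} ${FORWARDER_AUTH:?}"
    gz_call setPushEventSettings "$(push_settings_params "$FORWARDER_URL" "$FORWARDER_AUTH")"
    # Read back what the tenant stored, then ask GravityZone to emit one
    # test "av" event: it should appear on the forwarder and, via syslog,
    # in Logsign USO within a few seconds.
    gz_call getPushEventSettings '{}'
    gz_call sendTestPushEvent '{"eventType":"av"}'
}

# Usage: GZ_RUN=1 GZ_API_KEY=... FORWARDER_URL=... FORWARDER_AUTH='Basic ...' ./gz_push.sh
if [ "${GZ_RUN:-0}" = "1" ]; then main; fi
```

Keep GZ_API_KEY out of shell history and scripts checked into source control; exporting it from a secrets manager at run time is enough for this workflow.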

 

There is also a script I created for these operations.

It handles both install and uninstall (16.12.2024).

Note: you must have root access to run the script.

 

With root access, change to the folder where you uploaded the file and run the following command.

 

bash bitdefender_forwarder_installv2.sh

 

The installation then starts and the packages are pulled; the script performs the steps described above in the background.

After installation, in the configure stage, you are asked for the IP address (Logsign USO), the protocol (just type udp or tcp; the script sets the port itself: UDP=514, TCP=515; verify these against the syslog listeners configured on your Logsign USO) and finally the API key. When the installation and configure steps finish, forwarding to Logsign USO is in place. Then log in to Logsign USO, select Syslog > Bitdefender > GravityZone and complete the source addition. The IP address to use there is that of the server forwarding the logs, not the GravityZone cloud.

 

If you think something went wrong, use the uninstall script to remove all Bitdefender-related packages.

bash bitdefender_forwarder_uninstall.sh

This script deletes all of the forwarder's files.
