Bitdefender GravityZone Input
The Bitdefender GravityZone input supports collecting logs published from Bitdefender GravityZone using their Event Push service. Once set up, Bitdefender will post batches of CEF messages to the Graylog input.
Prerequisites
- A Bitdefender GravityZone subscription.
- The Bitdefender Push service must be able to forward to an endpoint in your environment that is secured with TLS 1.2 or greater. See Secure Inputs with TLS for more information.
- We strongly recommend using the Authorization Header option when setting up the Bitdefender GravityZone input to ensure message requests are authenticated.
Required Bitdefender GravityZone Push Setup
Set up the GravityZone Push service to send logs to Graylog.
- Set Up Endpoints: GravityZone Push requires using GravityZone API endpoints. Refer to the Bitdefender documentation for guidance on interacting with the API.
- API Key Authentication: Authenticate API requests with a Base64-encoded API Key (followed by a trailing colon). Generate this API Key under My Account > API keys in the GravityZone User menu.
- Configure Push Settings: Use the setPushEventSettings request to configure GravityZone to send logs to Graylog. Set the following options as required by the input:
  - serviceType: cef
  - serviceSettings:
    - url: The URI where the Graylog Bitdefender GravityZone input is listening for requests. The URL must include the /bitdefender root path where the Graylog input listens, e.g. https://graylog-host:port/bitdefender
    - authorization: A password value matching the value set in the Graylog input Authorization Header Value configuration option.
    - requireValidSslCertificate: true
Example request:
curl -i -X POST https://cloud.gravityzone.bitdefender.com/api/v1.0/jsonrpc/push \
  -H "Authorization: <base64-encoded GravityZone API Key followed by trailing colon>" \
  -H "Content-Type: application/json" \
  -d '{
    "params": {
      "status": 1,
      "serviceType": "cef",
      "serviceSettings": {
        "url": "https://<graylog-host:port>/bitdefender",
        "authorization": "<Graylog input Authorization Header Value>",
        "requireValidSslCertificate": true
      },
      "subscribeToEventTypes": {
        <include desired event types>
      }
    },
    "jsonrpc": "2.0",
    "method": "setPushEventSettings",
    "id": "d0bcb906-d0b7-4b5f-b29f-b2e8c459a2df"
  }'
Once the configuration is complete, the sendTestPushEvent API request can be used to send a test message to Graylog.
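As an added example (not Graylog's or Bitdefender's own code), the following Python builds the same setPushEventSettings request as the curl command above: it encodes the API key with the trailing colon, refuses a Graylog URL that is not HTTPS or does not end in the /bitdefender root path, and keeps requireValidSslCertificate set to true so the push cannot be redirected to an endpoint with an untrusted certificate. The host, port, shared secret and event-type name are constructed placeholders, and the shape of subscribeToEventTypes as a map of event-type name to boolean is an assumption derived from the placeholder in the curl example; take the real event-type names from the GravityZone API documentation.

```python
from __future__ import annotations

import base64
import json
import urllib.request
import uuid
from urllib.parse import urlparse

# GravityZone JSON-RPC push endpoint, as given in the curl example above.
PUSH_ENDPOINT = "https://cloud.gravityzone.bitdefender.com/api/v1.0/jsonrpc/push"


def authorization_header_value(api_key: str) -> str:
    """Encode the GravityZone API key the way the push API expects:
    Base64 of the key followed by a trailing colon. This is the HTTP Basic
    credential layout (key as user name, empty password)."""
    return base64.b64encode(f"{api_key}:".encode("ascii")).decode("ascii")


def validate_graylog_url(url: str) -> str:
    """Reject URLs the Graylog input could not serve: it requires TLS and
    only listens under the /bitdefender root path."""
    parts = urlparse(url)
    if parts.scheme != "https":
        raise ValueError("push URL must use https; the input requires TLS 1.2 or greater")
    if not parts.hostname:
        raise ValueError("push URL must name the Graylog host (and port)")
    if parts.path.rstrip("/") != "/bitdefender":
        raise ValueError("push URL must end with the /bitdefender root path")
    return url


def build_set_push_event_settings(graylog_url: str, shared_secret: str,
                                  event_types: list[str],
                                  request_id: str | None = None) -> dict:
    """Assemble the setPushEventSettings JSON-RPC body shown in the curl example."""
    return {
        "params": {
            "status": 1,
            "serviceType": "cef",
            "serviceSettings": {
                "url": validate_graylog_url(graylog_url),
                # Must equal the input's "Authorization Header Value" setting.
                "authorization": shared_secret,
                # Keep certificate validation on: a push that accepted any
                # certificate could be redirected to an impostor endpoint.
                "requireValidSslCertificate": True,
            },
            # ASSUMPTION: event types are a name -> boolean map; the names
            # themselves come from the GravityZone API documentation.
            "subscribeToEventTypes": {name: True for name in event_types},
        },
        "jsonrpc": "2.0",
        "method": "setPushEventSettings",
        "id": request_id or str(uuid.uuid4()),
    }


def build_push_request(api_key: str, body: dict) -> urllib.request.Request:
    """Wrap the body in a POST carrying the two headers the curl example sends."""
    return urllib.request.Request(
        PUSH_ENDPOINT,
        data=json.dumps(body).encode("utf-8"),
        headers={
            "Authorization": authorization_header_value(api_key),
            "Content-Type": "application/json",
        },
        method="POST",
    )


def send(api_key: str, body: dict) -> dict:
    """Send the request and return the decoded JSON-RPC response (network call)."""
    with urllib.request.urlopen(build_push_request(api_key, body), timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed placeholder values; replace them with your own before calling send().
    body = build_set_push_event_settings(
        "https://graylog.example.internal:12201/bitdefender",
        "replace-with-a-long-random-secret",
        ["example-event-type"],
    )
    print(json.dumps(body, indent=2))
```

Run as a script it only prints the request body; call send() with your API key once the values are real. Keeping the URL check in front of the API call catches the two misconfigurations that otherwise surface only as silently dropped pushes: a plain-HTTP URL and a URL missing the /bitdefender path.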
Set Up the Input
Navigate to System > Inputs and select Bitdefender GravityZone to launch the new input. The following configuration settings must be carefully considered when setting up this input:
- Bind Address and Port: Ensure that Bitdefender GravityZone can route through your network to the IP address and port specified. Note that this input listens for HTTP requests at the /bitdefender root HTTP path.
- TLS Settings: TLS must either be enabled for this endpoint, or you can route through a firewall or gateway that terminates TLS to fulfill the TLS requirement.
- Enable Bulk Receiving: Be sure to select this option. This ensures that the input correctly splits the newline-delimited batches of log messages sent by the GravityZone Push service.
- Authorization Header: Specify a name and value for the authorization header. This ensures that the input only accepts requests that carry the expected authentication value.
  - Authorization Header: authorization
  - Authorization Header Value: Choose a secure password with sufficient length and complexity to meet your requirements. Use the same value for the authorization option of the GravityZone Push setPushEventSettings configuration.
- Unless required for your environment, we recommend you use the default settings for any additional configuration properties.
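To make the two input settings above concrete, the following added Python (not Graylog's own input implementation) mimics what a receiver behind the /bitdefender path has to do with a pushed batch: check the configured authorization header in constant time and without caring about header-name case, split the newline-delimited bulk body, and parse each CEF line into its seven header fields and its extension. The sample batch is constructed for this example; the vendor and product strings match the page, but the version, signature IDs, names and extension values are made up.

```python
from __future__ import annotations

import hmac
import re

# The seven CEF header fields, in order, that precede the extension part.
CEF_HEADER_FIELDS = ("version", "device_vendor", "device_product",
                     "device_version", "signature_id", "name", "severity")
# key=value pairs in the extension; values may contain spaces, so a value runs
# until the next " key=" token or the end of the line.
_EXT_PAIR = re.compile(r"(\S+?)=(.*?)(?=\s+\S+?=|$)")

# Constructed sample batch in the newline-delimited form the push service uses.
# The second line has an escaped pipe (\|) inside the name field.
SAMPLE_BATCH = (
    "CEF:0|Bitdefender|GravityZone|0.0|1000|Example malware event|7|"
    "dvchost=ws-01 msg=Sample detection act=blocked\n"
    "CEF:0|Bitdefender|GravityZone|0.0|1001|Example event with \\| in name|3|"
    "dvchost=ws-02 msg=Second sample\n"
)


def _split_cef_header(rest: str) -> tuple[list[str], str]:
    """Split the text after 'CEF:' on unescaped '|' into 7 header fields,
    honouring backslash escapes, and return the untouched extension."""
    fields: list[str] = []
    current: list[str] = []
    i = 0
    while i < len(rest) and len(fields) < len(CEF_HEADER_FIELDS):
        ch = rest[i]
        if ch == "\\" and i + 1 < len(rest):   # \| or \\ -> literal next char
            current.append(rest[i + 1])
            i += 2
            continue
        if ch == "|":
            fields.append("".join(current))
            current = []
            i += 1
            continue
        current.append(ch)
        i += 1
    return fields, rest[i:]


def parse_cef(line: str) -> dict:
    """Parse one CEF line into header fields plus an extension dict."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF message")
    fields, extension = _split_cef_header(line[len("CEF:"):])
    if len(fields) != len(CEF_HEADER_FIELDS):
        raise ValueError("CEF header is missing fields")
    event = dict(zip(CEF_HEADER_FIELDS, fields))
    event["extension"] = {k: v for k, v in _EXT_PAIR.findall(extension)}
    return event


def split_bulk(body: str) -> list[str]:
    """Split a newline-delimited batch, dropping blank lines such as the
    trailing newline; this is what 'Enable Bulk Receiving' exists for."""
    return [ln for ln in body.splitlines() if ln.strip()]


def is_authorized(headers: dict, header_name: str, expected_value: str) -> bool:
    """Header names are case-insensitive; the value is compared in constant
    time so a mismatch leaks nothing about how many characters were right."""
    presented = next((v for k, v in headers.items()
                      if k.lower() == header_name.lower()), None)
    if presented is None:
        return False
    return hmac.compare_digest(presented.encode("utf-8"),
                               expected_value.encode("utf-8"))


def handle_push(headers: dict, body: str, header_name: str,
                expected_value: str) -> tuple[int, list[dict]]:
    """Return (HTTP status, parsed events): 401 without reading the body when
    the shared secret does not match, 400 if any line is not valid CEF."""
    if not is_authorized(headers, header_name, expected_value):
        return 401, []
    try:
        return 200, [parse_cef(line) for line in split_bulk(body)]
    except ValueError:
        return 400, []


if __name__ == "__main__":
    status, events = handle_push({"Authorization": "example-secret"}, SAMPLE_BATCH,
                                 "authorization", "example-secret")
    print(status, [e["name"] for e in events])
```

The order of checks matters: the header is verified before any parsing, so an unauthenticated sender never exercises the CEF parser. Without bulk receiving, the whole multi-line body would land in Graylog as a single message, which is why the option is required for this input.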