
Sending events from GravityZone Cloud platform to SIEMs lacking HTTPS listeners

This article aims to help you install a connector between GravityZone and SIEM solutions that do not have HTTPS listeners for events.

Bitdefender GravityZone, the cloud platform, provides alerts about security events in the CEF and JSON message formats. These alerts are sent through the Event Push Service.

The GravityZone APIs are exposed using JSON-RPC 2.0 protocol specified here. For details on GravityZone API, refer to the available documentation.

If your SIEM does not have any HTTP/HTTPS listeners, but supports a Syslog service, you need to install the GravityZone Event Push Service Connector.

The connector uses the POST method to receive authenticated and secured messages from the GravityZone Event Push Service. It parses the message and then forwards it to a local or a remote Syslog server. You can use the Syslog server to feed these messages to the SIEM.

To install the connector, follow these steps:

  1. Check the prerequisites.

  2. If you have a version of the GravityZone Event Push Service that was set up manually before March 29th, 2022, remove its files from your system.

  3. Add the repository to the APT sources list.

  4. Install the DEB package.


    If you receive a "signatures couldn't be verified because the public key is not available" error message during the DEB package installation, download and install the digital signature for the package files:

    curl -sS | apt-key add -
  5. Configure via bash script.

  6. Enable system service.

  7. Test the connector.

  8. Configure GravityZone to send messages to the SIEM.

Check the prerequisites

Before proceeding any further, you need to meet the following prerequisites:

  • Linux basic knowledge

  • GravityZone cloud solution

  • A GravityZone API key that covers Event Push Service API

  • Ubuntu 20.04 LTS server with the following configuration:

    • Hardware:

      • 1 CPU

      • 2 GB RAM

      • 1 Gbit virtual NIC

      • 80 GB HDD


    This configuration can sustain an environment up to 15000 endpoints. The CPU and network usage will increase proportionally with the number of endpoints.


    The SIEM receiving events from the event push requires a Public IP assigned for the GravityZone Event Push server to forward events to.

Install the connector

  1. Connect to the Ubuntu 20.04 server.

  2. Add the Bitdefender Connector repository to APT.

    echo "deb bitdefender non-free" | sudo tee -a /etc/apt/sources.list
  3. Install the DEB package.

    sudo apt update  
    sudo apt install gz-evpsc
  4. Run the configuration script.

    #Change the path to where the configuration script is located.
    cd /opt/bitdefender/gz-evpsc
    #Run the script with sudo permission

    The script takes the following arguments:

    • The port used by the event push service to access the HTTPS connector server.

    • The port used by the HTTPS connector server to send data to the SIEM.

    • The protocol used to transfer data.

    • The IP address of the SIEM.

    • The key used for authentication for accessing the SIEM through APIs. This key must be different from the GravityZone API authentication key.

    • The name of the config file.

    Example:

    cd /opt/bitdefender/gz-evpsc
    sudo ./ 3200 514 Tcp 'Basic dGVzdDp0ZXN0' config.json

    The connector needs to have a public IP address assigned for the GravityZone Event Push server to forward events to.

  5. (optional) Add certificate paths to the config file.

    By default, the script creates self-signed certificates for the HTTPS connector server. For better security, certificates obtained from a certificate authority can be placed in the following files:

  6. Enable the system service.

    sudo systemctl enable gz-evpsc
  7. Start the system service.

    sudo systemctl start gz-evpsc

Obtain the security certificate for authentication

The GravityZone cloud platform only sends Push Event messages to HTTPS-capable collectors. For the collector service to function over HTTPS and provide secure communication with Bitdefender Cloud, you need to set it up with an SSL/TLS certificate.

By default, the script creates self-signed certificates for the HTTPS connector server. You can obtain an SSL/TLS certificate for this service in a few other ways:

  1. From a trusted public Certificate Authority (CA)


    We strongly recommend this method, since it allows our Cloud servers to properly validate the identity and URL of the collector and avoid man-in-the-middle attacks.

  2. From your company’s internal PKI


    We do not recommend this method, since the Bitdefender public cloud service is not able to validate a certificate signed by a private CA.

  3. Create a self-signed certificate


    We strongly advise against this option. It does not provide any certificate validation methods and exposes the communication to man-in-the-middle attacks. This method should only be used for testing purposes and never in production environments.

Further on, you will need the sslkey.pem and ssl.cer/ssl.crt files, signed by your CA of choice.

Test the connector

Use this HTTPS message example to test the connector you have just configured:

  • Event Push Service request header

    Authorization: Basic xxxxxxxxxxxxxx
  • Event Push Service payload

    {
      "cef": "0",
      "events": [
        "CEF:0|Bitdefender|GravityZone|6.4.08|70000|Registration|3| dvc=",
        "CEF:0|Bitdefender|GravityZone|6.4.0-8|35|Product ModulesStatus|5|BitdefenderGZModule=modules dvc=",
        "CEF:0|Bitdefender|GravityZone|6.4.0-8|35|Product ModulesStatus|5|BitdefenderGZModule=modules dvc="
      ]
    }
  • Use the following cURL command to send the payload to the collector service:

    curl -k -H 'Authorization: Basic xxxxxxxxxxxxxxxxxx' \
    -H "Content-Type: application/json" \
    -d '{"cef": "0","events": ["CEF:0|Bitdefender|GravityZone|6.4.08|70000|Registration|3| dvc=","CEF:0|Bitdefender|GravityZone|6.4.0-8|35|Product ModulesStatus|5|BitdefenderGZModule=modules dvc=","CEF:0|Bitdefender|GravityZone|6.4.0-8|35|Product ModulesStatus|5|BitdefenderGZModule=modules dvc="]}' \


    Replace the authorization header and URL with the ones configured above in the config.json file.

    The event should appear in your defined syslog server and as output of the running server.js.

Configure GravityZone to send messages to the SIEM

Now that the HTTPS collector service is running and listening for messages, you can configure Control Center to send events to the above-defined URL: https://your_web_server_hostname_or_public_IP:port/api.

All settings for Event Push Service API are configured via the setPushEventSettings method. For detailed information about these settings, refer to Push.

Using your API key of choice, configure the API push events and the service URL where you want the messages delivered:

$ curl --tlsv1.2 -sS -k -X POST \
https://CONTROL_CENTER_APIs_ACCESS_URL/v1.0/jsonrpc/push \
-H 'authorization: Basic API_KEY_BASE64_ENCODED_WITH_COLON_APPENDED' \
-H 'cache-control: no-cache' \
-H 'content-type: application/json' \
-d '{"id":"1","jsonrpc":"2.0","method":"setPushEventSettings","params":{"serviceSettings":{"requireValidSslCertificate":false,"authorization":"Basic xxxxxxxxxx","url":"https://your_web_server_hostname_or_public_IP:port/api"},"serviceType":"cef","status":1,"subscribeToEventTypes":{"adcloudgz":true,"antiexploit":true,"aph":true,"av":true,"avc":true,"dp":true,"endpoint-moved-in":true,"endpoint-moved-out":true,"exchange-malware":true,"exchange-user-credentials":true,"fw":true,"hd":true,"hwid-change":true,"install":true,"modules":true,"network-monitor":true,"network-sandboxing":true,"new-incident":true,"ransomware-mitigation":true,"registration":true,"supa-update-status":true,"sva":true,"sva-load":true,"task-status":true,"troubleshooting-activity":true,"uc":true,"uninstall":true}}}'


When using a valid service certificate signed by a public CA, we recommend setting "requireValidSslCertificate":true to force certificate validation. If you are using a self-signed certificate or a certificate signed by your internal CA, set "requireValidSslCertificate":false.


Make sure to replace "authorization":"Basic xxxxxxxxxx" and "url":"https://your_web_server_hostname_or_public_IP:port/api" with the correct values for your server, as defined in the config.json file, and CONTROL_CENTER_APIs_ACCESS_URL and API_KEY_BASE64_ENCODED_WITH_COLON_APPENDED with the correct values for your GravityZone instance.

Once configured, wait about 10 minutes for the settings to take effect, and then make a request using getPushEventSettings.

$ curl --tlsv1.2 -sS -k -X POST \
https://CONTROL_CENTER_APIs_ACCESS_URL/v1.0/jsonrpc/push \
-H 'authorization: Basic API_KEY_BASE64_ENCODED' \
-H 'cache-control: no-cache' \
-H 'content-type: application/json' \
-d '{"id":"3","jsonrpc":"2.0","method":"getPushEventSettings","params":{}}'

The result should look like this:

{
  "id": "2",
  "jsonrpc": "2.0",
  "result": {
    "serviceSettings": {
      "authorization": "********",
      "requireValidSslCertificate": false,
      "url": "https://your_web_server_hostname_or_public_IP:port/api"
    },
    "serviceType": "cef",
    "status": 1,
    "subscribeToCompanies": null,
    "subscribeToEventTypes": {
      "adcloud": false,
      "antiexploit": true,
      "aph": true,
      "av": true,
      "uninstall": true
    }
  }
}

To send a test event, you can call the sendTestPushEvent API method.

$ curl --tlsv1.2 -sS -k -X POST \
https://CONTROL_CENTER_APIs_ACCESS_URL/v1.0/jsonrpc/push \
-H 'authorization: Basic API_KEY_BASE64_ENCODED' \
-H 'cache-control: no-cache' \
-H 'content-type: application/json' \
-d '{"id":"4","jsonrpc":"2.0","method":"sendTestPushEvent","params":{"eventType": "av"}}'

The result should look like this:

{
  "id": "4",
  "jsonrpc": "2.0",
  "result": {
    "computer_name": "FC-WIN7-X64-01",
    "computer_fqdn": "fc-win7-x64-01",
    "computer_ip": "",
    "computer_id": "59a1604e60369e06733f8abb",
    "product_installed": "BEST",
    "malware_type": "file",
    "malware_name": "EICAR-Test-File (not a virus)",
    "file_path": "C:\\eicar0000001.txt",
    "hash": "8b3f191819931d1f2cef7289239b5f77c00b079847b9c2636e56854d1e5eff71",
    "final_status": "deleted",
    "timestamp": "2017-09-08T12:01:36.000Z",
    "companyId": "5ac8460f8a799399a78b456c",
    "module": "av",
    "_testEvent_": true
  }
}

The event should shortly show up in the Syslog server and in the server.js output.
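The configure, verify and test calls above, as an added JavaScript example that is not Bitdefender's own tooling: helpers that derive the Basic auth header from the API key, build the JSON-RPC 2.0 requests with certificate validation on by default, and compare a getPushEventSettings reply against the intended settings. The function names and the constructed reply used for checking are this example's own assumptions.

```javascript
// Added example, not Bitdefender's own tooling: build the JSON-RPC 2.0 requests used
// above and check a getPushEventSettings reply against the intended configuration.
// basicAuthHeader, buildSetPushEventSettings, checkPushSettings and callPushApi are this example's names.

// The API key is sent as HTTP Basic auth with an empty password, i.e. base64(apiKey + ":"),
// which is what the article calls API_KEY_BASE64_ENCODED_WITH_COLON_APPENDED.
function basicAuthHeader(apiKey) {
  return "Basic " + Buffer.from(apiKey + ":").toString("base64");
}

// requireValidSslCertificate defaults to true here: only set it to false for a self-signed
// or private-CA certificate, which leaves the collector open to man-in-the-middle attacks.
function buildSetPushEventSettings(id, collectorUrl, collectorAuth, eventTypes, requireValidCert = true) {
  const url = collectorUrl.trim(); // drop stray whitespace around the collector URL
  if (!/^https:\/\//.test(url)) throw new Error("collector URL must use https://");
  const subscribeToEventTypes = Object.fromEntries(eventTypes.map((t) => [t, true]));
  return { id, jsonrpc: "2.0", method: "setPushEventSettings", params: {
    serviceSettings: { requireValidSslCertificate: requireValidCert, authorization: collectorAuth, url },
    serviceType: "cef", status: 1, subscribeToEventTypes } };
}

function buildGetPushEventSettings(id) {
  return { id, jsonrpc: "2.0", method: "getPushEventSettings", params: {} };
}

// Compare a getPushEventSettings reply with what was requested; returns a list of problems (empty = OK).
function checkPushSettings(reply, expected) {
  const r = reply && reply.result;
  if (!r) return ["no result in reply" + (reply && reply.error ? ": " + JSON.stringify(reply.error) : "")];
  const problems = [];
  if (r.status !== 1) problems.push("push service disabled (status " + r.status + ")");
  if (r.serviceSettings.url !== expected.url) problems.push("url mismatch: " + r.serviceSettings.url);
  if (r.serviceSettings.requireValidSslCertificate !== expected.requireValidSslCertificate)
    problems.push("requireValidSslCertificate is " + r.serviceSettings.requireValidSslCertificate);
  for (const t of expected.eventTypes) if (!r.subscribeToEventTypes[t]) problems.push("not subscribed: " + t);
  return problems;
}

// POST one request to https://<Control Center API URL>/v1.0/jsonrpc/push (Node 18+ fetch, not run here).
async function callPushApi(apiBaseUrl, apiKey, request) {
  const res = await fetch(apiBaseUrl + "/v1.0/jsonrpc/push", {
    method: "POST",
    headers: { authorization: basicAuthHeader(apiKey), "content-type": "application/json" },
    body: JSON.stringify(request),
  });
  return res.json();
}
```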

Check the log files

You can find the log file here: