
How to integrate GravityZone with Splunk

This article explains how to integrate GravityZone with Splunk by using HTTP Event Collector and GravityZone APIs.

About the GravityZone integration with Splunk

As a Bitdefender partner, you can integrate GravityZone with Splunk by using the GravityZone APIs and the Splunk HTTP Event Collector. This lets you send data from GravityZone Control Center directly to Splunk Enterprise or Splunk Cloud.

Prerequisites

To integrate GravityZone with Splunk, you must have at hand:

  1. Credentials for your GravityZone Cloud account.
  2. Credentials for your Splunk account (cloud or on-premises).

Optionally, you can use a script to automatically enable the integration.

For the Bitdefender Splunk App to correlate data coming from GravityZone, you must install the Bitdefender Splunk Add-on.

How to configure GravityZone integration with Splunk

To integrate GravityZone with Splunk, complete the following three steps:

A. Enable Event Push API in GravityZone Control Center

  1. Log in to GravityZone Control Center.
  2. Go to My Account.
  3. Under API keys section, click Add.
  4. Select the Event Push Service API check box and click Save. The new key appears in the API Keys table.
    [Image: Splunk API key]
  5. Click Save to preserve the changes made in My Account page.

B. Enable a new token for HTTP Event Collector in Splunk

  1. Log in to Splunk.
  2. Go to Settings > Data Inputs > HTTP Event Collector.
    [Image: HTTP Event Collector]
  3. Click New Token.
  4. In the Add Data screen, fill in the Name field, as suggested in the image below, and click Next.
    [Image: Select source]
  5. For Source type, click Select and choose _json.
    [Image: Select _json]

    When using the Bitdefender Splunk App, after installing the Bitdefender Splunk Add-on, click Select and choose bitdefender:gz as the source type.

  6. At Index, select a default index or create a new one. The events received by HTTP Event Collector will be inserted in the selected index.
  7. Click Review.
  8. Verify the data you entered and click Submit.

    The token has been created successfully. Copy the token value and save it. You will need it later to enable the integration.
    [Image: Splunk token]

  9. Go to Settings > Data Inputs > HTTP Event Collector and click Global Settings.
    [Image: Global Settings]
  10. In the new window, under All Tokens section, select Enabled.
    [Image: All Tokens]
  11. Click Save.

C. Enable the Splunk integration

After you created the Event Push Service key in GravityZone Control Center and enabled HTTP Event Collector in Splunk, you need to enable the integration. That means you have to start sending events from GravityZone to Splunk.

Enable the Splunk integration manually

To enable the Splunk integration manually, configure the Event Push Service settings from a terminal emulator on Linux or Mac. You need the following settings:

  • GravityZone API URL. You find it in My Account > Control Center API and it should be similar to https://cloudgz.gravityzone.bitdefender.com/api.
  • The authorization header for the API key generated in GravityZone. The header value is Basic followed by the Base64 encoding of the API key with a colon (":") appended. To obtain it, run the echo command with the API key followed by a colon and pipe the output to base64:

    > echo -n 'Ge9HCYqdU7jIDR90wN0eE1zbB5Snc5HN:' | base64

    The result should be something like this:

    R2U5SENZcWRVN2pJRFI5MHdOMGVFMXpiQjVTbmM1SE46
  • Splunk URL. You find it in your Splunk Cloud platform and it should be something like this: https://prd-p-xlpxkqpw84k2.cloud.splunk.com. If you use Splunk on-premises, the URL is already in place.
  • HTTP Event Collector token.

Once you have the above data, run this command, replacing the API URL, authorization header, Splunk URL and HTTP Event Collector token with your own values:

> curl -k -X POST \
https://cloudgz.gravityzone.bitdefender.com/api/v1.0/jsonrpc/push \
-H 'authorization: Basic R2U5SENZcWRVN2pJRFI5MHdOMGVFMXpiQjVTbmM1SE46' \
-H 'cache-control: no-cache' \
-H 'content-type: application/json' \
-d '{"params": {"status": 1, "serviceType": "splunk", "serviceSettings": {"url": "https://input-prd-p-r2rmnllpzv4n.cloud.splunk.com:8088/services/collector", "requireValidSslCertificate": false, "splunkAuthorization": "Splunk EA900DEB-22C8-402B-A7F9-A926C1633E7A"}, "subscribeToEventTypes": {"modules": true, "sva": true, "registration": true, "supa-update-status": true, "av": true, "aph": true, "fw": true, "avc": true, "uc": true, "dp": true, "sva-load": true, "task-status": true, "exchange-malware": true, "network-sandboxing": true, "adcloud": true, "exchange-user-credentials": true}}, "jsonrpc": "2.0", "method": "setPushEventSettings", "id": "1"}'

The result should be similar to:

{"id":"1","jsonrpc":"2.0","result":true}

GravityZone starts sending events to Splunk after the Event Push Service settings are reloaded. This happens every 10 minutes.

To start sending events immediately, run this command, replacing the API URL and authorization header with your own values:

> curl -k -X POST \
https://cloudgz.gravityzone.bitdefender.com/api/v1.0/jsonrpc/push \
-H 'authorization: Basic R2U5SENZcWRVN2pJRFI5MHdOMGVFMXpiQjVTbmM1SE46' \
-H 'cache-control: no-cache' \
-H 'content-type: application/json' \
-d '{"params": {}, "jsonrpc": "2.0", "method": "getPushEventSettings", "id": "2"}'

To test the integration, run this command, replacing the API URL and authorization header with your own values:

> curl -k -X POST \
https://cloudgz.gravityzone.bitdefender.com/api/v1.0/jsonrpc/push \
-H 'authorization: Basic R2U5SENZcWRVN2pJRFI5MHdOMGVFMXpiQjVTbmM1SE46' \
-H 'cache-control: no-cache' \
-H 'content-type: application/json' \
-d '{"params": {"eventType": "av"}, "jsonrpc": "2.0", "method": "sendTestPushEvent", "id": "3"}'

Enable the Splunk integration by running a script

You can also start sending events from GravityZone to Splunk by running a script created by Bitdefender. You can do this in your favorite terminal emulator on Linux or Mac.

  1. Download the script from here.
  2. Make the script executable by running the command:

    chmod +x bdpusheventconfig.sh

  3. Run the script with the command:

    ./bdpusheventconfig.sh -g [console_url] -k [api_key] -t [service_type] -u [service_url] -a [splunk_auth_token] -v -c [events]

The script includes the following options:

Option                  Description
-g [console_url]        GravityZone API URL
-k [api_key]            GravityZone API key
-t [service_type]       Service type: splunk or jsonRPC
-u [service_url]        Splunk or RPC URL
-a [splunk_auth_token]  Splunk authorization token
-v                      Verify service SSL certificate
-c [events]             Connect to Splunk Cloud. Adds 'input-' to the service URL.
-h, --help              Help

These options are similar to the ones used when enabling the integration manually.

The -c [events] option takes one event or a space-separated list of events that are to be sent from GravityZone to Splunk. These events are described in the table below:

Event type identifier      Description
modules                    Product Modules event
sva                        Security Server Status event
registration               Product Registration event
supa-update-status         Outdated Update Server event (where the Update Server is a Relay)
av                         Antimalware event
aph                        Antiphishing event
fw                         Firewall event
avc                        ATC/IDS event
uc                         User Control event
dp                         Data Protection event
sva-load                   Overloaded Security Server event
task-status                Task Status event
exchange-malware           Exchange Malware Detection event
network-sandboxing         Sandbox Analyzer Detection
adcloud                    Active Directory Integration Issue
exchange-user-credentials  Exchange User Credentials

To subscribe to all events, use the value all or specify each one of them. If the events list is empty (-c with no event specified) then the integration is disabled.
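The following script is an added example and is not Bitdefender's bdpusheventconfig.sh. It shows, for the manual procedure above and for the -c event list semantics just described, how the pieces fit together: the Basic authorization header derived from the API key, the subscribeToEventTypes object built from an event list (with "all" and the empty list handled as the article describes), the three JSON-RPC bodies, and a check of the {"result":true} reply. The function names are mine; the exact body Bitdefender's script sends when disabling the integration is not documented here, so the status 0 / all-false form is an assumption. Only gz_push_call touches the network, and unlike the article's commands it does not pass -k, so the Control Center certificate is verified; requireValidSslCertificate is likewise left to the caller rather than hard-coded to false.

```bash
#!/bin/bash
# Added example, not Bitdefender's bdpusheventconfig.sh. Builds the Event Push
# Service requests from the settings listed in this article so that each piece
# (authorization header, event subscription, JSON-RPC body) can be inspected
# and checked before anything is sent to Control Center.

# The 16 event type identifiers from the table above; "all" expands to these.
GZ_ALL_EVENTS="modules sva registration supa-update-status av aph fw avc uc dp sva-load task-status exchange-malware network-sandboxing adcloud exchange-user-credentials"

# "Basic" + base64("<api key>:"). printf is used instead of echo so that no
# trailing newline ends up inside the encoded value; a header built from
# "key:\n" is rejected by the API and the mistake is hard to spot by eye.
gz_auth_header() {
    printf 'Basic %s' "$(printf '%s:' "$1" | base64 | tr -d '\n')"
}

# Usage: gz_subscriptions_json true|false EVENT...
# Produces the subscribeToEventTypes object. "all" expands to every known
# identifier; an unknown identifier is an error rather than being dropped
# silently, so a typo cannot quietly leave a detection source unsubscribed.
gz_subscriptions_json() {
    local value="$1" events out ev
    shift
    events="$*"
    [ "$events" = "all" ] && events="$GZ_ALL_EVENTS"
    out=""
    for ev in $events; do
        case " $GZ_ALL_EVENTS " in
            *" $ev "*) ;;
            *) echo "unknown event type: $ev" >&2; return 1 ;;
        esac
        out="${out}${out:+, }\"$ev\": $value"
    done
    printf '{%s}' "$out"
}

# Usage: gz_set_settings_payload HEC_URL HEC_TOKEN VERIFY_TLS [EVENT...]
# Body for setPushEventSettings. With no events the integration is disabled
# (status 0 and every type false; this shape is an assumption, the article only
# says an empty -c list disables it). VERIFY_TLS maps to
# requireValidSslCertificate: pass true unless you are deliberately testing a
# HEC endpoint whose certificate you cannot validate yet.
gz_set_settings_payload() {
    local hec_url="$1" hec_token="$2" verify_tls="$3" status subs
    shift 3
    if [ $# -eq 0 ]; then
        status=0
        subs=$(gz_subscriptions_json false $GZ_ALL_EVENTS)
    else
        status=1
        subs=$(gz_subscriptions_json true "$@") || return 1
    fi
    printf '{"params": {"status": %s, "serviceType": "splunk", "serviceSettings": {"url": "%s", "requireValidSslCertificate": %s, "splunkAuthorization": "Splunk %s"}, "subscribeToEventTypes": %s}, "jsonrpc": "2.0", "method": "setPushEventSettings", "id": "1"}' \
        "$status" "$hec_url" "$verify_tls" "$hec_token" "$subs"
}

# Bodies for the two follow-up calls shown in the manual procedure.
gz_get_settings_payload() {
    printf '{"params": {}, "jsonrpc": "2.0", "method": "getPushEventSettings", "id": "2"}'
}
gz_test_event_payload() {   # usage: gz_test_event_payload EVENT_TYPE
    printf '{"params": {"eventType": "%s"}, "jsonrpc": "2.0", "method": "sendTestPushEvent", "id": "3"}' "$1"
}

# Returns 0 only for a JSON-RPC success ({"result":true}); an "error" member or
# anything else is a failure, so a calling script stops instead of assuming the
# integration is live.
gz_result_ok() {
    case "$1" in
        *'"error"'*) return 1 ;;
        *'"result":true'*|*'"result": true'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage: gz_push_call API_URL API_KEY PAYLOAD. The only function that talks to
# the network. No -k, so the Control Center certificate is verified; -sS keeps
# curl quiet but still reports transport errors.
gz_push_call() {
    curl -sS -X POST "$1/v1.0/jsonrpc/push" \
        -H "authorization: $(gz_auth_header "$2")" \
        -H 'content-type: application/json' \
        -d "$3"
}

# Offline demonstration with the article's sample values (nothing is sent):
gz_auth_header 'Ge9HCYqdU7jIDR90wN0eE1zbB5Snc5HN'; echo
gz_set_settings_payload 'https://input-prd-p-r2rmnllpzv4n.cloud.splunk.com:8088/services/collector' \
    '11111111-2222-3333-4444-555555555555' true av fw network-sandboxing; echo
```

To enable the integration for real, pass the output of gz_set_settings_payload to gz_push_call together with your API URL and key, then feed the reply to gz_result_ok; a non-zero exit from either means the settings were not applied and the getPushEventSettings call is the place to look. The same pattern with gz_test_event_payload av sends the test event from the manual procedure.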

Examples

Enable Splunk integration

./bdpusheventconfig.sh -g https://gz.example.com/api/v1.0/jsonrpc/push -k abcdefghijklmnopqrstuvwxyz123456 -t splunk -u https://splunk.example.com -a 11111111-2222-3333-4444-555555555555 -c modules sva registration supa-update-status av aph fw avc uc dp sva-load task-status exchange-malware network-sandboxing adcloud exchange-user-credentials

./bdpusheventconfig.sh -g https://gz.example.com/api/v1.0/jsonrpc/push -k abcdefghijklmnopqrstuvwxyz123456 -t splunk -u https://splunk.example.com -a 11111111-2222-3333-4444-555555555555 -c all

Configure a json RPC service

./bdpusheventconfig.sh -g https://gz.example.com/api/v1.0/jsonrpc/push -k abcdefghijklmnopqrstuvwxyz123456 -t jsonRPC -u https://rpc.example.com -c modules sva registration supa-update-status av aph fw avc uc dp sva-load task-status exchange-malware network-sandboxing adcloud exchange-user-credentials

Disable Splunk integration

./bdpusheventconfig.sh -g https://gz.example.com/api/v1.0/jsonrpc/push -k abcdefghijklmnopqrstuvwxyz123456 -t splunk -u https://splunk.example.com -a 11111111-2222-3333-4444-555555555555 -c

For details about Push Events Service, refer to the GravityZone API Documentation guide for Cloud, the chapter "Push".

For details about creating reports based on data from GravityZone in Splunk, refer to this KB article.
