Bitdefender is antivirus software. This integration allows you to send Bitdefender logs to your Logz.io SIEM account.
Before you begin, you’ll need:
- Access to the Bitdefender GravityZone Control Center
- A Mac or Linux terminal
- An API key for the Bitdefender cloud instance
- A Cloud Access URL for the Bitdefender cloud instance
Generate Bitdefender GravityZone API key
- Log in to your Bitdefender GravityZone Control Center.
- Click the username in the upper-right corner and select My Account.
- Go to API keys and click + Add (top left).
- Enable Event Push Service API and REST API.
- Click Save.
Copy the Bitdefender GravityZone API Access URL
Open Control Center API and copy the Access URL. Keep it handy for the following steps.
You will need it to replace the placeholder <<ACCESS_URL>> below.
Encode the API Key in Base64
Open a Mac or Linux terminal. Run the echo command with the new API key created in the previous section.
echo -n "<<API_KEY>>" | base64
Sample response (shortened for simplicity): AeFgjU5N0Eg4rRMwFGG=
Copy the encoded API key. Keep it handy for the next step. You will need it to replace the placeholder <<ENCODED_API_KEY_BASE_64>> below.
Configure event push settings
Use a curl command to configure Bitdefender event push settings.
Edit the placeholders before running the command:
curl -k -X POST \
  <<ACCESS_URL>>/v1.0/jsonrpc/push \
  -H 'authorization: Basic <<ENCODED_API_KEY_BASE_64>>' \
  -H 'cache-control: no-cache' \
  -H 'content-type: application/json' \
  -d '{"params": {"status": 1,"serviceType": "cef","serviceSettings": {"url": "https://<<LISTENER-HOST>>:8071?token=<<LOG-SHIPPING-TOKEN>>&type=bitdefender_grzone","requireValidSslCertificate": false,"authorization": "Basic <<ENCODED_API_KEY_BASE_64>>"},"subscribeToEventTypes": {"adcloud":true,"antiexploit":true,"aph":true,"av":true,"avc":true,"dp":true,"endpoint-moved-in":true,"endpoint-moved-out":true,"exchange-malware":true,"exchange-user-credentials":true,"fw":true,"hd":true,"hwid-change":true,"install":true,"modules":true,"network-monitor":true,"network-sandboxing":true,"new-incident":true,"registration":true,"supa-update-status":true,"sva":true,"sva-load":true,"task-status":true,"troubleshooting-activity":true,"uc":true,"uninstall":true}},"jsonrpc": "2.0","method": "setPushEventSettings","id": "1"}'
Replace the placeholders to match your specifics. (They are indicated by the double angle brackets << >>):
- Replace <<LOG-SHIPPING-TOKEN>> with the token of the account you want to ship to.
- Replace <<LISTENER-HOST>> with the host for your region. For example, listener.logz.io if your account is hosted on AWS US East, or listener-nl.logz.io if hosted on Azure West Europe. The required port depends on whether HTTP or HTTPS is used: HTTP = 8070, HTTPS = 8071.
- <<ACCESS_URL>>: Replace with the Access URL copied in a previous step.
- <<ENCODED_API_KEY_BASE_64>>: Replace with the encoded key returned in the previous step. (Do NOT delete the term Basic. It belongs there.)
Expected returned value
The returned value should look like this:
{"id":"1","jsonrpc":"2.0","result":true}
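The steps above as one script, added here as an example and not taken from the Logz.io or Bitdefender documentation: it encodes the key on a single line (GNU base64 wraps output at 76 columns), refuses values that still contain << >> placeholders, and checks the reply for "result":true. Function names and the BD_API_KEY variable are hypothetical; unlike the page's command it omits -k and sets requireValidSslCertificate to true, on the assumption that both endpoints present valid certificates.

```bash
#!/usr/bin/env bash
# Added example, not Logz.io or Bitdefender code. Function names and BD_API_KEY
# are hypothetical; the endpoint, method and JSON fields come from the page.

# Event types from the page's subscribeToEventTypes object.
EVENT_TYPES="adcloud antiexploit aph av avc dp endpoint-moved-in endpoint-moved-out
exchange-malware exchange-user-credentials fw hd hwid-change install modules
network-monitor network-sandboxing new-incident registration supa-update-status
sva sva-load task-status troubleshooting-activity uc uninstall"

# Base64-encode the key as the page's echo command does, forced onto one line:
# GNU base64 wraps at 76 columns, which would break the header for long keys.
encode_key() { printf '%s' "$1" | base64 | tr -d '\n'; }

# Reject empty values, leftover << >> placeholders, and characters that would
# break out of the JSON string the value is spliced into.
require_filled() {
  case "$1" in ''|*'<<'*|*'>>'*|*'"'*|*'\'*) return 1 ;; esac
}

# Print the setPushEventSettings body. Args: listener host, token, encoded key.
build_payload() {
  local v t types=""
  [ "$#" -eq 3 ] || return 1
  for v in "$@"; do require_filled "$v" || return 1; done
  for t in $EVENT_TYPES; do types="${types:+$types,}\"$t\":true"; done
  printf '{"params":{"status":1,"serviceType":"cef","serviceSettings":{"url":"https://%s:8071?token=%s&type=bitdefender_grzone","requireValidSslCertificate":true,"authorization":"Basic %s"},"subscribeToEventTypes":{%s}},"jsonrpc":"2.0","method":"setPushEventSettings","id":"1"}' "$1" "$2" "$3" "$types"
}

# True only for the page's expected reply, i.e. one carrying "result":true.
response_ok() { printf '%s' "$1" | tr -d ' \n' | grep -q '"result":true'; }

# Apply the settings. Args: access URL, listener host, token. The API key is
# read from BD_API_KEY. Certificate checks stay on (assumption: both endpoints
# present valid certificates).
configure_push() {
  local enc body resp
  require_filled "${BD_API_KEY:-}" && require_filled "$1" || return 1
  enc=$(encode_key "$BD_API_KEY")
  body=$(build_payload "$2" "$3" "$enc") || return 1
  resp=$(curl -sS -X POST "$1/v1.0/jsonrpc/push" \
    -H "authorization: Basic $enc" -H 'content-type: application/json' \
    -d "$body") || return 1
  response_ok "$resp"
}
```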
Contact support to request custom parsing assistance
The logs will require customized parsing so they can be effectively mapped in OpenSearch Dashboards.
Email our support to request custom parsing assistance.