
How to integrate Bitdefender Gravityzone Event Push Service SSL with TLS 1.2 or higher?

muradgh
Path Finder

Hi Splunkers.

I'm trying to integrate Bitdefender Gravityzone (Cloud) with Splunk on-premises. I have used the official documentation from the Bitdefender website:

https://www.bitdefender.com/business/support/en/77211-171475-splunk.html

but I'm stuck at the "Enable the Splunk integration" step.

In the beginning, I tried the "Enable the Splunk integration manually" method. I put everything in place and ran the command from the documentation, but ended up with an error stating "The web server with this URL must support TLS 1.2, at least", as shown in the screenshot below:

muradgh_0-1654668681685.png

I have reviewed the documentation again at this link:

https://www.bitdefender.com/business/support/en/77209-135319-setpusheventsettings.html

Under the "Important" note:
"Event Push Service requires the HTTP collector running on the third-party platforms to support SSL with TLS 1.2 or higher, to send events successfully."

But here is the thing: I think that HEC by default only supports TLSv1.2 despite sslVersions=*.


$ cat /opt/splunk/etc/apps/splunk_httpinput/default/inputs.conf
[http]
disabled=1
port=8088
enableSSL=1
dedicatedIoThreads=2
maxThreads = 0
maxSockets = 0
useDeploymentServer=0
# ssl settings are similar to mgmt server
sslVersions=*,-ssl2
allowSslCompression=true
allowSslRenegotiation=true
ackIdleCleanup=true


I have tried to use sslVersions=tls1.2, but nothing happened; it still shows the same issue.

Can someone please help me figure out how to solve this TLS issue?

Afterward, I tried the "Enable the Splunk integration by running a script" method. Again I put everything in place and ran the script, but ended up with an error stating:


FAIL - server response:
<html>
<head><title>404 Not Found</title></head>
<body>
<center><h1>404 Not Found</h1></center>
<hr><center>nginx</center>
</body>
</html>


as shown in the screenshot below:

muradgh_1-1654671183339.png

Any idea why this happens?

Much thanks.

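The post above compares the default `sslVersions=*,-ssl2` with `sslVersions=tls1.2` without spelling out which protocol versions each value actually enables. The following is an added example, not code from this thread, from Splunk or from Bitdefender: it resolves a Splunk `sslVersions` value to the effective set of protocols and flags any that fall below TLS 1.2. The parsing rules are taken from Splunk's documented `inputs.conf` syntax (`*` selects every supported version, `tls` selects tls1.0 and newer, a leading `-` removes a version, and SSLv2 is never enabled, so `-ssl2` is a no-op); the list of version names it knows about, including `tls1.3`, is an assumption about the Splunk build in use.

```python
"""Resolve a Splunk `sslVersions` setting to the protocol versions it enables.

Added example for this thread; not Splunk's or Bitdefender's code.
Assumption: the value syntax follows Splunk's inputs.conf documentation
('*' = all supported versions, 'tls' = tls1.0 and newer, '-name' removes
a version, ssl2 is always disabled so '-ssl2' changes nothing).
The set of known version names below is also an assumption.
"""

# Ordered oldest -> newest. tls1.3 is listed on the assumption that the
# Splunk build in use supports it; older builds stop at tls1.2.
KNOWN_VERSIONS = ("ssl3", "tls1.0", "tls1.1", "tls1.2", "tls1.3")
# Versions a current hardening baseline treats as unacceptable.
WEAK_VERSIONS = frozenset({"ssl3", "tls1.0", "tls1.1"})


def effective_ssl_versions(setting: str) -> set[str]:
    """Return the set of protocol versions enabled by an sslVersions value."""
    enabled: set[str] = set()
    for raw in setting.split(","):
        token = raw.strip().lower()
        if not token:
            continue
        negate = token.startswith("-")
        name = token[1:] if negate else token
        if name == "*":
            selected = set(KNOWN_VERSIONS)
        elif name == "tls":
            selected = {v for v in KNOWN_VERSIONS if v.startswith("tls")}
        elif name == "ssl2":
            selected = set()  # never enabled; listing it has no effect
        elif name in KNOWN_VERSIONS:
            selected = {name}
        else:
            raise ValueError(f"unknown sslVersions token: {raw!r}")
        if negate:
            enabled -= selected
        else:
            enabled |= selected
    return enabled


def assess(setting: str) -> dict:
    """Summarise a setting: what is enabled, whether TLS 1.2+ is offered,
    and which weak protocols are still on."""
    enabled = effective_ssl_versions(setting)
    return {
        "enabled": sorted(enabled, key=KNOWN_VERSIONS.index),
        "tls12_or_higher": bool(enabled & {"tls1.2", "tls1.3"}),
        "weak_enabled": sorted(enabled & WEAK_VERSIONS, key=KNOWN_VERSIONS.index),
    }


if __name__ == "__main__":
    # Constructed sample values: the thread's default, the poster's attempt,
    # and two ways of writing a TLS 1.2+-only policy.
    for value in ("*,-ssl2", "tls1.2", "tls1.2,tls1.3", "tls,-tls1.0,-tls1.1"):
        print(f"{value:22} -> {assess(value)}")
```

Run it as a script to see that the default `*,-ssl2` already offers TLS 1.2 (and still offers ssl3, tls1.0 and tls1.1), so TLS 1.2 support on the HEC listener is not what `sslVersions=tls1.2` changes; that value only removes the older protocols, which is the hardening you want anyway. Point the same function at the `[http]` stanza of your own `inputs.conf` to confirm the effective policy before troubleshooting the remote side.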

Tai-bdev-vn
Loves-to-Learn

Hello,

This means we cannot use the API Push Event with a Splunk Cloud trial, is that right?

Because when I use this method with the trial collector link on port 8088, I still face this issue:

{"id":"1","jsonrpc":"2.0","error":{"code":-32602,"message":"Invalid params","data":{"details":"The web server with this URL must support TLS 1.2

Thanks


Tai-bdev-vn
Loves-to-Learn

Hello AndyG,

Do you need to modify port 8088 on Splunk Global setting?

I tried to do the same as you recommend but still face the issue.

Thanks


AndyG
Loves-to-Learn

So according to this page:

https://docs.splunk.com/Documentation/SplunkCloud/9.0.2303/Data/UsetheHTTPEventCollector?ref=hk&_ga=...

Port 8088 is only for trial accounts. Full accounts should use port 443 in their command. Hope this helps!


Tai-bdev-vn
Loves-to-Learn

Hello,

I'm facing the same problem when pushing events via API from GravityZone Cloud to Splunk Cloud.

Do you have the guide to troubleshoot it?

Thanks!


Jeewan
Loves-to-Learn

Hello guys, did anyone find any resolution for that issue? I am also facing the same issue. I tried in Splunk Cloud and Splunk Enterprise and am getting the same error in both.


retloc
New Member

Did you ever figure out this problem? I have the same issue trying to integrate Bitdefender.


muradgh
Path Finder

Unfortunately, not yet. I have opened a case with Splunk to work on this, but the issue is still pending ☹️


jdjacopodario
Observer

I have the same error when I try to configure the event push between Splunk and BitDefender. Do you have any news about it?


muradgh
Path Finder

Unfortunately no answer anywhere 🥲


andrew15
Loves-to-Learn Lots

Did you ever get this resolved? Our team is facing the same issue


muradgh
Path Finder

Unfortunately, I couldn't resolve this; I gave up trying to integrate this with Splunk 😔


AndyG
Loves-to-Learn

For @muradgh and anyone else struggling with this, I've managed to get it working.

The BitDefender guide is out of date/incorrect about the Splunk address to use.

I found the correct format on this page:

https://docs.splunk.com/Documentation/SplunkCloud/9.0.2303/Data/UsetheHTTPEventCollector?ref=hk#Send...

Long story short, you need to add http-inputs- before your URL and use port 443, not 8088 as BD says.

So my full URL (with hostname removed, obviously) is:

https://http-inputs-[hostname].splunkcloud.com:443/services/collector

After doing that, I now get the success return value that the BD guide shows. Hope this helps other people!

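The answer above pins the fix to the collector URL rather than to any Splunk TLS setting. As an added example (not code from this thread, from Splunk or from Bitdefender), the script below builds a Splunk Cloud HEC URL in the shape AndyG reports working, checks a candidate URL against that shape so a port-8088 or un-prefixed address is caught before you hand it to GravityZone, and optionally opens a connection with a client that offers only TLS 1.2 and newer to see what the endpoint negotiates. The URL format is taken from the post; the stack name `mystack` is a constructed placeholder; the probe function is a local analogue of the "must support TLS 1.2" requirement quoted earlier in the thread, not Bitdefender's actual check, and it is the only part that needs network access.

```python
"""Build and sanity-check a Splunk Cloud HEC URL, then probe its TLS version.

Added example for this thread; not Splunk's or Bitdefender's code.
Assumption: the working URL shape is
    https://http-inputs-<stack>.splunkcloud.com:443/services/collector
as reported in AndyG's post. '<stack>' is your own stack name; 'mystack'
below is a constructed placeholder.
"""
import socket
import ssl
from urllib.parse import urlparse

HEC_PATH = "/services/collector"


def build_cloud_hec_url(stack: str) -> str:
    """Return the collector URL for a (non-trial) Splunk Cloud stack name."""
    if not stack or "." in stack or "/" in stack:
        raise ValueError("stack must be the bare stack name, e.g. 'mystack'")
    return f"https://http-inputs-{stack}.splunkcloud.com:443{HEC_PATH}"


def check_cloud_hec_url(url: str) -> list[str]:
    """Return the problems a URL has against the format from the thread.

    An empty list means the URL matches the working shape."""
    p = urlparse(url)
    problems: list[str] = []
    if p.scheme != "https":
        problems.append("scheme must be https")
    host = p.hostname or ""
    if not host.startswith("http-inputs-"):
        problems.append("hostname lacks the http-inputs- prefix")
    if not host.endswith(".splunkcloud.com"):
        problems.append("hostname is not under splunkcloud.com")
    if (p.port or 443) != 443:
        problems.append(f"port {p.port} used; full (non-trial) stacks use 443")
    if p.path.rstrip("/") != HEC_PATH:
        problems.append(f"path should be {HEC_PATH}")
    return problems


def probe_tls(url: str, timeout: float = 5.0) -> dict:
    """Connect with a client that offers only TLS 1.2+ and report the result.

    Raises ssl.SSLError if the server cannot negotiate TLS 1.2 or newer,
    which is the condition the GravityZone error message describes.
    Needs network access; the certificate is verified against the
    system trust store."""
    p = urlparse(url)
    host, port = p.hostname, p.port or 443
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return {"protocol": tls.version(), "cipher": tls.cipher()[0]}


if __name__ == "__main__":
    # Constructed inputs: the shape from the thread versus the one the
    # Bitdefender guide leads people to use.
    good = build_cloud_hec_url("mystack")
    bad = "https://mystack.splunkcloud.com:8088/services/collector"
    for candidate in (good, bad):
        print(candidate, "->", check_cloud_hec_url(candidate) or "ok")
    # Uncomment with a real stack name to see the negotiated protocol:
    # print(probe_tls(good))
```

If `check_cloud_hec_url` reports nothing and `probe_tls` returns a TLS 1.2 or 1.3 protocol string, the endpoint satisfies the stated requirement and the remaining variables are the HEC token and the stack's own configuration; if the probe raises an `ssl.SSLError`, the listener really does not offer TLS 1.2+, which is the case the `sslVersions` setting in the first post governs.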