Splunk Cloud Platform
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Are there any fixes that we could do to forward our logs from Gravityzone into Splunk Cloud?

JacksonModlin
Explorer
‎08-17-2022 01:24 PM

Hello, 

We are using splunk cloud to centralize all our logs, and are currently struggling with Bitdefenders implementation. We have added the HTTP Event Collector, and are now struggling with the final step of sending the logs from Bitdefender to Splunk, When i run the code to connect the two

 

 

curl -k -X POST OUR_GRAVITYZONE_API/v1.0/jsonrpc/push -H 'authorization: Basic GRAVITYZONE_API_KEY' -H 'cache-control: no-cache' -H 'content-type: application/json' -d '{
    "params": {
        "status": 1,
        "serviceType": "splunk",
        "serviceSettings": {
            "url": "https://input-OUR_SPLUNK_CLOUD_LINK:8088/services/collector",
            "requireValidSslCertificate": false,
            "splunkAuthorization": "Splunk HTTP_EVENT_KEY"
        },
        "subscribeToEventTypes": {
            "hwid-change": true,
            "modules": true,
            "sva": true,
            "registration": true,
            "supa-update-status": true,
            "av": true,
            "aph": true,
            "fw": true,
            "avc": true,
            "uc": true,
            "dp": true,
            "device-control": true,
            "sva-load": true,
            "task-status": true,
            "exchange-malware": true,
            "network-sandboxing": true,
            "malware-outbreak": true,
            "adcloud": true,
            "exchange-user-credentials": true,
            "exchange-organization-info": true,
            "hd": true,
            "antiexploit": true
        },
        "jsonrpc": "2.0",
        "method": "setPushEventSettings",
        "id": "1"
    }'
}

 

 

 It returns the Error

 

 

{
    "id": null,
    "jsonrpc": "2.0",
    "error": {
        "code": -32600,
        "message": "Invalid Request",
        "data": {
            "details": "Invalid or missing request id. Notifications are not supported"
        }
    }
}

 


Are there any fixes that we could do to forward our logs from Gravityzone into Splunk Cloud?

Labels (1)
Labels
0 Karma
Reply

chaker
Contributor
‎08-17-2022 10:08 PM

Just to confirm, are you following these instructions:

https://www.bitdefender.com/business/support/en/77211-158569-send-security-telemetry-from-gravityzon...

For this addon?

https://splunkbase.splunk.com/app/4142/

There is also an app, both are supported on Splunk Cloud according to splunkbase.

https://splunkbase.splunk.com/app/4151/

 

Reply

JacksonModlin
Explorer
‎08-18-2022 09:07 AM

I have been following this documentation provided by bitdefender, is this not the one i should be using?

 

https://www.bitdefender.com/business/support/en/77211-171475-splunk.html

0 Karma
Reply

chaker
Contributor
‎08-18-2022 09:50 PM

That looks like the right doc.

Have you tried the script they offer called bdpusheventconfig.sh? 

0 Karma
Reply

JacksonModlin
Explorer
‎08-19-2022 01:20 PM

I went ahead and ran the script, and now i get the error

{"id":"1","jsonrpc":"2.0","error":{"code":-32602,"message":"Invalid params","data":{"details":"The web server with this URL must support TLS 1.2, at least"}}}

is this a problem that i have to take up with bitdefender, or splunk?

 

Thanks,
Jackson

0 Karma
Reply

chaker
Contributor
‎08-19-2022 03:34 PM

Reading over some other posts, it seems the Splunk HEC only accepts TLS1.2.

I did see a bit defender doc about upgrading gravity to TLS1.2. Make sure this has been covered off.


https://www.bitdefender.com.au/support/how-to-upgrade-to-tls-1-2-and-why-its-crucial-for-bitdefender...

To answer your question, the addon is a vendor supplied and supported addon, and not Splunk supported, so it's unlikely Splunk Support will be able to help. It certainly can't hurt creating a case if you have the entitlement, but they may tell you to contact Bitdefender.

0 Karma
Reply

AvinashShivhare
Loves-to-Learn Lots
‎04-19-2023 05:59 AM

Looking for update on this I am also trying to do same but instead I am integrating Gravityzone with Splunk on-premise. Please note I am also getting the above errors. 

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Classroom Chronicles: Training Tales and Testimonials

Welcome to the "Splunk Classroom Chronicles" series, created to help curious, career-minded learners get ...

Access Tokens Page - New & Improved

Splunk Observability Cloud recently launched an improved design for the access tokens page for better ...

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

🍂 Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...