
Are there any fixes that we could do to forward our logs from Gravityzone into Splunk Cloud?

JacksonModlin
Explorer

Hello, 

We are using Splunk Cloud to centralize all our logs, and are currently struggling with Bitdefender's implementation. We have added the HTTP Event Collector, and are now struggling with the final step of sending the logs from Bitdefender to Splunk. When I run the code to connect the two:

curl -k -X POST OUR_GRAVITYZONE_API/v1.0/jsonrpc/push -H 'authorization: Basic GRAVITYZONE_API_KEY' -H 'cache-control: no-cache' -H 'content-type: application/json' -d '{
    "params": {
        "status": 1,
        "serviceType": "splunk",
        "serviceSettings": {
            "url": "https://input-OUR_SPLUNK_CLOUD_LINK:8088/services/collector",
            "requireValidSslCertificate": false,
            "splunkAuthorization": "Splunk HTTP_EVENT_KEY"
        },
        "subscribeToEventTypes": {
            "hwid-change": true,
            "modules": true,
            "sva": true,
            "registration": true,
            "supa-update-status": true,
            "av": true,
            "aph": true,
            "fw": true,
            "avc": true,
            "uc": true,
            "dp": true,
            "device-control": true,
            "sva-load": true,
            "task-status": true,
            "exchange-malware": true,
            "network-sandboxing": true,
            "malware-outbreak": true,
            "adcloud": true,
            "exchange-user-credentials": true,
            "exchange-organization-info": true,
            "hd": true,
            "antiexploit": true
        },
        "jsonrpc": "2.0",
        "method": "setPushEventSettings",
        "id": "1"
    }
}'

It returns the error:

{
    "id": null,
    "jsonrpc": "2.0",
    "error": {
        "code": -32600,
        "message": "Invalid Request",
        "data": {
            "details": "Invalid or missing request id. Notifications are not supported"
        }
    }
}

Are there any fixes that we could do to forward our logs from Gravityzone into Splunk Cloud?


chaker
Contributor

Just to confirm, are you following these instructions:

https://www.bitdefender.com/business/support/en/77211-158569-send-security-telemetry-from-gravityzon...

For this addon?

https://splunkbase.splunk.com/app/4142/

There is also an app; both are supported on Splunk Cloud according to Splunkbase.

https://splunkbase.splunk.com/app/4151/

JacksonModlin
Explorer

I have been following this documentation provided by Bitdefender; is this not the one I should be using?

https://www.bitdefender.com/business/support/en/77211-171475-splunk.html


chaker
Contributor

That looks like the right doc.

Have you tried the script they offer called bdpusheventconfig.sh? 


JacksonModlin
Explorer

I went ahead and ran the script, and now I get the error:

{"id":"1","jsonrpc":"2.0","error":{"code":-32602,"message":"Invalid params","data":{"details":"The web server with this URL must support TLS 1.2, at least"}}}

Is this a problem that I have to take up with Bitdefender, or Splunk?

Thanks,
Jackson


chaker
Contributor

Reading over some other posts, it seems the Splunk HEC only accepts TLS 1.2.

I did see a Bitdefender doc about upgrading GravityZone to TLS 1.2. Make sure this has been covered off.


https://www.bitdefender.com.au/support/how-to-upgrade-to-tls-1-2-and-why-its-crucial-for-bitdefender...

To answer your question, the add-on is a vendor-supplied and vendor-supported add-on, not a Splunk-supported one, so it's unlikely Splunk Support will be able to help. It certainly can't hurt creating a case if you have the entitlement, but they may tell you to contact Bitdefender.

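As an added example (not from the thread, and not Bitdefender's or Splunk's own tooling): a small builder and checker for the setPushEventSettings body. It puts the JSON-RPC 2.0 envelope fields (jsonrpc, method, id) at the top level, which is consistent with the "Invalid or missing request id. Notifications are not supported" error in the first post, where those fields sit inside "params", and it also flags a non-HTTPS HEC URL or disabled certificate validation given the TLS 1.2 requirement raised above. The method, parameter names and event-type names come from the post; HEC_URL and HEC_TOKEN are constructed placeholders.

```python
# Placeholders (constructed for this example; substitute your own values).
HEC_URL = "https://input-YOUR_SPLUNK_CLOUD_LINK:8088/services/collector"
HEC_TOKEN = "YOUR_HEC_TOKEN"
EVENT_TYPES = ["av", "aph", "fw", "avc", "uc", "dp", "hd", "antiexploit", "task-status"]


def build_push_settings_request(hec_url, hec_token, event_types, request_id="1"):
    """JSON-RPC 2.0 body for setPushEventSettings with the envelope fields
    (jsonrpc, method, id) at the top level, not inside "params" as in the post."""
    return {
        "jsonrpc": "2.0",
        "method": "setPushEventSettings",
        "id": request_id,
        "params": {
            "status": 1,
            "serviceType": "splunk",
            "serviceSettings": {
                "url": hec_url,
                # Keep certificate validation on; the post switched it off.
                "requireValidSslCertificate": True,
                "splunkAuthorization": f"Splunk {hec_token}",
            },
            "subscribeToEventTypes": {name: True for name in event_types},
        },
    }


def jsonrpc_request_problems(body):
    """Static checks that catch the mistakes discussed in the thread; returns findings."""
    problems = []
    if body.get("jsonrpc") != "2.0":
        problems.append("top-level 'jsonrpc' missing or not '2.0'")
    if "id" not in body:
        problems.append("top-level 'id' missing: server treats the call as a notification")
    if "method" not in body:
        problems.append("top-level 'method' missing")
    params = body.get("params", {})
    misplaced = [k for k in ("jsonrpc", "method", "id") if k in params]
    if misplaced:
        problems.append("envelope fields nested inside 'params': " + ", ".join(misplaced))
    settings = params.get("serviceSettings", {})
    if not settings.get("url", "").startswith("https://"):
        problems.append("HEC url must be https: the collector requires TLS 1.2")
    if settings.get("requireValidSslCertificate") is False:
        problems.append("requireValidSslCertificate is false: HEC certificate is not verified")
    return problems
```

Serialise the returned dict with json.dumps and pass it as the curl -d payload; run jsonrpc_request_problems on it first to catch the nesting mistake before the call.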

AvinashShivhare
Loves-to-Learn Lots

Looking for an update on this. I am also trying to do the same, but instead I am integrating GravityZone with Splunk on-premise. Please note I am also getting the above errors.
