Hello,
We are using Splunk Cloud to centralize all our logs, and are currently struggling with Bitdefender's implementation. We have added the HTTP Event Collector, and are now struggling with the final step of sending the logs from Bitdefender to Splunk. When I run the code to connect the two
curl -k -X POST OUR_GRAVITYZONE_API/v1.0/jsonrpc/push -H 'authorization: Basic GRAVITYZONE_API_KEY' -H 'cache-control: no-cache' -H 'content-type: application/json' -d '{
    "params": {
        "status": 1,
        "serviceType": "splunk",
        "serviceSettings": {
            "url": "https://input-OUR_SPLUNK_CLOUD_LINK:8088/services/collector",
            "requireValidSslCertificate": false,
            "splunkAuthorization": "Splunk HTTP_EVENT_KEY"
        },
        "subscribeToEventTypes": {
            "hwid-change": true,
            "modules": true,
            "sva": true,
            "registration": true,
            "supa-update-status": true,
            "av": true,
            "aph": true,
            "fw": true,
            "avc": true,
            "uc": true,
            "dp": true,
            "device-control": true,
            "sva-load": true,
            "task-status": true,
            "exchange-malware": true,
            "network-sandboxing": true,
            "malware-outbreak": true,
            "adcloud": true,
            "exchange-user-credentials": true,
            "exchange-organization-info": true,
            "hd": true,
            "antiexploit": true
        },
        "jsonrpc": "2.0",
        "method": "setPushEventSettings",
        "id": "1"
    }'
}
It returns the error
{
    "id": null,
    "jsonrpc": "2.0",
    "error": {
        "code": -32600,
        "message": "Invalid Request",
        "data": {
            "details": "Invalid or missing request id. Notifications are not supported"
        }
    }
}
Are there any fixes that we could do to forward our logs from GravityZone into Splunk Cloud?
UPDATE: Here are the setPushEventSettings public IPs that need to be whitelisted: setPushEventSettings
Sup friends,
So I just came across this Bitdefender issue and here's what worked for me:
1. Ensure your HEC endpoint supports TLS 1.2 (it most certainly does):
openssl s_client -connect http-inputs-namehere.splunkcloud.com:443 -tls1_2
2. Ensure your Splunk Cloud HEC access for ingestion IP Allow List has the IP ranges for IPs Bitdefender Cloud API responses - Splunk Cloud > Settings > Server settings > IP allow list - I'm still not sure what they are, but you probably get these from Bitdefender Support.
3. Ensure the integration command is properly formatted - if your stack is on GCP the HEC URL will be different. I believe it would be http-inputs.namehere.splunkcloud.com. My example below is for stacks hosted in AWS (more info on that here: https://docs.splunk.com/Documentation/SplunkCloud/latest/Data/UsetheHTTPEventCollector)
curl -k -X POST https://cloud.gravityzone.bitdefender.com/api/v1.0/jsonrpc/push -H 'authorization: Basic <Auth header base64>' -H 'cache-control: no-cache' -H 'content-type: application/json' -d '{"params": {"status": 1, "serviceType": "splunk", "serviceSettings": {"url": "https://http-inputs-namehere.splunkcloud.com:443/services/collector", "requireValidSslCertificate": false, "splunkAuthorization": "Splunk <Splunk Cloud HEC Token>"}, "subscribeToEventTypes": {"hwid-change": true,"modules": true,"sva": true,"registration": true,"supa-update-status": true,"av": true,"aph": true,"fw": true,"avc": true,"uc": true,"dp": true,"device-control": true,"sva-load": true,"task-status": true,"exchange-malware": true,"network-sandboxing": true,"malware-outbreak": true,"adcloud": true,"exchange-user-credentials": true,"exchange-organization-info": true,"hd": true,"antiexploit": true}}, "jsonrpc": "2.0", "method":"setPushEventSettings", "id": "1"}'
So without the Bitdefender IPs, I had to test by opening up the HEC allow list with 0.0.0.0/0 (takes a couple of minutes for the change to take effect), getting a successful response, and then immediately removing it, but this will let you know if this is the issue. Or you could wait to get the IPs from Bitdefender.
If you do get a successful response, you can send a test event with this:
curl -k -X POST https://cloud.gravityzone.bitdefender.com/api/v1.0/jsonrpc/push -H 'authorization: Basic <Auth header base64>' -H 'cache-control: no-cache' -H 'content-type: application/json' -d '{"params": {"eventType": "av"}, "jsonrpc": "2.0", "method": "sendTestPushEvent", "id": "3"}'
Hope this helps!
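The two failures in this thread (the -32600 "Invalid or missing request id" from the original post, and the TLS 1.2 requirement from the later one) can both be caught before the request ever leaves your machine. The script below is an added example for this thread, not Bitdefender's or Splunk's code: it builds the setPushEventSettings envelope with `id`, `jsonrpc` and `method` at the top level beside `params` (in the original post they were closed inside `params`, which is why the server saw no request id), lint-checks a raw `-d` payload for exactly that mistake, and wraps the `openssl s_client -tls1_2` probe in Python. The endpoint path, method names and parameter names are the ones quoted in the thread; the Basic-auth helper follows the GravityZone API documentation's convention of the API key as the user name with an empty password (treat that as an assumption if your docs say otherwise); the hostnames and tokens are constructed placeholders.

```python
import base64
import json
import socket
import ssl
from urllib.parse import urlparse

# Event types exactly as listed in the thread's setPushEventSettings call.
EVENT_TYPES = [
    "hwid-change", "modules", "sva", "registration", "supa-update-status",
    "av", "aph", "fw", "avc", "uc", "dp", "device-control", "sva-load",
    "task-status", "exchange-malware", "network-sandboxing",
    "malware-outbreak", "adcloud", "exchange-user-credentials",
    "exchange-organization-info", "hd", "antiexploit",
]


def gravityzone_auth_header(api_key):
    """Basic-auth header value: base64 of 'apikey:' (API key as user name,
    empty password). Assumption: this is the convention the GravityZone
    API docs describe; verify against your copy of the docs."""
    token = base64.b64encode(f"{api_key}:".encode()).decode()
    return f"Basic {token}"


def build_push_settings(hec_url, hec_token, request_id="1", validate_cert=True):
    """JSON-RPC 2.0 envelope for setPushEventSettings. 'jsonrpc', 'method'
    and 'id' are siblings of 'params', never children of it."""
    return {
        "jsonrpc": "2.0",
        "method": "setPushEventSettings",
        "id": request_id,
        "params": {
            "status": 1,
            "serviceType": "splunk",
            "serviceSettings": {
                "url": hec_url,
                # Keep certificate validation on outside of troubleshooting;
                # the thread's curl examples disable it only for testing.
                "requireValidSslCertificate": validate_cert,
                "splunkAuthorization": f"Splunk {hec_token}",
            },
            "subscribeToEventTypes": {t: True for t in EVENT_TYPES},
        },
    }


def diagnose_payload(raw):
    """Lint a -d payload (JSON text or an already-parsed dict). Returns a
    list of problems; an empty list means the envelope is well-formed."""
    if isinstance(raw, dict):
        body = raw
    else:
        try:
            body = json.loads(raw)
        except json.JSONDecodeError as exc:
            return [f"not valid JSON: {exc.msg} at char {exc.pos} "
                    "(check the braces around the -d argument)"]
    problems = []
    params = body.get("params", {})
    if body.get("jsonrpc") != "2.0":
        problems.append("top-level 'jsonrpc' must be '2.0'")
    if "method" not in body:
        problems.append("top-level 'method' is missing")
    if "id" not in body:
        problems.append("top-level 'id' is missing: the server treats the call "
                        "as a notification and rejects it with -32600")
    for key in ("id", "jsonrpc", "method"):
        if key in params:
            problems.append(f"'{key}' is nested inside 'params'; move it to the top level")
    url = params.get("serviceSettings", {}).get("url", "")
    if url and not url.startswith("https://"):
        problems.append("HEC url must be https; Splunk Cloud HEC requires TLS 1.2")
    return problems


def probe_tls12(hec_url, timeout=5.0):
    """True if the HEC host completes a handshake pinned to TLS 1.2 (the
    thread's 'openssl s_client -tls1_2' check). Needs network access, so it
    is not exercised in the offline run below."""
    parsed = urlparse(hec_url)
    host, port = parsed.hostname, parsed.port or 443
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() == "TLSv1.2"
    except (OSError, ssl.SSLError):
        return False


# Constructed payload reproducing the original post's mistake: the envelope
# keys were closed inside 'params' instead of beside it.
NESTED_ID_PAYLOAD = json.dumps({
    "params": {"status": 1, "serviceType": "splunk",
               "jsonrpc": "2.0", "method": "setPushEventSettings", "id": "1"}
})

if __name__ == "__main__":
    print(diagnose_payload(NESTED_ID_PAYLOAD))
    good = build_push_settings(
        "https://http-inputs-EXAMPLE.splunkcloud.com:443/services/collector",
        "HEC_TOKEN_PLACEHOLDER")
    print(diagnose_payload(good))  # []
```

Run `diagnose_payload()` over the exact string you pass to `-d` before opening a support case; if it comes back empty and `probe_tls12()` returns True for your HEC URL, what remains is almost always the HEC IP allow list described in step 2.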
Just to confirm, are you following these instructions:
For this addon?
https://splunkbase.splunk.com/app/4142/
There is also an app, both are supported on Splunk Cloud according to splunkbase.
https://splunkbase.splunk.com/app/4151/
I have been following this documentation provided by Bitdefender, is this not the one I should be using?
https://www.bitdefender.com/business/support/en/77211-171475-splunk.html
That looks like the right doc.
Have you tried the script they offer called bdpusheventconfig.sh?
I went ahead and ran the script, and now I get the error
{"id":"1","jsonrpc":"2.0","error":{"code":-32602,"message":"Invalid params","data":{"details":"The web server with this URL must support TLS 1.2, at least"}}}
Is this a problem that I have to take up with Bitdefender, or Splunk?
Thanks,
Jackson
Reading over some other posts, it seems the Splunk HEC only accepts TLS 1.2.
I did see a Bitdefender doc about upgrading GravityZone to TLS 1.2. Make sure this has been covered off.
To answer your question, the addon is a vendor supplied and supported addon, and not Splunk supported, so it's unlikely Splunk Support will be able to help. It certainly can't hurt creating a case if you have the entitlement, but they may tell you to contact Bitdefender.
Looking for an update on this. I am also trying to do the same, but instead I am integrating GravityZone with Splunk on-premise. Please note I am also getting the above errors.