Configure Bitdefender GravityZone source for Sumo Logic
You can view Bitdefender GravityZone data in Sumo Logic. To collect this type of data, you need to add a source to a Hosted Collector in Sumo Logic and configure the Bitdefender GravityZone APIs.
Prerequisites
Sumo Logic account
Bitdefender GravityZone (cloud) account
Hosted Collector set up on a machine in your Sumo Logic environment
To collect Bitdefender GravityZone data via its APIs, follow these steps:
Add source to a Hosted Collector
Log in to Sumo Logic.
Navigate to Manage Data > Collection.
Click Add Source next to a Hosted Collector.
Select HTTP Logs & Metrics.
Enter a Name for the source.
Configure Source details and advanced options for logs.
For more information, refer to the following Sumo Logic help article.
Click Save to add the source.
This source has a unique URL. Bitdefender GravityZone will send its data to this URL after you configure the Event Push Service API.
Access source URL
Navigate to Manage Data > Collection.
Find the Hosted Collector by name and click Show URL.
Copy the HTTP source address.
Generate Bitdefender GravityZone API key
Log in to GravityZone Control Center.
Click the username at the upper-right corner and choose My Account.
Go to the API keys section and click Add.
Enable Event Push Service API.
You can enable other APIs to source more information from Bitdefender GravityZone.
Click Save.
To prevent leaking sensitive information, do not share or distribute the API keys you generate.
Copy the Access URL from the Control Center API section.
You need the API key and this URL to configure the Event Push Service API.
Configure Event Push Service API
Follow this procedure to set up the subscription for GravityZone Control Center events that you want to see in Sumo Logic.
Open a macOS or Linux terminal.
Run echo with the Bitdefender GravityZone API key followed by a colon (":") and pipe the output to base64. Type the -n flag with a plain ASCII hyphen: a typographic dash pasted from a document is not recognized as a flag and is encoded as part of the string, which corrupts the token.
For Linux terminal:
> echo -n 'Ge9HCYqdU7jIDR90wN0eE1zbB5Snc5HN:' | base64 -w 0
For macOS terminal:
> echo -n 'Ge9HCYqdU7jIDR90wN0eE1zbB5Snc5HN:' | base64 -b 0
This encodes the API key (with the trailing colon) as a base64 string.
Return value example:
R2U5SENZcWRVN2pJRFI5MHdOMGVFMXpiQjVTbmM1SE46
You will use this encoded string as the token in the POST authorization header.
Note
Sumo Logic does not currently support authentication via the authorization header set in the setPushEventSettings method. The header is still required for the event push forwarding mechanism to work, but it can contain any random string, because the Sumo Logic HTTPS collector ignores it.
Run the following curl command, replacing the authorization header value with your base64 token, the "url" value with your Sumo Logic HTTP source address, and the "authorization" value with any string:
curl -k -X POST \
  https://cloudgz.gravityzone.bitdefender.com/api/v1.0/jsonrpc/push \
  -H 'authorization: Basic R2U5SENZcWRVN2pJRFI5QndOMGVFMXpiQjVTbmNISE46' \
  -H 'cache-control: no-cache' \
  -H 'content-type: application/json' \
  -d '{
    "params": {
      "status": 1,
      "serviceType": "jsonRPC",
      "serviceSettings": {
        "url": "SumoLogic URL",
        "requireValidSslCertificate": false,
        "authorization": "auth header value"
      },
      "subscribeToEventTypes": {
        "modules": true, "sva": true, "registration": true,
        "supa-update-status": true, "av": true, "aph": true, "fw": true,
        "avc": true, "uc": true, "dp": true, "hd": true, "sva-load": true,
        "task-status": true, "exchange-malware": true,
        "network-sandboxing": true, "adcloud": true,
        "exchange-user-credentials": true
      }
    },
    "jsonrpc": "2.0",
    "method": "setPushEventSettings",
    "id": "1"
  }'
Return value example:
{"id":"1","jsonrpc":"2.0","result":true}
GravityZone starts sending events to Sumo Logic after the Event Push Service settings are reloaded. This happens every 10 minutes.
This table lists the event types that GravityZone can send to Sumo Logic.
Event type identifier      Description
modules                    Product Modules event
sva                        Security Server Status event
registration               Product Registration event
supa-update-status         Outdated Update Server event (where the Update Server is a Relay)
av                         Antimalware event
aph                        Antiphishing event
fw                         Firewall event
avc                        ATC/IDS event
uc                         User Control event
dp                         Data Protection event
hd                         HyperDetect event
sva-load                   Overloaded Security Server event
task-status                Task Status event
exchange-malware           Exchange Malware Detection event
network-sandboxing         Sandbox Analyzer Detection
adcloud                    Active Directory Integration Issue
exchange-user-credentials  Exchange User Credentials
To start sending events immediately, run the following command, replacing the authorization header value with your base64 token:
curl -k -X POST \
  https://cloudgz.gravityzone.bitdefender.com/api/v1.0/jsonrpc/push \
  -H 'authorization: Basic R2U5SENZcWRVN2pJRFI5QndOMGVFMXpiQjVTbmNISE46' \
  -H 'cache-control: no-cache' \
  -H 'content-type: application/json' \
  -d '{"params": {}, "jsonrpc": "2.0", "method": "getPushEventSettings", "id": "2"}'
To test the integration, run the following command, replacing the authorization header value with your base64 token (the "eventType" value can be any identifier from the table above):
curl -k -X POST \
  https://cloudgz.gravityzone.bitdefender.com/api/v1.0/jsonrpc/push \
  -H 'authorization: Basic R2U5SENZcWRVN2pJRFI5QndOMGVFMXpiQjVTbmNISE46' \
  -H 'cache-control: no-cache' \
  -H 'content-type: application/json' \
  -d '{"params": {"eventType": "av"}, "jsonrpc": "2.0", "method": "sendTestPushEvent", "id": "3"}'
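The token encoding, the setPushEventSettings body and the JSON-RPC response handling from the steps above, as an added Python example that is not part of the Bitdefender or Sumo Logic documentation. The function names are this example's own; the endpoint, method names, parameter names and event type identifiers are the ones given on this page, and the example keeps requireValidSslCertificate on by default where the page's curl command turns it off.

```python
import base64
import json
import secrets

# Event type identifiers from the table above; the page's example subscribes to all of them.
EVENT_TYPES = [
    "modules", "sva", "registration", "supa-update-status", "av", "aph", "fw",
    "avc", "uc", "dp", "hd", "sva-load", "task-status", "exchange-malware",
    "network-sandboxing", "adcloud", "exchange-user-credentials",
]

def basic_auth_header(api_key: str) -> str:
    # GravityZone Basic auth token is base64("<api_key>:"), colon included.
    # The ASCII check catches pasted typographic characters (such as an en dash
    # typed in place of the -n flag) that would otherwise end up in the token.
    if not (api_key.isascii() and api_key.isprintable()):
        raise ValueError("API key must be printable ASCII")
    token = base64.b64encode(f"{api_key}:".encode("ascii")).decode("ascii")
    return f"Basic {token}"

def jsonrpc_request(method: str, params: dict, request_id: str) -> dict:
    # JSON-RPC 2.0 envelope shared by setPushEventSettings, getPushEventSettings
    # and sendTestPushEvent.
    return {"jsonrpc": "2.0", "method": method, "params": params, "id": request_id}

def set_push_event_settings(sumo_url: str, verify_tls: bool = True) -> dict:
    # Body for setPushEventSettings. verify_tls defaults to True (the page's
    # curl example sets requireValidSslCertificate to false); the authorization
    # value is random because GravityZone requires one but Sumo Logic ignores it.
    if not sumo_url.startswith("https://"):
        raise ValueError("Sumo Logic HTTP source URL must use https")
    params = {
        "status": 1,
        "serviceType": "jsonRPC",
        "serviceSettings": {
            "url": sumo_url,
            "requireValidSslCertificate": verify_tls,
            "authorization": secrets.token_urlsafe(32),
        },
        "subscribeToEventTypes": {name: True for name in EVENT_TYPES},
    }
    return jsonrpc_request("setPushEventSettings", params, "1")

def parse_response(body: str, expected_id: str):
    # Return the JSON-RPC result; raise on an error object or a mismatched id.
    resp = json.loads(body)
    if resp.get("id") != expected_id:
        raise ValueError(f"unexpected response id {resp.get('id')!r}")
    if "error" in resp:
        raise RuntimeError(f"GravityZone error: {resp['error']}")
    return resp["result"]
```

Pass the returned header value as the authorization header and the body as the -d payload of the curl commands above; a successful call yields {"id":"1","jsonrpc":"2.0","result":true}, which parse_response turns into True.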
You can now see Bitdefender GravityZone data in Manage Data > Collection.
For details about the Push Events Service, refer to the chapter "Push" in the GravityZone Cloud API Documentation guide.