Collecting from Bitdefender GravityZone

TeskaLabs LogMan.io supports the ingestion of security and operational events from Bitdefender GravityZone using the push mechanism described in the official GravityZone API documentation. This allows organizations to seamlessly integrate endpoint protection data into their centralized SIEM for correlation, analysis, and compliance reporting.

Required setup

Bitdefender GravityZone is designed to push events over HTTPS to an external system. Instead of polling or periodically retrieving data, GravityZone actively sends log messages whenever relevant security events occur. To enable this integration, you must configure GravityZone to point to a public IP address that you control. On the receiving side, the LogMan.io Collector must be deployed and properly configured to listen on that IP address and accept HTTPS connections.

This setup ensures:

  • Real-time delivery of security events without delays.
  • Secure transport of log data using encrypted HTTPS.
  • Direct integration into the LogMan.io pipeline, where the events are parsed, normalized, and made available for correlation with other log sources.

In practice, this means that the Collector should be accessible on the internet (or through the necessary firewall/NAT rules) so that GravityZone can successfully reach it and deliver the events.

Bitdefender GravityZone Configuration

To enable push-based log collection, you first need to create and configure an API key within the Bitdefender GravityZone cloud portal. This key is required to authenticate the push notification service and manage the configuration of event delivery. It also provides access to statistics and state information about the push service.

Follow these steps:

1) Log in to the GravityZone portal

Navigate to your account details page within the Bitdefender GravityZone portal.

2) Locate the API Keys section

Click the user icon in the upper-right corner of the console and select My Account.

If your account has sufficient administrative privileges, you will see an “API keys” section near the bottom of the page.

3) Create a new key

Click “Add” to create a new API key.

  • Enter a meaningful description (e.g., "TeskaLabs LogMan.io Event Push").
  • Make sure to tick the checkboxes labeled “Event Push Service API” and “Network”. The “Event Push Service API” option specifically allows the key to be used for configuring and retrieving push notification settings.

4) Copy the key value

After the key is created, click on the blue key value to display it. Then, click the clipboard icon to copy the API key to your computer’s clipboard.

5) Store the key securely

Save the API key in a secure location. You will need it later during the LogMan.io Collector configuration to authenticate and finalize the integration.

LogMan.io Collector Configuration

Once you have prepared the API key in GravityZone, the next step is to configure the LogMan.io Collector so it can securely receive and process the incoming event stream.

Danger

Bitdefender GravityZone sends push notifications over TCP port 443 (HTTPS). Ensure this port is accessible from the Internet or that the necessary firewall/NAT rules are in place so the LogMan.io Collector can accept incoming connections. There is currently no way to set a port other than 443. If needed, place a proxy (NGINX, for instance) in front of the Collector.

Below is a sample configuration snippet for the LogMan.io Collector:

input:Bitdefender:GravityZone:
  listen: 443 ssl
  authorization: "Bearer <The secret token>"
  output: bitdefender-gz

output:CommLink:bitdefender-gz: {}

Key configuration points:

  • listen: 443 ssl

Configures the Collector to listen for incoming HTTPS connections on port 443. SSL/TLS is required to establish a secure channel for log delivery. Bitdefender GravityZone requires at least TLS 1.2.

  • authorization

Specifies the token that GravityZone must present in order to send data.

Danger

Replace <The secret token> with a unique, sufficiently long, and secure token. This acts as an authentication mechanism to ensure that only your trusted GravityZone instance can deliver events.

Tip

We recommend restricting access to this connector to an IP allow-list.
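The two checks the Collector is expected to make on every push, the authorization token and the source IP allow-list, written out as a small Python module. This is an added illustration, not LogMan.io code; the function names, the sample token and the sample networks are constructed for the example.

```python
import hmac
import ipaddress

# Value configured as 'authorization' under input:Bitdefender:GravityZone (constructed sample)
EXPECTED_AUTHORIZATION = "Bearer example-secret-token-0123456789"

# Source ranges GravityZone is expected to push from (constructed sample networks)
ALLOWED_SOURCES = [ipaddress.ip_network("203.0.113.0/24"),
                   ipaddress.ip_network("198.51.100.7/32")]


def source_allowed(remote_addr, allow_list=ALLOWED_SOURCES):
    """True when the peer address lies inside one of the allow-listed networks."""
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:          # not an IP literal at all
        return False
    return any(addr in net for net in allow_list)


def authorization_valid(headers, expected=EXPECTED_AUTHORIZATION):
    """Compare the presented Authorization header with the configured token.
    Header names are matched case-insensitively; hmac.compare_digest keeps the
    comparison time independent of where the first mismatching byte is."""
    presented = next((v for k, v in headers.items() if k.lower() == "authorization"), "")
    return hmac.compare_digest(presented.encode(), expected.encode())


def accept_push(remote_addr, headers):
    """HTTP status to answer with: 403 for a source outside the allow-list,
    401 for a missing or wrong token, 200 when both checks pass."""
    if not source_allowed(remote_addr):
        return 403, "source address not in allow-list"
    if not authorization_valid(headers):
        return 401, "authorization header missing or invalid"
    return 200, "accepted"


if __name__ == "__main__":
    # Constructed request from an allow-listed address carrying the right token
    print(accept_push("203.0.113.10", {"Authorization": EXPECTED_AUTHORIZATION}))  # (200, 'accepted')
```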

Enable the integration

After both GravityZone and the LogMan.io Collector are configured, you must enable the push service so that GravityZone starts delivering events to your Collector endpoint. This is done by invoking the helper script bundled with the LogMan.io Collector container.

$ docker exec \
  -e API_KEY="<API key>" \
  lmio-collector \
  python3 bitdefender.py set \
    --auth-header "Bearer <The secret token>" \
    --url https://<Collector IP address>/bitdefender-gz

Explanation of parameters

  • API_KEY

The API key you created earlier in the GravityZone portal (with Event Push Service API enabled). This key authorizes the LogMan.io Collector to configure push notification settings in GravityZone.

  • --auth-header "Bearer <The secret token>"

The same token you configured in the Collector’s authorization field. GravityZone will include this value in every HTTPS request, allowing the LogMan.io Collector to validate the source.

  • --url https://<Collector IP address>/bitdefender-gz

The publicly accessible URL of your LogMan.io Collector. Replace <Collector IP address> with the actual public IP or DNS name of your LogMan.io Collector. The /bitdefender-gz path is the endpoint that will handle GravityZone push events.

Expected response

If the setup is successful, GravityZone responds with a confirmation in JSON-RPC format:

{
  "id": "1",
  "jsonrpc": "2.0",
  "result": true
}

This indicates that the push service has been enabled and that GravityZone will now start sending events directly to your LogMan.io Collector. It may take up to 10 minutes for the first logs to appear in TeskaLabs LogMan.io.

Troubleshooting

The bundled script provides more options for troubleshooting the Bitdefender GravityZone integration:

  • get: Get current push event settings (getPushEventSettings)
  • get-stats: Get push event statistics (getPushEventStats)
  • reset-stats: Reset push event statistics (resetPushEventStats)
  • test: Send a test push event (sendTestPushEvent)

Example:

$ docker exec \
  -e API_KEY="<API key>" \
  lmio-collector \
  python3 bitdefender.py test
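The JSON-RPC exchange that sits behind "bitdefender.py set" and the troubleshooting sub-commands above, built and checked offline. This is an added example, not the bundled script; the parameter layout of setPushEventSettings and the Basic-auth convention (API key as user name, empty password) are assumptions taken from the public GravityZone API documentation and should be verified against the current version.

```python
import base64
import json
from itertools import count

_request_ids = count(1)  # JSON-RPC ids "1", "2", ... like the "id": "1" in the reply above


def api_auth_header(api_key):
    """GravityZone API calls use HTTP Basic auth: the API key is the user name, password empty."""
    return "Basic " + base64.b64encode(f"{api_key}:".encode()).decode()


def rpc_request(method, params=None):
    """JSON-RPC 2.0 request envelope; also used for getPushEventSettings,
    getPushEventStats, resetPushEventStats and sendTestPushEvent."""
    return {"id": str(next(_request_ids)), "jsonrpc": "2.0",
            "method": method, "params": params or {}}


def set_push_event_settings(collector_url, auth_header):
    """Body of the setPushEventSettings call that 'bitdefender.py set' performs.
    Parameter layout is an assumption based on the GravityZone API docs."""
    return rpc_request("setPushEventSettings", {
        "status": 1,                          # assumed: 1 enables the push service
        "serviceType": "jsonRPC",
        "serviceSettings": {
            "url": collector_url,             # https://<Collector IP address>/bitdefender-gz
            "authorization": auth_header,     # must match the Collector's 'authorization'
            "requireValidSslCertificate": True,  # reject a Collector with a bad certificate
        },
    })


def push_enabled(response_text):
    """True only for a reply of {"jsonrpc": "2.0", "result": true}.
    A JSON-RPC 'error' member, a non-boolean result or unparsable text all count as failure."""
    try:
        reply = json.loads(response_text)
    except json.JSONDecodeError:
        return False
    if not isinstance(reply, dict) or reply.get("jsonrpc") != "2.0" or "error" in reply:
        return False
    return reply.get("result") is True


if __name__ == "__main__":
    # Constructed sample values, not real credentials
    print(api_auth_header("example-api-key"))
    print(json.dumps(set_push_event_settings("https://203.0.113.5/bitdefender-gz",
                                             "Bearer example-secret-token"), indent=2))
    print(push_enabled('{"id": "1", "jsonrpc": "2.0", "result": true}'))  # True
```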