
Building an Event Push Service API Connector for CEF standard

Integration Overview

CEF (Common Event Format) is an extensible text-based format used for log management. Bitdefender GravityZone is now able to provide alerts using the CEF standard through integration with your ESM.

For this example of CEF standard integration, the communication between GravityZone and the ESM is done through a Node.js Connector. The connector receives authenticated POST requests from the GravityZone Event Push Service API, parses each request body and forwards the events it contains to a local or a remote Syslog server.

Prerequisites

• Advanced Node.js knowledge

• Ubuntu 16.04 server

• Node.js installed with Node version 8.1.x or higher

HTTP Message

• Event Push Service Request Header

Authorization: {authorization_string}

• Event Push Service Payload

{
  "cef": "0",
  "events": [
    "CEF:0|Bitdefender|GravityZone|6.4.0-8|70000|Registration|3|BitdefenderGZModule=registration dvchost=TEST_ENDPOINTasdad BitdefenderGZComputerFQDN=testendpoint.dsd.ro dvc=10.10.18.227 ",
    "CEF:0|Bitdefender|GravityZone|6.4.0-8|35|Product Modules Status|5|BitdefenderGZModule=modules dvchost=TEST_ENDPOINTasdad BitdefenderGZComputerFQDN=test-endpoint.dsd.ro dvc=10.10.18.227 ",
    "CEF:0|Bitdefender|GravityZone|6.4.0-8|35|Product Modules Status|5|BitdefenderGZModule=modules dvchost=TEST_ENDPOINTasdad BitdefenderGZComputerFQDN=test-endpoint.dsd.ro dvc=10.10.18.227 "
  ]
}

Building the Node.js Connector

To build the Node.js Connector, follow these steps:

Step 1: Create a directory for the connector

 

Create a directory on your server in which you would like to place the application.

Step 2: Create a package.json file

 

Create a new file named package.json as follows:

{
  "name": "app-name",
  "version": "1.0.0",
  "private": true,
  "description": "client that will be able to receive authenticated POST request and write each row in the local or remote syslog",
  "main": "server.js",
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "author": "",
  "license": "MIT",
  "dependencies": {
  }
}

Step 3: Fetch dependencies

 

• Express framework

Express is a minimal and flexible Node.js web application framework that provides a robust set of features for web and mobile applications.

Use Express to create the HTTP server. Run the following command to install it and add it to the dependencies in your package.json file:

$ npm install express --save

• Body parser

body-parser is Node.js body-parsing middleware: it parses incoming request bodies before your handlers run and exposes the result under the req.body property.

$ npm install body-parser --save

• Syslog Client

syslog-client sends syslog event notification messages over the network to a local or remote syslog server.

$ npm install syslog-client --save

Step 4: Create a config.json file

 

This file contains the configuration that server.js reads at start-up.

Use the following path for the config file:

APP_ROUTE/api/config

File variables:

authentication_string: compared in server.js against the value of req.headers.authorization; requests whose header does not match are rejected.

target: the IP address of the syslog server that the syslog client sends to.

transport: the transport used by the syslog client, "Tcp" or "Udp" (the value must match a key of syslog.Transport in the syslog-client module).

syslog_port: the TCP or UDP port on the target to which messages are sent.

port: the port on which the connector's HTTP server listens (3200 in the example below).

Example:

{
"port": 3200,
"syslog_port": 515,
"transport": "Tcp",
"target": "10.17.23.68",
"authentication_string": "Basic dGVzdDp0ZXN0"
}

Step 5: Create the server.js file

Required app dependencies:

server.js
// Require express and create an instance of it
const express = require('express');
const app = express();
// Require the Node.js File System module
const fs = require('fs');
// Require bodyParser and create a JSON parser instance
const bodyParser = require('body-parser');
const textParser = bodyParser.json();
// Require epsSyslogHelper -> this module is described in Step 6
const epsSyslogHelper = require('./api/epsSyslogHelper');

  1. Load the config file. The config file path is received as a parameter when the node server is run:
    node server.js {path for config file}

    server.js
    if (!process.argv[2]) {
      throw new Error('Missing input file parameter');
    }
    let configPath = process.argv[2];
    const config = JSON.parse(fs.readFileSync(configPath, 'utf8'));
  2. Check req.headers.authorization. If the authorization string is the same as the one from your config file, continue. Otherwise, return a 401 response to stop the execution.
    server.js
    // use basic HTTP auth to secure the api
    app.use('/api', (req, res, next) => {
      // Note: this prints the shared secret to stdout; remove it once debugging is done
      console.log(req.headers.authorization);
      // check for basic auth header
      if (!req.headers.authorization) {
        return res.status(401).json({ message: 'Missing Authorization Header' });
      }
      // verify auth credentials
      const authorizationString = req.headers.authorization;
      if (config.authentication_string !== authorizationString) {
        return res.status(401).json({ message: 'Invalid Authentication Credentials' });
      }
      next();
    });
  3. Add a route that answers the request coming from the Event Push Service API. Parse the body and log it using epsSyslogHelper.js.
    server.js
    // url: http://{server_url}:{port}/api/
    app.post('/api', textParser, (request, response) => {
      const body = request.body;
      // A new syslog client is created for every request; for a busy connector,
      // create one helper at start-up and reuse it instead
      let syslogHelper = new epsSyslogHelper(config);
      syslogHelper.log(body);
      response.sendStatus(200);
    });
  4. Set the server to listen on the port configured in the config.json file:
    server.js
    app.listen(config.port, () => console.log(`Listening on port ${config.port}`));

Step 6: Create the epsSyslogHelper.js file

Required dependencies:

epsSyslogHelper.js
const syslog = require('syslog-client');
const os = require('os');

EpsSyslogHelper constructor and log method:

  1. Start the syslog client based on the config file.
    epsSyslogHelper.js
    /**
     * EpsSyslogHelper class: wraps a syslog-client instance configured from config.json
     */
    const EpsSyslogHelper = function (config) {
      // Use the short host name of this machine as the syslog HOSTNAME field
      let hostName = os.hostname();
      if (!hostName) {
        hostName = 'localhost';
      }
      let dot = hostName.indexOf('.');
      if (dot > 0) {
        hostName = hostName.substring(0, dot);
      }
      console.log('Logging using host name %s', hostName);
      this._client = syslog.createClient(config.target, {
        syslogHostname: hostName,
        port: config.syslog_port,
        transport: syslog.Transport[config.transport],
      });
      this._client.on('error', function (err) {
        console.error('Error from syslog network: %s', err);
      });
    };
  2. Parse the message and log each event.
    epsSyslogHelper.js
    EpsSyslogHelper.prototype.log = function _log(msg) {
      let options = {
        facility: syslog.Facility.Local0,
        severity: syslog.Severity.Informational
      };
      let events;
      // The Event Push Service payload carries the CEF lines in msg.events
      if (msg.hasOwnProperty('cef')) {
        //events = msg.params.events;
        events = msg.events;
      }
      if (events) {
        for (let eventKey in events) {
          let syslogMessage = events[eventKey];
          if (typeof syslogMessage !== 'string') {
            syslogMessage = JSON.stringify(syslogMessage);
          }
          console.log("Event key = " + eventKey + " is = " + syslogMessage);
          this._client.log(syslogMessage, options, function (err) {
            if (err) {
              console.log(err);
            } else {
              console.log('Sent to syslog');
            }
          });
        }
      }
    };
  3. Export the class so that server.js can require it (without this line, new epsSyslogHelper(config) in server.js fails):
    epsSyslogHelper.js
    module.exports = EpsSyslogHelper;
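The log method above forwards every element of msg.events to syslog as-is. The following added example, which is not code from the article or from the syslog-client module, parses and validates each line of the payload shown in the "HTTP Message" section before it would be forwarded: it splits the seven CEF header fields (honouring the backslash escapes CEF defines for "|" and "\"), parses the key=value extension, checks the CEF version prefix and the 0-10 severity, and separates well-formed events from ones that should be dropped and reported. The mapping from CEF severity to a syslog severity name is a choice made for this example, not something the standards fix, and SAMPLE_PAYLOAD is the article's sample payload embedded as input.

```javascript
// Added example (not part of the original article): validate and parse CEF
// events from an Event Push Service payload before forwarding them to syslog.

// Splits the first seven '|'-separated CEF header fields. CEF escapes '|' and
// '\' inside header fields with a backslash; everything after the seventh
// unescaped pipe is the extension, where pipes are not special.
function splitHeader(line) {
  const fields = [];
  let current = '';
  let i = 0;
  for (; i < line.length && fields.length < 7; i++) {
    const ch = line[i];
    if (ch === '\\' && i + 1 < line.length) {
      current += line[i + 1]; // keep the escaped character, drop the backslash
      i++;
    } else if (ch === '|') {
      fields.push(current);
      current = '';
    } else {
      current += ch;
    }
  }
  if (fields.length < 7) {
    return null; // fewer than seven pipes: not a complete CEF header
  }
  return { header: fields, extension: line.slice(i) };
}

// Parses the "key=value key=value" extension. Values may contain spaces; '='
// and '\' inside values are escaped with a backslash, "\n"/"\r" are line breaks.
function parseExtension(ext) {
  const keyRe = /(?:^|\s)([A-Za-z0-9_.\-]+)=/g;
  const keys = [];
  let m;
  while ((m = keyRe.exec(ext)) !== null) {
    const keyStart = m.index + m[0].length - m[1].length - 1; // skip leading space
    keys.push({ name: m[1], keyStart: keyStart, valueStart: m.index + m[0].length });
  }
  const result = {};
  keys.forEach((k, idx) => {
    const end = idx + 1 < keys.length ? keys[idx + 1].keyStart : ext.length;
    const raw = ext.slice(k.valueStart, end).trim();
    result[k.name] = raw.replace(/\\(.)/g, (_, c) => (c === 'n' ? '\n' : c === 'r' ? '\r' : c));
  });
  return result;
}

// Validates one event line and returns either the parsed event or an error.
function parseCef(line) {
  if (typeof line !== 'string') {
    return { ok: false, error: 'event is not a string' };
  }
  const parts = splitHeader(line);
  if (!parts) {
    return { ok: false, error: 'malformed CEF header (fewer than 7 fields)' };
  }
  const [prefix, vendor, product, version, signatureId, name, severityText] = parts.header;
  const versionMatch = /^CEF:(\d+)$/.exec(prefix);
  if (!versionMatch) {
    return { ok: false, error: 'missing CEF:<version> prefix' };
  }
  if (!/^\d{1,2}$/.test(severityText) || Number(severityText) > 10) {
    return { ok: false, error: 'severity must be an integer between 0 and 10' };
  }
  return {
    ok: true,
    event: {
      cefVersion: Number(versionMatch[1]),
      vendor: vendor, product: product, version: version,
      signatureId: signatureId, name: name, severity: Number(severityText),
      extension: parseExtension(parts.extension),
    },
  };
}

// Example mapping of CEF severity (0-10) onto a syslog severity name.
function syslogSeverityFor(cefSeverity) {
  if (cefSeverity >= 9) return 'Critical';
  if (cefSeverity >= 7) return 'Error';
  if (cefSeverity >= 4) return 'Warning';
  return 'Informational';
}

// Splits a payload ({ cef, events }) into events safe to forward and rejects.
function partitionPayload(payload) {
  const accepted = [];
  const rejected = [];
  if (!payload || payload.cef !== '0' || !Array.isArray(payload.events)) {
    return { accepted: accepted, rejected: [{ index: -1, error: 'payload is not a CEF 0 event list' }] };
  }
  payload.events.forEach((line, index) => {
    const parsed = parseCef(line);
    if (parsed.ok) {
      accepted.push(Object.assign({ syslogSeverity: syslogSeverityFor(parsed.event.severity) }, parsed.event));
    } else {
      rejected.push({ index: index, error: parsed.error });
    }
  });
  return { accepted: accepted, rejected: rejected };
}

// Sample input: the first two events of the payload from the "HTTP Message" section.
const SAMPLE_PAYLOAD = {
  cef: '0',
  events: [
    'CEF:0|Bitdefender|GravityZone|6.4.0-8|70000|Registration|3|BitdefenderGZModule=registration dvchost=TEST_ENDPOINTasdad BitdefenderGZComputerFQDN=testendpoint.dsd.ro dvc=10.10.18.227 ',
    'CEF:0|Bitdefender|GravityZone|6.4.0-8|35|Product Modules Status|5|BitdefenderGZModule=modules dvchost=TEST_ENDPOINTasdad BitdefenderGZComputerFQDN=test-endpoint.dsd.ro dvc=10.10.18.227 ',
  ],
};
console.log(JSON.stringify(partitionPayload(SAMPLE_PAYLOAD), null, 2));
```

Inside the log method, partitionPayload(msg) could replace the bare msg.events loop: forward accepted events (optionally with options.severity taken from syslogSeverity instead of a fixed Informational) and write the rejected entries to the connector's own log, so a malformed or truncated line does not silently reach the ESM as a blank or half-parsed record.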

Step 7: Start the node server

To start the server with your config file, enter the following command:

node server.js {path_to_your_config-file} (in this case api/config/config.json)
