# Secureworks to Elastic Integration

## STEP 1: Enable Log Sending from Secureworks

> This step happens inside your **Secureworks dashboard**.

### Step-by-step:

1. **Login to Secureworks:**
    
    
    - Go to the Secureworks portal:
    - https://portal.secureworks.com
    - Enter your **Username** and **Password**
2. **Go to Log Export Settings:**
    
    
    - On the left-hand menu, look for **Settings** or **Administration**
    - Click **Data Export** or **Syslog Settings**
3. **Add a New Syslog Destination:**
    
    
    - Click **Add Destination** or **New Configuration**
    - In the form, fill in:
        
        
        - **IP Address** → Enter the IP of your Logstash server
        - **Port Number** → Enter `514`
        - **Protocol** → Select `UDP` or `TCP`  
            (Ask IT which one your server accepts)
    - Check any box that says **"Enable"** or **"Activate"**
    - usually IT),Click **Save** or **Apply**

Secureworks is now ready to send logs!

---

## STEP 2: Set Up Logstash to Receive Logs

> This step is done by whoever manages your Logstash server, but here’s exactly what they need to do.

### Step-by-step:

1. **Connect to the server (via SSH or terminal)**
2. Go to the folder:
    
    ```
    /etc/logstash/conf.d/
    ```
3. Create a new file:
    
    ```
    CopyEdit
    ```
    secureworks.conf
    ```
    ```
4. Paste this configuration inside:

```
input {
  udp {
    port => 514
    type => "secureworks"
  }
}

filter {
  if [type] == "secureworks" {
    json {
      source => "message"
      skip_on_invalid_json => true
    }
  }
}

output {
  elasticsearch {
    hosts => ["http://localhost:9200"]
    index => "secureworks-%{+YYYY.MM.dd}"
  }
}
```

5. Save the file
6. Restart Logstash by typing:
    
    ```
    nginx
    CopyEdit
    ```
    sudo systemctl restart logstash
    ```
    ```

Logstash is now waiting to receive logs.

---

## STEP 3: View Logs in Kibana

> Now let's **see the logs** inside the Kibana dashboard.

### Step-by-step:

1. **Open Kibana in your browser:**
    
    
    - Type the URL like:
        
        ```
        cpp
        CopyEdit
        ```
        http://<your-kibana-server-ip>:5601
        ```
        ```
2. **Go to Discover:**
    
    
    - On the left side menu, click **“Discover”**
3. **If it's your first time:**
    
    
    - A popup may ask you to create an **Index Pattern**
    - Click **Create index pattern**
    - In the box, type:
        
        ```
        CopyEdit
        ```
        secureworks-*
        ```
        ```
    - Click **Next step**
    - Choose `@timestamp` (or the default time field)
    - Click **Create index pattern**
4. You will now see log data from Secureworks.

---

## Optional

- Click **Dashboard** &gt; Create new dashboard
- Add graphs or tables from Secureworks data
- Click **Alerts** to set up notifications for certain events

---

## Troubleshooting (If You Don’t See Logs)

<table cellpadding="2" cellspacing="0" id="bkmrk-problem-solution-no-" width="619"><colgroup><col width="160"></col> <col width="452"></col> </colgroup><thead><tr><th width="160">Problem

</th><th width="452">Solution

</th></tr></thead><tbody><tr><td width="160">No logs in Kibana

</td><td width="452">Check that Secureworks export is enabled and points to the correct IP

</td></tr><tr><td width="160">Still empty?

</td><td width="452">Check if Logstash is running and port 514 is open

</td></tr><tr><td width="160">JSON parsing error?

</td><td width="452">check if logs are plain text or JSON

</td></tr></tbody></table>

---