Skip to main content

 

Splunk Lantern

Secure facilities access auditing

You might need to audit and report on security facilities access when doing the following:

Prerequisites 

In order to execute this procedure in your environment, the following data, services, or apps are required:

Example

Auditing of physical access is often a requirement for regulatory bodies and industrial certifications. You need to be able to associate ingress and egress traffic for designated rooms and zones to specific badges in near real-time.

To optimize the search shown below, you should specify a time range.  You may also need to adjust field names to match what is available in your lookup files. 

  1. Ensure your lookup file is uploaded to your Splunk deployment.
  2. Run the following search:
    | sourcetype=<physical card reader logs>
    | lookup <badge reader ID to location mapping> readerID AS badgereaderId OUTPUTNEW description active
    | lookup <badge to user info mapping> cardId AS badgeId 
    | search description="LV-DC-2-DC-003-*" 
    | stats count list(description) AS Room list(status) AS Status list(badgeId) AS BadgeID list(employeeId) AS userId BY _time 
    | eval Personnel=if(match(userId,"-"),"Customer Card","Datacenter Staff") 
    | eval Direction=case(match(Room,"-in"),"Ingress",match(Room,"-out"),"Egress") 
    | eval Room=case(match(Room,"LV-DC-2-DC-003-"),"Secure Room - 3") 
    | fields _time Room Personnel Direction 
    | rename _time AS "Time" 
    | convert ctime(Time)
    

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search Explanation
| sourcetype=<physical card reader logs>
 
Search only your physical card reader data.
| lookup <badge reader ID to location mapping> readerID AS badgereaderId OUTPUTNEW description active Look for matches between the badgereaderId field in your events and the readerID field in the <badge reader ID to location> lookup table. When matches are found, output the values in the readerID field into a field called description.
| lookup <badge to user info mapping> cardId AS badgeId  Look for matches between the badgeId field in your events and the cardId field in the <badge to user info> lookup table. 
| search description="LV-DC-2-DC-003-*"  Search for a specific room, in this case represented by any room ID that begins with LV-DC-2-DC-003-.
| stats count list(description) AS Room list(status) AS Status list(badgeId) AS BadgeID list(employeeId) AS userId BY _time  Count and list the rooms, event type, badge ID and employee ID, grouping the results by time the events took place.
| eval Personnel=if(match(userId,"-"),"Customer Card","Datacenter Staff")  If the userID is -, assign the Personnel field a value of Customer Card. Otherwise, assign a value of Datacenter Staff. Doing so masks badge numbers.
| eval Direction=case(match(Room,"-in"),"Ingress",match(Room,"-out"),"Egress")  If the badge reader data contains "-in", assign the event a value of Ingress in the Direction field. If the badge reader data contains "-out", assign the event a value of Egress in the Direction field.
| eval Room=case(match(Room,"LV-DC-2-DC-003-"),"Secure Room - 3")  If the badge reader data matches the room number shown, assign the event a value of Secure Room - 3 in the Room field.
| fields _time Room Personnel Direction  Display only the fields shown in the search results.
| rename _time AS "Time"  Rename the fields as shown for better readability.
| convert ctime(Time) Convert epoch time to a human readable time.

Result

Reporting from this may potentially be used for security, compliance, or customer reporting requirements.