Skip to main content
 
Splunk Lantern

Secure facilities access auditing

 

Auditing of physical access is often a requirement for regulatory bodies and industrial certifications. You need to be able to associate ingress and egress traffic for designated rooms and zones to specific badges in near real-time.

Required data

Procedure

  1. Ensure your lookup file is uploaded to your Splunk deployment.
  2. If needed, adjust field names to match what is available in your lookup files.
  3. Run the following search. You can optimize it by specifying an index and adjusting the time range.  
    | sourcetype=<physical card reader logs>
    | lookup <badge reader ID to location mapping> readerID AS badgereaderId OUTPUTNEW description active
    | lookup <badge to user info mapping> cardId AS badgeId 
    | search description="LV-DC-2-DC-003-*" 
    | stats count list(description) AS Room list(status) AS Status list(badgeId) AS BadgeID list(employeeId) AS userId BY _time 
    | eval Personnel=if(match(userId,"-"),"Customer Card","Datacenter Staff") 
    | eval Direction=case(match(Room,"-in"),"Ingress",match(Room,"-out"),"Egress") 
    | eval Room=case(match(Room,"LV-DC-2-DC-003-"),"Secure Room - 3") 
    | fields _time Room Personnel Direction 
    | rename _time AS "Time" 
    | convert ctime(Time)
    

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search Explanation
| sourcetype=<physical card reader logs>
 
Search only your physical card reader data.
| lookup <badge reader ID to location mapping> readerID AS badgereaderId OUTPUTNEW description active Look for matches between the badgereaderId field in your events and the readerID field in the <badge reader ID to location> lookup table. When matches are found, output the values in the readerID field into a field called description.
| lookup <badge to user info mapping> cardId AS badgeId  Look for matches between the badgeId field in your events and the cardId field in the <badge to user info> lookup table. 
| search description="LV-DC-2-DC-003-*"  Search for a specific room, in this case represented by any room ID that begins with LV-DC-2-DC-003-.
| stats count list(description) AS Room list(status) AS Status list(badgeId) AS BadgeID list(employeeId) AS userId BY _time  Count and list the rooms, event type, badge ID and employee ID, grouping the results by time the events took place.
| eval Personnel=if(match(userId,"-"),"Customer Card","Datacenter Staff")  If the userID is -, assign the Personnel field a value of Customer Card. Otherwise, assign a value of Datacenter Staff. Doing so masks badge numbers.
| eval Direction=case(match(Room,"-in"),"Ingress",match(Room,"-out"),"Egress")  If the badge reader data contains "-in", assign the event a value of Ingress in the Direction field. If the badge reader data contains "-out", assign the event a value of Egress in the Direction field.
| eval Room=case(match(Room,"LV-DC-2-DC-003-"),"Secure Room - 3")  If the badge reader data matches the room number shown, assign the event a value of Secure Room - 3 in the Room field.
| fields _time Room Personnel Direction  Display only the fields shown in the search results.
| rename _time AS "Time"  Rename the fields as shown for better readability.
| convert ctime(Time) Convert epoch time to a human readable time.

Next steps

Reporting from this may potentially be used for security, compliance, or customer reporting requirements.

Finally, you might be interested in other processes associated with the Monitoring badges for facilities access use case.