Skip to main content

 

Splunk Lantern

Badge activity monitoring

You might need to track activity for facilities access badges when doing the following:

Prerequisites 

In order to execute this procedure in your environment, the following data, services, or apps are required:

Example

In your organization, employees must swipe a badge to enter any building and some secure spaces. Access to locations depends on an employee's role. You work in your organization's SOC and monitoring badge activity is part of regular security protocols. This search takes data logged from RFID / Proximity badge readers, enriches it with facilities and logging information, and then shows activity for a designated badge.

To optimize the search shown below, you should specify a time range.  You may also need to adjust field names to match what is available in your lookup files. 

  1. Ensure your lookup file is uploaded to your Splunk deployment.
  2. Run the following search:
    | sourcetype=<physical card reader logs>
    | lookup <error code to status mapping> errorCode OUTPUTNEW status
    | lookup <badge reader ID to location mapping> readerID AS badgereaderId OUTPUTNEW description
    | lookup <badge to user info mapping> cardId AS badgeId OUTPUTNEW firstName lastName emailAddress employeeId note officeId
    | search employeeId="25020002"
    | fields - badgereaderId,envAlarm,errorCode,powerStatus
    | eval fullName = firstName+" "+lastName
    | fields _time badgeId employeeId fullName officeId description status note
    | rename badgeId AS "Badge ID #" employeeId AS "Employee Number" fullName AS "Employee Name" officeId AS "Home Office" description AS "Card Reader Location" status AS "Read Status" note AS "Additional Notes.."

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search Explanation
| sourcetype=<physical card reader logs>
 
Search only your physical card reader data.
| lookup <error code to status mapping> errorCode OUTPUTNEW status Look up the error codes and output the associated status for each.
| lookup <badge reader ID to location mapping> readerID AS badgereaderId OUTPUTNEW description Look for matches between the badgereaderId field in your events and the readerID field in the <badge reader ID to location> lookup table. When matches are found, output the values in the readerID field into a field called description.
| lookup <badge to user info mapping> cardId AS badgeId OUTPUTNEW firstName lastName emailAddress employeeId note officeId Look for matches between the badgeId field in your events and the cardId field in the <badge to user info> lookup table. When matches are found, output the values from the lookup fields shown.
| search employeeId="25020002" Search for a specific employee ID number.
| fields - badgereaderId,envAlarm,errorCode,powerStatus Remove the fields shown from the results.
| eval fullName = firstName+" "+lastName Concatenate the first and last name fields into a single value called fullName.
| fields _time badgeId employeeId fullName officeId description status note Display only the fields shown in the search results.
| rename badgeId AS "Badge ID #" employeeId AS "Employee Number" fullName AS "Employee Name" officeId AS "Home Office" description AS "Card Reader Location" status AS "Read Status" note AS "Additional Notes.." Rename the fields as shown for better readability.

Result

This search may be used for a variety of reasons such as activity logging, compliance, regulatory reporting, and HR related requests.

  • Was this article helpful?