Technical Add-on for C-Cure ID Badging, version 1.0.0
Hardware Requirements
C-Cure 800/8000 Access Control + Security Management Solutions.
- This add-on was tested with C-Cure 800/8000 Access Control + Security
Management Solutions. There could be syntax differences in logs between other
versions. Unfortunately, unless redacted logs are provided, I won't be able to
update this add-on.
Installation Steps
1. Install db_connect. https://splunkbase.splunk.com/app/2686/
a. For help with db_connect installation/setup, please visit
https://docs.splunk.com/Documentation/DBX/3.1.3/DeployDBX/Checklist.
b. Under "New Input" (Metadata), make sure of the following:
- Sourcetype = ccure:journal
- Index = ccure
2. Install this add-on for the following Splunk Servers
a. Search Head(s) / Indexer(s)
- If this add-on is being used with the Enterprise Security app, please
install the CIM app on your Enterprise Security search head.
https://splunkbase.splunk.com/app/1621/
Additional
Incorrect timestamps can have a variety of causes. Please check the
following items.
1. db_connect: Under "Configurations", double check that "Timezone" is set.
2. Splunk: Under the login drop-down menu in "Preferences", double check that
"Timezone" is set.
3. For additional support please visit the community forum
https://answers.splunk.com/index.html.
Redacted Log Sample
2018-12-20 13:29:58.000, MessageUTC="2018-12-20 18:29:58.0", MessageType="CardAdmitted", PrimaryObjectName="liechtenstein, ulrich", PrimaryObjectIdentity="AA11A11A-AA11-11AA-A1A1-AAAAAA111111", SecondaryObjectName="potentially the name of entrance area", SecondaryObjectIdentity="B2B2B2B2-BB22-22BB-B2B2-BBBBBB22222", XmlMessage="InDirection12345AdmitAdmitliechtenstein, ulrichpotentially the name of entrance area"
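The journal line above is a comma-separated list of key="value" pairs behind a local timestamp, and several values (the cardholder name, the XmlMessage) contain commas themselves, so a naive split on "," breaks the fields. The following is an added example, not part of the add-on: it parses such a line by quoted pair, takes the event time from MessageUTC, and computes the offset between the local prefix and MessageUTC, which is a quick way to confirm the timezone settings the troubleshooting steps refer to. The sample line is constructed from the redacted sample above; field names are the ones in that sample, nothing else is assumed.

```python
import re
from datetime import datetime, timezone

# Constructed sample line in the shape of the redacted C-Cure journal sample
# above (names and identities are placeholders, not real data).
SAMPLE = ('2018-12-20 13:29:58.000, MessageUTC="2018-12-20 18:29:58.0", '
          'MessageType="CardAdmitted", PrimaryObjectName="liechtenstein, ulrich", '
          'PrimaryObjectIdentity="AA11A11A-AA11-11AA-A1A1-AAAAAA111111", '
          'SecondaryObjectName="potentially the name of entrance area", '
          'SecondaryObjectIdentity="B2B2B2B2-BB22-22BB-B2B2-BBBBBB22222", '
          'XmlMessage="InDirection12345AdmitAdmitliechtenstein, ulrich'
          'potentially the name of entrance area"')

# Values are double-quoted, so commas inside them (e.g. "liechtenstein, ulrich")
# are part of the value, not field separators.
_KV = re.compile(r'(\w+)="([^"]*)"')
_TS = '%Y-%m-%d %H:%M:%S.%f'  # accepts both "58.000" and "58.0"


def parse_journal_line(line):
    """Return the line's key/value fields plus the leading local timestamp."""
    head, _, rest = line.partition(', ')
    fields = {'LocalTime': head.strip()}
    fields.update(_KV.findall(rest))
    return fields


def event_time_utc(fields):
    """Timezone-aware event time taken from MessageUTC."""
    return datetime.strptime(fields['MessageUTC'], _TS).replace(tzinfo=timezone.utc)


def local_utc_offset_hours(fields):
    """Hours between the local prefix timestamp and MessageUTC.

    If this does not match the site's expected UTC offset, the db_connect or
    Splunk user timezone (see the troubleshooting items above) is the usual cause.
    """
    local = datetime.strptime(fields['LocalTime'], _TS)
    utc = datetime.strptime(fields['MessageUTC'], _TS)
    return (local - utc).total_seconds() / 3600


if __name__ == '__main__':
    f = parse_journal_line(SAMPLE)
    print(f['MessageType'], '|', f['PrimaryObjectName'], '|',
          event_time_utc(f).isoformat(), '| offset h:', local_utc_offset_hours(f))
```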
If you'd like to contribute additional redacted log samples or have comments or concerns, please contact me at mfeeley@nuharborsecurity.com with the subject line containing the add-on name.
Created By
Matt Feeley (C)