Skip to main content
 
 
Splunk Lantern

Monitoring usage of wireless access points

 

As a wireless network service owner, you are responsible for the security of your networks. One major area of concern is ensuring that your access points are only accessed by users with the correct permissions at the expected times and from the expected locations. You are also responsible for uptime and bandwidth of your network, so you want to monitor usage for volume and potential issues. This guide provides a number of searches from which you can create dashboards for both your security and IT modernization needs.

​Data required

  • Time series network access data
  • Wireless access point logs

Procedures

  • Splunk recommends that customers look into using data models, report acceleration, or summary indexing when searching across hundreds of GBs of events in a single search. The searches provided here are a good starting point, but depending on your data, search time range, and other factors, more can be done to ensure that they scale appropriately.
  • Your typical telecommunications transactions may include more than four steps, and some commands, parameters, and field names in the searches below may need to be adjusted to match your environment. In addition, to optimize the searches shown below, you should specify an index and a time range when appropriate.
Stage 1: Search and investigation

WAP networks with active connections

If some users are not allowed to connect to WAPs but are nevertheless present on the WAP, you want to raise an alert or incident. This search allows you to monitor connections to your WAPs in specific geolocations. This information might be used for connection analytics or alerts in the case of restricted networks, such as admin or point-of-sale.

This search requires time-series data that tracks access to network access points.

| sourcetype <network access data> 
| eval _time=strptime(accessTime, "%Y-%m-%d %H:%M:%S") 
| sort - _time 
| stats count values(apInfoNetwork) AS apInfoNetworks BY apID apInfoNetwork 
| stats list(apInfoNetwork) AS apInfoNetwork list(apID) AS apID list(count) AS Count 
| rename apInfoNetwork AS "Connected Network" apID AS "Access Point Connected" Count AS "Connection Count"

WAPs with no connections during business hours

This search shows how to alert when there are no connections to a service found during defined business hours. For example, seeing zero users accessing a WAP/service during the defined business hours might be indicative of a problem that you'd want proactive alerting for. This example doesn't look for events that are outside of business hours because there is no SLA in this location, nor are customers supposed to be in these spaces.

This search requires time-series data of access to the wireless access points you want to monitor and a defined start and end of business hours in the search. The access time range is then compared to such returned hours. Then, it aggregates these connections and looks for values less than one during business hours. When this search returns results, you can trigger an alert.

| sourcetype <network access data> 
| eval _time=strptime(accessTime, "%Y-%m-%d %H:%M:%S") 
| fields _time apID 
| eval EndofBusinessHour=strftime(_time,"00:30") 
| eval StartofBusinessHour=strftime(_time,"05:30") 
| eval CurrentTime=strftime(_time,"%H:%M") 
| where CurrentTime > EndofBusinessHour OR CurrentTime > StartofBusinessHour 
| bin span=15minutes _time 
| stats count by apID _time 
| stats values(count) AS "Connections" BY apID _time 
| convert ctime(_time) 
| rename apID AS "WAP Name" _time AS "Connection Time" 
| where Connections < 1
Stage 2: Proactive monitoring

WAP access duration statistics

This search gives insight into the connection durations across WAPs by displaying average, maximum, and minimum connection durations per WAP. This might be beneficial for capacity planning, troubleshooting, and security.

This search requires time-series data of access to the network access points, along with name mapping of the access points.

| sourcetype <network access data> 
| eval _time=strptime(accessTime, "%Y-%m-%d %H:%M:%S") 
| sort _time 
| convert timeformat="%Y-%m-%d %T" mktime(accessTime) AS accessTime mktime(accessDisconnectTime) AS accessDisconnectTime 
| eval accessDuration = accessDisconnectTime-accessTime 
| stats avg(accessDuration) as avgAccessDur max(accessDuration) as maxAccessdur min(accessDuration) AS minAccessdur BY apID 
| eval avgAccessDur=round(avgAccessDur/60,2) 
| eval maxAccessdur=round(maxAccessdur/60,2) 
| eval minAccessdur=round(minAccessdur/60,2) 
| rename apID AS "WIFI AP Name" avgAccessDur AS "Average Duration (Minutes)" maxAccessdur AS "Maximum Duration (Minutes)" minAccessdur AS "Minimum Duration (Minutes)"

WAP connection statistics

This search can give you the ability to monitor access points and the users connected to them. With this data, you might be able to validate that APs are available and have capacity. Finally, you might be able to monitor who is joining the APs and utilize related metrics.

This search requires time-series data of access to the monitored wireless access points.

| sourcetype <network access data> 
| eval _time=strptime(accessTime, "%Y-%m-%d %H:%M:%S") 
| sort - _time 
| timechart count fixedrange=false span=15m BY apID
Stage 3: Operational visibility

Abnormal user connectivity to monitored WAPs

This search identifies users who access multiple WAPs and the duration for which such users have been connected to the access points. While such data in itself isn't indicative of malicious behavior, you could use it to identify abnormal connections. You could also use this search to fulfill legal or compliance requirements to provide connection trails for devices and users.

This search requires time series data of access and disconnect times to the wireless access points, along with enrichment data that contains associated data such as a username or unique identifier that can be used to associate with a connection to individual WAPs.

| sourcetype <network access data> 
| eval _time=strptime(accessTime, "%Y-%m-%d %H:%M:%S") 
| convert timeformat="%Y-%m-%d %H:%M:%S" mktime(accessDisconnectTime) AS disconnectTime 
| convert timeformat="%Y-%m-%d %H:%M:%S" mktime(accessTime) AS accessTime 
| eval duration = disconnectTime - accessTime 
| fields _time userHash apID accessTime disconnectTime duration 
| convert ctime(*Time) 
| stats count values(accessTime) as accessTime list(disconnectTime) AS disconnectTime list(duration) AS duration list(apID) AS apID BY userHash _time 
| search count > 1 
| rename userHash AS User accessTime AS "WAP Access Time" disconnectTime AS "Disconnect Time" duration AS Duration apID AS "WAP Name" 
| fields User "WAP Name" "WAP Access Time" "Disconnect Time" Duration 
| sort _time 
| fields - _time

Top home cities of WAP users

This search returns the home cities of top users based on their contract or billing information. This search could give you an understanding of where connected users call from. With this data, you could provide marketing teams with associated user metrics, potentially allowing them to generate targeted marketing campaigns.

This search requires time-series data that tracks access to network access points, along with data that contains metrics such as age, billing location, and gender.

| sourcetype <network access data> 
| eval _time=strptime(accessTime, "%Y-%m-%d %H:%M:%S") 
| sort - _time 
| where userCity != "UNKNOWN" 
| stats count BY userCity 
| sort - count 
| head 10

WAP geographic access by location and time

Ascertain number of users connecting to access points by geographic location. This search might give you the ability to monitor access points and the users connected to them. With this data, you could validate that APs are available and have capacity. Finally, you might be able to monitor who joins the APs and utilize metrics around such data.

This search requires time-series data that tracks access to network access points.

| sourcetype <network access data> 
| geostats latfield=apLat longfield=apLong binspanlat=20 binspanlong=20 count BY accessTime

Next steps

The searches in this guide are also included in the Splunk Essentials for Telecommunications the app, which provides more information about how to implement them successfully in your telecom services maturity journey. This is a Splunk Field supported App. If you find it useful, have any feedback for use case additions, or general comments about what you would like in the next releases, contact the field at #telco-media on Splunk-Usergroups Slack or [email protected].

You might be interested in the following additional telecommuncations use cases:

Splunk OnDemand Services: Use these credit-based services for direct access to Splunk technical consultants with a variety of technical services from a pre-defined catalog. Most customers have OnDemand Services per their license support plan. Engage the ODS team at [email protected] if you would like assistance.