https://community.splunk.com/t5/Splunk-Search/Search-query-to-check-failed-login-attempt-to-ec2-instances/m-p/474949#M133525 <P>You will need to monitor the linux secure file (/var/log/secure). Here's a <A href="https://www.eurovps.com/blog/important-linux-log-files-you-must-be-monitoring/#secure">link</A> that explains its function. You can get this done either by adding a <A href="https://www.splunk.com/en_us/download/universal-forwarder.html">Splunk Universal Forwarder</A> on the EC2 instance, or setting up the <A href="https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/install-CloudWatch-Agent-on-EC2-Instance.html">CloudWatch Agent</A> to monitor the file. EIther way, you need to monitor that file in order to get the login attempts to your machine. </P> <P>If you decide to use the Splunk UF, you can use many of the default apps found on Splunk base to monitor the secure file (e.g. <A href="https://splunkbase.splunk.com/app/3476/">Linux Secure TA</A> etc.) And the docs to build your own monitoring of files can be found <A href="https://docs.splunk.com/Documentation/SplunkCloud/8.0.1/Data/Monitorfilesanddirectories">here</A>. </P> Thu, 20 Feb 2020 21:10:23 GMT amiracle 2020-02-20T21:10:23Z https://community.splunk.com/t5/Splunk-Search/Search-query-to-check-failed-login-attempt-to-ec2-instances/m-p/474948#M133524 <P>Hi fellow Splunk users,</P> <P>I need help to set up search query (later will be saved as an alert) to check failed login attempts to our ec2 instances.<BR /> In my organization, we dont allow SSH login.<BR /> On top of that, I also want to see if a person tried to change any sensitive config files inside that instance.</P> <P>Logs are already coming from aws cloudtrail, below is what I got so far. Thanks in advance for all the help and input.</P> <PRE><CODE>index="main" sourcetype="aws:cloudtrail" | spath errorCode | search errorCode=AccessDenied { [-] awsRegion: eu-west-1 errorCode: AccessDenied errorMessage: User: User is not authorized to perform: glue:GetSecurityConfigurations eventID: faf2053d-2bd2-41b3-93ff-a7e841979cea eventName: GetSecurityConfigurations eventSource: glue.amazonaws.com eventTime: 2020-02-20T20:43:14Z eventType: AwsApiCall eventVersion: 1.05 recipientAccountId: 155166966842 requestID: 86a20648-687a-4c3e-9f4a-ce07f1704217 requestParameters: null responseElements: null sourceIPAddress: 18.221.72.80 userAgent: aws-sdk-java/1.11.699 Linux/4.14.77-70.59.amzn1.x86_64 Java_HotSpot(TM)_64-Bit_Server_VM/25.202-b08 java/1.8.0_202 groovy/2.4.15 vendor/Oracle_Corporation userIdentity: { [+] } } </CODE></PRE> Thu, 20 Feb 2020 20:58:23 GMT https://community.splunk.com/t5/Splunk-Search/Search-query-to-check-failed-login-attempt-to-ec2-instances/m-p/474948#M133524 mufthmu 2020-02-20T20:58:23Z https://community.splunk.com/t5/Splunk-Search/Search-query-to-check-failed-login-attempt-to-ec2-instances/m-p/474949#M133525 <P>You will need to monitor the linux secure file (/var/log/secure). Here's a <A href="https://www.eurovps.com/blog/important-linux-log-files-you-must-be-monitoring/#secure">link</A> that explains its function. You can get this done either by adding a <A href="https://www.splunk.com/en_us/download/universal-forwarder.html">Splunk Universal Forwarder</A> on the EC2 instance, or setting up the <A href="https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/install-CloudWatch-Agent-on-EC2-Instance.html">CloudWatch Agent</A> to monitor the file. EIther way, you need to monitor that file in order to get the login attempts to your machine. </P> <P>If you decide to use the Splunk UF, you can use many of the default apps found on Splunk base to monitor the secure file (e.g. <A href="https://splunkbase.splunk.com/app/3476/">Linux Secure TA</A> etc.) And the docs to build your own monitoring of files can be found <A href="https://docs.splunk.com/Documentation/SplunkCloud/8.0.1/Data/Monitorfilesanddirectories">here</A>. </P> Thu, 20 Feb 2020 21:10:23 GMT https://community.splunk.com/t5/Splunk-Search/Search-query-to-check-failed-login-attempt-to-ec2-instances/m-p/474949#M133525 amiracle 2020-02-20T21:10:23Z https://community.splunk.com/t5/Splunk-Search/Search-query-to-check-failed-login-attempt-to-ec2-instances/m-p/474950#M133526 <P>Can you check sourceIPAddress, <CODE>18.221.72.80</CODE>?</P> <PRE><CODE>index="main" sourcetype="aws:cloudtrail" | spath | search errorCode=AccessDenied </CODE></PRE> <P>This will be better.</P> Thu, 20 Feb 2020 22:03:21 GMT https://community.splunk.com/t5/Splunk-Search/Search-query-to-check-failed-login-attempt-to-ec2-instances/m-p/474950#M133526 to4kawa 2020-02-20T22:03:21Z