Hi fellow Splunk users,
I need help to set up search query (later will be saved as an alert) to check failed login attempts to our ec2 instances.
In my organization, we dont allow SSH login.
On top of that, I also want to see if a person tried to change any sensitive config files inside that instance.
Logs are already coming from aws cloudtrail, below is what I got so far. Thanks in advance for all the help and input.
index="main" sourcetype="aws:cloudtrail" | spath errorCode | search errorCode=AccessDenied
{ [-]
awsRegion: eu-west-1
errorCode: AccessDenied
errorMessage: User: User is not authorized to perform: glue:GetSecurityConfigurations
eventID: faf2053d-2bd2-41b3-93ff-a7e841979cea
eventName: GetSecurityConfigurations
eventSource: glue.amazonaws.com
eventTime: 2020-02-20T20:43:14Z
eventType: AwsApiCall
eventVersion: 1.05
recipientAccountId: 155166966842
requestID: 86a20648-687a-4c3e-9f4a-ce07f1704217
requestParameters: null
responseElements: null
sourceIPAddress: 18.221.72.80
userAgent: aws-sdk-java/1.11.699 Linux/4.14.77-70.59.amzn1.x86_64 Java_HotSpot(TM)_64-Bit_Server_VM/25.202-b08 java/1.8.0_202 groovy/2.4.15 vendor/Oracle_Corporation
userIdentity: { [+]
}
}
Can you check sourceIPAddress, 18.221.72.80
?
index="main" sourcetype="aws:cloudtrail"
| spath
| search errorCode=AccessDenied
This will be better.
You will need to monitor the linux secure file (/var/log/secure). Here's a link that explains its function. You can get this done either by adding a Splunk Universal Forwarder on the EC2 instance, or setting up the CloudWatch Agent to monitor the file. EIther way, you need to monitor that file in order to get the login attempts to your machine.
If you decide to use the Splunk UF, you can use many of the default apps found on Splunk base to monitor the secure file (e.g. Linux Secure TA etc.) And the docs to build your own monitoring of files can be found here.