Splunk Search

Search query to check failed login attempt to ec2 instances

Path Finder

Hi fellow Splunk users,

I need help to set up search query (later will be saved as an alert) to check failed login attempts to our ec2 instances.
In my organization, we dont allow SSH login.
On top of that, I also want to see if a person tried to change any sensitive config files inside that instance.

Logs are already coming from aws cloudtrail, below is what I got so far. Thanks in advance for all the help and input.

index="main" sourcetype="aws:cloudtrail" | spath errorCode | search errorCode=AccessDenied

{ [-]
   awsRegion: eu-west-1
   errorCode: AccessDenied
   errorMessage: User: User is not authorized to perform: glue:GetSecurityConfigurations
   eventID: faf2053d-2bd2-41b3-93ff-a7e841979cea
   eventName: GetSecurityConfigurations
   eventSource: glue.amazonaws.com
   eventTime: 2020-02-20T20:43:14Z
   eventType: AwsApiCall
   eventVersion: 1.05
   recipientAccountId: 155166966842
   requestID: 86a20648-687a-4c3e-9f4a-ce07f1704217
   requestParameters: null
   responseElements: null
   sourceIPAddress: 18.221.72.80
   userAgent: aws-sdk-java/1.11.699 Linux/4.14.77-70.59.amzn1.x86_64 Java_HotSpot(TM)_64-Bit_Server_VM/25.202-b08 java/1.8.0_202 groovy/2.4.15 vendor/Oracle_Corporation
   userIdentity: { [+]
   }
}
0 Karma

SplunkTrust
SplunkTrust

Can you check sourceIPAddress, 18.221.72.80?

index="main" sourcetype="aws:cloudtrail" 
| spath 
| search errorCode=AccessDenied

This will be better.

0 Karma

Splunk Employee
Splunk Employee

You will need to monitor the linux secure file (/var/log/secure). Here's a link that explains its function. You can get this done either by adding a Splunk Universal Forwarder on the EC2 instance, or setting up the CloudWatch Agent to monitor the file. EIther way, you need to monitor that file in order to get the login attempts to your machine.

If you decide to use the Splunk UF, you can use many of the default apps found on Splunk base to monitor the secure file (e.g. Linux Secure TA etc.) And the docs to build your own monitoring of files can be found here.

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!