I need help to set up a search query (later to be saved as an alert) to check failed login attempts to our EC2 instances.
In my organization, we don't allow SSH login.
On top of that, I also want to see if a person tried to change any sensitive config files inside that instance.
Logs are already coming from AWS CloudTrail; below is what I have so far. Thanks in advance for all the help and input.
You will need to monitor the Linux secure file (/var/log/secure). Here's a link that explains its function. You can get this done either by adding a Splunk Universal Forwarder on the EC2 instance, or by setting up the CloudWatch Agent to monitor the file. Either way, you need to monitor that file in order to get the login attempts to your machine.
If you decide to use the Splunk UF, you can use many of the default apps found on Splunkbase to monitor the secure file (e.g. Linux Secure TA etc.), and the docs to build your own monitoring of files can be found here.
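As an added example (not code from the original thread or from any Splunk add-on), here is the detection logic the two alerts need, run over constructed /var/log/secure lines in Python. Once the UF or CloudWatch Agent is shipping that file (for the UF, a `[monitor:///var/log/secure]` stanza in inputs.conf), the same three regexes are what the Splunk search has to extract: failed sshd password attempts grouped by source IP, any accepted SSH login (which under a no-SSH policy is an alert by itself), and sudo commands that name a sensitive file, since sudo logs through the authpriv facility into the same file on RHEL-family systems such as Amazon Linux. The sample lines, the threshold and the sensitive-path list are assumptions made for the example.

```python
"""Detection logic for sshd failures and sensitive-file edits recorded in /var/log/secure.

Added example, not code from the thread. The sample lines below are constructed to
match the format sshd and sudo write on RHEL-family systems (Amazon Linux included);
the failure threshold and the sensitive-path list are assumptions.
"""
import re
from collections import Counter

# Constructed sample of /var/log/secure content (not real log data).
SAMPLE_SECURE_LOG = """\
Mar 10 09:12:01 ip-10-0-1-23 sshd[2211]: Failed password for invalid user admin from 203.0.113.45 port 51122 ssh2
Mar 10 09:12:03 ip-10-0-1-23 sshd[2211]: Failed password for invalid user admin from 203.0.113.45 port 51124 ssh2
Mar 10 09:12:05 ip-10-0-1-23 sshd[2213]: Failed password for root from 203.0.113.45 port 51130 ssh2
Mar 10 09:12:07 ip-10-0-1-23 sshd[2215]: Invalid user oracle from 203.0.113.45 port 51133
Mar 10 09:12:09 ip-10-0-1-23 sshd[2215]: Failed password for invalid user oracle from 203.0.113.45 port 51133 ssh2
Mar 10 09:15:44 ip-10-0-1-23 sshd[2302]: Accepted publickey for ec2-user from 198.51.100.7 port 40211 ssh2: RSA SHA256:Qm9ndXNGaW5nZXJwcmludA
Mar 10 09:16:02 ip-10-0-1-23 sudo: ec2-user : TTY=pts/0 ; PWD=/home/ec2-user ; USER=root ; COMMAND=/bin/vi /etc/ssh/sshd_config
Mar 10 09:20:12 ip-10-0-1-23 sshd[2410]: Failed password for ec2-user from 198.51.100.7 port 40300 ssh2
"""

# sshd "Failed password" lines, with or without the "invalid user" prefix.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)
# sshd "Accepted <method>" lines (password, publickey, ...).
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+)"
)
# sudo audit lines; the COMMAND= field is the last one on the line.
SUDO_RE = re.compile(r"sudo:\s+(?P<user>\S+) : .*COMMAND=(?P<cmd>.+)$")

# Assumed list of files whose modification should raise an alert.
SENSITIVE_PATHS = ("/etc/ssh/sshd_config", "/etc/sudoers", "/etc/passwd", "/etc/shadow")


def parse_secure_log(text):
    """Turn raw /var/log/secure lines into a list of event dicts with a 'kind' key.

    Lines that match none of the three patterns (e.g. a bare "Invalid user" line
    with no password attempt behind it) are ignored.
    """
    events = []
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            events.append({"kind": "failed", "user": m["user"], "src": m["src"]})
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            events.append({"kind": "accepted", "user": m["user"],
                           "src": m["src"], "method": m["method"]})
            continue
        m = SUDO_RE.search(line)
        if m:
            events.append({"kind": "sudo", "user": m["user"], "cmd": m["cmd"].strip()})
    return events


def failed_logins_by_source(events):
    """Count failed password attempts per source IP."""
    return Counter(e["src"] for e in events if e["kind"] == "failed")


def sources_over_threshold(events, threshold=3):
    """Source IPs with at least `threshold` failures: the brute-force alert condition."""
    return sorted(src for src, n in failed_logins_by_source(events).items() if n >= threshold)


def successful_logins(events):
    """Every accepted SSH login; under a no-SSH policy each one is an alert on its own."""
    return [(e["user"], e["src"], e["method"]) for e in events if e["kind"] == "accepted"]


def sensitive_file_commands(events, sensitive_paths=SENSITIVE_PATHS):
    """sudo commands whose command line names one of the sensitive files."""
    return [
        (e["user"], e["cmd"])
        for e in events
        if e["kind"] == "sudo" and any(p in e["cmd"] for p in sensitive_paths)
    ]


if __name__ == "__main__":
    evs = parse_secure_log(SAMPLE_SECURE_LOG)
    print("failed by source:", dict(failed_logins_by_source(evs)))
    print("over threshold:", sources_over_threshold(evs))
    print("successful logins:", successful_logins(evs))
    print("sensitive edits:", sensitive_file_commands(evs))
```

Two caveats when turning this into the alert. The sudo pattern only catches edits that went through sudo; a root shell opened some other way, or an editor that rewrites the file without sudo, leaves nothing in /var/log/secure, so for real file-change monitoring add auditd watch rules on those paths (`-w /etc/ssh/sshd_config -p wa`) and ship /var/log/audit/audit.log alongside. And none of these OS-level events appear in CloudTrail, which records API calls against AWS, not logins to the guest; the instance-level source has to be collected as the answer describes.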