Splunk Search

Search query to check failed login attempts to EC2 instances

mufthmu
Path Finder

Hi fellow Splunk users,

I need help to set up a search query (later to be saved as an alert) to check failed login attempts to our EC2 instances.
In my organization, we don't allow SSH login.
On top of that, I also want to see if a person tried to change any sensitive config files inside that instance.

Logs are already coming from aws cloudtrail, below is what I got so far. Thanks in advance for all the help and input.

index="main" sourcetype="aws:cloudtrail" | spath errorCode | search errorCode=AccessDenied

{
   awsRegion: eu-west-1
   errorCode: AccessDenied
   errorMessage: User: User is not authorized to perform: glue:GetSecurityConfigurations
   eventID: faf2053d-2bd2-41b3-93ff-a7e841979cea
   eventName: GetSecurityConfigurations
   eventSource: glue.amazonaws.com
   eventTime: 2020-02-20T20:43:14Z
   eventType: AwsApiCall
   eventVersion: 1.05
   recipientAccountId: 155166966842
   requestID: 86a20648-687a-4c3e-9f4a-ce07f1704217
   requestParameters: null
   responseElements: null
   sourceIPAddress: 18.221.72.80
   userAgent: aws-sdk-java/1.11.699 Linux/4.14.77-70.59.amzn1.x86_64 Java_HotSpot(TM)_64-Bit_Server_VM/25.202-b08 java/1.8.0_202 groovy/2.4.15 vendor/Oracle_Corporation
   userIdentity: { ... }
}
0 Karma

to4kawa
Ultra Champion

Can you check sourceIPAddress, 18.221.72.80?

index="main" sourcetype="aws:cloudtrail" 
| spath 
| search errorCode=AccessDenied

This will be better.

0 Karma

amiracle
Splunk Employee

You will need to monitor the Linux secure file (/var/log/secure). Here's a link that explains its function. You can get this done either by adding a Splunk Universal Forwarder on the EC2 instance, or setting up the CloudWatch Agent to monitor the file. Either way, you need to monitor that file in order to get the login attempts to your machine.

If you decide to use the Splunk UF, you can use many of the default apps found on Splunkbase to monitor the secure file (e.g. Linux Secure TA etc.), and the docs to build your own monitoring of files can be found here.

0 Karma
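The two answers above point at two different data sources: CloudTrail only records AWS API calls (the AccessDenied event in the question is a Glue API call, not a login), while SSH login attempts live in /var/log/secure on the instance. The script below, added here as an illustration and not code from the original thread or from Splunk, shows the detection logic a saved alert would have to perform over both sources: it parses constructed sshd lines in /var/log/secure format for "Failed password" records and counts them per source IP against a threshold, and it filters a constructed list of CloudTrail records for errorCode=AccessDenied grouped by sourceIPAddress (the equivalent of `... | spath | search errorCode=AccessDenied | stats count by sourceIPAddress`). The first CloudTrail record reuses the field values from the question; the other records, the log lines, the IPs (RFC 5737 test ranges) and the threshold of 3 are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of /var/log/secure lines from sshd on an Amazon Linux host
# (assumed data, not taken from the thread).
SECURE_LOG = """\
Feb 20 20:41:02 ip-10-0-1-12 sshd[2311]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2
Feb 20 20:41:05 ip-10-0-1-12 sshd[2311]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2
Feb 20 20:41:09 ip-10-0-1-12 sshd[2315]: Failed password for root from 203.0.113.45 port 51030 ssh2
Feb 20 20:41:20 ip-10-0-1-12 sshd[2320]: Accepted publickey for ec2-user from 10.0.0.5 port 40012 ssh2: RSA SHA256:abc
Feb 20 20:42:01 ip-10-0-1-12 sshd[2330]: Failed password for ubuntu from 198.51.100.7 port 60001 ssh2
"""

# Constructed CloudTrail records. The first one carries the values shown in the
# question; the remaining ones are assumed for the example.
CLOUDTRAIL_EVENTS = [
    {"eventTime": "2020-02-20T20:43:14Z", "eventSource": "glue.amazonaws.com",
     "eventName": "GetSecurityConfigurations", "errorCode": "AccessDenied",
     "sourceIPAddress": "18.221.72.80"},
    {"eventTime": "2020-02-20T20:43:20Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "18.221.72.80"},
    {"eventTime": "2020-02-20T20:44:02Z", "eventSource": "ssm.amazonaws.com",
     "eventName": "PutParameter", "errorCode": "AccessDenied",
     "sourceIPAddress": "18.221.72.80"},
    {"eventTime": "2020-02-20T20:45:11Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "errorCode": "AccessDenied",
     "sourceIPAddress": "198.51.100.7"},
]

# sshd writes "Failed password for <user> from <ip> port <n> ssh2" and, for
# unknown accounts, "Failed password for invalid user <user> from ...".
FAILED_SSH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failed_ssh(log_text):
    """Return one dict per failed-password line; other sshd lines are ignored."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_SSH_RE.match(line)
        if m:
            events.append({"ts": m.group("ts"), "user": m.group("user"),
                           "src_ip": m.group("ip")})
    return events


def failed_ssh_by_source(events, threshold=3):
    """Count failures per source IP; return (counts, IPs at or over threshold)."""
    counts = Counter(e["src_ip"] for e in events)
    suspects = sorted(ip for ip, n in counts.items() if n >= threshold)
    return counts, suspects


def access_denied_by_source(events):
    """Group CloudTrail AccessDenied calls by sourceIPAddress as 'service:API' strings."""
    denied = defaultdict(list)
    for ev in events:
        if ev.get("errorCode") == "AccessDenied":
            denied[ev["sourceIPAddress"]].append(f'{ev["eventSource"]}:{ev["eventName"]}')
    return dict(denied)


def build_alerts(secure_log, cloudtrail_events, ssh_threshold=3):
    """Produce the alert lines a scheduled search over both sources would emit."""
    findings = []
    counts, suspects = failed_ssh_by_source(parse_failed_ssh(secure_log), ssh_threshold)
    for ip in suspects:
        findings.append(f"ssh_failed_logins src_ip={ip} failures={counts[ip]}")
    for ip, calls in sorted(access_denied_by_source(cloudtrail_events).items()):
        findings.append(f"aws_access_denied src_ip={ip} count={len(calls)} apis={','.join(calls)}")
    return findings


if __name__ == "__main__":
    for finding in build_alerts(SECURE_LOG, CLOUDTRAIL_EVENTS):
        print(finding)
```

Because the organisation does not allow SSH, any "Failed password" line at all is worth alerting on; the threshold only exists to separate a scanner from a single typo once the file is actually being forwarded. Note that /var/log/secure timestamps carry no year, so a real alert should window on the indexer's _time rather than the parsed text.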