Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Search query to check failed login attempt to ec2 instances

mufthmu
Path Finder
‎02-20-2020 12:58 PM

Hi fellow Splunk users,

I need help to set up search query (later will be saved as an alert) to check failed login attempts to our ec2 instances.
In my organization, we dont allow SSH login.
On top of that, I also want to see if a person tried to change any sensitive config files inside that instance.

Logs are already coming from aws cloudtrail, below is what I got so far. Thanks in advance for all the help and input.

index="main" sourcetype="aws:cloudtrail" | spath errorCode | search errorCode=AccessDenied

{ [-]
   awsRegion: eu-west-1
   errorCode: AccessDenied
   errorMessage: User: User is not authorized to perform: glue:GetSecurityConfigurations
   eventID: faf2053d-2bd2-41b3-93ff-a7e841979cea
   eventName: GetSecurityConfigurations
   eventSource: glue.amazonaws.com
   eventTime: 2020-02-20T20:43:14Z
   eventType: AwsApiCall
   eventVersion: 1.05
   recipientAccountId: 155166966842
   requestID: 86a20648-687a-4c3e-9f4a-ce07f1704217
   requestParameters: null
   responseElements: null
   sourceIPAddress: 18.221.72.80
   userAgent: aws-sdk-java/1.11.699 Linux/4.14.77-70.59.amzn1.x86_64 Java_HotSpot(TM)_64-Bit_Server_VM/25.202-b08 java/1.8.0_202 groovy/2.4.15 vendor/Oracle_Corporation
   userIdentity: { [+]
   }
}
0 Karma
Reply

to4kawa
Ultra Champion
‎02-20-2020 02:03 PM

Can you check sourceIPAddress, 18.221.72.80?

index="main" sourcetype="aws:cloudtrail" 
| spath 
| search errorCode=AccessDenied

This will be better.

0 Karma
Reply

amiracle
Splunk Employee
Splunk Employee
‎02-20-2020 01:10 PM

You will need to monitor the linux secure file (/var/log/secure). Here's a link that explains its function. You can get this done either by adding a Splunk Universal Forwarder on the EC2 instance, or setting up the CloudWatch Agent to monitor the file. EIther way, you need to monitor that file in order to get the login attempts to your machine.

If you decide to use the Splunk UF, you can use many of the default apps found on Splunk base to monitor the secure file (e.g. Linux Secure TA etc.) And the docs to build your own monitoring of files can be found here.

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...