Panther Knowledge Base

How can I set up multiple CloudTrail log sources in Panther?


If I point multiple AWS CloudTrail sources (e.g. org trails from different organizations) into the same S3 bucket, will the CloudTrail log ingestion still function successfully?



In general, we recommend that each organization, or "org," have its own log source, with each org's logs delivered to a different S3 prefix within the same S3 bucket. To do this, configure each org's trail to deliver to a separate S3 prefix in the bucket, then create a log source for each org and set its S3 Prefix Filter to that org's prefix.

This helps ensure the health of each org's log processing can be monitored separately. If the orgs were combined into a single log source, it would be harder to know later on whether any particular org's log ingestion had a problem: because the health of a log source is determined by whether any logs are being processed, CloudTrail logs arriving from any one org would keep the combined source healthy, masking a failure of any other org to have its logs ingested.
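The masking effect described above, as an added illustration that is not Panther's code: a constructed S3 object listing is evaluated once as a single combined source (healthy if any object is fresh) and once per org prefix. The prefix names, org IDs and one-hour freshness threshold are assumptions chosen for the example, and the health rule only approximates the behaviour the article describes.

```python
"""Added example, not Panther's code: a single combined source stays healthy
while one org's prefix has gone stale; per-prefix sources surface it."""
from datetime import datetime, timedelta, timezone

# Constructed sample listing of (S3 key, LastModified). The org under
# "org-b/" stopped delivering two days ago; the other two are current.
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
OBJECTS = [
    ("org-a/AWSLogs/o-aaaaaaaaaa/111111111111/CloudTrail/us-east-1/2024/05/01/a.json.gz", NOW - timedelta(minutes=5)),
    ("org-a/AWSLogs/o-aaaaaaaaaa/222222222222/CloudTrail/us-east-1/2024/05/01/b.json.gz", NOW - timedelta(minutes=9)),
    ("org-b/AWSLogs/o-bbbbbbbbbb/333333333333/CloudTrail/us-east-1/2024/04/29/c.json.gz", NOW - timedelta(days=2)),
    ("org-c/AWSLogs/o-cccccccccc/444444444444/CloudTrail/eu-west-1/2024/05/01/d.json.gz", NOW - timedelta(minutes=1)),
]
PREFIXES = ["org-a/", "org-b/", "org-c/"]  # one hypothetical prefix per org
MAX_AGE = timedelta(hours=1)               # assumed freshness threshold


def newest_under(objects, prefix):
    """Most recent LastModified among keys under `prefix`, or None."""
    times = [t for key, t in objects if key.startswith(prefix)]
    return max(times) if times else None


def combined_source_healthy(objects, now=NOW, max_age=MAX_AGE):
    """One source for the whole bucket: healthy if *any* object is fresh."""
    newest = newest_under(objects, "")
    return newest is not None and now - newest <= max_age


def per_prefix_health(objects, prefixes=PREFIXES, now=NOW, max_age=MAX_AGE):
    """One source per org prefix: each prefix is judged on its own objects."""
    health = {}
    for prefix in prefixes:
        newest = newest_under(objects, prefix)
        health[prefix] = newest is not None and now - newest <= max_age
    return health


def stalled_prefixes(objects, prefixes=PREFIXES, now=NOW, max_age=MAX_AGE):
    """Prefixes a per-org setup would flag as unhealthy."""
    health = per_prefix_health(objects, prefixes, now, max_age)
    return sorted(p for p, ok in health.items() if not ok)


if __name__ == "__main__":
    print("combined source healthy:", combined_source_healthy(OBJECTS))
    print("per-prefix health:", per_prefix_health(OBJECTS))
    print("stalled prefixes:", stalled_prefixes(OBJECTS))
```

The combined view reports healthy even though `org-b/` has received nothing for two days; only the per-prefix view reports the stalled org.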