Skip to main content
Panther Knowledge Base

How do I add new AWS CloudTrail log sources to Panther when the original does not have a prefix?

  1. Last updated
  2. Save as PDF

QUESTION

If I started with a single AWS CloudTrail source which currently is not using a prefix, and now I want to add more, do I need to migrate the original source or create new prefixes for the new sources/"trails"?

 

ANSWER

There are multiple ways to add a new AWS CloudTrail log source when an existing source added to Panther lacks a prefix.

Options include the following:

  • Create a new prefix in AWS, move all the current logs there, and set up the original source in Panther to have a Prefix filter. This will keep everything consistent.
  • Leave the logs where they are and set up S3 Prefix Exclusion Filter(s) for the original log source to exclude the prefixes from the logs from other organizations. This allows you to keep the original log source structured the way it is.

 

If you'd like to leave the original logs where they are, like the solution in the second bullet above, you can make the other organizations' prefixes two deep. This way, if you want to add more organizations in the future, you can avoid needing to add additional prefix exclusion filters. For example: 

Bucket/other_orgs/org1_logs/log.json

With the above structure of prefixes, and assuming your current logs are going straight to the bucket, you can exclude logs within the S3 prefix Bucket/other_orgs/ and not have to update your exclusion filter for each new organization in the original log source.

 

  1. Back to top
  • Was this article helpful?

Recommended articles

  1. Page type
    Topic
  2. Tags
    This page has no tags.