Issue

When ingesting AWS EKS CloudWatch logs into Panther, the following classification errors may occur due to log truncation:

parse failed: Field_0_Responseobject: Field_2_Spec: readStringSlowPath: 
unexpected end of input, error found in #10 byte of ...|ncated...]|..., 
bigger context ...|Specify whether the ConfigMap or its[Truncated...]|...

Cause

This error occurs when an AWS EKS log exceeds the size limit of 256KB for CloudWatch logs. When this happens, AWS automatically truncates the logs, which can result in invalid JSON during ingestion by Panther due to incomplete event data.

Resolution

To resolve the issue, create a raw event filter to filter out events with fields containing "Truncated". This helps prevent classification errors by ensuring that invalid or partial events are not ingested into Panther.