Issue

When trying to onboard a new custom S3 log source the following issue occurs:

No data is being pulled from the log source.

Resolution

To resolve this issue:

Check for log classification errors by clicking on your new custom S3 log source and then clicking "Health" in the upper left-hand side of your Panther Console, or by running the following Data Explorer query:

select * from panther_monitor.public.classification_failures
where p_occurs_since('48 hours') -- adjust as needed
and p_source_label = 'your-new-s3-log-source'
order by p_parse_time desc
limit 10

Cause

This issue occurs when one of the following is true:

  1. No new data is coming into the log source's S3 bucket
    Panther only pulls data that comes into the bucket after the source has been onboarded. Old data will not be pulled in.

  2. The new data coming into the S3 bucket doesn't match the schema of any of the log types associated with that log source
    This happens when logs are missing required fields or are not formatted the way the schema specifies (for example, CSV where JSON is expected), so they cannot be parsed.

  3. The source was set up manually and the CloudFormation or Terraform template was edited
    Values can get deleted, or role names can conflict with existing AWS IAM role names. When debugging, double-check that the template is complete.
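The first two causes can be checked locally before (or alongside) the classification_failures query. The Python below is an added example and is not Panther's own code: it takes an S3 object listing and a few log lines and reports whether any objects are newer than the source's onboarding time, and whether each line parses and carries the fields the log type's schema requires. The listing, the onboarding timestamp, the log lines and the required-field set are all constructed for the example; in practice the listing would come from `aws s3api list-objects-v2` (or boto3's `list_objects_v2`), whose `Key` and `LastModified` fields the sample mirrors, and the required fields would come from your custom schema.

```python
"""Pre-flight checks for a custom S3 log source (added example, constructed data)."""
from datetime import datetime, timezone
import json

# Constructed listing shaped like the "Contents" entries returned by
# list-objects-v2; Key and LastModified are the real field names of that response.
SAMPLE_LISTING = [
    {"Key": "logs/2024/01/app-0001.json", "LastModified": "2024-01-10T08:00:00+00:00"},
    {"Key": "logs/2024/01/app-0002.json", "LastModified": "2024-01-12T09:30:00+00:00"},
]

# Hypothetical time at which the log source was onboarded (assumption for the example).
ONBOARDED_AT = datetime(2024, 1, 11, tzinfo=timezone.utc)

# Constructed sample lines from one object: the first matches the schema below,
# the second lacks a required field, the third is CSV rather than JSON.
SAMPLE_LINES = [
    '{"time": "2024-01-12T09:29:58Z", "host": "web-1", "event": "login"}',
    '{"time": "2024-01-12T09:29:59Z", "event": "logout"}',
    '2024-01-12T09:30:00Z,web-1,login',
]

# Minimal stand-in for a custom schema: the required top-level field names.
# Real Panther schemas are YAML with types; this example only checks presence.
REQUIRED_FIELDS = {"time", "host", "event"}


def objects_since(listing, since):
    """Cause 1: return keys of objects last modified after `since`.

    Panther only pulls objects written after onboarding, so an empty result
    means there is simply nothing new for it to ingest.
    """
    newer = []
    for obj in listing:
        modified = datetime.fromisoformat(obj["LastModified"])
        if modified > since:
            newer.append(obj["Key"])
    return newer


def classify_line(line, required=REQUIRED_FIELDS):
    """Cause 2: return 'ok', 'missing:<fields>' or 'not_json' for one log line."""
    try:
        record = json.loads(line)
    except json.JSONDecodeError:
        return "not_json"
    if not isinstance(record, dict):
        return "not_json"
    missing = sorted(required - set(record))
    if missing:
        return "missing:" + ",".join(missing)
    return "ok"


def diagnose(listing, since, lines, required=REQUIRED_FIELDS):
    """Run both checks and summarise the outcome in one dict."""
    results = [classify_line(line, required) for line in lines]
    return {
        "new_objects": objects_since(listing, since),
        "line_results": results,
        "parseable": sum(1 for r in results if r == "ok"),
    }


if __name__ == "__main__":
    summary = diagnose(SAMPLE_LISTING, ONBOARDED_AT, SAMPLE_LINES)
    if not summary["new_objects"]:
        print("No objects newer than the onboarding time: nothing for Panther to pull.")
    else:
        print("Objects written since onboarding:", summary["new_objects"])
    for line, result in zip(SAMPLE_LINES, summary["line_results"]):
        print(f"{result:<16} {line[:60]}")
```

If the first check returns nothing, the fix is upstream of Panther (the producer is not writing to the bucket). If lines come back as `missing:` or `not_json`, compare them with the schema attached to the log type; those are the records that will show up in classification_failures.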