Issue

I am seeing the following error message when ingesting VPC flow logs through CloudWatch: invalid header

The payload looks correct when compared to the schema.

Resolution

To avoid this error, send your VPC Flow logs directly to your S3 bucket and then to Panther, using Panther's AWS.VPCFlow schema.

Also ensure that the logs are in CSV format with a header.

Cause

Sending your VPC Flow logs to Panther through CloudWatch is not supported using our native integration. This issue can also be caused by sending logs in an incompatible format.