QUESTION

How do I add custom schemas to a Panther-managed log source that ingests EKS logs into Panther? When trying to add new schemas, I don't see any options to select more schemas and only the two Panther-managed schemas Amazon.EKS.Authenticator and Amazon.EKS.Audit are selected.

ANSWER

Panther-managed log sources are restricted to specific log types and do not support adding custom schemas. However, you can work around this limitation by creating a custom log source.

To handle logs that require custom schemas alongside the existing Panther-managed schemas Amazon.EKS.Authenticator and Amazon.EKS.Audit you can:

1. Delete the existing Panther-managed log source,

2. Create a new log source,

3. Select the AWS CloudWatch Logs (custom onboarding) and

4. Add both your custom schemas and the two required Panther-managed schemas to the new source.

This behavior is a known limitation, and there is an existing feature request to allow adding custom schemas to Panther-managed log sources. If you'd like to be added to that feature request, please contact the Panther Support Team.