If I started with a single AWS CloudTrail log source in Panther that does not use a prefix, and I now want to add more trails, do I need to migrate the original source or create new prefixes for the new sources ("trails")?
There are multiple ways to add a new AWS CloudTrail log source when an existing source added to Panther lacks a prefix.
Options include the following:
1. Create a new prefix in AWS, move all of the current logs under it, and give the original source in Panther a matching S3 Prefix filter. This keeps every source consistent.
2. Leave the logs where they are and add S3 Prefix Exclusion Filter(s) to the original log source so that it skips the other organizations' prefixes. This keeps the original log source structured exactly as it is.
3. If you'd rather leave the original logs where they are, make the other organizations' prefixes two levels deep so that you do not need to add another exclusion filter each time a new organization is onboarded. For example:
Bucket/other_orgs/org1_logs/log.json
With this prefix structure, and assuming your current logs are delivered straight to the bucket root, you can exclude everything under the S3 prefix Bucket/other_orgs/ in the original log source and never have to update that exclusion filter for a new organization.
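To check which source would pick up which object before changing filters, the script below (an added example, not Panther's own code) simulates prefix include/exclude matching over a few constructed CloudTrail object keys. It assumes a plain string-prefix match on the object key; the source and organization names are invented, and the per-org scenario at the end shows the leak that the two-level layout avoids.

```python
from dataclasses import dataclass, field


@dataclass
class LogSource:
    """An S3 log source with prefix filters (plain prefix match on the object key assumed)."""
    name: str
    include: list[str] = field(default_factory=list)  # empty list = whole bucket
    exclude: list[str] = field(default_factory=list)

    def accepts(self, key: str) -> bool:
        if self.include and not any(key.startswith(p) for p in self.include):
            return False
        return not any(key.startswith(p) for p in self.exclude)


def route(keys: list[str], sources: list[LogSource]) -> dict[str, list[str]]:
    """Map each source name to the keys it would ingest; unclaimed keys land under '<none>'."""
    out: dict[str, list[str]] = {s.name: [] for s in sources}
    out["<none>"] = []
    for key in keys:
        accepted = [s.name for s in sources if s.accepts(key)]
        for name in accepted or ["<none>"]:
            out[name].append(key)
    return out


# Constructed object keys (the bucket name is not part of the key). The original trail
# writes to the bucket root; other organizations' trails sit two levels deep under other_orgs/.
ROOT_KEY = "AWSLogs/111111111111/CloudTrail/us-east-1/2024/01/01/a.json.gz"
ORG1_KEY = "other_orgs/org1_logs/AWSLogs/222222222222/CloudTrail/us-east-1/2024/01/01/b.json.gz"
ORG2_KEY = "other_orgs/org2_logs/AWSLogs/333333333333/CloudTrail/us-east-1/2024/01/01/c.json.gz"

# Two-level layout: the original source excludes the parent prefix once; each org source
# includes only its own prefix. org2 was added later without touching the original source.
SOURCES = [
    LogSource("original", exclude=["other_orgs/"]),
    LogSource("org1", include=["other_orgs/org1_logs/"]),
    LogSource("org2", include=["other_orgs/org2_logs/"]),
]

# Contrast: one exclusion per organization must be updated for every new org;
# until then org2's objects leak into the original source.
PER_ORG = [LogSource("original", exclude=["other_orgs/org1_logs/"])] + SOURCES[1:]

if __name__ == "__main__":
    for label, srcs in (("two-level", SOURCES), ("per-org", PER_ORG)):
        print(label, {n: len(k) for n, k in route([ROOT_KEY, ORG1_KEY, ORG2_KEY], srcs).items()})
```

A key that lands under `<none>` (for example a new org3 before its own source exists) is still kept out of the original source by the single `other_orgs/` exclusion.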
You can also check our related article, "How do I configure an S3 log source in Panther with a prefix exclusion or inclusion?", for additional details on adding prefixes and exclusion filters to your log sources.