I sometimes get Classification Failures on my AWS Config log source, from files nested within an OversizedChangeNotification
folder. Can I exclude these files from Panther?
Yes, you can safely exclude these files. AWS Config creates them when a resource's configuration item is too large for the change notification to fit within the maximum message size Amazon SNS allows. In that case AWS Config sends only a summary over SNS (a message of type OversizedConfigurationItemChangeNotification) and writes the full configuration change to the OversizedChangeNotification prefix in the delivery S3 bucket.
Panther does not parse these files, which is why they surface as classification failures. Nothing is lost by excluding them, so add the following exclusion pattern to your AWS Config log source:
*/OversizedChangeNotification/*.json.gz
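Before enabling the filter it is worth checking which keys it catches, so that the ConfigHistory and ConfigSnapshot deliveries Panther does parse are not excluded by accident. The script below is an added example and is not Panther's own code; it assumes the pattern is evaluated as a glob in which `*` also matches `/` (Python's fnmatch behaves this way), and the sample keys are constructed to follow the AWS Config delivery layout rather than taken from a real bucket.

```python
from fnmatch import fnmatchcase

# The exclusion pattern quoted in the answer above.
EXCLUSION_PATTERN = "*/OversizedChangeNotification/*.json.gz"


def is_excluded(key: str, pattern: str = EXCLUSION_PATTERN) -> bool:
    """Return True if an S3 object key matches the exclusion glob.

    Assumption: '*' matches across '/' (fnmatch semantics), so the pattern
    reaches the nested resourceType/resourceId folders AWS Config creates
    under OversizedChangeNotification.
    """
    return fnmatchcase(key, pattern)


def partition_keys(keys):
    """Split keys into (kept, excluded) so the filter can be reviewed first."""
    kept, excluded = [], []
    for key in keys:
        (excluded if is_excluded(key) else kept).append(key)
    return kept, excluded


# Constructed sample keys in the AWS Config delivery layout (not real data).
SAMPLE_KEYS = [
    # Regular history delivery: must stay ingested.
    "AWSLogs/123456789012/Config/us-east-1/2024/1/15/ConfigHistory/"
    "123456789012_Config_us-east-1_ConfigHistory_AWS::EC2::Instance_"
    "20240115T120000Z_20240115T130000Z_1.json.gz",
    # Snapshot delivery: must stay ingested.
    "AWSLogs/123456789012/Config/us-east-1/2024/1/15/ConfigSnapshot/"
    "123456789012_Config_us-east-1_ConfigSnapshot_20240115T120000Z_abc123.json.gz",
    # Oversized change dumps nested under resourceType/resourceId: should be excluded.
    "AWSLogs/123456789012/Config/us-east-1/2024/1/15/OversizedChangeNotification/"
    "AWS::IAM::Policy/ANPAEXAMPLE/123456789012_Config_us-east-1_ChangeNotification_"
    "AWS::IAM::Policy_ANPAEXAMPLE_20240115T121500Z_001.json.gz",
    "AWSLogs/123456789012/Config/us-east-1/2024/1/15/OversizedChangeNotification/"
    "AWS::EC2::SecurityGroup/sg-0123456789abcdef0/123456789012_Config_us-east-1_"
    "ChangeNotification_AWS::EC2::SecurityGroup_sg-0123456789abcdef0_20240115T121600Z_001.json.gz",
]


if __name__ == "__main__":
    kept, excluded = partition_keys(SAMPLE_KEYS)
    print("kept:")
    for key in kept:
        print("  ", key)
    print("excluded:")
    for key in excluded:
        print("  ", key)
```

Run it against a listing of your own bucket (for example the output of `aws s3api list-objects-v2`) before applying the pattern in Panther; every ConfigHistory and ConfigSnapshot key should land in `kept`, and only keys containing an `OversizedChangeNotification/` path segment should land in `excluded`.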