I would like to understand if the following requirement can be made to work..
We are ingesting AWS Cloudtrail events, via the Splunk Add on for AWS. The app is installed on our indexer so we aren't currently going via a heavy forwarder. The Cloudtrail event data currently goes from our AWS account to an S3 bucket and then into Splunk via SQS.
Our client has a new requirement to ensure that only particular Cloudtrail events, like 'password reset' or 'failed login' are sent to a third party log rhythm server but are also still indexed in our Splunk environment. I've read the documentation and this seems to fall under the following articles: