Hello,
I realize this is a rather specific request so I'll keep it short and simple to see if anyone has had previous experience or any creative resolutions to this issue.
I have successfully configured an AWS IAM role and user within a dedicated account in our AWS environment, to which CloudTrail logs are sent and kept in cold storage in the form of an S3 bucket.
I have also successfully configured an incremental S3 input, which I've tested as working, but currently the volume of CloudTrail data from our AWS accounts exceeds what we are licensed for in Splunk.
I'm hoping there's some way within the Log Prefix field to basically choose what accounts/directory paths you want to monitor within the dedicated S3 bucket so I can only monitor the accounts I want without ingesting data from all other accounts.
I'm sure this can be done in the form of an SQS queue on the AWS side of things, but before going that far I'm wondering what can be done given the access and configurations I've already made and obtained.
Thanks in advance!
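As an added illustration (not code from the original post or from Splunk's add-on) of how a literal S3 key prefix scopes a CloudTrail bucket: CloudTrail writes objects under AWSLogs/<account-id>/CloudTrail/<region>/..., with an extra organization-id segment for organization trails, so one prefix per wanted account selects only that account's objects. The sample keys and account IDs below are constructed, and the code assumes the input's prefix field is matched literally, the way the S3 ListObjects prefix is.

```python
import re
from collections import defaultdict

# CloudTrail object key layout (single-account and organization trails).
KEY_RE = re.compile(
    r"^AWSLogs/(?:(?P<org>o-[a-z0-9]+)/)?(?P<account>\d{12})/"
    r"(?P<kind>CloudTrail|CloudTrail-Digest)/(?P<region>[a-z0-9-]+)/"
    r"(?P<year>\d{4})/(?P<month>\d{2})/(?P<day>\d{2})/(?P<file>[^/]+)$"
)

# Constructed sample keys for a bucket that holds several accounts' trails.
SAMPLE_KEYS = [
    "AWSLogs/111111111111/CloudTrail/us-east-1/2024/01/05/111111111111_CloudTrail_us-east-1_20240105T0000Z_a1.json.gz",
    "AWSLogs/111111111111/CloudTrail-Digest/us-east-1/2024/01/05/111111111111_CloudTrail-Digest_us-east-1_20240105T0000Z.json.gz",
    "AWSLogs/222222222222/CloudTrail/eu-west-1/2024/01/05/222222222222_CloudTrail_eu-west-1_20240105T0000Z_b2.json.gz",
    "AWSLogs/333333333333/CloudTrail/us-east-1/2024/01/05/333333333333_CloudTrail_us-east-1_20240105T0000Z_c3.json.gz",
    "AWSLogs/o-abc123/444444444444/CloudTrail/us-east-1/2024/01/05/444444444444_CloudTrail_us-east-1_20240105T0000Z_d4.json.gz",
]

def parse_key(key):
    """Split a CloudTrail key into its account/region/date parts; None if it is not a CloudTrail key."""
    m = KEY_RE.match(key)
    return m.groupdict() if m else None

def accounts_in_bucket(keys):
    """Inventory of accounts and regions present (digest files ignored), to decide what to scope."""
    seen = defaultdict(set)
    for k in keys:
        p = parse_key(k)
        if p and p["kind"] == "CloudTrail":
            seen[p["account"]].add(p["region"])
    return dict(seen)

def prefixes_for_accounts(accounts, org_id=None):
    """One literal prefix per wanted account: a literal prefix cannot express 'these accounts but not those'."""
    org = f"{org_id}/" if org_id else ""
    return [f"AWSLogs/{org}{a}/CloudTrail/" for a in sorted(accounts)]

def keys_under_prefixes(keys, prefixes):
    """What an input configured with these prefixes would pick up (literal startswith, as S3 does)."""
    return [k for k in keys if any(k.startswith(p) for p in prefixes)]
```

A prefix of just `AWSLogs/` selects every account's objects, which is the over-ingestion described above; a per-account prefix also leaves out the CloudTrail-Digest objects, which are integrity files rather than events.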