AWS Cross Account Cloudtrails Parsing

So I have multiple AWS accounts and have turned on CloudTrail in each account.

Using cross account permissions I gather all of these events in a central account which has a GrayLog server. This server has the AWS Plugin configured for CloudTrail and happily ingests events from six or so AWS accounts.

The question I have is how do I tell which account each event is coming from? I wanted to split these into account specific streams but I can’t seem to see a unique field. The events seem to differ for different AWS services which makes it difficult to lock down to a specific account. Has anyone else come across this?

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.