So I have multiple AWS accounts and have turned on CloudTrail in each account.
Using cross-account permissions, I gather all of these events in a central account which has a Graylog server. This server has the AWS Plugin configured for CloudTrail and happily ingests events from six or so AWS accounts.
The question I have is how do I tell which account each event is coming from? I wanted to split these into account-specific streams, but I can’t seem to see a unique field. The events seem to differ for different AWS services, which makes it difficult to lock down to a specific account. Has anyone else come across this?