I have multiple accounts whose CloudTrail logs I send to a single bucket.
When the Graylog plugin attempts to read the SQS, I see the following in the Graylog logs:
2019-05-23T15:01:16.514-04:00 DEBUG [CloudtrailSNSNotificationParser] Reading message envelope {"Records":[{"eventVersion":"2.1","eventSource":"aws:s3","awsRegion":"us-east-1","eventTime":"2019-05-18T19:03:18.956Z","eventName":"ObjectCreated:Put","userIdentity":{"principalId":"AWS:XXX:regionalDeliverySession"},"requestParameters":{"sourceIPAddress":"81.20.14.19"},"responseElements":{"x-amz-request-id":"XXX","x-amz-id-2":"nXXX="},"s3":{"s3SchemaVersion":"1.0","configurationId":"SNS","bucket":{"name":"my-centralized-logs","ownerIdentity":{"principalId":"XXX"},"arn":"arn:aws:s3:::my-centralized-logs"},"object":{"key":"AWSLogs/0123456789/CloudTrail/us-east-1/2019/05/18/210811600188_CloudTrail_us-east-1_20190518T1900Z_3632732723.json.gz","size":47199,"eTag":"AAA","sequencer":"BBB"}}}]}.
2019-05-23T15:01:16.514-04:00 DEBUG [CloudtrailSNSNotificationParser] No S3 object keys parsed.
Any hints as to where to look next? To my untrained eye, it appears that an S3 object key is returned from the server.