aws-samples / siem-on-amazon-opensearch-service

A solution for collecting, correlating and visualizing multiple types of logs to help investigate security incidents.
MIT No Attribution

[question] Is it possible to monitor more than one S3 log bucket? #413

Open 4sm-ops opened 9 months ago

4sm-ops commented 9 months ago

Looks like I cannot add an additional existing S3 bucket to load logs.

SIEM is able to load data from a single S3 bucket.

I can only replace the default bucket with some other bucket in the current or another account.

Correct?

nakajiak commented 9 months ago

Hi, it's not correct. We can import logs from additional buckets. We have three ways:

  1. We can ingest from Control Tower or Security Lake buckets. See https://github.com/aws-samples/siem-on-amazon-opensearch-service/blob/main/docs/securitylake.md and https://github.com/aws-samples/siem-on-amazon-opensearch-service/blob/main/docs/configure_aws_service.md
  2. Modify the parameter additional_s3_buckets, https://github.com/aws-samples/siem-on-amazon-opensearch-service/blob/v2.10.2/source/cdk/cdk.json.public.sample#L30 and deploy with CDK
  3. See https://github.com/aws-samples/siem-on-amazon-opensearch-service/blob/v2.10.2/docs/configure_siem.md#near-real-time-loading-from-other-s3-buckets