Optionally, check the box next to "I want Panther to configure bucket notifications for me" to allow Panther to configure bucket notifications automatically.
Panther uses S3 Event Notifications for notifications about new files added to your bucket. If you check the box, the provided CloudFormation template will add extra permissions to the IAM role, and Panther will configure bucket notifications automatically. Existing configurations will not be removed or overwritten. Otherwise, you will be prompted to configure bucket notifications manually at a later step.
We strongly suggest you allow Panther to configure bucket notifications, as it will help you monitor the health of the CloudWatch logs and surface issues through Panther's system health notifications.
When the IAM role is ready, fill in the Bucket Name and Role ARN.
After the CloudFormation stack creation is complete, you can find the role ARN in the "Outputs" section of the stack in AWS.
Click Continue Setup.
To enable real-time processing of log data, Panther will create a Firehose Delivery Stream and an S3 bucket that will be used as the Delivery Stream's destination. A subscription filter is then configured for the CloudWatch Logs log group, using the Firehose Delivery Stream as its destination. The IAM role is granted the read permissions required to process the files that Firehose adds to the newly created S3 bucket.
Configure bucket notifications and finish source setup
If you have opted in for Panther-managed notifications in step 2, click Finish Setup. Your S3 source is ready to ingest data and a success page is shown. Optionally, you can configure a log drop-off alarm to be alerted if this source stops processing events within a specified time interval.
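If you configure notifications yourself instead, keep in mind that S3's PutBucketNotificationConfiguration call replaces the bucket's whole notification configuration, so keeping existing entries means reading the current configuration, merging, and writing the result back. The following is an added example, not Panther's code, of that merge step with a check for the filter overlaps S3 rejects. It works on a dict shaped like the GetBucketNotificationConfiguration response; the function names, ARNs, account ID and Ids are constructed placeholders.

```python
import copy

# The three destination lists in an S3 notification configuration.
DEST_KEYS = ("TopicConfigurations", "QueueConfigurations",
             "LambdaFunctionConfigurations")

def _rules(cfg):
    """Prefix/suffix key filters of one entry; empty string means 'match all'."""
    out = {"prefix": "", "suffix": ""}
    for r in cfg.get("Filter", {}).get("Key", {}).get("FilterRules", []):
        out[r["Name"].lower()] = r["Value"]
    return out

def _events_overlap(a, b):
    """'s3:ObjectCreated:*' overlaps 's3:ObjectCreated:Put', and so on."""
    return any(x.rstrip("*").startswith(y.rstrip("*")) or
               y.rstrip("*").startswith(x.rstrip("*")) for x in a for y in b)

def overlaps(a, b):
    """True if both entries could fire for the same object key and event type."""
    ra, rb = _rules(a), _rules(b)
    prefix = ra["prefix"].startswith(rb["prefix"]) or rb["prefix"].startswith(ra["prefix"])
    suffix = ra["suffix"].endswith(rb["suffix"]) or rb["suffix"].endswith(ra["suffix"])
    return _events_overlap(a["Events"], b["Events"]) and prefix and suffix

def merge_notification(existing, new_entry, dest_key="TopicConfigurations"):
    """Return existing config plus new_entry; never drops or edits old entries."""
    merged = copy.deepcopy(existing)
    merged.pop("ResponseMetadata", None)   # added by boto3, not valid input on put
    if any(c.get("Id") == new_entry["Id"] for c in merged.get(dest_key, [])):
        return merged                      # already configured: idempotent
    current = [c for k in DEST_KEYS for c in merged.get(k, [])]
    clash = [c.get("Id") for c in current if overlaps(c, new_entry)]
    if clash:
        raise ValueError(f"filters overlap with existing entries: {clash}")
    merged.setdefault(dest_key, []).append(new_entry)
    return merged

# Constructed sample data: account ID, ARNs and Ids are placeholders.
EXISTING = {"LambdaFunctionConfigurations": [{
    "Id": "thumbnailer",
    "LambdaFunctionArn": "arn:aws:lambda:us-east-1:111111111111:function:example",
    "Events": ["s3:ObjectCreated:Put"],
    "Filter": {"Key": {"FilterRules": [{"Name": "prefix", "Value": "images/"}]}}}]}
NEW = {"Id": "log-ingest", "TopicArn": "arn:aws:sns:us-east-1:111111111111:example-topic",
       "Events": ["s3:ObjectCreated:*"],
       "Filter": {"Key": {"FilterRules": [{"Name": "prefix", "Value": "logs/"}]}}}

if __name__ == "__main__":
    print(merge_notification(EXISTING, NEW))
```

A raised `ValueError` means the new entry would compete with a notification another consumer already relies on; narrow its prefix or suffix rather than removing the existing entry.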
Viewing Collected Logs
After log sources are configured, your data can be searched with Data Explorer.