We should support cross-account log collection for CloudWatch. We almost have this functionality today, but there is a small hurdle to overcome, as detailed below.
Cross-account logs are supported by the FilterLogEvents API (which we already use). However, there is a caveat hidden away in the docs:
If the log group is in a source account and you are using a monitoring account, you must use the log group ARN.
If the log group name is used for log groups in linked source accounts, the request does not succeed.
In our CloudWatch logs input, we utilize the log group name exclusively (even parsing the name from the ARN, if provided: https://github.com/elastic/beats/blob/main/x-pack/filebeat/input/awscloudwatch/input.go#L72).
In order for cross-account monitoring to work for CloudWatch logs, we need to switch to using log group ARNs and logGroupIdentifier in the API requests, instead of log group names (and logGroupName).
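A sketch of the ARN handling this change implies, added here as an illustration and not taken from the Beats code base: it parses a log group ARN without discarding the owning account and rebuilds the value to send as logGroupIdentifier. The names `LogGroupRef`, `ParseLogGroupARN`, `Identifier` and `Target` are hypothetical, the account IDs are constructed, and stripping the trailing `:*` is an assumption about the form the API accepts.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// LogGroupRef keeps every part of a log group ARN, which has the form
// arn:<partition>:logs:<region>:<account-id>:log-group:<name>[:*]
type LogGroupRef struct{ Partition, Region, AccountID, Name string }

// ParseLogGroupARN splits the ARN without discarding the owning account.
func ParseLogGroupARN(arn string) (LogGroupRef, error) {
	p := strings.SplitN(strings.TrimSuffix(arn, ":*"), ":", 7)
	if len(p) != 7 || p[0] != "arn" || p[2] != "logs" || p[5] != "log-group" ||
		p[4] == "" || p[6] == "" {
		return LogGroupRef{}, errors.New("not a log group ARN: " + arn)
	}
	return LogGroupRef{p[1], p[3], p[4], p[6]}, nil
}

// Identifier is the value to send as logGroupIdentifier. Dropping the
// trailing ":*" is an assumption about the form the API accepts.
func (r LogGroupRef) Identifier() string {
	return fmt.Sprintf("arn:%s:logs:%s:%s:log-group:%s",
		r.Partition, r.Region, r.AccountID, r.Name)
}

// Target returns the identifier for a configured ARN and reports whether the
// log group belongs to an account other than the caller's (monitoring) one.
func Target(arn, callerAccount string) (id string, crossAccount bool, err error) {
	r, err := ParseLogGroupARN(arn)
	if err != nil {
		return "", false, err
	}
	return r.Identifier(), r.AccountID != callerAccount, nil
}

func main() {
	// Constructed ARNs: same log group name in two source accounts.
	for _, arn := range []string{
		"arn:aws:logs:us-east-1:111122223333:log-group:/aws/lambda/app:*",
		"arn:aws:logs:us-east-1:444455556666:log-group:/aws/lambda/app:*",
	} {
		id, cross, _ := Target(arn, "999988887777")
		r, _ := ParseLogGroupARN(arn)
		fmt.Printf("name=%s cross=%v identifier=%s\n", r.Name, cross, id)
	}
}
```

Both constructed ARNs reduce to the same name, `/aws/lambda/app`, so a name-only request cannot say which source account is meant; the identifier keeps them distinct.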