
I am setting up logging on AWS, based on the official AWS Centralized Logging solution (source). CloudWatch log groups are added with a command like:

aws logs put-subscription-filter --destination-arn DEST --log-group-name NAME --filter-name FILTER --filter-pattern " "

What surprises me is that they store the data of all CloudWatch log groups in a single Elasticsearch index, rotated every 24 hours, delivered through an AWS::KinesisFirehose::DeliveryStream.

Shouldn't the data of separate log groups usually be stored in separate ES indices? Or is it OK to filter inside Elasticsearch on the @log_group field of the combined data? For scale: about 10000 log entries/day, 1-2 kB each, across 10-20 different log groups.

wtdmn

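Added example, not part of the question above or of the AWS solution it refers to: the reason the @log_group filter works at all is that a Firehose Elasticsearch destination writes to exactly one configured index name (plus its rotation period), so the only place to keep per-group identity is a field on each document. The code below shows the shape of the data a CloudWatch Logs subscription delivers (gzip-compressed JSON, base64-wrapped inside each Firehose record), a Firehose-style transformation handler that flattens it into one document per log event tagged with @log_group and @log_stream, and the Elasticsearch query that scopes a search to one group. The log group names, account id and messages are constructed sample data; the @-prefixed field names are chosen to match the question and are an assumption, not a fixed AWS contract.

```python
import base64
import gzip
import json
from datetime import datetime, timezone


def make_cwl_record(log_group, log_stream, messages,
                    first_ts_ms=1_700_000_000_000, message_type="DATA_MESSAGE"):
    """Build one Firehose record as CloudWatch Logs would deliver it to a
    subscription destination. Constructed sample data for the demo below."""
    payload = {
        "messageType": message_type,
        "owner": "123456789012",          # assumed account id
        "logGroup": log_group,
        "logStream": log_stream,
        "subscriptionFilters": ["FILTER"],
        "logEvents": [
            {"id": str(i), "timestamp": first_ts_ms + i, "message": m}
            for i, m in enumerate(messages)
        ],
    }
    raw = gzip.compress(json.dumps(payload).encode())
    return {"recordId": f"{log_group}:{log_stream}",
            "data": base64.b64encode(raw).decode()}


def flatten_record(record):
    """Decode one Firehose record carrying a CloudWatch Logs batch and return
    one document per log event, tagged with the group and stream it came from."""
    payload = json.loads(gzip.decompress(base64.b64decode(record["data"])))
    # CloudWatch sends a CONTROL_MESSAGE when the subscription is created;
    # it carries no log events and must not be indexed.
    if payload.get("messageType") != "DATA_MESSAGE":
        return []
    docs = []
    for ev in payload["logEvents"]:
        ts = datetime.fromtimestamp(ev["timestamp"] / 1000, tz=timezone.utc)
        docs.append({
            "@id": ev["id"],
            "@timestamp": ts.isoformat(),
            "@owner": payload["owner"],
            "@log_group": payload["logGroup"],
            "@log_stream": payload["logStream"],
            "@message": ev["message"],
        })
    return docs


def transform(event):
    """Firehose data-transformation handler shape: one output record per input
    record, result Ok/Dropped, with flattened events newline-delimited so the
    Elasticsearch destination indexes each line as a document."""
    out = []
    for rec in event["records"]:
        docs = flatten_record(rec)
        if not docs:
            out.append({"recordId": rec["recordId"], "result": "Dropped"})
            continue
        body = "".join(json.dumps(d) + "\n" for d in docs).encode()
        out.append({"recordId": rec["recordId"], "result": "Ok",
                    "data": base64.b64encode(body).decode()})
    return {"records": out}


def log_group_query(log_group, text=None):
    """Elasticsearch bool query scoping a search to one group in the shared
    index. Assumes @log_group is mapped as keyword, so a term filter matches
    the full group name exactly."""
    filters = [{"term": {"@log_group": log_group}}]
    if text:
        filters.append({"match": {"@message": text}})
    return {"query": {"bool": {"filter": filters}}}


def demo():
    """Run two constructed batches from different groups through the transform
    and return the documents that would land in the shared index."""
    event = {"records": [
        make_cwl_record("/aws/lambda/api", "2024/01/01/[$LATEST]abc",
                        ["START RequestId", "REPORT RequestId"]),
        make_cwl_record("/ecs/web", "web/abc", ["GET /login 200"]),
    ]}
    docs = []
    for rec in transform(event)["records"]:
        if rec["result"] == "Ok":
            lines = base64.b64decode(rec["data"]).decode().splitlines()
            docs += [json.loads(line) for line in lines]
    return docs


if __name__ == "__main__":
    for d in demo():
        print(d["@log_group"], d["@timestamp"], d["@message"])
    print(json.dumps(log_group_query("/ecs/web", "login")))
```

One caveat worth keeping in mind when deciding between this and per-group indices: a query-time filter on @log_group is a convenience for searching, not an authorization boundary. Anyone who can read the shared index can read every group in it, so if some groups need different access rules the separation has to happen at the index (and delivery stream) level, not in the query.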