Multiple Cloudtrail logs into centralized Cloudwatch log account

While there are many ways to achieve this, one approach is well documented here - https://aws.amazon.com/solutions/implementations/centralized-logging/.

Are you interested in combining multiple CloudTrail trails with CloudWatch logs in a single logging account? If yes, then the above post is a solution. Otherwise, if you just want to consolidate all your CloudTrail trails in a single location (single account), then I'd recommend looking at CloudTrail Lake , a managed data lake that lets organizations aggregate, immutably store, and query events recorded by CloudTrail. It does not require you to create any other CloudTrail trails, S3 buckets, use Athena to log and query events or create data pipelines to move your CloudTrail events to a central location.

The key component of a CloudTrail Lake is an event data store. Once set up, you may immediately query CloudTrail events in the event data store (or multiple event data stores) using SQL-based queries with the built-in Query editor. Also, as with CloudTrail trails, you may choose to log management and/or data events in an event data store with further selection of sources for data events (so that you may log only desired data and optimize costs). You may also copy existing CloudTrail trails into an event data store.

With CloudTrail Lake and AWS Organizations, you may enable CloudTrail event logging across all member accounts in one or more regions to a single account (management account or delegated account like a Security account).

Yes, it would be all the cloudtrails from sub-accounts into one account cloudwatch. So looking at the link, looks like the subscription filter would be the way to go?

The environment is for a landing zone accelerator deployment.

If the sub-accounts are under the same ORG; I could configure a ORG cloudtrail, but then would I be able to send all those logs into cloudwatch in another account?

Delegated administration of CloudTrail to the destination member account in the AWS Organization should help. Refer https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-delegated-administrator.html