Push Data to a Red Canary-Managed Amazon S3 Bucket
- Updated on 30 May 2025
Any external data source that can be configured to forward logs to an Amazon S3 bucket using access keys can forward data to the Red Canary Security Data Lake. All data forwarded in this way can be stored in and exported from the Security Data Lake, and if it is newline-delimited JSON, it can also be queried via the Search page.
How does it work?
This ingest method works by creating a Red Canary-managed Amazon S3 bucket/folder that you can use to receive logs from your external data source. You will be provided a fully qualified URL containing the bucket name, folder name (i.e., prefix), and region to which you will point your external data source. Authentication is handled via Amazon’s long-term access keys. If your data source only supports role assumption for authentication, consider using the Data Source via S3 (Self-Managed) ingest method instead.
By integrating your security logs with the Red Canary Security Data Lake, you can meet data retention requirements, export logs when needed for investigation or reporting, and ensure greater visibility into your security infrastructure for your team and Red Canary. To integrate an external data source with Red Canary through a Red Canary-managed Amazon S3 bucket, follow the procedure below from beginning to end.
Prerequisites
Before you start the Amazon S3 integration, please make sure the following requirements are met:
You have an active Red Canary Security Data Lake license.
You have validated that your external data source supports log forwarding to Amazon S3 using access keys.
You have validated that your external data source emits logs in a supported format.
Ensure that your data source is configured to emit logs as either gzip, zstd, or uncompressed files.
When possible, we recommend configuring your external data source to emit logs as newline-delimited JSON to maximize your visibility into the data, but any line-delimited text format can be ingested.
You have appropriate admin permissions to make configuration changes to your external data source.
1 | Red Canary | Add a new data lake integration
From your Red Canary dashboard navigate to Integrations, click the split button to the right of Add Integration, and click Add Data Lake Integration.
Next to Add Integration, enter a name for your integration.
Choose how Red Canary will receive this data:
Under Ingest Format / Method, select Data Source via S3 (Managed by Red Canary).
Click the Next button.
Configure Red Canary to retrieve data from this integration:
Click the Provision button.
This will save and activate your integration. If successful, you should get a “User provisioned successfully” notification.
Under Set up log forwarding in your external log source, there will be an S3 Folder URL, AWS Access ID, and AWS Secret Key that you can use to send data to Red Canary. Copy and save these values. You will use them in a later step.
The AWS Access ID and AWS Secret Key can take time to generate. If they say “(pending…)”, wait 10 minutes and reload the page.
Click the Next button.
Customize how data from this integration is handled:
Specify your desired data retention period in days.
Click Save in the bottom right corner.
2 | External Data Source | Configure log forwarding
From your external data source, set up log forwarding using the S3 Folder URL, AWS Access ID, and AWS Secret Key values noted in the previous section.
Ensure that the data source is configured to emit logs as either gzip, zstd, or uncompressed files.
If possible, ensure that the data source is configured to emit logs as newline-delimited JSON. Other line-delimited formats are supported for data retention only.
Examples of line-delimited file formats: newline separated JSON, CSV, TSV, CEF, CLF, etc.
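A pre-flight check for the format requirements above, as an added example that is not Red Canary's code: it classifies a log file as gzip, zstd, or uncompressed by its magic bytes and reports which lines are not JSON, so you can tell before forwarding whether the data will be queryable or retained only. The function names, the sample records, and the rule that a queryable record is one JSON object per line are assumptions made for illustration.

```python
import gzip
import json

GZIP_MAGIC = b"\x1f\x8b"          # gzip header (RFC 1952)
ZSTD_MAGIC = b"\x28\xb5\x2f\xfd"  # zstd frame magic (RFC 8878)

# Constructed sample data, not real logs.
NDJSON_SAMPLE = (b'{"ts":"2025-05-30T12:00:00Z","event":"login","user":"alice"}\n'
                 b'{"ts":"2025-05-30T12:00:05Z","event":"logout","user":"alice"}\n')
CSV_SAMPLE = b"ts,event,user\n2025-05-30T12:00:00Z,login,alice\n"


def detect_compression(blob: bytes) -> str:
    """Classify a log file by its leading magic bytes."""
    if blob.startswith(GZIP_MAGIC):
        return "gzip"
    if blob.startswith(ZSTD_MAGIC):
        return "zstd"
    return "uncompressed"


def preflight(blob: bytes) -> dict:
    """Return compression, non-blank line count, and lines that are not JSON objects."""
    compression = detect_compression(blob)
    if compression == "zstd":
        # Content is not inspected: zstd needs a third-party decoder on most Pythons.
        return {"compression": compression, "lines": None, "ndjson": None, "bad_lines": []}
    raw = gzip.decompress(blob) if compression == "gzip" else blob
    bad_lines, count = [], 0
    # Split on "\n" only: str.splitlines() would also break on U+2028 inside JSON strings.
    for number, line in enumerate(raw.decode("utf-8", errors="replace").split("\n"), 1):
        if not line.strip():
            continue
        count += 1
        try:
            # Assumption: a queryable record is one JSON object per line.
            if not isinstance(json.loads(line), dict):
                bad_lines.append(number)
        except json.JSONDecodeError:
            bad_lines.append(number)
    return {"compression": compression, "lines": count,
            "ndjson": count > 0 and not bad_lines, "bad_lines": bad_lines}


if __name__ == "__main__":
    for name, blob in [("ndjson", NDJSON_SAMPLE), ("ndjson.gz", gzip.compress(NDJSON_SAMPLE)),
                       ("csv", CSV_SAMPLE)]:
        print(name, preflight(blob))
```

Pretty-printed (multi-line) JSON is reported as non-NDJSON because no single line of it parses as a complete object; such a source should be reconfigured to write one record per line.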