Login
        Contents x
        How Amazon S3 Works with Red Canary
        • 30 May 2025
        • 1 Minute to read
        • PDF
        Contents

        How Amazon S3 Works with Red Canary

        • Updated on 30 May 2025
        • 1 Minute to read
        • PDF
        Article summary

        Any external data source that can be configured to write logs to an Amazon S3 bucket can forward data to the Red Canary Security Data Lake. All data forwarded in this way is storable and exportable from the Security Data Lake, and if it is newline-delimited JSON, it can be queried via the Search page.

        There are two methods of integration:

        1. Configure your external data source to push logs directly to a Red Canary-managed S3 bucket.

        2. Configure Red Canary to pull logs from an S3 bucket in your AWS account.

        What kinds of file formats are supported?

        Any line-delimited text-based format can be stored in the data lake for long-term retention and export on-demand (CSV, TSV, CEF, CLF, etc.), but files containing newline-delimited JSON (NDJSON) will automatically support SQL searches as well. When possible, we recommend configuring your external data source to emit logs as JSON / NDJSON to maximize your visibility into the data.

        Can I forward compressed files?

        Yes! Ensure that your data source is configured to emit logs as either gzip, zstd, or uncompressed files.

        What fields are available when querying JSON sources?

        If the data you are forwarding to S3 is in JSON format, the Security Data Lake will automatically parse the file structure and generate corresponding tables that can be queried from the Search page.

        All Security Data Lake sources include a set of metadata columns — data generated by Red Canary at time of ingest. These always begin with rc_:

        Column Name

        Data Type

        Description

        rc_id

        String

        Internal row identifier.

        rc_customer_id

        String

        Red Canary subdomain name.

        rc_source_id

        String

        Internal source identifier.

        rc_format

        String

        Internal source type.

        rc_source_file

        String

        Internal file name.

        rc_source_file_line_number

        Numeric

        Internal file line number.

        rc_ingested_at

        Timestamp

        Red Canary ingestion date.

        rc_created_at

        Timestamp

        Red Canary creation date.

        rc_timestamp

        Timestamp

        Set to Red Canary ingestion date if timestamp when vendor timestamp isn’t available.

        JSON sources will also include a set of columns automatically parsed from the original JSON logs. These will vary, as they are based on the schema/structure of the data ingested.

        Was this article helpful?
        What's Next
        Change password!
        Changing your password will log you out immediately. Use the new password to log back in.
        Change profile
        Success!
        First name must have atleast 2 characters. Numbers and special characters are not allowed.
        Last name must have atleast 1 characters. Numbers and special characters are not allowed.
        Enter a valid email
        Enter a valid password
        Your profile has been successfully updated.
        Logout