How Amazon S3 Works with Red Canary
    • 30 May 2025

    Any external data source that can be configured to write logs to an Amazon S3 bucket can forward data to the Red Canary Security Data Lake. All data forwarded this way is stored in the Security Data Lake and can be exported from it; if the data is newline-delimited JSON, it can also be queried from the Search page.

    There are two methods of integration:

    1. Configure your external data source to push logs directly to a Red Canary-managed S3 bucket.

    2. Configure Red Canary to pull logs from an S3 bucket in your AWS account.

    What kinds of file formats are supported?

    Any line-delimited text-based format can be stored in the data lake for long-term retention and export on-demand (CSV, TSV, CEF, CLF, etc.), but files containing newline-delimited JSON (NDJSON) will automatically support SQL searches as well. When possible, we recommend configuring your external data source to emit logs as JSON / NDJSON to maximize your visibility into the data.

    Can I forward compressed files?

    Yes! Ensure that your data source is configured to emit logs as either gzip, zstd, or uncompressed files.

    What fields are available when querying JSON sources?

    If the data you are forwarding to S3 is in JSON format, the Security Data Lake will automatically parse the file structure and generate corresponding tables that can be queried from the Search page.

    All Security Data Lake sources include a set of metadata columns — data generated by Red Canary at time of ingest. These always begin with rc_:

    Column Name                 Data Type   Description
    rc_id                       String      Internal row identifier.
    rc_customer_id              String      Red Canary subdomain name.
    rc_source_id                String      Internal source identifier.
    rc_format                   String      Internal source type.
    rc_source_file              String      Internal file name.
    rc_source_file_line_number  Numeric     Internal file line number.
    rc_ingested_at              Timestamp   Red Canary ingestion date.
    rc_created_at               Timestamp   Red Canary creation date.
    rc_timestamp                Timestamp   The vendor's event timestamp when one is available; otherwise the Red Canary ingestion date.

    JSON sources will also include a set of columns automatically parsed from the original JSON logs. These will vary, as they are based on the schema/structure of the data ingested.
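    The following is an added example, not code from this article or from Red Canary. It covers both the format guidance above (emit NDJSON, gzip it, check it before upload) and the metadata-column table: it serialises a few constructed sample events as NDJSON, rejects pretty-printed JSON (valid JSON, but not valid NDJSON, so it would not become a searchable table), writes the gzip-compressed object through a boto3-style put_object call, and then models how each line becomes a row carrying the rc_ columns, including the rc_timestamp fallback to the ingestion time when a vendor timestamp is missing. The model_ingest function is an illustration of the table's semantics, not Red Canary's implementation; the vendor timestamp field names, the date-partitioned key layout, the shape of rc_id, treating rc_created_at as equal to rc_ingested_at, and the StubS3 stand-in for a real S3 client are all assumptions.

```python
import gzip
import json
from datetime import datetime, timezone

# Constructed sample events (not real telemetry). The second one carries no
# vendor timestamp, to exercise the rc_timestamp fallback from the table above.
SAMPLE_RECORDS = [
    {"timestamp": "2025-05-30T12:00:01Z", "src_ip": "10.0.0.5", "action": "allow"},
    {"src_ip": "10.0.0.9", "action": "deny"},
    {"timestamp": "2025-05-30T12:00:03Z", "src_ip": "10.0.0.5", "action": "deny"},
]
# The first event pretty-printed: valid JSON, but NOT valid NDJSON.
PRETTY_SAMPLE = json.dumps(SAMPLE_RECORDS[0], indent=2)
INGESTED_AT = datetime(2025, 5, 30, 12, 5, tzinfo=timezone.utc)
# Assumed field names a vendor might use for event time; the article does not
# say which fields the data lake recognises.
VENDOR_TIME_FIELDS = ("timestamp", "@timestamp", "time", "eventTime")


def to_ndjson(records):
    """One JSON object per line. json.dumps escapes embedded newlines,
    so a record can never spill onto a second line."""
    for rec in records:
        if not isinstance(rec, dict):
            raise TypeError("each NDJSON line should be a JSON object")
    return "".join(json.dumps(r, separators=(",", ":")) + "\n" for r in records)


def validate_ndjson(text):
    """Return 1-based numbers of lines that are not a complete JSON value.
    Run this before upload: pretty-printed JSON fails on every line."""
    bad = []
    for n, line in enumerate(text.splitlines(), start=1):
        if line.strip():
            try:
                json.loads(line)
            except json.JSONDecodeError:
                bad.append(n)
    return bad


def object_key(source, when, prefix="logs"):
    """Hypothetical date-partitioned key layout (an assumption, not a requirement)."""
    return f"{prefix}/{source}/{when:%Y/%m/%d}/{when:%H%M%S}.ndjson.gz"


def upload(s3_client, bucket, key, body):
    """Write the gzip-compressed object. The client is injected, so this works
    with a real boto3 S3 client or with the offline stub below."""
    return s3_client.put_object(
        Bucket=bucket, Key=key, Body=body,
        ContentType="application/x-ndjson", ContentEncoding="gzip",
    )


class StubS3:
    """Stand-in for boto3's S3 client so the example runs offline."""
    def __init__(self):
        self.objects = {}

    def put_object(self, Bucket, Key, Body, **_):
        self.objects[(Bucket, Key)] = Body
        return {"ResponseMetadata": {"HTTPStatusCode": 200}}


def model_ingest(key, gz_body, customer_id, source_id, ingested_at):
    """Illustrative model (not Red Canary's implementation): each NDJSON line
    becomes a row with the rc_ metadata columns plus the vendor's own fields."""
    text = gzip.decompress(gz_body).decode("utf-8")
    rows = []
    for n, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        event = json.loads(line)
        vendor_ts = next((event[f] for f in VENDOR_TIME_FIELDS if f in event), None)
        row = dict(event)
        row.update({
            "rc_id": f"{source_id}:{key}:{n}",  # assumed shape; page only calls it internal
            "rc_customer_id": customer_id,
            "rc_source_id": source_id,
            "rc_format": "ndjson",
            "rc_source_file": key,
            "rc_source_file_line_number": n,
            "rc_ingested_at": ingested_at.isoformat(),
            "rc_created_at": ingested_at.isoformat(),  # assumed equal to ingestion time
            "rc_timestamp": vendor_ts if vendor_ts is not None else ingested_at.isoformat(),
        })
        rows.append(row)
    return rows


def original_line(gz_body, line_number):
    """rc_source_file plus rc_source_file_line_number let you pull the exact
    source line back out of the object to verify a row."""
    return gzip.decompress(gz_body).decode("utf-8").splitlines()[line_number - 1]


def demo():
    text = to_ndjson(SAMPLE_RECORDS)
    assert validate_ndjson(text) == []        # refuse to upload malformed NDJSON
    key = object_key("firewall", INGESTED_AT)
    gz = gzip.compress(text.encode("utf-8"))
    s3 = StubS3()
    upload(s3, "customer-logs", key, gz)
    rows = model_ingest(key, s3.objects[("customer-logs", key)], "acme", "src-1", INGESTED_AT)
    return {"key": key, "rows": rows, "line2": original_line(gz, 2)}


if __name__ == "__main__":
    for r in demo()["rows"]:
        print(r["rc_source_file_line_number"], r["rc_timestamp"], r["action"])
```

    Swapping StubS3 for boto3.client("s3") makes upload() write to a real bucket; the validate_ndjson check is the one worth keeping in any shipping pipeline, because a file that is merely valid JSON rather than NDJSON is still retained and exportable but will not produce a queryable table.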

