SourcesSource TypesAuthentik

Authentik Audit Logs

Ingest authentik audit logs from a variety of sources.

Authentik supports multiple ingestion methods including S3, Azure Blob Storage, Google Cloud Storage, and Cloudflare R2.

Ingest Methods

Setup the ingestion of this source using one of the following guides.

If using an AWS S3 bucket use the following SNS topic ARN to send your bucket notifications.

arn:aws:sns:<REGION>:253602268883:runreveal_authentik
⚠️

SNS topic & Custom SQS. Use the ARN above in your event notification tied to your S3 bucket—the topic name must match (runreveal_…; hyphens in the source id become underscores). For Custom SQS, set the queue URL and region in RunReveal; see AWS S3 Bucket with Custom SQS.

Note: BYOC, On-Prem, and BYODB customers must use their AWS account ID in the ARN instead of 253602268883.

Setup

Authentik logs can be ingested via object storage. Configure your Authentik instance to export logs to one of the supported storage providers.

Verify It’s Working

Once added, the source logs should begin flowing within a few minutes.

You can validate we are receiving your logs by running the following SQL query.

SELECT * FROM runreveal.logs WHERE sourceType = 'authentik' LIMIT 1

Schema

The following columns are exposed for this source. RunReveal applies schema normalization across all sources, ensuring uniform field names and data types for cross-source queries and reusable detection logic.

Table: authentik_logs (22 columns)

ColumnType
idString
receivedAtDateTime
workspaceIDString
sourceTypeString
sourceIDString
eventIDString
eventNameString
eventTimeDateTime
readOnlyBool
srcIPString
resourcesArray(String)
serviceNameString
srcASOrganizationNullable(String)
srcASNumberNullable(UInt32)
srcASCountryCodeNullable(String)
dstIPString
dstASOrganizationNullable(String)
dstASNumberNullable(UInt32)
dstASCountryCodeNullable(String)
actorMap(String, String)
tagsMap(String, String)
rawLogString
Auth0ALB