AWS Redshift Audit Logs
Collect audit logs from Amazon Redshift data warehouses exported from CloudWatch Logs to S3, including connection logs, user activity logs, and security events.
Ingest Methods
RunReveal offers the following ways to ingest AWS Redshift Audit Logs logs:
If using an AWS S3 bucket use the following SNS topic ARN to send your bucket notifications.
arn:aws:sns:<REGION>:253602268883:runreveal_redshift_auditReplace <REGION> with the AWS region where your S3 bucket is located (e.g., us-east-1, us-west-2, eu-west-1).
Schema
The following columns are exposed for this source. RunReveal applies schema normalization across all sources, ensuring uniform field names and data types for cross-source queries and reusable detection logic.
Table: redshift_audit_logs (45 columns)
redshift_audit_logs (45 columns)| Column | Type |
|---|---|
workspaceID | String |
sourceID | String |
sourceType | String |
sourceTTL | UInt32 |
receivedAt | DateTime |
id | String |
eventTime | DateTime |
eventName | String |
eventID | String |
srcIP | String |
srcASCountryCode | String |
srcASNumber | UInt32 |
srcASOrganization | String |
srcCity | String |
srcConnectionType | String |
srcISP | String |
srcLatitude | Float64 |
srcLongitude | Float64 |
srcUserType | String |
dstIP | String |
dstASCountryCode | String |
dstASNumber | UInt32 |
dstASOrganization | String |
| Column | Type |
|---|---|
dstCity | String |
dstConnectionType | String |
dstISP | String |
dstLatitude | Float64 |
dstLongitude | Float64 |
dstUserType | String |
actor | Map(String, String) |
tags | Map(String, String) |
resources | Array(String) |
serviceName | String |
enrichments | Array(Tuple(data Map(String, String), name String, provider String, type String, value String)) |
readOnly | Bool |
rawLog | String |
database | String |
username | String |
logLevel | String |
query | String |
tlsVersion | String |
cipher | String |
authMethod | String |
pid | String |
duration | String |