Generic Log Sources

Generic log sources allow you to send any source logs to RunReveal. Whether you have custom application logs, system metrics, or third-party data, RunReveal can ingest and analyze it. Choose from multiple ingestion methods including cloud storage solutions and direct webhook integration.

Setup Guides: For detailed setup instructions for each cloud storage source, see the links below, or use the instructions for setting up a generic webhook source to send logs to a webhook located on this page.

Ingest Methods

RunReveal offers the following ways to ingest Generic log sources:

If using an AWS S3 bucket use the following SNS topic ARN to send your bucket notifications.

arn:aws:sns:<REGION>:253602268883:runreveal_generic

SNS topic & Custom SQS. Use the ARN above in your event notification tied to your S3 bucket—the topic name must match (runreveal_…; hyphens in the source id become underscores). For Custom SQS, set the queue URL and region in RunReveal; see AWS S3 Bucket with Custom SQS.

Note: BYOC, On-Prem, and BYODB customers must use their AWS account ID in the ARN instead of 253602268883.

Webhook

Webhooks are a simple way to send data to RunReveal. Just make an HTTP POST request with your JSON data.

Setup

Go to Sources in RunReveal
Click the Webhook Generic Logs source tile
Give it a name and click Connect Source to generic a unique webhook url and bearer token (if needed)
Copy your webhook URL which you'll use to send logs to as well as the bearer token you've set or generated (optional)

Testing with curl

Test your webhook with a simple curl command:

With Bearer Token (Recommended):

curl -X POST https://api.runreveal.com/sources/hook/YOUR_WEBHOOK_ID \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "level": "INFO",
    "message": "User authentication successful",
    "user": "[email protected]",
    "ip": "192.168.1.100"
  }'

Without Bearer Token: Edit your webhook source and delete the token field, then:

curl -X POST https://api.runreveal.com/sources/hook/YOUR_WEBHOOK_ID \
  -H "Content-Type: application/json" \
  -d '{
    "level": "WARN",
    "message": "Authentication disabled",
    "service": "webhook-test"
  }'

Viewing Your Data

Webhook data appears in the logs table with sourceType = 'webhook'.

Go to the Explore tab and run:

SELECT * FROM logs 
WHERE sourceType = 'webhook' 
ORDER BY receivedAt DESC 
LIMIT 10

Example Log Data

You can send any JSON data you want. Here are some examples:

# User activity
curl -X POST https://api.runreveal.com/sources/hook/YOUR_WEBHOOK_ID \
  -H "Content-Type: application/json" \
  -d '{
    "user": "[email protected]",
    "action": "login",
    "ip": "192.168.1.100"
  }'
 
# Application error
curl -X POST https://api.runreveal.com/sources/hook/YOUR_WEBHOOK_ID \
  -H "Content-Type: application/json" \
  -d '{
    "level": "ERROR",
    "message": "Database connection failed",
    "service": "my-app",
    "error_code": "DB_CONN_ERROR"
  }'
 
# System status
curl -X POST https://api.runreveal.com/sources/hook/YOUR_WEBHOOK_ID \
  -H "Content-Type: application/json" \
  -d '{
    "status": "healthy",
    "cpu_usage": 45.2,
    "memory_usage": 67.8,
    "hostname": "web-server-01"
  }'

Querying Your Data

Since webhook data is stored as JSON, use JSONExtractString() to get specific fields from the rawLog column:

-- Find all error messages
SELECT receivedAt, 
       sourceType,
       JSONExtractString(rawLog, 'level') as level,
       JSONExtractString(rawLog, 'message') as message,
       JSONExtractString(rawLog, 'service') as service,
       JSONExtractString(rawLog, 'error_code') as error_code,
       rawLog
FROM logs 
WHERE sourceType = 'webhook' 
  AND JSONExtractString(rawLog, 'level') = 'ERROR'
ORDER BY receivedAt DESC 
LIMIT 5;
 
-- Find specific user actions
SELECT receivedAt, 
       sourceType,
       JSONExtractString(rawLog, 'user') as user,
       JSONExtractString(rawLog, 'action') as action,
       JSONExtractString(rawLog, 'ip') as ip,
       rawLog
FROM logs 
WHERE sourceType = 'webhook' 
  AND JSONExtractString(rawLog, 'user') = '[email protected]'
ORDER BY receivedAt DESC 
LIMIT 5;
 
-- Count events by level
SELECT 
  JSONExtractString(rawLog, 'level') as level,
  count() as count
FROM logs 
WHERE sourceType = 'webhook' 
GROUP BY level
ORDER BY count DESC;

Schema

The following columns are exposed for this source. RunReveal applies schema normalization across all sources, ensuring uniform field names and data types for cross-source queries and reusable detection logic.

Table: runreveal_logs (22 columns)

Column	Type
`id`	String
`receivedAt`	DateTime
`workspaceID`	String
`sourceType`	String
`sourceID`	String
`eventID`	String
`eventName`	String
`eventTime`	DateTime
`readOnly`	Bool
`srcIP`	String
`resources`	Array(String)
`serviceName`	String
`srcASOrganization`	Nullable(String)
`srcASNumber`	Nullable(UInt32)
`srcASCountryCode`	Nullable(String)
`dstIP`	String
`dstASOrganization`	Nullable(String)
`dstASNumber`	Nullable(UInt32)
`dstASCountryCode`	Nullable(String)
`actor`	Map(String, String)
`tags`	Map(String, String)
`rawLog`	String

On this page