GitLab S3 Streaming Audit Logs
GitLab S3 streaming is only available to GitLab Ultimate customers.
GitLab Audit Logs provide a detailed record of events and actions taken within a GitLab instance, helping organizations track changes for security and compliance purposes. The logs capture information such as user activity (e.g., login attempts, project changes, and group modifications), timestamps, and the specific actions performed, enabling administrators to monitor user behavior, investigate incidents, and ensure adherence to security policies.
Ingest Methods
Set up the ingestion of this source using one of the following guides.
If using an AWS S3 bucket, use the following SNS topic ARN to send your bucket notifications.
arn:aws:sns:<REGION>:253602268883:runreveal_gitlab
SNS topic & Custom SQS. Use the ARN above in your event notification tied to your S3 bucket—the topic name must match (runreveal_…; hyphens in the source id become underscores). For Custom SQS, set the queue URL and region in RunReveal; see AWS S3 Bucket with Custom SQS.
Note: BYOC, On-Prem, and BYODB customers must use their AWS account ID in the ARN instead of 253602268883.
Setup
Follow GitLab’s docs on how to enable log streaming in your account. RunReveal does not currently support GitLab HTTP destinations.
https://docs.gitlab.com/ee/user/compliance/audit_event_streaming.html
Schema
The following columns are exposed for this source. RunReveal applies schema normalization across all sources, ensuring uniform field names and data types for cross-source queries and reusable detection logic.
Table: gitlab_logs (48 columns)
| Column | Type |
|---|---|
| workspaceID | String |
| sourceID | String |
| sourceType | LowCardinality(String) |
| sourceTTL | UInt32 |
| receivedAt | DateTime |
| id | String |
| eventTime | DateTime |
| eventName | String |
| eventID | String |
| srcIP | String |
| srcASCountryCode | String |
| srcASNumber | UInt32 |
| srcASOrganization | String |
| srcCity | String |
| srcConnectionType | String |
| srcISP | String |
| srcLatitude | Float64 |
| srcLongitude | Float64 |
| srcUserType | String |
| dstIP | String |
| dstASCountryCode | String |
| dstASNumber | UInt32 |
| dstASOrganization | String |
| dstCity | String |
| dstConnectionType | String |
| dstISP | String |
| dstLatitude | Float64 |
| dstLongitude | Float64 |
| dstUserType | String |
| actor | Map(String, String) |
| tags | Map(String, String) |
| resources | Array(String) |
| serviceName | String |
| readOnly | Bool |
| rawLog | String |
| gitlabID | String |
| createdAt | String |
| eventType | String |
| authorID | String |
| authorName | String |
| ipAddress | String |
| entityID | String |
| entityType | String |
| entityPath | String |
| targetID | String |
| targetType | String |
| targetDetails | String |
| details | String |
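
A detection query over the gitlab_logs columns listed above, added here as an example and not taken from RunReveal's or GitLab's documentation: it lists audit-event authors seen from more than one source country within a 24-hour window. It assumes the table is queried with ClickHouse SQL (which the column types suggest) and that srcASCountryCode is filled in for events with a source IP; the window, threshold and row limit are illustrative values.

```sql
-- Added example: GitLab audit-event authors seen from more than one
-- source country in the last 24 hours.
-- All column names come from the gitlab_logs schema above.
-- Assumptions: ClickHouse SQL dialect; the 24-hour window, the
-- "more than one country" threshold and LIMIT 100 are values to tune.
SELECT
    authorID,
    authorName,
    uniqExact(srcASCountryCode)      AS countries,     -- distinct countries
    groupUniqArray(srcASCountryCode) AS countryCodes,  -- which countries
    groupUniqArray(srcIP)            AS sourceIPs,     -- which addresses
    groupUniqArray(eventName)        AS eventNames,    -- what was done
    min(eventTime)                   AS firstSeen,
    max(eventTime)                   AS lastSeen,
    count()                          AS events
FROM gitlab_logs
WHERE eventTime >= now() - INTERVAL 24 HOUR
  AND srcASCountryCode != ''   -- skip rows without a resolved country
  AND authorID != ''           -- skip rows without an author
GROUP BY authorID, authorName
HAVING countries > 1
ORDER BY countries DESC, events DESC
LIMIT 100;
```

Authors that legitimately work through VPN or CI egress points will appear here, so review sourceIPs and eventNames before treating a row as an incident.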