Turbopuffer Audit Logs
Turbopuffer audit logs provide a record of actions performed within your organization. These logs capture user activity such as invitation management, API key creation and expiration, session lifecycle events, and automatic system actions. They are available on Scale and Enterprise plans and can be streamed to external destinations including S3, GCS, and custom HTTPS endpoints.
Ingest Methods
Setup the ingestion of this source using one of the following guides.
- AWS S3
- AWS S3 Bucket with Custom SQS
- Azure Storage Account
- Google Cloud Storage
- Cloudflare R2 Bucket
If using an AWS S3 bucket use the following SNS topic ARN to send your bucket notifications.
SNS topic & Custom SQS. Use the ARN above in your event notification tied to your S3 bucket—the topic name must match (runreveal_…; hyphens in the source id become underscores). For Custom SQS, set the queue URL and region in RunReveal; see AWS S3 Bucket with Custom SQS.
Note: BYOC, On-Prem, and BYODB customers must use their AWS account ID in the ARN instead of 253602268883.
Setup
- Contact Turbopuffer to enable audit logs for your organization (available on Scale and Enterprise plans).
- Configure audit log streaming to your preferred object storage destination (S3, GCS, or a custom HTTPS endpoint).
- Create a new Turbopuffer source in RunReveal and configure the storage settings to point at your bucket.
For more details, see the Turbopuffer audit logs documentation.
Verification
After setup, verify events are flowing by running a query in RunReveal:
Event Types
Turbopuffer audit logs capture the following actions:
| Action | Description |
|---|---|
invitation-created | A user initiated an invitation |
invitation-accepted | A user accepted an invitation |
invitation-revoked | A user revoked an invitation |
user-added | System automatically added a user |
user-removed | A user removed another user |
api-key-created | A user generated an API key |
api-key-marked-as-expired | A user expired an API key |
session-created | A user initiated a session |
session-revoked | A user revoked a session |
Schema
The following columns are exposed for this source. RunReveal applies schema normalization across all sources, ensuring uniform field names and data types for cross-source queries and reusable detection logic.
Table: turbopuffer_audit_logs (22 columns)
turbopuffer_audit_logs (22 columns)| Column | Type |
|---|---|
id | String |
receivedAt | DateTime |
workspaceID | String |
sourceType | String |
sourceID | String |
eventID | String |
eventName | String |
eventTime | DateTime |
readOnly | Bool |
srcIP | String |
resources | Array(String) |
serviceName | String |
srcASOrganization | Nullable(String) |
srcASNumber | Nullable(UInt32) |
srcASCountryCode | Nullable(String) |
dstIP | String |
dstASOrganization | Nullable(String) |
dstASNumber | Nullable(UInt32) |
dstASCountryCode | Nullable(String) |
actor | Map(String, String) |
tags | Map(String, String) |
rawLog | String |
Helpful Links
- Turbopuffer Audit Logs - Official documentation for audit log streaming and event schema