MENU
      Contents x
      S3
      • 12 Jun 2025
      • 2 Minutes to read
      • Print
      • Dark
      Contents

      S3

      • Updated on 12 Jun 2025
      • 2 Minutes to read
      • Print
      • Dark
      Article summary

      Overview

      This Adapter allows you to ingest files/blobs stored in AWS S3.

      Note that this adapter operates as a sink by default, meaning it will "consume" files from the S3 bucket by deleting them once ingested.

      Configurations

      Adapter Type: s3

      • client_options: common configuration for adapter as defined here.

      • bucket_name: the name of the bucket to ingest from.

      • access_key: an Access Key from S3 used to access the bucket.

      • secret_key: the secret key associated with the access_key used to access the bucket.

      • prefix: only ingest files with a given path prefix. Do not include a leading / in the prefix.

      • single_load: if true, the adapter will not operate as a sink, it will ingest all files in the bucket once and will then exit.

      Infrastructure as Code Deployment

      # AWS S3 Specific Docs: https://docs.limacharlie.io/docs/adapter-types-s3

sensor_type: "s3"
s3:
  bucket_name: "your-s3-bucket-name-for-logs" # (required) the name of the bucket to ingest from.
  access_key: "YOUR_AWS_ACCESS_KEY_ID" # (required) an Access Key from AWS IAM used to access the bucket.
  secret_key: "YOUR_AWS_SECRET_ACCESS_KEY" # (required) the secret key associated with the access_key.
  single_load: false # (optional) if true, ingest all files once then exit. Default is false (continuous).
  prefix: "logs/application_xyz/" # (optional) only ingest files with a given path prefix. Do not include a leading / in the prefix.
  parallel_fetch: 5 # (optional) Number of files to fetch in parallel. e.g., 5. Default may vary.
  client_options:
    identity:
      oid: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" # (required)
      installation_key: "YOUR_LC_INSTALLATION_KEY_S3" # (required)
    hostname: "aws-s3-adapter-prod-01.example.com" # (required if not using sensor_hostname_path)
    platform: "aws_lambda" # (required) e.g., "aws_lambda", "linux"
    architecture: "x86_64" # (optional)
    mapping:
      # S3 often contains structured logs (JSON, CSV, etc.) or gzipped text.
      # parsing_re might be used if files are line-delimited text needing regex.
      # For JSON lines, parsing_re would be null, and event fields accessed directly.
      parsing_re: null # Example for JSON lines: null. For text lines: "^(?P<timestamp>\\S+) (?P<source_ip>\\S+) \\[(?P<user_id>\\S+)\\] (?P<request>.*)$"
      sensor_key_path: "file_metadata.s3_object_key" # (optional) Example using S3 object key or a field within the log data.
      sensor_hostname_path: null # (optional) If client_options.hostname is not set. e.g., "log_data.source_host"
      event_type_path: "S3_LOG_{{ .log_data.event_category | token | upper | default \"GENERIC\" }}" # (optional)
      event_time_path: "log_data.event_timestamp" # (optional)
      investigation_id_path: "log_data.alert_id" # (optional)
      transform:
        "+data_source_type": "aws_s3_bucket"
        "+s3_bucket_name": "{{ .config.bucket_name }}" # Accessing adapter config
        "+s3_object_key": "{{ .routing.original_file_path }}" # If adapter provides this in routing
        # "-raw_log_line": null # If raw log was intermediate
      drop_fields:
      - "internal_s3_metadata_field"
    # mappings: null
    indexing:
      enabled: true
      default_index: "aws-s3-logs-{{ .identity.oid | substr 0 8 }}"
    is_compressed: true # (optional) Often true for S3 logs (e.g., .gz). Adapter usually handles decompression.
    sensor_seed_key: "SEED_KEY_S3_ADAPTER_001" # (required)
    dest_url: "https://input.limacharlie.io" # (optional) The destination URL. Usually defaults correctly.
      YAML

      API Doc

      See the official documentation.

      Was this article helpful?
      Related articles
      What's Next