Log Management Data Security
This page is about the security of data sent to Datadog. If you're looking for cloud and application security products and features, see the Security
The Log Management product supports multiple environments and formats, allowing you to submit to Datadog nearly any data you choose. This article describes the main security guarantees and filtering controls available to you when submitting logs to Datadog.
Note: Logs can be viewed in various Datadog products. All logs viewed in the Datadog UI, including logs viewed in APM trace pages, are part of the Log Management product.
The Datadog Agent submits logs to Datadog either through HTTPS or through TLS-encrypted TCP connection on port 10516, requiring outbound communication (see Agent Transport for logs).
Datadog uses symmetric encryption at rest (AES-256) for indexed logs. Indexed logs are deleted from the Datadog platform once their retention period, as defined by you, expires.
In version 6 or above, the Agent can be configured to filter logs sent by the Agent to the Datadog application. To prevent the submission of specific logs, use the
log_processing_rules setting, with the exclude_at_match or include_at_match
type. This setting enables the creation of a list containing one or more regular expressions, which instructs the Agent to filter out logs based on the inclusion or exclusion rules supplied.
As of version 6, the Agent can be configured to obfuscate specific patterns within logs sent by the Agent to the Datadog application. To mask sensitive sequences within your logs, use the
log_processing_rules setting, with the mask_sequences
type. This setting enables the creation of a list containing one or more regular expressions, which instructs the Agent to redact sensitive data within your logs.
Datadog will sign a Business Associate Agreement (BAA) with customers that transmit protected health information (ePHI) via Datadog’s Log Management Service.
These features are not available to customers who have signed Datadog’s BAA:
- Users cannot request support through chat.
- Group-by dimensions are limited to host tags, source, service, and status for Log-based Metrics.
- Notifications from Log Monitors cannot include log samples.
- You cannot configure Log Monitors with a
- You cannot share logs, security signals, or traces from the explorer through web integrations.
- Security rules cannot include triggering group-by values in notification title.
- Security rules cannot include message template variables.
- Security rules cannot be notified by webhooks.
If you have any questions about how the Log Management Service satisfies the applicable requirements under HIPAA, contact your account manager. HIPAA-enabled customers do not need to use specific endpoints to submit logs to enforce specific encryptions. The encryptions are enabled on all log submission endpoints.
PCI DSS compliance for Log Management
PCI DSS compliance for Log Management is only available for new Datadog orgs created in the US1 site
Datadog allows customers to send logs to PCI DSS compliant Datadog orgs upon request. To set up a PCI-complaint Datadog org, follow these steps:
- Set up a new Datadog org in the US1 site. PCI DSS compliance is only supported for new orgs created in US1.
- Contact Datadog support or your Customer Success Manager to request that the new org be configured as a PCI-compliant org.
- Enable Audit Trail in the new org. Audit Trail must be enabled and remain enabled for PCI DSS compliance.
- Datadog support or Customer Success confirms that the new org is PCI DSS compliant.
- Update the Datadog Agents to ship logs to the following dedicated PCI-compliant endpoint:
If you have any questions about how the Log Management service satisfies the applicable requirements under PCI DSS, contact your account manager.
PCI DSS compliance for Log Management is not available for the site.
All log submission endpoints are encrypted. These legacy endpoints are still supported:
Additional helpful documentation, links, and articles: