Overview
Events Forwarding sends logs, audit logs, security spans, security signals, and cloud workload security events from Datadog to custom destinations such as Splunk, Elasticsearch, and HTTP endpoints. Use Events Forwarding to route security and observability data to third-party SIEMs, data lakes, or internal tools.
Events Forwarding supports the following data types:
Note: For logs, additional destination types are available (Microsoft Sentinel, Google Chronicle). See Forwarding Logs to Custom Destinations for details.
Prerequisites
Permissions
Forwarding rules require data-type-specific permissions. The following table lists the required permission for each data type.
Set up events forwarding
Events Forwarding uses the same destination types and configuration as log forwarding. For detailed instructions on setting up destinations, see Forwarding Logs to Custom Destinations.
Sending events to a custom destination is outside of the Datadog GovCloud environment, which is outside the control of Datadog. Datadog shall not be responsible for any events that have left the Datadog GovCloud environment, including without limitation, any obligations or requirements that the user may have related to FedRAMP, DoD Impact Levels, ITAR, export compliance, data residency or similar regulations applicable to such events.
To set up a forwarding rule:
- Navigate to Security Settings > Events Forwarding.
- Click New Destination.
- Select the data type you want to forward.
- Enter a query to filter events. Only matching events are forwarded.
- Select and configure the destination type.
- Click Save.
Supported destination types
The following destination types are available for all data types:
- HTTP - Send events to any HTTPS endpoint with basic authentication or custom headers.
- Splunk - Forward events using Splunk’s HTTP Event Collector (HEC).
- Elasticsearch - Send events to an Elasticsearch cluster with configurable index rotation.
For logs, these destinations are also supported: Microsoft Sentinel and Google Chronicle. See Forwarding Logs to Custom Destinations for setup details.
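On the receiving side of an HTTP destination, the endpoint has to verify the credential the forwarder presents before accepting events. The following is an added example, not Datadog code, of one way to check either basic authentication or a custom header with constant-time comparisons; the credential values and the `x-forwarder-token` header name are constructed for illustration.

```python
import base64
import binascii
import hmac

# Constructed credentials for this example; load real ones from a secret store.
EXPECTED_USER = "dd-forwarder"
EXPECTED_PASSWORD = "constructed-example-password"
EXPECTED_HEADER_NAME = "x-forwarder-token"  # hypothetical custom header name
EXPECTED_HEADER_VALUE = "constructed-example-token"


def _eq(a: str, b: str) -> bool:
    """Constant-time comparison so response timing does not leak the secret."""
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


def check_basic(authorization: str) -> bool:
    """Validate an 'Authorization: Basic <base64(user:password)>' value."""
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "basic" or not token:
        return False
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return False  # malformed base64 or non-UTF-8 bytes: reject, do not crash
    user, sep, password = decoded.partition(":")
    if not sep:
        return False
    # Evaluate both comparisons before combining them, so a wrong user name
    # does not short-circuit the password check.
    user_ok = _eq(user, EXPECTED_USER)
    password_ok = _eq(password, EXPECTED_PASSWORD)
    return user_ok and password_ok


def authorize(headers: dict, mode: str) -> bool:
    """Accept only the scheme the endpoint is configured for: 'basic' or 'header'."""
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    if mode == "basic":
        return check_basic(lowered.get("authorization", ""))
    if mode == "header":
        return _eq(lowered.get(EXPECTED_HEADER_NAME, ""), EXPECTED_HEADER_VALUE)
    return False
```

Pinning the endpoint to a single mode keeps a request that carries the other credential type from being accepted by accident.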
Monitoring
The following metrics report on events that have been forwarded successfully, including events that were sent successfully after retries, as well as events that were dropped:
- datadog.forwarding.<data_type>.bytes
- datadog.forwarding.<data_type>.count
Where <data_type> corresponds to the forwarded data type (for example, logs, trace, signal, secruntime).