- 필수 기능
- 시작하기
- Glossary
- 표준 속성
- Guides
- Agent
- 통합
- 개방형텔레메트리
- 개발자
- Administrator's Guide
- API
- Datadog Mobile App
- CoScreen
- Cloudcraft
- 앱 내
- 서비스 관리
- 인프라스트럭처
- 애플리케이션 성능
- APM
- Continuous Profiler
- 스팬 시각화
- 데이터 스트림 모니터링
- 데이터 작업 모니터링
- 디지털 경험
- 소프트웨어 제공
- 보안
- AI Observability
- 로그 관리
- 관리
The Log Management product supports multiple environments and formats, allowing you to submit to Datadog nearly any data you choose. This article describes the main security guarantees and filtering controls available to you when submitting logs to Datadog.
Note: Logs can be viewed in various Datadog products. All logs viewed in the Datadog UI, including logs viewed in APM trace pages, are part of the Log Management product.
The Datadog Agent submits logs to Datadog either through HTTPS or through TLS-encrypted TCP connection on port 10516, requiring outbound communication (see Agent Transport for logs).
Datadog uses symmetric encryption at rest (AES-256) for indexed logs. Indexed logs are deleted from the Datadog platform once their retention period, as defined by you, expires.
In version 6 or above, the Agent can be configured to filter logs sent by the Agent to the Datadog application. To prevent the submission of specific logs, use the log_processing_rules
setting, with the exclude_at_match or include_at_match type
. This setting enables the creation of a list containing one or more regular expressions, which instructs the Agent to filter out logs based on the inclusion or exclusion rules supplied.
As of version 6, the Agent can be configured to obfuscate specific patterns within logs sent by the Agent to the Datadog application. To mask sensitive sequences within your logs, use the log_processing_rules
setting, with the mask_sequences type
. This setting enables the creation of a list containing one or more regular expressions, which instructs the Agent to redact sensitive data within your logs.
Alteratively, use Sensitive Data Scanner in the cloud or with the Agent to identify, tag, and redact sensitive data. In Sensitive Data Scanner, you set up a scanning group to define what data to scan and then set up scanning rules to determine what sensitive information to match within the data. You can choose whether to redact the data if there is a match. Datadog provides a library of predefined rules to detect sensitive information such as credit card numbers, email addresses, IP addresses, API keys, and more. You can also define your own regex-based scanning rules to identify sensitive information.
Sensitive Data Scanner is also available as a processor in Observability Pipelines. With Observability Pipelines, you can collect and process logs within your own infrastructure and then route them to downstream integrations.
Datadog will sign a Business Associate Agreement (BAA) with customers that transmit protected health information (ePHI) through Datadog’s HIPAA-eligible services.
These restrictions are imposed on customers who have signed Datadog’s BAA:
If you have any questions about how the Log Management Service satisfies the applicable requirements under HIPAA, contact your account manager. HIPAA-enabled customers do not need to use specific endpoints to submit logs to enforce specific encryptions. The encryptions are enabled on all log submission endpoints.
Datadog allows customers to send logs to PCI DSS compliant Datadog organizations upon request. To set up a PCI-compliant Datadog org, follow these steps:
To set up PCI-compliant Log Management, you must meet the following requirements:
To begin onboarding:
agent-http-intake-pci.logs.datadoghq.com:443
for Agent traffichttp-intake-pci.logs.datadoghq.com:443
for non-Agent trafficpci.browser-intake-datadoghq.com:443
for browser logslogs_config:
logs_dd_url: <agent-http-intake-pci.logs.datadoghq.com:443>
To finish onboarding and be moved to compliant:
If you have any questions about how your now PCI-compliant Log Management satisfies the applicable requirements under PCI DSS, contact your account manager. See information on setting up PCI-compliant Application Performance Monitoring.
See PCI DSS Compliance for more information. To enable PCI compliance for APM, see PCI DSS compliance for APM.
PCI DSS compliance for Log Management is not available for the site.
All log submission endpoints are encrypted. These legacy endpoints are still supported:
tcp-encrypted-intake.logs.datadoghq.com
lambda-tcp-encrypted-intake.logs.datadoghq.com
gcp-encrypted-intake.logs.datadoghq.com
http-encrypted-intake.logs.datadoghq.com