AWS service logs are usually stored in S3 buckets or CloudWatch Log groups. It is possible to subscribe to these logs and forward them to an Amazon Kinesis stream to then forward them to one or multiple destinations. Datadog is one of the default destinations for Amazon Kinesis Delivery streams. AWS fully manages Amazon Kinesis Data Firehose, so you don’t need to maintain any additional infrastructure or forwarding configurations for streaming logs. You can set up a Kinesis Firehose Delivery Stream in the AWS Firehose console, or automatically set up the destination using a CloudFormation template:
Datadog recommends using a Kinesis stream as input when using the Datadog Kinesis destination. It gives you the ability to forward your logs to multiple destinations in case Datadog is not the only consumer for those logs. If you only want to send logs to Datadog, or if you already have a Kinesis Datastream with your logs, ignore step 1.
DatadogLogStream, and give it a shard count of 1 (increase the shard count for each MB/s throughput that you need).DatadogLogsforwarder.Direct PUT or other sources if you don’t want to use a Kinesis stream) and select DatadogLogStream (or the existing Kinesis stream that already contains your logs).next.Datadog destination and select the Datadog US or Datadog EU region, depending on the Datadog Region of your account.
APIKEY into the AccessKey box. (You can get your API key from your Datadog API settings page).parameters, which are added as custom tags to your logs.To ensure that logs that fail through the Delivery Stream are still sent to Datadog, configure the Datadog Lambda function to trigger on this S3 bucket.
Alternatively, customize this CloudFormation template and install it from the AWS Console: See the full Kinesis CloudFormation template.
Subscriptions column on the log groups index page to see current subscriptions to your relevant log groups. Add the new Kinesis stream as a subscriber. Note: CloudWatch Log groups can only have two subscriptions each.aws iam create-role command to create the IAM role that gives CloudWatch Logs permission to put logs data into the Kinesis stream.
b. Create a permissions policy allowing the firehose:PutRecord firehose:PutRecordBatch, kinesis:PutRecord and kinesis:PutRecordBatch actions.
c. Attach the permissions policy to your newly created IAM role using the aws iam put-role-policy command.
d. Use the aws logs put-subscription-filter command to subscribe your Kinesis stream to each CloudWatch log group you want to ingest into Datadog.
Example of subscription filter:
aws logs put-subscription-filter \
--log-group-name "MYLOGGROUPNAME" \
--filter-name "MyFilterName" \
--filter-pattern "" \
--destination-arn "DESTINATIONARN (data stream or delivery stream)" \
--role-arn "MYROLEARN"
Important note: The destination of the subscription filter must be in the same account as the log group, as described in the AWS documentation.
3. Check the Subscriptions column in the log groups index page to confirm that the new Kinesis stream is now subscribed to your log groups.
If you want to push logs directly to the delivery stream without going through a Kinesis data stream, you can subscribe the CloudWatch log groups directly to the Kinesis Firehose Destination by adding the Kinesis Firehose ARN in the destination-arn parameter of the subscription filter, as shown in the AWS Subscription Filters documentation (step 12).
Once you have set up an Amazon Kinesis delivery stream, you can analyze the logs subscribed to your delivery stream in Datadog.
To populate all logs by ARN:
@aws.firehose.arn:"<ARN>", replace <ARN> with your Amazon Kinesis Data Firehose ARN, and press Enter.