Log Collection and Integrations
Overview
Choose a configuration option below to begin ingesting your logs. If you are already using a log-shipper daemon, refer to the dedicated documentation for Rsyslog, Syslog-ng, NXlog, FluentD, or Logstash.
Consult the list of available Datadog log collection endpoints if you want to send your logs directly to Datadog.
Note: When sending logs in a JSON format to Datadog, there is a set of reserved attributes that have a specific meaning within Datadog. See the Reserved Attributes section to learn more.
Setup
- Install the Datadog Agent.
- To enable log collection, change
logs_enabled: false
to logs_enabled: true
in your Agent’s main configuration file (datadog.yaml
). See the Host Agent Log collection documentation for more information and examples. - Follow your application language installation instructions to configure a logger and start generating logs:
Choose a container or orchestrator provider and follow their dedicated log collection instructions:
Notes:
Use the Datadog Forwarder, an AWS Lambda function that ships logs from your environment to Datadog. To enable log collection in your AWS serverless environment, refer to the Datadog Forwarder documentation.
Select your Cloud provider below to see how to automatically collect your logs and forward them to Datadog:
Datadog integrations and log collection are tied together. You can use an integration’s default configuration file to enable dedicated processors, parsing, and facets in Datadog. To begin log collection with an integration:
- Select an integration from the Integrations page and follow the setup instructions.
- Follow the integration’s log collection instructions. This section covers how to uncomment the logs section in that integration’s
conf.yaml
file and configure it for your environment.
Reduce data transfer fees
Use Datadog’s Cloud Network Monitoring to identify your organization’s highest throughput applications. Connect to Datadog over supported private connections and send data over a private network to avoid the public internet and reduce your data transfer fees. After you switch to private links, use Datadog’s Cloud Cost Management tools to verify the impact and monitor the reduction in your cloud costs.
For more information, see How to send logs to Datadog while reducing data transfer fees.
Additional configuration options
Logging endpoints
Datadog provides logging endpoints for both SSL-encrypted connections and unencrypted connections. Use the encrypted endpoint when possible. The Datadog Agent uses the encrypted endpoint to send logs to Datadog. More information is available in the Datadog security documentation.
Supported endpoints
Use the site selector dropdown on the right side of the page to see supported endpoints by Datadog site.
Site | Type | Endpoint | Port | Description |
---|
US | HTTPS | http-intake.logs.datadoghq.com | 443 | Used by custom forwarder to send logs in JSON or plain text format over HTTPS. See the Logs HTTP API documentation. |
US | HTTPS | agent-http-intake-pci.logs.datadoghq.com | 443 | Used by the Agent to send logs over HTTPS to an org with PCI DSS compliance enabled. See PCI DSS compliance for Log Management for more information. |
US | HTTPS | agent-http-intake.logs.datadoghq.com | 443 | Used by the Agent to send logs in JSON format over HTTPS. See the Host Agent Log collection documentation. |
US | HTTPS | lambda-http-intake.logs.datadoghq.com | 443 | Used by Lambda functions to send logs in raw, Syslog, or JSON format over HTTPS. |
US | HTTPS | logs.
| 443 | Used by the Browser SDK to send logs in JSON format over HTTPS. |
US | TCP | agent-intake.logs.datadoghq.com | 10514 | Used by the Agent to send logs without TLS. |
US | TCP and TLS | agent-intake.logs.datadoghq.com | 10516 | Used by the Agent to send logs with TLS. |
US | TCP and TLS | intake.logs.datadoghq.com | 443 | Used by custom forwarders to send logs in raw, Syslog, or JSON format over an SSL-encrypted TCP connection. |
US | TCP and TLS | functions-intake.logs.datadoghq.com | 443 | Used by Azure functions to send logs in raw, Syslog, or JSON format over an SSL-encrypted TCP connection. Note: This endpoint may be useful with other cloud providers. |
US | TCP and TLS | lambda-intake.logs.datadoghq.com | 443 | Used by Lambda functions to send logs in raw, Syslog, or JSON format over an SSL-encrypted TCP connection. |
Site | Type | Endpoint | Port | Description |
---|
EU | HTTPS | http-intake.logs.datadoghq.eu | 443 | Used by custom forwarder to send logs in JSON or plain text format over HTTPS. See the Logs HTTP API documentation. |
EU | HTTPS | agent-http-intake.logs.datadoghq.eu | 443 | Used by the Agent to send logs in JSON format over HTTPS. See the Host Agent Log collection documentation. |
EU | HTTPS | lambda-http-intake.logs.datadoghq.eu | 443 | Used by Lambda functions to send logs in raw, Syslog, or JSON format over HTTPS. |
EU | HTTPS | logs.
| 443 | Used by the Browser SDK to send logs in JSON format over HTTPS. |
EU | TCP and TLS | agent-intake.logs.datadoghq.eu | 443 | Used by the Agent to send logs in protobuf format over an SSL-encrypted TCP connection. |
EU | TCP and TLS | functions-intake.logs.datadoghq.eu | 443 | Used by Azure functions to send logs in raw, Syslog, or JSON format over an SSL-encrypted TCP connection. Note: This endpoint may be useful with other cloud providers. |
EU | TCP and TLS | lambda-intake.logs.datadoghq.eu | 443 | Used by Lambda functions to send logs in raw, Syslog, or JSON format over an SSL-encrypted TCP connection. |
Site | Type | Endpoint | Port | Description |
---|
US3 | HTTPS | http-intake.logs.us3.datadoghq.com | 443 | Used by custom forwarder to send logs in JSON or plain text format over HTTPS. See the Logs HTTP API documentation. |
US3 | HTTPS | lambda-http-intake.logs.us3.datadoghq.com | 443 | Used by Lambda functions to send logs in raw, Syslog, or JSON format over HTTPS. |
US3 | HTTPS | agent-http-intake.logs.us3.datadoghq.com | 443 | Used by the Agent to send logs in JSON format over HTTPS. See the Host Agent Log collection documentation. |
US3 | HTTPS | logs.
| 443 | Used by the Browser SDK to send logs in JSON format over HTTPS. |
Site | Type | Endpoint | Port | Description |
---|
US5 | HTTPS | http-intake.logs.us5.datadoghq.com | 443 | Used by custom forwarder to send logs in JSON or plain text format over HTTPS. See the Logs HTTP API documentation. |
US5 | HTTPS | lambda-http-intake.logs.us5.datadoghq.com | 443 | Used by Lambda functions to send logs in raw, Syslog, or JSON format over HTTPS. |
US5 | HTTPS | agent-http-intake.logs.us5.datadoghq.com | 443 | Used by the Agent to send logs in JSON format over HTTPS. See the Host Agent Log collection documentation. |
US5 | HTTPS | logs.
| 443 | Used by the Browser SDK to send logs in JSON format over HTTPS. |
Site | Type | Endpoint | Port | Description |
---|
AP1 | HTTPS | http-intake.logs.ap1.datadoghq.com | 443 | Used by custom forwarder to send logs in JSON or plain text format over HTTPS. See the Logs HTTP API documentation. |
AP1 | HTTPS | lambda-http-intake.logs.ap1.datadoghq.com | 443 | Used by Lambda functions to send logs in raw, Syslog, or JSON format over HTTPS. |
AP1 | HTTPS | agent-http-intake.logs.ap1.datadoghq.com | 443 | Used by the Agent to send logs in JSON format over HTTPS. See the Host Agent Log collection documentation. |
AP1 | HTTPS | logs.
| 443 | Used by the Browser SDK to send logs in JSON format over HTTPS. |
Site | Type | Endpoint | Port | Description |
---|
US1-FED | HTTPS | http-intake.logs.ddog-gov.com | 443 | Used by custom forwarder to send logs in JSON or plain text format over HTTPS. See the Logs HTTP API documentation. |
US1-FED | HTTPS | lambda-http-intake.logs.ddog-gov.datadoghq.com | 443 | Used by Lambda functions to send logs in raw, Syslog, or JSON format over HTTPS. |
US1-FED | HTTPS | agent-http-intake.logs.ddog-gov.datadoghq.com | 443 | Used by the Agent to send logs in JSON format over HTTPS. See the Host Agent Log collection documentation. |
US1-FED | HTTPS | logs.
| 443 | Used by the Browser SDK to send logs in JSON format over HTTPS. |
Custom log forwarding
Any custom process or logging library able to forward logs through TCP or HTTP can be used in conjunction with Datadog Logs.
You can manually test your connection using OpenSSL, GnuTLS, or another SSL/TLS client. For GnuTLS, run the following command:
gnutls-cli intake.logs.datadoghq.com:10516
For OpenSSL, run the following command:
openssl s_client -connect intake.logs.datadoghq.com:10516
You must prefix the log entry with your Datadog API Key and add a payload.
<DATADOG_API_KEY> Log sent directly using TLS
Your payload, or Log sent directly using TLS
as written in the example, can be in raw, Syslog, or JSON format. If your payload is in JSON format, Datadog automatically parses its attributes.
<DATADOG_API_KEY> {"message":"json formatted log", "ddtags":"env:my-env,user:my-user", "ddsource":"my-integration", "hostname":"my-hostname", "service":"my-service"}
You can manually test your connection using OpenSSL, GnuTLS, or another SSL/TLS client. For GnuTLS, run the following command:
gnutls-cli tcp-intake.logs.datadoghq.eu:443
For OpenSSL, run the following command:
openssl s_client -connect tcp-intake.logs.datadoghq.eu:443
You must prefix the log entry with your Datadog API Key and add a payload.
<DATADOG_API_KEY> Log sent directly using TLS
Your payload, or Log sent directly using TLS
as written in the example, can be in raw, Syslog, or JSON format. If your payload is in JSON format, Datadog automatically parses its attributes.
<DATADOG_API_KEY> {"message":"json formatted log", "ddtags":"env:my-env,user:my-user", "ddsource":"my-integration", "hostname":"my-hostname", "service":"my-service"}
The TCP endpoint is not recommended for this site. Contact support for more information.
The TCP endpoint is not supported for this site.
Notes:
- The HTTPS API supports logs of sizes up to 1MB. However, for optimal performance, it is recommended that an individual log be no greater than 25K bytes. If you use the Datadog Agent for logging, it is configured to split a log at 256kB (256000 bytes).
- A log event should not have more than 100 tags, and each tag should not exceed 256 characters for a maximum of 10 million unique tags per day.
- A log event converted to JSON format should contain less than 256 attributes. Each of those attribute’s keys should be less than 50 characters, nested in less than 20 successive levels, and their respective value should be less than 1024 characters if promoted as a facet.
- Log events can be submitted with a timestamp that is up to 18h in the past.
Log events that do not comply with these limits might be transformed or truncated by the system or not indexed if outside the provided time range. However, Datadog tries to preserve as much user data as possible.
There is an additional truncation in fields that applies only to indexed logs: the value is truncated to 75 KiB for the message field and 25 KiB for non-message fields. Datadog still stores the full text, and it remains visible in regular list queries in the Logs Explorer. However, the truncated version will be displayed when performing a grouped query, such as when grouping logs by that truncated field or performing similar operations that display that specific field.
Attributes prescribe logs facets, which are used for filtering and searching in Log Explorer. See the dedicated attributes and aliasing documentation for a list of reserved and standard attributes and to learn how to support a naming convention with logs attributes and aliasing.
Attributes for stack traces
When logging stack traces, there are specific attributes that have a dedicated UI display within your Datadog application such as the logger name, the current thread, the error type, and the stack trace itself.
To enable these functionalities use the following attribute names:
Attribute | Description |
---|
logger.name | Name of the logger |
logger.thread_name | Name of the current thread |
error.stack | Actual stack trace |
error.message | Error message contained in the stack trace |
error.kind | The type or “kind” of an error (for example, “Exception”, or “OSError”) |
Note: By default, integration Pipelines attempt to remap default logging library parameters to those specific attributes and parse stack traces or traceback to automatically extract the error.message
and error.kind
.
For more information, see the complete source code attributes documentation.
Next steps
Once logs are collected and ingested, they are available in Log Explorer. Log Explorer is where you can search, enrich, and view alerts on your logs. See the Log Explorer documentation to begin analyzing your log data, or see the additional log management documentation below.
Further Reading
Additional helpful documentation, links, and articles:
*Logging without Limits is a trademark of Datadog, Inc.