--- title: Events Forwarding description: Forward security and observability events to custom destinations breadcrumbs: Docs > Datadog Security > Events Forwarding --- # Events Forwarding ## Overview{% #overview %} Events Forwarding sends logs, audit logs, security spans, security signals, and cloud workload security events from Datadog to custom destinations such as Splunk, Elasticsearch, and HTTP endpoints. Use Events Forwarding to route security and observability data to third-party SIEMs, data lakes, or internal tools. Events Forwarding supports the following data types: | Data Type | Description | | ---------------------------------- | ------------------------------------------------------------------------------------------------------------ | | **Logs** | Application and infrastructure logs | | **Audit Logs** | Datadog platform audit events | | **Security Spans** | Traces from [App and API Protection](https://docs.datadoghq.com/security/application_security/) | | **Security Signals** | Signals generated by [Detection Rules](https://docs.datadoghq.com/security/detection_rules/) | | **Cloud Workload Security Events** | Runtime security events from [Workload Protection](https://docs.datadoghq.com/security/workload_protection/) | {% image source="https://datadog-docs.imgix.net/images/security/events_forwarding/events_forwarding_overview.cb6a6420e3b4cc183966da8f612895f3.png?auto=format" alt="The Events Forwarding page showing the list of configured destinations for different data types." /%} **Note**: For logs, additional destination types are available (Microsoft Sentinel, Google Chronicle). See [Forwarding Logs to Custom Destinations](https://docs.datadoghq.com/logs/log_configuration/forwarding_custom_destinations/) for details. ## Prerequisites{% #prerequisites %} ### Permissions{% #permissions %} Forwarding rules require data-type-specific permissions. The following table lists the required permission for each data type. | Data Type | Permission | | ------------------------------ | -------------------------------------------------------------------------------------------------------------- | | Logs | [`logs_write_forwarding_rules`](https://docs.datadoghq.com/account_management/rbac/permissions/) | | Audit Logs | [`audit_logs_write`](https://docs.datadoghq.com/account_management/rbac/permissions/) | | Security Spans | [`apm_pipelines_write`](https://docs.datadoghq.com/account_management/rbac/permissions/) | | Security Signals | [`security_monitoring_signals_write`](https://docs.datadoghq.com/account_management/rbac/permissions/) | | Cloud Workload Security Events | [`security_monitoring_cws_agent_rules_write`](https://docs.datadoghq.com/account_management/rbac/permissions/) | ## Set up Events Forwarding{% #set-up-events-forwarding %} Events Forwarding uses the same destination types and configuration as log forwarding. For detailed instructions on setting up destinations, see [Forwarding Logs to Custom Destinations](https://docs.datadoghq.com/logs/log_configuration/forwarding_custom_destinations/). {% callout %} # Important note for users on the following Datadog sites: app.ddog-gov.com {% alert level="danger" %} - Sending events to a custom destination is outside of the Datadog GovCloud environment, which is outside the control of Datadog. Datadog shall not be responsible for any events that have left the Datadog GovCloud environment, including without limitation, any obligations or requirements that the user may have related to FedRAMP, DoD Impact Levels, ITAR, export compliance, data residency, or similar regulations applicable to such events. - Due to security protocols for the GovCloud site, only ports `443` and `8088` are available for Events Forwarding. If your custom destination uses a different port, contact [Datadog Support](https://docs.datadoghq.com/help) to explore opening your port for outbound communications. {% /alert %} {% /callout %} To set up a forwarding rule: 1. Navigate to [**Security Settings** > **Events Forwarding**](https://app.datadoghq.com/security/configuration/events-forwarding). 1. Click **New Destination**. 1. Select the **data type** you want to forward. 1. Enter a query to filter events. Only matching events are forwarded. 1. Select and configure the **destination type**. 1. Click **Save**. {% image source="https://datadog-docs.imgix.net/images/security/events_forwarding/new_destination.964c340f56140c8d8fddb6808deb489b.png?auto=format" alt="The new destination configuration page showing data type selection, query filter, and destination type options." /%} ### Supported destination types{% #supported-destination-types %} The following destination types are available for all data types: - **HTTP** - Send events to any HTTPS endpoint with basic authentication or custom headers. - **Splunk** - Forward events using Splunk's HTTP Event Collector (HEC). - **Elasticsearch** - Send events to an Elasticsearch cluster with configurable index rotation. For logs, these destinations are also supported: **Microsoft Sentinel** and **Google Chronicle**. See [Forwarding Logs to Custom Destinations](https://docs.datadoghq.com/logs/log_configuration/forwarding_custom_destinations/) for setup details. ## Monitoring{% #monitoring %} The following metrics report on events that have been forwarded successfully, including events that were sent successfully after retries, as well as events that were dropped: - `datadog.forwarding..bytes` - `datadog.forwarding..count` Where `` corresponds to the forwarded data type (for example, `logs`, `trace`, `signal`, `secruntime`). ## Further reading{% #further-reading %} - [Forwarding Logs to Custom Destinations](https://docs.datadoghq.com/logs/log_configuration/forwarding_custom_destinations) - [Detection Rules](https://docs.datadoghq.com/security/detection_rules/) - [Workload Protection](https://docs.datadoghq.com/security/workload_protection/)