This article is part of a series on data security.
The Log Management product supports multiple environments and formats, allowing customers the flexibility to submit to Datadog nearly any data they choose. This article describes the main security guarantees and filtering controls available to users when submitting Logs to Datadog.
The Datadog Agent submits Logs to Datadog over a TLS-encrypted TCP connection, requiring an outbound communication over port 10516. Datadog uses symmetric encryption at rest (AES-256) for indexed Logs. Indexed Logs are deleted from the Datadog platform once their retention period, as defined by the customer, expires.
For customers using release 6, the Agent can be configured to filter Logs sent by the Agent to the Datadog application. To prevent the submission of specific Logs, use the log_processing_rules setting, with the exclude_at_match or include_at_match type. This setting enables the creation of a list containing one or more regular expressions, which instructs the Agent to filter out Logs based on a whitelist or blacklist.
For customers using release 6, the Agent can be configured to obfuscate specific patterns within Logs sent by the Agent to the Datadog application. To mask sensitive sequences within your Logs, use the log_processing_rules setting, with the mask_sequences type. This setting enables the creation of a list containing one or more regular expressions, which instructs the Agent to redact sensitive data within your Logs.
Additional helpful documentation, links, and articles:
