Log Management Data Security

This page is about the security of data sent to Datadog. If you're looking for cloud and application security products and features, see the Security section.

The Log Management product supports multiple environments and formats, allowing you to submit to Datadog nearly any data you choose. This article describes the main security guarantees and filtering controls available to you when submitting logs to Datadog.

Note: Logs can be viewed in various Datadog products. All logs viewed in the Datadog UI, including logs viewed in APM trace pages, are part of the Log Management product.

Information security

The Datadog Agent submits logs to Datadog either through HTTPS or through TLS-encrypted TCP connection on port 10516, requiring outbound communication (see Agent Transport for logs).

Datadog uses symmetric encryption at rest (AES-256) for indexed logs. Indexed logs are deleted from the Datadog platform once their retention period, as defined by you, expires.

Logs filtering

In version 6 or above, the Agent can be configured to filter logs sent by the Agent to the Datadog application. To prevent the submission of specific logs, use the log_processing_rules setting, with the exclude_at_match or include_at_match type. This setting enables the creation of a list containing one or more regular expressions, which instructs the Agent to filter out logs based on the inclusion or exclusion rules supplied.

Logs obfuscation

As of version 6, the Agent can be configured to obfuscate specific patterns within logs sent by the Agent to the Datadog application. To mask sensitive sequences within your logs, use the log_processing_rules setting, with the mask_sequences type. This setting enables the creation of a list containing one or more regular expressions, which instructs the Agent to redact sensitive data within your logs.

HIPAA-enabled customers

Datadog will sign a Business Associate Agreement (BAA) with customers that transmit protected health information (ePHI) through Datadog’s HIPAA-eligible services.

These restrictions are imposed on customers who have signed Datadog’s BAA:

  • Users cannot request support through Zendesk Live Chat.
  • Users cannot share logs or security signals from the Datadog explorer.

If you have any questions about how the Log Management Service satisfies the applicable requirements under HIPAA, contact your account manager. HIPAA-enabled customers do not need to use specific endpoints to submit logs to enforce specific encryptions. The encryptions are enabled on all log submission endpoints.

PCI DSS compliance for Log Management

PCI DSS compliance for Log Management is only available for Datadog organizations in the US1 site.

Datadog allows customers to send logs to PCI DSS compliant Datadog organizations upon request. To set up a PCI-compliant Datadog org, follow these steps:

To set up PCI-compliant Log Management, you must meet the following requirements:

  • Audit Trail must be enabled and remain enabled for PCI DSS compliance. If you haven’t already enabled Audit Trail, it is automatically enabled once the org is configured as PCI-compliant (after following the steps below).
  • Your Datadog organization is in the US1 site.
  • All logs sent to the PCI endpoints using HTTPS only. If you are using the Agent to send logs, you should enforce HTTPS transport.
  • All your endpoints need to be changed to the PCI endpoints.
  • You may request access to the PCI Attestation of Compliance and Customer Responsibility Matrix on Datadog’s Trust Center - note that these documents are only applicable once you have finished all the onboarding steps and have been manually configured to be compliant by Datadog support.

To begin onboarding:

  1. Contact Datadog support or your Customer Success Manager to request to being the PCI onboarding process while ensuring the necessary PCI requirements are met.
  2. After Datadog support or Customer Success confirms that the org is ready to onboard, configure the respective configuration file to send all your logs to the dedicated PCI compliant endpoint(s):
  • agent-http-intake-pci.logs.datadoghq.com:443 for Agent traffic
  • http-intake-pci.logs.datadoghq.com:443 for non-Agent traffic
  • pci.browser-intake-datadoghq.com:443 for browser logs
  1. For example, add the following lines to the Agent configuration file:
logs_config:
  logs_dd_url: <agent-http-intake-pci.logs.datadoghq.com:443>
  1. All logs that are sent to the PCI compliant endpoint(s) automatically have a set of Sensitive Data Scanner PCI rules that are applied to scrub any cardholder data. These dedicated PCI rules must be enalbed for PCI DSS compliance and are included with no additional charge.

To finish onboarding and be moved to compliant:

  1. Inform your Datadog support or your Customer Success Manager that you have moved over all your endpoints to the PCI compliant endpoint(s).
  2. Once confirmed by Datadog, your Logs and Log Management is considered to be PCI-compliant.

If you have any questions about how your now PCI-compliant Log Management satisfies the applicable requirements under PCI DSS, contact your account manager. See information on setting up PCI-compliant Application Performance Monitoring.

See PCI DSS Compliance for more information. To enable PCI compliance for APM, see PCI DSS compliance for APM.

PCI DSS compliance for Log Management is not available for the site.

Endpoint encryption

All log submission endpoints are encrypted. These legacy endpoints are still supported:

  • tcp-encrypted-intake.logs.datadoghq.com
  • lambda-tcp-encrypted-intake.logs.datadoghq.com
  • gcp-encrypted-intake.logs.datadoghq.com
  • http-encrypted-intake.logs.datadoghq.com

Further Reading

Additional helpful documentation, links, and articles:

Review the main categories of data submitted to DatadogDOCUMENTATION more more Set up a PCI-compliant Datadog organizationDOCUMENTATION more more Announcing PCI-Compliant Log Management and APM from DatadogBLOG more more
PREVIEWING: bartol/timeshift-docs