Logs are essential for security investigations, aiding in threat detection, compliance tracking, and security monitoring. Log Management systems correlate logs with observability data for rapid root cause detection. Log management also enables efficient troubleshooting, issue resolution, and security audits.
Once log management is enabled for your organization, you can create a logs monitor to alert you when a specified log type exceeds a user-defined threshold over a given period of time. The logs monitor only evaluates indexed logs.
To create a log monitor in Datadog, use the main navigation: Monitors > New Monitor > Logs.
As you define the search query, the graph above the search fields updates.
Construct a search query using the same logic as a Log Explorer search.
Choose to monitor over a log count, a facet or attribute, or a measure:

- Log count: the number of logs matching the query over the evaluation window.
- Unique value count of a facet or attribute. For example, if you have an attribute such as user.email, the unique value count is the number of unique user emails. Any attribute can be used in a monitor, but only facets are shown in the autocompletion.
- Measure: the numerical value of a log attribute, reduced with one of the aggregations min, avg, sum, median, pc75, pc90, pc95, pc98, pc99, or max.

Group logs by multiple dimensions (optional):

All logs matching the query are aggregated into groups based on the value of tags, attributes, and up to four facets. When there are multiple dimensions, the top values are determined according to the first dimension, then according to the second dimension within the top values of the first dimension, and so on up to the last dimension. The number of top values kept per dimension depends on the total number of dimensions.
Configure the alerting grouping strategy (optional):

- Simple alert: a single alert evaluated over all groups combined.
- Multi alert: a separate alert for each group. For example, monitor system.disk.in_use by device to receive a separate alert for each device that is running out of space.

Trigger when the query meets one of the following conditions compared to a threshold value:

- above
- above or equal to
- below
- below or equal to
- equal to
- not equal to

NO DATA is a state given when no logs match the monitor query during the timeframe.

To receive a notification when all groups matching a specific query have stopped sending logs, set the condition to below 1. This notifies when no logs match the monitor query in a given timeframe across all aggregate groups.

When splitting the monitor by any dimension (tag or facet) and using a below condition, the alert is triggered if and only if there are logs for a given group and the count is below the threshold, or if there are no logs for all of the groups. A single group that stops sending logs entirely while others continue does not, by itself, trigger a below condition, because that group has no count to compare.
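The rules above (the three aggregation kinds, grouping, the six conditions, NO DATA, and the grouped `below` behaviour) are easy to misread, so here is an offline model of them. This is an added example, not Datadog's own evaluation code; the log records are constructed, the query is a simple attribute-equality dict standing in for a Log Explorer search, and `percentile` is a nearest-rank approximation of the pcNN aggregations.

```python
"""Offline model of how a Datadog log monitor evaluates one window.

Added example, not Datadog code. It reproduces the documented semantics:
count / unique-value-count / measure aggregations, grouping by up to four
dimensions, the six threshold conditions, NO DATA, and the grouped `below`
rule, over a constructed set of log records.
"""
import math
from collections import defaultdict
from statistics import median

# Constructed sample logs (not captured from any real system). Attributes are
# flattened to dotted keys the way facets appear in the Log Explorer.
SAMPLE_LOGS = [
    {"service": "auth", "status": "error", "user.email": "a@example.com", "duration": 120},
    {"service": "auth", "status": "error", "user.email": "b@example.com", "duration": 300},
    {"service": "auth", "status": "info", "user.email": "a@example.com", "duration": 40},
    {"service": "billing", "status": "error", "user.email": "c@example.com", "duration": 900},
    {"service": "billing", "status": "info", "user.email": None, "duration": 15},
]


def percentile(values, pct):
    """Nearest-rank percentile, a stand-in for the pcNN aggregations."""
    ordered = sorted(values)
    rank = max(1, math.ceil(pct / 100 * len(ordered)))
    return ordered[rank - 1]


# The measure aggregations the monitor form offers.
AGGREGATIONS = {
    "min": min,
    "avg": lambda v: sum(v) / len(v),
    "sum": sum,
    "median": median,
    "pc75": lambda v: percentile(v, 75),
    "pc90": lambda v: percentile(v, 90),
    "pc95": lambda v: percentile(v, 95),
    "pc98": lambda v: percentile(v, 98),
    "pc99": lambda v: percentile(v, 99),
    "max": max,
}

# The six threshold conditions.
CONDITIONS = {
    "above": lambda x, t: x > t,
    "above or equal to": lambda x, t: x >= t,
    "below": lambda x, t: x < t,
    "below or equal to": lambda x, t: x <= t,
    "equal to": lambda x, t: x == t,
    "not equal to": lambda x, t: x != t,
}


def matches(log, query):
    """Minimal stand-in for a Log Explorer search: every key in `query` must equal the log's value."""
    return all(log.get(key) == value for key, value in query.items())


def aggregate(logs, kind, attribute=None, func=None):
    """Reduce one group of logs to the number the threshold is compared against."""
    if kind == "count":
        return len(logs)
    if kind == "unique":  # unique value count of a facet/attribute; missing values do not count
        return len({log.get(attribute) for log in logs if log.get(attribute) is not None})
    if kind == "measure":
        values = [log[attribute] for log in logs if isinstance(log.get(attribute), (int, float))]
        return AGGREGATIONS[func](values) if values else None
    raise ValueError(f"unknown aggregation kind: {kind}")


def evaluate(logs, query, kind, condition, threshold, group_by=(), attribute=None, func=None):
    """Evaluate one window. Returns {"state", "values", "alerting"}.

    state is "ALERT", "OK" or "NO DATA"; values maps group key -> aggregated
    value; alerting lists the group keys whose value met the condition.
    """
    if len(group_by) > 4:
        raise ValueError("a log monitor groups by at most four facets")
    compare = CONDITIONS[condition]
    matched = [log for log in logs if matches(log, query)]

    if not matched:
        # Nothing matched in this window: NO DATA, except that a `below`
        # condition still compares a count of 0 against the threshold, which
        # is how `below 1` catches all groups going silent at once.
        if kind == "count" and condition in ("below", "below or equal to") and compare(0, threshold):
            return {"state": "ALERT", "values": {}, "alerting": [()]}
        return {"state": "NO DATA", "values": {}, "alerting": []}

    groups = defaultdict(list)
    for log in matched:
        groups[tuple(log.get(dim) for dim in group_by)].append(log)

    values = {key: aggregate(group, kind, attribute, func) for key, group in groups.items()}
    # Only groups that produced a value are compared: a group with no logs in
    # the window is absent here, so it never trips a `below` threshold alone.
    alerting = [key for key, value in values.items() if value is not None and compare(value, threshold)]
    return {"state": "ALERT" if alerting else "OK", "values": values, "alerting": alerting}
```

Run `evaluate(SAMPLE_LOGS, {"service": "search"}, "count", "below", 1)` to see the "all groups silent" alert, and `evaluate(SAMPLE_LOGS, {"status": "error"}, "count", "below", 2, group_by=("service",))` to see that only a group with logs below the threshold alerts; a group that is missing from the window is simply not evaluated.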
Examples: backend

For detailed instructions on the advanced alert options (evaluation delay, new group delay, etc.), see the Monitor configuration page.
For detailed instructions on the Configure notifications and automations section, see the Notifications page.
When a logs monitor is triggered, samples or values can be added to the notification message. Logs without a message are not included in samples. In order to add the content of a log attribute to the monitor’s message, use Log monitor template variables directly in the monitor’s message body.
| Monitor setup | Can be added to notification message |
|---|---|
| Ungrouped simple alert, log count | Up to 10 log samples |
| Grouped simple alert, log count | Up to 10 facet or measure values |
| Grouped multi alert, log count | Up to 10 log samples |
| Ungrouped simple alert, measure | Up to 10 log samples |
| Grouped simple alert, measure | Up to 10 facet or measure values |
| Grouped multi alert, measure | Up to 10 facet or measure values |
These are available for notifications sent to Slack, Jira, webhooks, Microsoft Teams, PagerDuty, and email. Note: Samples are not displayed for recovery notifications.

To disable log samples, uncheck the box at the bottom of the Configure notifications & automations section. Depending on your monitor's grouping (as in the table above), the checkbox is labeled either "Include a table of the top 10 breaching values" or "Include a sample of 10 logs in the alert notification".
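The same choices made in the monitor form (search query, aggregation, grouping, window, condition, threshold, and the log-sample checkbox) can be expressed as a monitor definition for the Datadog Monitors API. The following is an added example, not Datadog's own code: it assumes the log monitor query grammar `logs("<search>").index("<index>").rollup("<agg>"[, "<@attribute>"]).by("<facet>", ...).last("<window>") <op> <threshold>` and the `POST /api/v1/monitor` body with type `log alert` (including the `enable_logs_sample` option) as found in the Datadog API reference, and the facet and attribute names in the two security monitors it builds (`source:auditd`, `@evt.name`, `@usr.email`, `@network.client.ip`) are assumptions about what the indexed logs contain.

```python
"""Build log monitor definitions for the Datadog Monitors API.

Added example, not Datadog code. Assumes the log monitor query grammar and
the POST /api/v1/monitor body documented in the Datadog API reference; the
facet/attribute names in the two example monitors are assumptions.
"""
import json
import os
import urllib.request

COMPARATORS = {
    "above": ">",
    "above or equal to": ">=",
    "below": "<",
    "below or equal to": "<=",
    "equal to": "==",
    "not equal to": "!=",
}


def log_monitor_query(search, condition, threshold, rollup="count", attribute=None,
                      group_by=(), window="5m", index="*"):
    """Assemble the query string the monitor form generates from the choices above (assumed grammar)."""
    if len(group_by) > 4:
        raise ValueError("a log monitor groups by at most four facets")
    rollup_args = f'"{rollup}"' if attribute is None else f'"{rollup}", "{attribute}"'
    query = f'logs("{search}").index("{index}").rollup({rollup_args})'
    if group_by:
        query += ".by(" + ", ".join(f'"{dim}"' for dim in group_by) + ")"
    query += f'.last("{window}")'
    return f"{query} {COMPARATORS[condition]} {threshold}"


def monitor_payload(name, query, critical, message, tags=(), notify_no_data=False, logs_sample=True):
    """Request body for POST /api/v1/monitor. enable_logs_sample is taken to be
    the API form of the "include a sample of 10 logs" checkbox (assumed name)."""
    return {
        "name": name,
        "type": "log alert",
        "query": query,
        "message": message,
        "tags": list(tags),
        "options": {
            "thresholds": {"critical": critical},
            "notify_no_data": notify_no_data,
            "enable_logs_sample": logs_sample,
        },
    }


# 1. Every audit-log source went quiet: an ungrouped `below 1`, which the docs
#    describe as the way to catch all groups stopping at once. A grouped
#    `below 1` would not fire for one host that stops, because that group has
#    no count to compare.
SILENT_AUDIT = monitor_payload(
    name="auditd logs stopped arriving",
    query=log_monitor_query("source:auditd", "below", 1, window="15m"),
    critical=1,
    message="No auditd logs indexed in the last 15m (value {{value}}). Check log shipping or tampering.",
    tags=["team:security"],
)

# 2. Credential stuffing: many distinct accounts failing login from one IP.
#    Unique value count of @usr.email, grouped by client IP, one alert per IP.
CRED_STUFFING = monitor_payload(
    name="Login failures from one IP spread across many accounts",
    query=log_monitor_query(
        "service:auth @evt.name:login_failure", "above", 20,
        rollup="cardinality", attribute="@usr.email",
        group_by=("@network.client.ip",), window="10m",
    ),
    critical=20,
    message="{{value}} distinct accounts failed login from one IP in 10m (threshold {{threshold}}).",
    tags=["team:security"],
)


def create_monitor(payload, api_key, app_key, site="datadoghq.com"):
    """POST the definition; only called when real keys are supplied."""
    req = urllib.request.Request(
        f"https://api.{site}/api/v1/monitor",
        data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json", "DD-API-KEY": api_key, "DD-APPLICATION-KEY": app_key},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    print(json.dumps([SILENT_AUDIT, CRED_STUFFING], indent=2))
    if os.environ.get("DD_API_KEY") and os.environ.get("DD_APP_KEY"):
        for payload in (SILENT_AUDIT, CRED_STUFFING):
            print(create_monitor(payload, os.environ["DD_API_KEY"], os.environ["DD_APP_KEY"])["id"])
```

Without `DD_API_KEY` and `DD_APP_KEY` set, the script only prints the two definitions, which is enough to review the generated queries before creating anything. Because log monitors evaluate indexed logs only, the `source:auditd` query must match an index that actually retains those logs, or the silence monitor will fire for the wrong reason.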