Log Collection and Integrations

Docs > Log Management > Log Collection and Integrations

Overview

Choose a configuration option below to begin ingesting your logs. If you are already using a log-shipper daemon, refer to the dedicated documentation for Rsyslog, Syslog-ng, NXlog, FluentD, or Logstash.

Consult the list of available Datadog log collection endpoints if you want to send your logs directly to Datadog.

Note: When sending logs in a JSON format to Datadog, there is a set of reserved attributes that have a specific meaning within Datadog. See the Reserved Attributes section to learn more.

Setup

Install the Datadog Agent.
To enable log collection, change logs_enabled: false to logs_enabled: true in your Agent’s main configuration file (datadog.yaml). See the Host Agent Log collection documentation for more information and examples.
Once enabled, the Datadog Agent can be configured to tail log files or listen for logs sent over UDP/TCP, filter out logs or scrub sensitive data, and aggregate multi-line logs.

Install the Datadog Agent.
To enable log collection, change logs_enabled: false to logs_enabled: true in your Agent’s main configuration file (datadog.yaml). See the Host Agent Log collection documentation for more information and examples.
Follow your application language installation instructions to configure a logger and start generating logs:

Choose a container or orchestrator provider and follow their dedicated log collection instructions:

Notes:

The Datadog Agent can collect logs directly from container stdout/stderr without using a logging driver. When the Agent’s Docker check is enabled, container and orchestrator metadata are automatically added as tags to your logs.
It is possible to collect logs from all your containers or only a subset filtered by container image, label, or name.
Autodiscovery can also be used to configure log collection directly in the container labels.
In Kubernetes environments, you can also leverage the daemonset installation.

Use the Datadog Forwarder, an AWS Lambda function that ships logs from your environment to Datadog. To enable log collection in your AWS serverless environment, refer to the Datadog Forwarder documentation.

Select your Cloud provider below to see how to automatically collect your logs and forward them to Datadog:

Datadog integrations and log collection are tied together. You can use an integration’s default configuration file to enable dedicated processors, parsing, and facets in Datadog. To begin log collection with an integration:

Select an integration from the Integrations page and follow the setup instructions.
Follow the integration’s log collection instructions. This section covers how to uncomment the logs section in that integration’s conf.yaml file and configure it for your environment.

Reduce data transfer fees

Use Datadog’s Network Performance Monitoring to identify your organization’s highest throughput applications. Connect to Datadog over supported private connections and send data over a private network to avoid the public internet and reduce your data transfer fees. After you switch to private links, use Datadog’s Cloud Cost Management tools to verify the impact and monitor the reduction in your cloud costs.

For more information, see How to send logs to Datadog while reducing data transfer fees.

Additional configuration options

Logging endpoints

Datadog provides logging endpoints for both SSL-encrypted connections and unencrypted connections. Use the encrypted endpoint when possible. The Datadog Agent uses the encrypted endpoint to send logs to Datadog. More information is available in the Datadog security documentation.

Supported endpoints

Use the site selector dropdown on the right side of the page to see supported endpoints by Datadog site.

Site	Type	Endpoint	Port	Description
US	HTTPS	`http-intake.logs.datadoghq.com`	443	Used by custom forwarder to send logs in JSON or plain text format over HTTPS. See the Logs HTTP API documentation.
US	HTTPS	`agent-http-intake-pci.logs.datadoghq.com`	443	Used by the Agent to send logs over HTTPS to an org with PCI DSS compliance enabled. See PCI DSS compliance for Log Management for more information.
US	HTTPS	`agent-http-intake.logs.datadoghq.com`	443	Used by the Agent to send logs in JSON format over HTTPS. See the Host Agent Log collection documentation.
US	HTTPS	`lambda-http-intake.logs.datadoghq.com`	443	Used by Lambda functions to send logs in raw, Syslog, or JSON format over HTTPS.
US	HTTPS	`logs.`	443	Used by the Browser SDK to send logs in JSON format over HTTPS.
US	TCP	`agent-intake.logs.datadoghq.com`	10514	Used by the Agent to send logs without TLS.
US	TCP and TLS	`agent-intake.logs.datadoghq.com`	10516	Used by the Agent to send logs with TLS.
US	TCP and TLS	`intake.logs.datadoghq.com`	443	Used by custom forwarders to send logs in raw, Syslog, or JSON format over an SSL-encrypted TCP connection.
US	TCP and TLS	`functions-intake.logs.datadoghq.com`	443	Used by Azure functions to send logs in raw, Syslog, or JSON format over an SSL-encrypted TCP connection. Note: This endpoint may be useful with other cloud providers.
US	TCP and TLS	`lambda-intake.logs.datadoghq.com`	443	Used by Lambda functions to send logs in raw, Syslog, or JSON format over an SSL-encrypted TCP connection.

Site	Type	Endpoint	Port	Description
EU	HTTPS	`http-intake.logs.datadoghq.eu`	443	Used by custom forwarder to send logs in JSON or plain text format over HTTPS. See the Logs HTTP API documentation.
EU	HTTPS	`agent-http-intake.logs.datadoghq.eu`	443	Used by the Agent to send logs in JSON format over HTTPS. See the Host Agent Log collection documentation.
EU	HTTPS	`lambda-http-intake.logs.datadoghq.eu`	443	Used by Lambda functions to send logs in raw, Syslog, or JSON format over HTTPS.
EU	HTTPS	`logs.`	443	Used by the Browser SDK to send logs in JSON format over HTTPS.
EU	TCP and TLS	`agent-intake.logs.datadoghq.eu`	443	Used by the Agent to send logs in protobuf format over an SSL-encrypted TCP connection.
EU	TCP and TLS	`functions-intake.logs.datadoghq.eu`	443	Used by Azure functions to send logs in raw, Syslog, or JSON format over an SSL-encrypted TCP connection. Note: This endpoint may be useful with other cloud providers.
EU	TCP and TLS	`lambda-intake.logs.datadoghq.eu`	443	Used by Lambda functions to send logs in raw, Syslog, or JSON format over an SSL-encrypted TCP connection.

Site	Type	Endpoint	Port	Description
US3	HTTPS	`http-intake.logs.us3.datadoghq.com`	443	Used by custom forwarder to send logs in JSON or plain text format over HTTPS. See the Logs HTTP API documentation.
US3	HTTPS	`lambda-http-intake.logs.us3.datadoghq.com`	443	Used by Lambda functions to send logs in raw, Syslog, or JSON format over HTTPS.
US3	HTTPS	`agent-http-intake.logs.us3.datadoghq.com`	443	Used by the Agent to send logs in JSON format over HTTPS. See the Host Agent Log collection documentation.
US3	HTTPS	`logs.`	443	Used by the Browser SDK to send logs in JSON format over HTTPS.

Site	Type	Endpoint	Port	Description
US5	HTTPS	`http-intake.logs.us5.datadoghq.com`	443	Used by custom forwarder to send logs in JSON or plain text format over HTTPS. See the Logs HTTP API documentation.
US5	HTTPS	`lambda-http-intake.logs.us5.datadoghq.com`	443	Used by Lambda functions to send logs in raw, Syslog, or JSON format over HTTPS.
US5	HTTPS	`agent-http-intake.logs.us5.datadoghq.com`	443	Used by the Agent to send logs in JSON format over HTTPS. See the Host Agent Log collection documentation.
US5	HTTPS	`logs.`	443	Used by the Browser SDK to send logs in JSON format over HTTPS.

Site	Type	Endpoint	Port	Description
AP1	HTTPS	`http-intake.logs.ap1.datadoghq.com`	443	Used by custom forwarder to send logs in JSON or plain text format over HTTPS. See the Logs HTTP API documentation.
AP1	HTTPS	`lambda-http-intake.logs.ap1.datadoghq.com`	443	Used by Lambda functions to send logs in raw, Syslog, or JSON format over HTTPS.
AP1	HTTPS	`agent-http-intake.logs.ap1.datadoghq.com`	443	Used by the Agent to send logs in JSON format over HTTPS. See the Host Agent Log collection documentation.
AP1	HTTPS	`logs.`	443	Used by the Browser SDK to send logs in JSON format over HTTPS.

Site	Type	Endpoint	Port	Description
US1-FED	HTTPS	`http-intake.logs.ddog-gov.com`	443	Used by custom forwarder to send logs in JSON or plain text format over HTTPS. See the Logs HTTP API documentation.
US1-FED	HTTPS	`lambda-http-intake.logs.ddog-gov.datadoghq.com`	443	Used by Lambda functions to send logs in raw, Syslog, or JSON format over HTTPS.
US1-FED	HTTPS	`agent-http-intake.logs.ddog-gov.datadoghq.com`	443	Used by the Agent to send logs in JSON format over HTTPS. See the Host Agent Log collection documentation.
US1-FED	HTTPS	`logs.`	443	Used by the Browser SDK to send logs in JSON format over HTTPS.

Custom log forwarding

Any custom process or logging library able to forward logs through TCP or HTTP can be used in conjunction with Datadog Logs.

You can send logs to Datadog platform over HTTP. Refer to the Datadog Log HTTP API documentation to get started.

You can manually test your connection using OpenSSL, GnuTLS, or another SSL/TLS client. For GnuTLS, run the following command:

gnutls-cli intake.logs.datadoghq.com:10516

For OpenSSL, run the following command:

openssl s_client -connect intake.logs.datadoghq.com:10516

You must prefix the log entry with your Datadog API Key and add a payload.

<DATADOG_API_KEY> Log sent directly using TLS

Your payload, or Log sent directly using TLS as written in the example, can be in raw, Syslog, or JSON format. If your payload is in JSON format, Datadog automatically parses its attributes.

<DATADOG_API_KEY> {"message":"json formatted log", "ddtags":"env:my-env,user:my-user", "ddsource":"my-integration", "hostname":"my-hostname", "service":"my-service"}

You can manually test your connection using OpenSSL, GnuTLS, or another SSL/TLS client. For GnuTLS, run the following command:

gnutls-cli tcp-intake.logs.datadoghq.eu:443

For OpenSSL, run the following command:

openssl s_client -connect tcp-intake.logs.datadoghq.eu:443

You must prefix the log entry with your Datadog API Key and add a payload.

<DATADOG_API_KEY> Log sent directly using TLS

Your payload, or Log sent directly using TLS as written in the example, can be in raw, Syslog, or JSON format. If your payload is in JSON format, Datadog automatically parses its attributes.

<DATADOG_API_KEY> {"message":"json formatted log", "ddtags":"env:my-env,user:my-user", "ddsource":"my-integration", "hostname":"my-hostname", "service":"my-service"}

Notes:

The HTTPS API supports logs of sizes up to 1MB. However, for optimal performance, it is recommended that an individual log be no greater than 25K bytes. If you use the Datadog Agent for logging, it is configured to split a log at 256kB (256000 bytes).
A log event should not have more than 100 tags, and each tag should not exceed 256 characters for a maximum of 10 million unique tags per day.
A log event converted to JSON format should contain less than 256 attributes. Each of those attribute’s keys should be less than 50 characters, nested in less than 20 successive levels, and their respective value should be less than 1024 characters if promoted as a facet.
Log events can be submitted with a timestamp that is up to 18h in the past.

Log events that do not comply with these limits might be transformed or truncated by the system or not indexed if outside the provided time range. However, Datadog tries to preserve as much user data as possible.

There is an additional truncation in fields that applies only to indexed logs: the value is truncated to 75 KiB for the message field and 25 KiB for non-message fields. Datadog still stores the full text, and it remains visible in regular list queries in the Logs Explorer. However, the truncated version will be displayed when performing a grouped query, such as when grouping logs by that truncated field or performing similar operations that display that specific field.

Attributes and tags

Attributes prescribe logs facets, which are used for filtering and searching in Log Explorer. See the dedicated attributes and aliasing documentation for a list of reserved and standard attributes and to learn how to support a naming convention with logs attributes and aliasing.

Attributes for stack traces

When logging stack traces, there are specific attributes that have a dedicated UI display within your Datadog application such as the logger name, the current thread, the error type, and the stack trace itself.

To enable these functionalities use the following attribute names:

Attribute	Description
`logger.name`	Name of the logger
`logger.thread_name`	Name of the current thread
`error.stack`	Actual stack trace
`error.message`	Error message contained in the stack trace
`error.kind`	The type or “kind” of an error (for example, “Exception”, or “OSError”)

Note: By default, integration Pipelines attempt to remap default logging library parameters to those specific attributes and parse stack traces or traceback to automatically extract the error.message and error.kind.

For more information, see the complete source code attributes documentation.

Next steps

Once logs are collected and ingested, they are available in Log Explorer. Log Explorer is where you can search, enrich, and view alerts on your logs. See the Log Explorer documentation to begin analyzing your log data, or see the additional log management documentation below.