VOOZH about

URL: https://docs.datadoghq.com/security/events_forwarding/

⇱ Events Forwarding

For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/events_forwarding.md. A documentation index is available at /llms.txt.

Events Forwarding

Overview

Events Forwarding sends logs, audit logs, security spans, security signals, and cloud workload security events from Datadog to custom destinations such as Splunk, Elasticsearch, and HTTP endpoints. Use Events Forwarding to route security and observability data to third-party SIEMs, data lakes, or internal tools.

Events Forwarding supports the following data types:

Data TypeDescription
LogsApplication and infrastructure logs
Audit LogsDatadog platform audit events
Security SpansTraces from App and API Protection
Security SignalsSignals generated by Detection Rules
Cloud Workload Security EventsRuntime security events from Workload Protection

Note: For logs, additional destination types are available (Microsoft Sentinel, Google Chronicle). See Forwarding Logs to Custom Destinations for details.

Prerequisites

Permissions

Forwarding rules require data-type-specific permissions. The following table lists the required permission for each data type.

Data TypePermission
Logslogs_write_forwarding_rules
Audit Logsaudit_logs_write
Security Spansapm_pipelines_write
Security Signalssecurity_monitoring_signals_write
Cloud Workload Security Eventssecurity_monitoring_cws_agent_rules_write

Set up Events Forwarding

Events Forwarding uses the same destination types and configuration as log forwarding. For detailed instructions on setting up destinations, see Forwarding Logs to Custom Destinations.

  • Sending events to a custom destination is outside of the Datadog GovCloud environment, which is outside the control of Datadog. Datadog shall not be responsible for any events that have left the Datadog GovCloud environment, including without limitation, any obligations or requirements that the user may have related to FedRAMP, DoD Impact Levels, ITAR, export compliance, data residency, or similar regulations applicable to such events.
  • Due to security protocols for the GovCloud site, only ports 443 and 8088 are available for Events Forwarding. If your custom destination uses a different port, contact Datadog Support to explore opening your port for outbound communications.

To set up a forwarding rule:

  1. Navigate to Security Settings > Events Forwarding.
  2. Click New Destination.
  3. Select the data type you want to forward.
  4. Enter a query to filter events. Only matching events are forwarded.
  5. Select and configure the destination type.
  6. Click Save.

Supported destination types

The following destination types are available for all data types:

  • HTTP - Send events to any HTTPS endpoint with basic authentication or custom headers.
  • Splunk - Forward events using Splunk’s HTTP Event Collector (HEC).
  • Elasticsearch - Send events to an Elasticsearch cluster with configurable index rotation.

For logs, these destinations are also supported: Microsoft Sentinel and Google Chronicle. See Forwarding Logs to Custom Destinations for setup details.

Monitoring

The following metrics report on events that have been forwarded successfully, including events that were sent successfully after retries, as well as events that were dropped:

  • datadog.forwarding.<data_type>.bytes
  • datadog.forwarding.<data_type>.count

Where <data_type> corresponds to the forwarded data type (for example, logs, trace, signal, secruntime).

Further reading