
Logs

Control audit log retention and logging options.

What you can do

  • Set retention policies
  • Configure logging behavior to match compliance needs

Log providers (application logs)

You can forward application logs to an external provider for centralized observability. Supported providers:

  • Splunk (HTTP Event Collector)
  • Grafana Loki
  • Generic Webhook

Splunk (HEC)

Required fields:

  • Token: Your HEC token
  • Host: Splunk host (e.g., splunk.example.com)
  • Port: HEC port (commonly 8088)
  • Index: Target index (e.g., main)

Notes:

  • Ensure HEC is enabled and the token is active.
  • If your HEC uses TLS with a custom CA, configure your environment to trust it.

Grafana Loki

Required fields:

  • URL: Your Loki push endpoint (e.g., https://loki.example.com)
  • Basic auth: Username and password
  • Labels (optional): app, env, service

Notes:

  • Labels help you query logs efficiently in LogQL.
  • Make sure the credentials have permission to push logs to the target tenant.

Webhook

Required fields:

  • URL: Endpoint that accepts POST requests

Notes:

  • Use this for custom pipelines or when integrating with gateways/collectors.
  • Implement idempotency and authentication on your receiver.
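
The receiver-side checks from the note above, as an added example (not code from this product). It assumes deliveries carry a shared token in an `Authorization: Bearer` header and that a record may include an `id` field; both are assumptions, since this page does not specify the request format, and `LogReceiver` is a hypothetical name.

```python
import hashlib
import hmac
import json
from collections import OrderedDict

MAX_BODY = 1 << 20      # refuse oversized posts before parsing
SEEN_LIMIT = 10_000     # bound the dedupe cache


class LogReceiver:
    """Framework-agnostic core of a webhook receiver (hypothetical names)."""

    def __init__(self, token: str):
        if not token:
            raise ValueError("a non-empty shared token is required")
        self._token = token.encode()
        self._seen = OrderedDict()   # idempotency keys, oldest first
        self.stored = []             # stand-in for the real log pipeline

    def _authorized(self, headers: dict) -> bool:
        # Assumed scheme: "Authorization: Bearer <token>".
        scheme, _, presented = headers.get("authorization", "").partition(" ")
        # Constant-time comparison avoids leaking the token through timing.
        return scheme == "Bearer" and hmac.compare_digest(presented.encode(), self._token)

    def handle(self, headers: dict, body: bytes) -> int:
        """Return the HTTP status to answer one POST with."""
        headers = {k.lower(): v for k, v in headers.items()}
        if not self._authorized(headers):
            return 401
        if len(body) > MAX_BODY:
            return 413
        try:
            event = json.loads(body)
        except ValueError:           # bad JSON or bad UTF-8
            return 400
        # Idempotency key: the assumed "id" field, else a digest of the body.
        key = event.get("id") if isinstance(event, dict) else None
        key = str(key) if key is not None else hashlib.sha256(body).hexdigest()
        if key in self._seen:
            return 200               # retry of a stored delivery: ack, store nothing
        self._seen[key] = None
        if len(self._seen) > SEEN_LIMIT:
            self._seen.popitem(last=False)
        self.stored.append(event)
        return 202
```

Call `handle()` from whatever HTTP framework fronts the endpoint, and serve it over TLS so the token is not exposed in transit.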

Anonymous Mode

When enabled, only aggregated/statistical data is forwarded, excluding sensitive fields. Use this if you need basic operational telemetry without exposing PII.

Tip: Combine Anonymous Mode with provider‑side redaction where possible.

Best practices

  • Use least‑privilege credentials for any outbound log sink.
  • Add provider‑side retention and lifecycle rules to control storage costs.
  • Tag logs with env (e.g., production, staging) to separate flows.
  • Validate network egress/firewall rules from your deployment to the provider.

Troubleshooting

  • No logs appearing:
    • Verify provider credentials/URL, and that outbound egress is allowed.
    • For Splunk, check HEC status and token permissions.
    • For Loki, confirm tenant/auth and that labels are not over‑constraining queries.
  • Errors in UI when saving:
    • Ensure all required fields are filled for the selected provider.

See also: Monitor Logs (read‑only viewing and searches).