Audit Stream → Datadog Logs¶
Forward every Aegis audit event into Datadog Logs via the public Logs Intake API. No Datadog Agent required — events POST directly from Aegis cloud over HTTPS.
What you'll need¶
| Requirement | Where to get it |
|---|---|
| Datadog Logs Intake URL | Pick the URL for your Datadog site (table below) |
| Datadog API Key | Datadog → Organization Settings → API Keys → New Key |
Datadog Logs Intake URLs by site¶
| Site | URL |
|---|---|
| US1 (default) | https://http-intake.logs.datadoghq.com/api/v2/logs |
| US3 | https://http-intake.logs.us3.datadoghq.com/api/v2/logs |
| US5 | https://http-intake.logs.us5.datadoghq.com/api/v2/logs |
| EU | https://http-intake.logs.datadoghq.eu/api/v2/logs |
| AP1 | https://http-intake.logs.ap1.datadoghq.com/api/v2/logs |
| US1-FED | https://http-intake.logs.ddog-gov.com/api/v2/logs |
Check your site at the top-right of your Datadog UI ("US3", "EU", etc.).
1. Create the API key in Datadog¶
- Datadog → Organization Settings → API Keys
- Click New Key and name it aegis-audit-stream
- Copy the key; you'll paste it into Aegis next.
2. Configure the Aegis destination¶
```bash
curl -X POST https://api.aegispreflight.com/api/orgs/${ORG_ID}/forwarding-destinations \
  -H "Authorization: Bearer ${AEGIS_API_KEY}" \
  -H "Content-Type: application/json" \
  -d '{
    "url": "https://http-intake.logs.datadoghq.com/api/v2/logs",
    "auth_header_name": "DD-API-KEY",
    "auth_header_value": "YOUR-DATADOG-API-KEY"
  }'
```
Header is DD-API-KEY, not Authorization
Datadog Logs Intake uses the DD-API-KEY header. Don't prefix the value with Bearer or anything — just the raw API key.
3. Test the wiring¶
```bash
curl -X POST \
  https://api.aegispreflight.com/api/orgs/${ORG_ID}/forwarding-destinations/${DEST_ID}/test \
  -H "Authorization: Bearer ${AEGIS_API_KEY}"
```
Expected:
Then in Datadog Logs Explorer (filter by service or dataset):
The synthetic event should appear within ~5 seconds.
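Steps 2 and 3 above, as a small offline helper that builds the step 2 request body while catching the two mistakes the page warns about (wrong-site intake URL, a key pasted with a Bearer prefix) and maps a failed step 3 status to the troubleshooting table. This is an added example, not code from the Aegis or Datadog docs; the function names are ours, and the site table, field names and status codes are the ones given on this page.

```python
import re

# Datadog Logs Intake URLs by site, copied from the table above.
INTAKE_URLS = {
    "US1": "https://http-intake.logs.datadoghq.com/api/v2/logs",
    "US3": "https://http-intake.logs.us3.datadoghq.com/api/v2/logs",
    "US5": "https://http-intake.logs.us5.datadoghq.com/api/v2/logs",
    "EU": "https://http-intake.logs.datadoghq.eu/api/v2/logs",
    "AP1": "https://http-intake.logs.ap1.datadoghq.com/api/v2/logs",
    "US1-FED": "https://http-intake.logs.ddog-gov.com/api/v2/logs",
}


def destination_problems(site, api_key):
    """Return the misconfigurations this page warns about (empty list if none)."""
    problems = []
    if site.upper() not in INTAKE_URLS:
        problems.append(f"unknown Datadog site {site!r}; use one of {sorted(INTAKE_URLS)}")
    if not api_key or api_key != api_key.strip():
        problems.append("API key is empty or has surrounding whitespace")
    elif re.match(r"(?i)^(bearer|basic|token)\s", api_key):
        problems.append("DD-API-KEY takes the raw key; drop the 'Bearer' prefix")
    return problems


def destination_payload(site, api_key):
    """JSON body for POST .../forwarding-destinations (step 2); ValueError if misconfigured."""
    problems = destination_problems(site, api_key)
    if problems:
        raise ValueError("; ".join(problems))
    return {
        "url": INTAKE_URLS[site.upper()],
        "auth_header_name": "DD-API-KEY",  # not Authorization
        "auth_header_value": api_key,      # raw key, no scheme prefix
    }

# Failed /test status -> (likely cause, fix), taken from the troubleshooting table.
TEST_FAILURE_HINTS = {
    403: ("API key wrong or revoked", "generate a new key and PATCH the destination"),
    400: ("intake URL does not match the key's Datadog site", "pick the right intake URL"),
    413: ("single event over Datadog's 5 MB per-log limit", "check what's in aegis.summary"),
}

def explain_test_failure(status):
    """Turn a failed step 3 response status into the page's troubleshooting hint."""
    default = ("status not in the troubleshooting table", "check last_error on the destination")
    cause, fix = TEST_FAILURE_HINTS.get(status, default)
    return f"HTTP {status}: {cause}; fix: {fix}"
```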
Recommended Datadog facets¶
To make Aegis events queryable as facets, add these in Logs → Configuration → Facets:
| Path | Type | Facet name |
|---|---|---|
| @aegis.decision | string | aegis.decision |
| @aegis.destination | string | aegis.destination |
| @aegis.source_type | string | aegis.source_type |
| @aegis.actor_id | string | aegis.actor_id |
| @aegis.policy_id | string | aegis.policy_id |
| @event.dataset | string | event.dataset |
| @organization.id | string | organization.id |
Datadog auto-extracts numeric fields like @aegis.input_size_bytes and the finding count map — they appear in Logs Explorer's right-hand Event Attributes panel.
Sample Datadog queries¶
```
# All preflight decisions in the last hour
@event.dataset:aegis.preflight

# Blocked events grouped by actor
@aegis.decision:BLOCKED | stats count by @aegis.actor_id

# High-PII events (>10 SSNs in a single check)
@aegis.finding_counts_by_type.SSN:>10
```
Monitors / alerts¶
A starting set of monitors worth defining:
| Monitor | Query | Threshold |
|---|---|---|
| Spike in BLOCKED decisions | @aegis.decision:BLOCKED | >10 in 5 min |
| Suspicious exfil patterns | @aegis.destination:VENDOR @aegis.decision:BLOCKED | >5 in 1 hr |
| Unfamiliar actor | @aegis.actor_id:* @event.dataset:aegis.preflight first-seen | new actor |
| Aegis ingest stalled (no events) | @event.dataset:aegis.preflight | 0 in 30 min |
Troubleshooting¶
| Symptom | Cause | Fix |
|---|---|---|
| test returns ok: false, 403 Forbidden | API key wrong or revoked | Generate a new key; update the destination via PATCH |
| test returns ok: false, 400 Bad Request | Site URL doesn't match your DD-API-KEY region | Pick the right intake URL from the table above (EU keys can't post to US1) |
| Events appear but fields aren't facets | Facets not yet defined | Add facets in Logs → Configuration → Facets as per the table above |
| last_error shows HTTP 413 | Single event > 5 MB (Datadog's per-log limit) | Should never happen for audit metadata; check what's in aegis.summary |