--- title: "Log forwarding in Cloud Platform" date: "2024-02-14T06:18:38+00:00" summary: "Configure log forwarding in Cloud Platform to securely send application logs to centralized services like Splunk or Sumologic. Easily set up destinations, select log types, and manage forwarding for enhanced monitoring and analysis." image: type: "page" url: "/acquia-cloud-platform/log-forwarding-cloud-platform" id: "bd7fbb69-ec5a-4a16-aada-eab3cac3f106" --- Table of contents will be added Important * Log forwarding is available only to [specific subscription levels](#log-forwarding-eligibility) with [dedicated load balancers](/acquia-cloud-platform/manage-apps/infrastructure). For information about legacy log forwarding for Site Factory subscriptions, see [Legacy log forwarding service](/acquia-cloud-platform/monitor-apps/logs/forwarding/legacy). * The log forwarding certificates for Splunk, Sumologic, and other syslog destinations must have an expiry greater than 30 days. * Log forwarding is a paid service. To enable log forwarding for your subscription, contact your account manager. * New Relic is not supported as a log forwarding destination in Cloud Platform. Many websites must forward their log files to a central location (such as [Sumologic](https://www.sumologic.com/), [Splunk](https://www.splunk.com/), or [Loggly](https://www.loggly.com/)) for processing and alerting. Acquia uses TLS over TCP to forward the log files you select to a remote destination. Log forwarding eligibility -------------------------- Log forwarding requires [dedicated load balancers](/acquia-cloud-platform/manage-apps/infrastructure) with your subscription, and is available for the following subscription types: * Cloud Platform Elite * Cloud Platform Premium * Cloud Platform Plus with the Enterprise Security Package add-on * Cloud Platform Enterprise with the Log Forwarding add-on * Cloud Platform Enterprise with an Elite subscription, and an [Acquia Technical Account Manager](../../../guide/tam.html) (These users may have the [Legacy log forwarding service](#cloud-legacy-log-forwarding) enabled) Note All Cloud Platform subscribers can access Acquia-provided log files in the Cloud Platform interface. For more information, see [Streaming log entries in real time](/acquia-cloud-platform/monitor-apps/logstream). Configuring log forwarding -------------------------- After log forwarding is enabled for you, assign the _Administer log forwarding for non-production environments_ and _Administer log forwarding for your production environment_ [permissions](/acquia-cloud-platform/access/teams/permissions) to [roles](../../access/teams/roles.html) in your organization. By default, the _Team Lead_ and _Senior Developer_ roles can manage log forwarding on all environments, while the _Developer_ role can manage log forwarding on non-production environments only. To configure log forwarding for Cloud Platform, a user with one of the log forwarding permissions must complete the following steps depending on the log forwarding service you have selected: ### LOGGLY To configure log forwarding for [Loggly](https://www.loggly.com/), complete the following steps: 1. [Sign in to the Cloud Platform user interface](/node/55875) as a user with the _Administer log forwarding for non-production environments_ or _Administer log forwarding for your production environment_ [permission](../../access/teams/permissions.html). 2. Select your application and environment. 3. In the left menu, click **Logs**. 4. Click **Forward**. 5. Click **ADD DESTINATION**. 6. In the **Consumer** select box, select [Loggly](https://www.loggly.com/). 7. _(Optional)_ In the **Copy existing destination** section, click **Select Destination** to copy and use the values from an existing log forwarding configuration of another environment. 8. In the **Name of destination** field, enter a human-readable name for the destination of the forwarded logs. 9. In the **Token** field, enter a token for securely sending your logs to the consuming service. For more information about customer tokens, see [Loggly’s documentation.](https://www.loggly.com/docs/customer-token-authentication-token/). 10. Select one or more checkboxes for the log files you want to forward to this destination: * [Apache](/acquia-cloud-platform/apache-access-logs "Apache access logs") * [Apache error](/acquia-cloud-platform/apache-error-logs "Apache error logs") * [Drupal request](/acquia-cloud-platform/drupal-request-logs "Drupal request logs") * [Drupal watchdog](/acquia-cloud-platform/drupal-watchdog-logs "Drupal watchdog logs") * [FPM access](/acquia-cloud-platform/fpm-access-logs "Fpm access logs") * [FPM error](/acquia-cloud-platform/fpm-error-logs "Fpm error logs") * [PHP error](/acquia-cloud-platform/php-error-logs "PHP error logs") * [Varnish®](/acquia-cloud-platform/varnish-request-logs "Varnish request logs") (JSON format) 11. Click **Submit**. Cloud Platform will display the list of log forwarding destinations for this subscription. After you create a log forwarding destination, Cloud Platform-created logs should begin forwarding to your remote destination within five minutes. If logs do not appear at your remote destination based on this expectation, review [Common issues with log forwarding](/acquia-cloud-platform/common-issues-log-forwarding "Common issues with log forwarding"). If issues persist, [create a Support ticket](../../../support.html#contact-acquia-support). ### SPLUNK Note Although Acquia supports log forwarding to Splunk Enterprise accounts, Splunk Cloud is not supported due to limitations regarding direct TCP log forwarding. To configure log forwarding for [Splunk](https://www.splunk.com/): 1. [Sign in to the Cloud Platform user interface](/node/55875) as a user with the _Administer log forwarding for non-production environments_ or _Administer log forwarding for your production environment_ [permission](../../access/teams/permissions.html). 2. Select your application and environment. 3. In the left menu, click **Logs**. 4. Click **Forward**. 5. Click **ADD DESTINATION**. 6. In the **Consumer** select box, select [Splunk](https://www.splunk.com/). 7. _(Optional)_ In the **Copy existing destination** section, click **Select Destination** to copy and use the values from an existing log forwarding configuration of another environment. 8. In the **Name of destination** field, enter a human-readable name for the destination of the forwarded logs. 9. In the **Address** field, enter the IP address or domain name to which Cloud Platform will send the logs. 1. Note If you enter a domain name in this field, the domain name must match the entity for which the server certificate was issued. Be sure to include the port number (separated from the IP address or domain name with a colon) as indicated in the following examples: 10.0.0.1:1234 example.com:4567 1. In the **Certificate** field, paste one of the following SSL certificates in PEM format: * The CA certificate for the server * A certificate bundle, with the CA and a client certificate 2. In the **Private Key** field, enter the private key supplied by Splunk. This value may be the private key for your SSL certificate, if your certificate requires one. 3. Select one or more checkboxes for the log files you want to forward to this destination: * [Apache](/acquia-cloud-platform/apache-access-logs "Apache access logs") * [Apache error](/acquia-cloud-platform/apache-error-logs "Apache error logs") * [Drupal request](/acquia-cloud-platform/drupal-request-logs "Drupal request logs") * [Drupal watchdog](/acquia-cloud-platform/drupal-watchdog-logs "Drupal watchdog logs") * [FPM access](/acquia-cloud-platform/fpm-access-logs "Fpm access logs") * [FPM error](/acquia-cloud-platform/fpm-error-logs "Fpm error logs") * [PHP error](/acquia-cloud-platform/php-error-logs "PHP error logs") * [Varnish®](/acquia-cloud-platform/varnish-request-logs "Varnish request logs") (JSON format) 4. Click **Submit**. Cloud Platform will display the list of log forwarding destinations for this subscription. After you create a log forwarding destination, Cloud Platform-created logs should begin forwarding to your remote destination within five minutes. If logs do not appear at your remote destination based on this expectation, review [Common issues with log forwarding](/acquia-cloud-platform/common-issues-log-forwarding "Common issues with log forwarding"). If issues persist, [create a Support ticket](../../../support.html#contact-acquia-support). Note Subscribers using Splunk log forwarding destinations will receive empty structured data formatted as `-` instead of `[]` from the Splunk server. 1. ### SUMOLOGIC To configure log forwarding for [Sumologic](https://www.sumologic.com): 1. Review the [Cloud Syslog Source](https://help.sumologic.com/docs/send-data/hosted-collectors/cloud-syslog-source/) documentation from Sumologic. 2. [Sign in to the Cloud Platform user interface](/node/55875) as a user with the _Administer log forwarding for non-production environments_ or _Administer log forwarding for your production environment_ [permission](../../access/teams/permissions.html). 3. Select your application and environment. 4. In the left menu, click **Logs**. 5. Click **Forward**. 6. Click **ADD DESTINATION**. 7. In the **Consumer** select box, select [Sumologic](https://www.sumologic.com). 8. _(Optional)_ In the **Copy existing destination** section, click **Select Destination** to copy and use the values from an existing log forwarding configuration of another environment. 9. In the **Name of destination** field, enter a human-readable name for the destination of the forwarded logs. 10. In the **Address** field, enter the IP address or domain name to which Cloud Platform will send the logs. 2. Note If you enter a domain name in this field, the domain name must match the entity for which the server certificate was issued. 3. Be sure to include the port number (separated from the IP address or domain name with a colon) as indicated in the following examples: 10.0.0.1:1234 example.com:4567 1. In the **Token** field, enter a token for securely sending your logs to Sumologic. For more information about tokens, see [Sumologic’s documentation](https://help.sumologic.com/docs/send-data/hosted-collectors/cloud-syslog-source/). 2. In the **Certificate** field, paste a SSL certificate in PEM format. 4. Note Sumologic provides certificates in CRT format. To convert a CRT certificate to PEM format, see the [SSL Converter](https://www.sslshopper.com/ssl-converter.html) form on SSLShopper.com. 5. 1. In the **Private Key** field, enter the private key supplied by Sumologic. This value may be the private key for your SSL certificate, if your certificate requires one. 2. Select one or more checkboxes for the log files you want to forward to this destination: * [Apache](/acquia-cloud-platform/apache-access-logs "Apache access logs") * [Apache error](/acquia-cloud-platform/apache-error-logs "Apache error logs") * [Drupal request](/acquia-cloud-platform/drupal-request-logs "Drupal request logs") * [Drupal watchdog](/acquia-cloud-platform/drupal-watchdog-logs "Drupal watchdog logs") * [FPM access](/acquia-cloud-platform/fpm-access-logs "Fpm access logs") * [FPM error](/acquia-cloud-platform/fpm-error-logs "Fpm error logs") * [PHP error](/acquia-cloud-platform/php-error-logs "PHP error logs") * [Varnish®](/acquia-cloud-platform/varnish-request-logs "Varnish request logs") (JSON format) 3. Click **Submit**. Cloud Platform displays the list of log forwarding destinations for this subscription. After you create a log forwarding destination, Cloud Platform-created logs should begin forwarding to your remote destination within five minutes. If logs do not appear at your remote destination based on this expectation, review [Common issues with log forwarding](/acquia-cloud-platform/common-issues-log-forwarding "Common issues with log forwarding"). If issues persist, [create a Support ticket](../../../support.html#contact-acquia-support).Use this area to write the content for the tab. ### OTHER SYSLOG DESTINATIONS Note Because log forwarding collectors can vary in their configuration requirements, the Cloud Platform log forwarding service may not be compatible with all third-party services. 1. To configure log forwarding for syslog-based destinations other than Loggly, Splunk, or Sumologic: 1. [Sign in to the Cloud Platform user interface](/node/55875) as a user with the _Administer log forwarding for non-production environments_ or _Administer log forwarding for your production environment_ [permission](../../access/teams/permissions.html). 2. Select your application and environment. 3. In the left menu, click **Logs**. 4. Click **Forward**. 5. Click **ADD DESTINATION**. 6. In the **Consumer** select box, select **Syslog**, which enables you to forward logs to destinations other than Loggly, Splunk, or Sumologic. 7. _(Optional)_ In the **Copy existing destination** section, click **Select Destination** to copy and use the values from an existing log forwarding configuration of another environment. 8. In the **Name of destination** field, enter a human-readable name for the destination of the forwarded logs. 9. In the **Address** field, enter the IP address or domain name to which Cloud Platform will send the logs. 2. Note If you enter a domain name in this field, the domain name must match the entity for which the server certificate was issued. 3. Be sure to include the port number (separated from the IP address or domain name with a colon) as indicated in the following examples: 10.0.0.1:1234 example.com:4567 1. In the **Token** field, enter a token for securely sending your logs to the consuming service. 2. In the **Certificate** field, paste a SSL certificate in a format your provider will accept, based on one of the following certificate types: * CA certificate for the server, in PEM format. * Certificate bundle, in PEM format (if you are using client authentication). The bundle is the client certificate in PEM format, followed by the intermediate CA certificates (if present on the server certificate) and root CA certificate in PEM format. A simple way to check what are the intermediate and root CA certificates is to use the openssl command. For example, if you had a log forwarding destination acquia.com on port 443: $ openssl s_client -showcerts -connect acquia.com:443 CONNECTED(00000005) depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV Root CA verify return:1 depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 High Assurance Server CA verify return:1 depth=0 C = US, ST = Massachusetts, L = Boston, O = Acquia Inc, OU = Operations, CN = \*.acquia.com ... Note: type QUIT to exit the SSL client. This shows that there is one root CA (CN = DigiCert High Assurance EV Root CA) and one intermediate CA (CN = DigiCert SHA2 High Assurance Server CA), so the certificate bundle for log forwarding would have to be: * content of the client certificate * content of DigiCert SHA2 High Assurance Server CA * content of DigiCert High Assurance EV Root CA 3. If you use client authentication, enter the private key in the **Private Key** field for the client certificate in PEM format. 4. Select one or more checkboxes for the log files you want to forward to this destination: * [Apache](/acquia-cloud-platform/apache-access-logs "Apache access logs") * [Apache error](/acquia-cloud-platform/apache-error-logs "Apache error logs") * [Drupal request](/acquia-cloud-platform/drupal-request-logs "Drupal request logs") * [Drupal watchdog](/acquia-cloud-platform/drupal-watchdog-logs "Drupal watchdog logs") * [PHP error](/acquia-cloud-platform/php-error-logs "PHP error logs") * [Varnish®](/acquia-cloud-platform/varnish-request-logs "Varnish request logs") (JSON format) 5. Click **Submit**. Cloud Platform will display the list of log forwarding destinations for this subscription. After you create a log forwarding destination, Cloud Platform-created logs should begin forwarding to your remote destination within five minutes. If logs do not appear at your remote destination based on this expectation, review [Common issues with log forwarding](/acquia-cloud-platform/common-issues-log-forwarding "Common issues with log forwarding"). If issues persist, [create a Support ticket](../../../support.html#contact-acquia-support). Note Subscribers using Syslog log forwarding destinations will receive empty structured data formatted as `-` instead of `[]` from the Syslog server. 1. All logs forwarded to your remote destination have additional fields added to the beginning of each line. For more information about this data and its format, see [File formats in forwarded log files](/acquia-cloud-platform/monitor-apps/logs/forwarding/files). Determining the log forwarding status ------------------------------------- The Cloud Platform user interface allows you to determine the status of the log forwarding process for each of your logs. A log forwarding destination may have one of the following statuses: * **Active**: Cloud Platform is actively forwarding your logs to the log forwarding destination. The Cloud Platform user interface will display the active text along with an **Active** icon in the **Status** column of the **Logs > Forward** page. * **Inactive**: Cloud Platform is not actively forwarding your logs to the log forwarding destination. The Cloud Platform user interface will display the inactive text along with an **Inactive** icon in the **Status** column of the **Logs > Forward** page. * **Pending**: The Cloud Platform log forwarding process is in the pending state during the time it takes a user to complete the following actions: * Create a log forwarding destination * Edit a log forwarding destination * Enable a log forwarding destination * Disable a log forwarding destination The Cloud Platform user interface will display the pending text along with the **Pending** icon in the **Status** column of the **Logs > Forward** page. Legacy log forwarding service ----------------------------- If your application is currently using Acquia’s legacy log forwarding service, contact your Technical Account Manager (TAM) or [Acquia Support](/service-offerings/support#contact-acquia-support) to learn more about upgrading to the current version of the service. Note Acquia Support can only assist with troubleshooting issues related to the new log forwarding infrastructure or customer interface, and cannot assist with troubleshooting issues related to third-party services. 1. Cloud Platform API endpoints for log forwarding ----------------------------------------------- The [Cloud Platform API](/acquia-cloud-platform/develop-apps/api) provides endpoints for log forwarding, including: * [Create](https://cloudapi-docs.acquia.com/#operation/postEnvironmentsLogForwardingDestinations), [enable](https://cloudapi-docs.acquia.com/#operation/postEnvironmentsEnableLogForwardingDestination), or [update](https://cloudapi-docs.acquia.com/#operation/putEnvironmentsLogForwardingDestination) a log forwarding destination * [Disable](https://cloudapi-docs.acquia.com/#operation/postEnvironmentsDisableLogForwardingDestination) or [delete](https://cloudapi-docs.acquia.com/#operation/deleteEnvironmentsLogForwardingDestination) a log forwarding destination * [List log forwarding destinations for an environment](https://cloudapi-docs.acquia.com/#operation/getEnvironmentsLogForwardingDestinations) * [Return a specified log forwarding destination](https://cloudapi-docs.acquia.com/#operation/getEnvironmentsLogForwardingDestination) * Display available log forwarding [sources](https://cloudapi-docs.acquia.com/#operation/getLogForwardingSources) or [consumers](https://cloudapi-docs.acquia.com/#operation/getLogForwardingConsumers)