Datadog Log Forwarder

This guide explains how to forward Datadog logs to RunReveal via an HTTP destination that points at a RunReveal Webhook (Generic) source. Use this when you want to stream selected Datadog logs into RunReveal for detections, analytics, and long-term retention.

Quick Start

Step 1: Create a Webhook Source in RunReveal

  1. In RunReveal, go to Sources → Add Source → Webhook (Generic).
  2. Name the source (for example, Datadog Logs).
  3. Copy both values for use in Datadog:
    • Webhook URL (for example: https://api.runreveal.com/sources/webhook/<WEBHOOK_ID>)
    • Bearer token (used in the Authorization header)

Example Webhook Source configuration:

RunReveal Webhook Source edit screen

The Webhook URL is the HTTP endpoint Datadog will call. The Bearer token authenticates Datadog to RunReveal.


Step 2: Create a Datadog HTTP Destination

  1. In Datadog, open Logs → Configuration → Destinations → New Destination.
  2. Select HTTP as the destination type and name it (for example, RunReveal).
  3. Configure the endpoint:
    • URL: https://api.runreveal.com/sources/webhook/<WEBHOOK_ID>
    • Authentication type: Request Header
    • Header name: Authorization
    • Header value: Bearer <YOUR_RUNREVEAL_BEARER_TOKEN>
  4. (Optional) Choose All Tags to forward everything that matches your routing, or select specific tags to minimize volume.

Example Datadog destination setup:

Datadog HTTP destination configuration for RunReveal

Important: The header value must include the literal prefix Bearer followed by a space and your token (for example, Bearer 31Hy6Y…).
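
A curl test for this step, as an added example that is not part of the original guide or RunReveal's own tooling: it checks the header value against the rule above, posts one constructed JSON event, and maps the status code to the troubleshooting cases. The function names, the two environment variables, and the POST-with-JSON request shape are assumptions.

```shell
#!/bin/sh
# Added example (not RunReveal or Datadog code). Function and variable names
# are assumptions made for this sketch.

# check_auth_header VALUE: succeeds only if VALUE is exactly "Bearer <token>":
# literal prefix, one space, no whitespace, quotes or unfilled placeholder.
check_auth_header() {
  value=$1
  case $value in
    "Bearer "*) token=${value#"Bearer "} ;;
    *) echo "missing literal 'Bearer ' prefix"; return 1 ;;
  esac
  [ -n "$token" ] || { echo "token is empty"; return 1; }
  stripped=$(printf '%s' "$token" | tr -d '[:space:]')
  [ "$stripped" = "$token" ] || { echo "token contains whitespace"; return 1; }
  case $token in
    *'<'*|*'>'*|*'"'*|*"'"*) echo "placeholder or quote left in token"; return 1 ;;
  esac
  echo "header format ok"
}

# send_test_event URL HEADER_VALUE: POST one constructed JSON event and print
# the HTTP status. The header is fed on stdin (-H @-, curl 7.55+) so the token
# does not appear in the process list. POST with a JSON body is an assumption.
send_test_event() {
  printf 'Authorization: %s\n' "$2" |
    curl -sS -o /dev/null -w '%{http_code}' --max-time 10 "$1" \
      -H @- -H 'Content-Type: application/json' \
      -d '{"message":"constructed test event","service":"curl-test"}'
}

# explain_status CODE: map the result onto the troubleshooting cases.
explain_status() {
  case $1 in
    2??) echo "accepted by RunReveal: look at the Datadog destination" ;;
    401|403) echo "token missing or malformed: re-copy it from the source" ;;
    000) echo "no HTTP response: check the URL and network path" ;;
    *) echo "unexpected status $1: check the source card's Last Error" ;;
  esac
}

# Runs only when both variables are exported, e.g.
#   RUNREVEAL_WEBHOOK_URL='https://api.runreveal.com/sources/webhook/<WEBHOOK_ID>'
#   RUNREVEAL_AUTH_HEADER='Bearer <YOUR_RUNREVEAL_BEARER_TOKEN>'
if [ -n "${RUNREVEAL_WEBHOOK_URL:-}" ] && [ -n "${RUNREVEAL_AUTH_HEADER:-}" ]; then
  check_auth_header "$RUNREVEAL_AUTH_HEADER" || exit 1
  explain_status "$(send_test_event "$RUNREVEAL_WEBHOOK_URL" "$RUNREVEAL_AUTH_HEADER")"
fi
```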


Step 3: Verify Delivery in RunReveal

  • Return to Sources in RunReveal and open your Datadog Logs Webhook source card.
  • Confirm the Last Event timestamp and recent volume.

Example healthy source card:

RunReveal Source card showing healthy status and recent logs

Click Query to explore incoming logs. Start by filtering on sourceID, which corresponds to the source ID shown on each source card on the Sources page:

SELECT *
FROM {table:Identifier}
WHERE ({tsColumn:Identifier} >= now() - INTERVAL 1 HOUR) 
 AND ({tsColumn:Identifier} < now()) 
 AND ((sourceID = '2yNH5zTW5USNLjRHWgbdVMjOsYY'))
LIMIT 10

Troubleshooting

No logs arriving

  • Verify the destination URL: https://api.runreveal.com/sources/webhook/<WEBHOOK_ID>.
  • Confirm the header value includes the Bearer prefix.
  • Use the curl test above to isolate Datadog vs. RunReveal issues.
  • Check the RunReveal source card for Last Error details and Last Event time.

HTTP 401/403 from RunReveal

  • The token is missing or malformed. Re-copy the Bearer token from the RunReveal source and update the Datadog destination.

Next Steps

  • Detections-as-Code — build SQL or Sigma detections and deploy via Git workflows.
  • Destinations & BYODB — stream findings to Slack/PagerDuty or to a customer-managed ClickHouse.
  • AI Chat — explore AI-driven triage and investigation (“why am I not receiving Datadog logs?”).
  • RunReveal Query Language — learn fields, filters, and examples for faster investigations.
  • Structured Webhooks — field mapping and payload guidance for best results.