惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Spread Privacy
Spread Privacy
P
Palo Alto Networks Blog
P
Proofpoint News Feed
AI
AI
Help Net Security
Help Net Security
S
Securelist
T
Troy Hunt's Blog
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
C
Cisco Blogs
Scott Helme
Scott Helme
Hacker News - Newest:
Hacker News - Newest: "LLM"
Vercel News
Vercel News
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
B
Blog
GbyAI
GbyAI
Recent Commits to openclaw:main
Recent Commits to openclaw:main
D
Darknet – Hacking Tools, Hacker News & Cyber Security
P
Proofpoint News Feed
S
Security Affairs
Cisco Talos Blog
Cisco Talos Blog
AWS News Blog
AWS News Blog
T
Tenable Blog
H
Help Net Security
NISL@THU
NISL@THU
F
Fortinet All Blogs
博客园_首页
G
GRAHAM CLULEY
L
LINUX DO - 最新话题
P
Privacy International News Feed
G
Google Developers Blog
博客园 - Franky
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
Security Archives - TechRepublic
Security Archives - TechRepublic
The Register - Security
The Register - Security
L
LangChain Blog
aimingoo的专栏
aimingoo的专栏
T
Tor Project blog
P
Privacy & Cybersecurity Law Blog
量子位
C
Cyber Attacks, Cyber Crime and Cyber Security
Forbes - Security
Forbes - Security
S
Secure Thoughts
Simon Willison's Weblog
Simon Willison's Weblog
D
Docker
Recorded Future
Recorded Future
博客园 - 三生石上(FineUI控件)
L
Lohrmann on Cybersecurity
T
Tailwind CSS Blog

Datadog | The Monitor blog

Introducing our open source AI-native SAST Instrument and monitor Boomi integration flows with OpenTelemetry and Datadog Not all index scans are equal: How we cut query latency by over 99% Platform engineering metrics: What to measure and what to ignore Integrate Recorded Future threat intelligence with Datadog Cloud SIEM CI/CD security: threat modeling using a MITRE-style threat matrix CI/CD security: How to secure your GitHub ecosystem Ingress NGINX is EOL: A practical guide for migrating to Kubernetes Gateway API Operating agentic AI with Amazon Bedrock AgentCore and Datadog LLM Observability: Lessons from NTT DATA Introducing the Datadog Code Security MCP Capture and analyze custom heatmaps in Session Replay Understand session replays faster with AI summaries and smart chapters Monitor ClickHouse query performance with Datadog Database Monitoring How we designed empathetic alert sounds for on-call engineers Search and act across Datadog to resolve issues faster with Bits Assistant Measure the business impact of every product change with Datadog Experiments Analyzing round trip query latency Configuring JavaScript caches for better performance Introducing Bits AI Dev Agent for Code Security Datadog achieves ISO 42001 certification for responsible AI Monitor Nutanix clusters, hosts, and VMs with Datadog Monitor Juniper Mist in Datadog A new Host Map for modern infrastructure Annotate traces to improve LLM quality with Datadog LLM Observability What’s new in Cloud SIEM: AI-powered investigations, enhanced threat intelligence, and scalable security operations Explore Kubernetes with native OpenTelemetry data Monitor Oracle Fusion Cloud Applications with Datadog Announcing the Datadog Terraform provider v4.0.0 Scaling Kubernetes workloads on custom metrics How to design cloud environments for AI-powered threat analysis Monitor Aruba Central in Datadog How we centralize and remediate risks with Datadog Case Management Accelerate incident response with Datadog and ServiceNow Monitor your application and network load balancer logs Understanding Karpenter architecture for Kubernetes autoscaling Tools for collecting metrics and logs from Karpenter Monitor Karpenter with Datadog What your product data is actually saying Key metrics for monitoring Karpenter Securing Datadog’s platform in the AI age: The role of observability data Four ways engineering teams use the Datadog MCP Server to power AI agents Approaching your observability migration with the right mindset Meet the new Bits AI SRE: Deeper reasoning, twice as fast Key learnings from the 2026 State of DevSecOps study Use plain English to query your multi-cloud infrastructure in Resource Catalog Simplifying troubleshooting across the user journey with Datadog Synthetic Monitoring Protect your OCI resources with Datadog Cloud Security This Month in Datadog - February 2026 Amazon EC2 security: How misconfigured and public AMIs expand your cloud attack surface Enable end-to-end visibility into your Java apps with a single command Measure and improve mobile app startup performance with Datadog RUM Evaluating our AI Guard application to improve quality and control cost Identify untested code across every level of your codebase Make use of guardrail metrics and stop babysitting your releases Monitor Versa Networks SD-WAN performance in Datadog Improve performance and reliability with APM Recommendations Remediate transitive vulnerabilities faster with Datadog Software Composition Analysis Generate audit-ready vulnerability and compliance reports with Datadog Sheets Monitor Fortinet FortiManager performance in Datadog Improve test coverage across codebases with Datadog Code Coverage Move fast, don’t break things: Consistent testing standards at scale Enrich logs with ServiceNow CMDB context before routing to any SIEM or logging tool Monitor Lustre with Datadog Make faster, better product decisions with Datadog Product Analytics Surface and remediate runtime posture issues with Workload Protection Findings Protect agentic AI applications with Datadog AI Guard How to optimize JavaScript code with CSS Trace Google Pub/Sub workloads in Cloud Run with Datadog Detect human names in logs with ML in Sensitive Data Scanner How we cut our NLQ agent debugging time from hours to minutes with LLM Observability Debug PostgreSQL query latency faster with EXPLAIN ANALYZE in Datadog Database Monitoring Datadog acquires Propolis Unify and correlate frontend and backend data with retention filters Scale compliance across global frameworks with Datadog Cloud Security Monitor Arista VeloCloud SD-WAN performance with Datadog Building reliable dashboard agents with Datadog LLM Observability Simplify log collection and aggregation for MSSPs with Datadog Observability Pipelines Mitigation for Node.js denial-of-service vulnerability affecting Datadog APM Automate flaky test fixes with the Bits AI Dev Agent and Test Optimization How we built an AI SRE agent that investigates like a team of engineers Datadog integrations 2025 recap: Observability for AI, security, and hybrid cloud Design effective executive dashboards with Datadog Implement dbt data quality checks with dbt-expectations Bring faster visibility into AWS Lambda functions with remote instrumentation Troubleshoot faster with the GitLab Source Code integration in Datadog How Cambia Health Solutions saved $30,000 monthly with Cloud Cost Management and the Datadog Resource Catalog Normalize any logs for Cloud SIEM with Datadog's OCSF processor Optimizing Datadog at scale: Cost-efficient observability at Zendesk Detect, diagnose, and resolve network issues easily with CNM Network Health Connect engineering errors to user impact in early-stage products Cilium configuration for Kubernetes operations at scale Designing feedback loops for progressive delivery Ship features faster and safer with Datadog Feature Flags Choosing the right OpenTelemetry Collector distribution Route your monitor alerts with Datadog monitor notification rules Automate Cloud SIEM investigations with Bits AI Security Analyst Cloud threat detection: How to identify risky activity across control and data planes Collecting Kafka performance metrics Monitoring Kafka with Datadog Monitoring Kafka performance metrics
Reduce CDN log costs with searchable archives | Datadog
Rufina Mariam · 2026-06-26 · via Datadog | The Monitor blog

Engineering teams that manage high-volume log sources, such as content delivery network (CDN) edges, streaming platforms, and authentication systems, often have to make a difficult retention tradeoff. Indexing every event keeps logs searchable during investigations, audits, and postmortems, but it can make long-term retention expensive. Archiving those logs in object storage helps control costs, but it often moves historical investigations into a separate query environment, such as Amazon S3 with Athena, a secondary data lake, or a dedicated CDN analytics tool. This fragmentation forces teams to work with a secondary query language, access control model, and operational context. 

Datadog Observability Pipelines and Archive Search provide a cost-conscious pattern for retaining and investigating high-volume CDN logs. You can use Observability Pipelines to process and route raw edge logs to object storage while sending key metrics and high-signal events to Datadog for monitoring and alerting. When an investigation requires historical context, Archive Search lets you query archived logs from Datadog, helping teams keep CDN data accessible without indexing every event for long-term retention. 

In this post, we will show you how to:

  • Route high-volume logs to low-cost storage with Observability Pipelines

  • Analyze archived logs in Datadog during incidents

Route high-volume logs to low-cost storage with Observability Pipelines

CDN access logs record every request handled at the edge, including client IP, request path, response status, and cache behavior. At streaming scale, where each video chunk can generate a separate HTTP request, these logs can reach tens of terabytes per day. Teams need to retain this data for network forensics, performance investigations, audits, and postmortems, but indexing all of it for long retention periods is expensive.

Video platforms and other high-volume streaming services typically run multiple CDNs in every region and shift traffic between them as conditions change—sometimes mid-event. When an incident spans multiple providers, no single portal contains the full edge context an investigation requires. Teams often archive CDN logs to object storage to retain that data without indexing every event.

Raw CDN logs can be difficult to operationalize quickly. Providers such as Cloudflare and Akamai use different formats, field names, and structures. To make those logs usable across providers, teams often need to build parsing rules, map provider-specific fields to a common schema, and configure routing logic before teams can query or monitor the data consistently during an incident.

Observability Pipelines Packs reduce that setup work. For common CDN sources like Cloudflare and Akamai, Observability Pipelines Packs include prebuilt parsing and processing logic that normalizes log formats, extracts useful attributes, and prepares events for routing or metric generation. Instead of building each processor from scratch, an SRE can start from a working pipeline, customize it for their environment, and route noisy raw events to object storage while sending high-signal metrics and alerts to Datadog.

With Observability Pipelines, you can process, filter, and route logs before sending them to downstream systems, helping you control volume and reduce indexing costs. For example, you can configure CDN providers like Cloudflare to stream logs directly into Observability Pipelines by using Logpush. From there, Observability Pipelines can process and route logs in real time, sending high-volume edge logs to low-cost storage while forwarding key signals to Datadog for monitoring and alerting.

Observability Pipelines configuration routing Cloudflare CDN logs to Amazon S3 archive and Datadog indexing via separate processing groups.

You can split log traffic based on status, source, or custom attributes like env:production or team:platform. High-volume CDN access logs that are essential for network forensics—such as reconstructing traffic during a DDoS event or tracing geographic attack patterns—can route directly to object storage. Higher-signal logs, such as application errors and security alerts, can route to Datadog for indexing. 

Generate metrics from CDN logs in transit

For many CDN log use cases, teams care about aggregated signals such as request rates, error counts, top source IPs, BotScore buckets, WAFAttackScore rates, and cache-miss rates by region. Observability Pipelines can generate metrics from these logs in transit and route those metrics to Datadog, while raw events land in cloud storage. 

By choosing bounded dimensions such as status code classes, action types, and region groupings, teams can keep metric cardinality predictable as traffic scales. The raw archive still preserves unbounded questions, such as per-IP, per-user, and per-session investigations, for Archive Search when a metric signals a problem.

Observability Pipelines live event routing with 15.7 events per second split between Amazon S3 archive and Datadog indexing destinations.

Normalize and enrich CDN logs before routing

Beyond routing, Observability Pipelines can normalize and enrich logs in transit by parsing unstructured formats, standardizing field names, and enriching events with host or environment metadata. You can also pull in external context. For example, ServiceNow CMDB enrichment adds owning team, service tier, and dependency information to every event at the time it was emitted.

The same pipeline can also apply to player-side telemetry data. CDN access logs record what was served but do not show how the player handled that content, such as whether playback buffered, dropped bitrate, or failed. Common Media Client Data (CMCD) helps close that gap by enabling streaming clients to attach player state, such as buffer length, requested bitrate, and session ID, to segment requests. 

Routed through Observability Pipelines, CMCD events follow the same path as the rest of the CDN data: Bucketed metrics like rebuffer rate and bitrate distribution route to Datadog for dashboards and alerts, raw events stay in object storage, and Archive Search reaches into them when a metric needs to be tied back to specific sessions or edge points of presence (POPs)

Redact PII before logs leave your environment

Because Observability Pipelines runs on-premises, you can detect and redact personally identifiable information (PII) before logs leave your environment. Observability Pipelines writes to your object storage in Datadog’s native archive format, which makes it compatible with Archive Search without a separate reprocessing step.

Analyze archived logs in Datadog during incidents

During an investigation, teams often need to determine whether a similar issue has occurred before. A buffering spike during a live event, a surge of failed logins from a new region, or an anomalous error rate on a specific edge POP can all require moving from a real-time signal into months of historical context. The speed of that pivot determines how quickly an incident can be diagnosed—and how often historical analysis gets used at all.

Most CDN investigations are not catastrophic outages. They are often slower regional degradations, a single Autonomous System Number (ASN) spiking overnight, or a cache-hit ratio that drifts a few points and quietly inflates origin egress. These are the cases where teams skip the investigation altogether if the data lives in a separate tool. Bringing Archive Search into the same observability workflow makes that historical context practical to use.

Query archived CDN logs without leaving Datadog

Consider a high-profile live streaming event that attracts both legitimate traffic and bad actors. The on-call engineer runs service:cdn-edge AND @WAFAction:block over the event window, to check for credential stuffing, scraping, or password-spray attempts that occurred during the traffic surge. With Archive Search, the engineer can query logs stored in object storage directly from Datadog without switching to a separate analytics tool.

Before the scan begins, Archive Search includes a Query Preview feature that returns log samples before committing to a full archive scan. The engineer can use the Query Preview to confirm query syntax, time range, and filters before incurring scan compute costs. This is especially useful when working with archives that contain large compliance or security events spanning weeks or months.

Archive Search can also use partitions and lookup attributes to reduce scan scope. Partitions group logs by attributes such as date and service. When you configure partition attributes, Archive Search can skip blocks of data outside the query’s scope. Lookup attributes work similarly to database indexes, pre-filtering results before a full scan. Together, these options reduce scan time across large datasets in object storage.

Archive Search Query Preview returning log samples from a Cloudflare CDN archive before a full scan is committed.

After the engineer runs the search, results stream back into a familiar Datadog view with client IP, country, ASN, and request-path context. Because Archive Search operates inside the same observability workflow, teams can investigate historical CDN logs by using the same identities, access controls, and operational context already used for dashboards, monitors, and incident response.

Act on Archive Search results

If the engineer is also investigating indexed application logs, they can pivot from any blocked edge event to the application response that followed—all in the same UI, using the same search syntax. Archive Search makes long-tail patterns visible by using the same query surface. A regional cache-hit ratio that has quietly drifted from 99% to the high 80s, for example, can mean hundreds of gigabytes of unnecessary origin egress every day before anyone notices. This is exactly the kind of slow drift that goes unseen until someone pulls the underlying logs.

Archive Search uses the same search syntax and log facets that teams already use in Log Explorer. After a query runs, results are retained for 24 hours at no additional cost. From there, teams can re-index a targeted subset back into Datadog for deeper analysis or export results to CSV for offline investigation and stakeholder review.

In this example, Archive Search scanned 751 GB of archived data and isolated 242 relevant logs by targeting service:cdn-edge and an event type such as @WAFAction:block. With that narrowed result set, an engineer can reconstruct the timeline of a potential attack and review the specific source IPs, regions, ASNs, and request paths involved. The value goes beyond lower indexing volume—Archive Search lets teams move from a real-time signal to historical evidence without changing tools or query languages.

Archive Search results with 242 logs retrieved from 751 GB of Cloudflare CDN data filtered by service:cdn-edge and WAFAction:block.
Archive Search log detail showing Cloudflare CDN event attributes including BotScore, client IP, request path, and edge response status for a blocked authentication request.

Investigate archived CDN logs in Datadog

High-volume CDN logs are too important to discard, but they are often too expensive to index in full for long retention periods. By using Observability Pipelines with Archive Search, teams can route raw CDN logs to low-cost object storage, generate metrics from those logs in transit, and search archived events in Datadog when investigations require historical context.

To get started, read the Observability Pipelines documentation and the Log Archives documentation.

If you’re new to Datadog, you can sign up for a 14-day free trial.