Log streaming: HTTPS

      Last updated May 15, 2020

    Fastly's Real-Time Log Streaming feature can send log files to an HTTPS endpoint.

    Prerequisites

    When sending logs to an HTTPS endpoint, Fastly requires proof that you control the domain name specified in the URL field by using an HTTP challenge on a well-known path. If, for example, your URL field is foo.example.com/some/log/path, then the following challenge path must send a 200 response:

    foo.example.com/.well-known/fastly/logging/challenge

    The response body must include the hex representation of the SHA-256 hash of your Fastly service ID, and that value must appear on its own line. For example:

    $ printf '%s' '<SERVICEID>' | sha256sum
    
    ef537f25c895bfa782526529a9b63d97aa631564d5d789c2b765448c8635fb6c
    

    If multiple service IDs are used, multiple hex(sha256) lines can be added to that challenge body. In addition, an asterisk (*) can be used on a line to allow any service to post to the HTTP endpoint. For example:

    ef537f25c895bfa782526529a9b63d97aa631564d5d789c2b765448c8635fb6c
    06ae6402e02a9dad74edc71aa69c77c5747e553b0840bfc56feb7e65b23f0f61
    *
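
    The challenge body described above can be generated and audited before it is published. The following is an added example, not Fastly's code: the function names are hypothetical, and matching on whitespace-trimmed lowercase lines is an assumption about how the body is read. It flags the wildcard line, which authorizes any service to post to the endpoint.

```python
import hashlib

WILDCARD = "*"

def challenge_line(service_id: str) -> str:
    """Hex SHA-256 of the service ID string itself (no trailing newline hashed)."""
    return hashlib.sha256(service_id.encode("utf-8")).hexdigest()

def _is_sha256_hex(line: str) -> bool:
    # 64 lowercase hex characters, as sha256sum prints them.
    return len(line) == 64 and all(c in "0123456789abcdef" for c in line)

def build_challenge_body(service_ids) -> str:
    """One hash per line, de-duplicated; never emits the wildcard."""
    lines = sorted({challenge_line(s) for s in service_ids})
    return "\n".join(lines) + "\n"

def audit_challenge_body(body: str, service_id: str) -> dict:
    """Report how a served challenge body treats one service ID."""
    lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
    expected = challenge_line(service_id)
    return {
        "listed": expected in lines,          # hash present on its own line
        "wildcard": WILDCARD in lines,        # any service may post
        "authorized": expected in lines or WILDCARD in lines,
        # Lines that are neither a hash nor "*" authorize nothing.
        "malformed": [ln for ln in lines
                      if ln != WILDCARD and not _is_sha256_hex(ln)],
    }

# Constructed sample: the three-line body shown above on this page.
PAGE_BODY = (
    "ef537f25c895bfa782526529a9b63d97aa631564d5d789c2b765448c8635fb6c\n"
    "06ae6402e02a9dad74edc71aa69c77c5747e553b0840bfc56feb7e65b23f0f61\n"
    "*\n"
)

if __name__ == "__main__":
    # "abc" is a stand-in service ID used only for illustration.
    print(audit_challenge_body(PAGE_BODY, "abc"))
    print(build_challenge_body(["abc"]), end="")
```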
    

    Adding HTTPS as a logging endpoint

    Follow these instructions to add HTTPS as a logging endpoint:

    1. Review the information in our Setting Up Remote Log Streaming guide.
    2. Click the HTTPS Create endpoint button. The Create an HTTPS endpoint page appears.

    3. Fill out the Create an HTTPS endpoint fields as follows:
      • In the Name field, type a human-readable name for the endpoint.
      • In the Log format field, enter the data to send to the HTTPS endpoint. Data sent to the HTTPS endpoint can be formatted as appropriate for your endpoint.
      • In the URL field, type the URL to which log data will be sent (e.g., https://logs.example.com/).
      • In the Maximum logs field, optionally enter the maximum number of logs to send as a batch.
      • In the Maximum bytes field, optionally enter the maximum size of a log batch.
    4. Click the Advanced options link of the Create an HTTPS endpoint page. The Advanced options appear.

    5. Fill out the Advanced options of the Create an HTTPS endpoint page as follows:
      • In the Content type field, optionally enter the content type to use when sending logs (e.g., application/json).
      • In the Custom header name field, optionally enter a custom header to use when sending logs (e.g., Authorization).
      • In the Custom header value field, optionally enter a custom header value to use when sending logs (e.g., Bearer <token>).
      • In the Method area, optionally select the appropriate HTTP method to use.
      • In the JSON log entry format area, select the appropriate log entry format to use. The JSON log entry format enforces valid JSON formatting. Selecting Array of JSON wraps JSON log batches in an array. Selecting Newline delimited places each JSON log entry onto a new line in a batch.
      • In the Select a log line format area, select the log line format for your log messages. Our guide on changing log line formats provides more information.
      • In the Placement area, select where the logging call should be placed in the generated VCL. Valid values are Format Version Default, None, and waf_debug (waf_debug_log). Selecting None creates a logging object that can only be used in custom VCL. See our guide on WAF logging for more information about waf_debug_log.
    6. Fill out the Using your own certificate authority (CA) section of the Advanced options area as follows:
      • In the TLS Hostname field, optionally type the hostname used to verify the server's certificate. This can be either the Common Name (CN) or Subject Alternative Name (SAN). If the hostname is not specified, the hostname of the first broker in the Brokers field will be used. This field only appears when you select Yes from the Use TLS menu.
      • In the TLS CA certificate field, optionally copy and paste the certification authority (CA) certificate used to verify that the origin server's certificate is valid. The certificate you upload must be in PEM format. Consider uploading the certificate if it's not signed by a well-known certification authority. This value is not required if your TLS certificate is signed by a well-known authority. This field only appears when you select Yes from the Use TLS menu.
      • In the TLS client certificate field, optionally copy and paste the TLS client certificate used to authenticate to the origin server. The TLS client certificate you upload must be in PEM format and must be accompanied by a TLS client key. A TLS client certificate allows your server to authenticate that Fastly is performing the connection. This field only appears when you select Yes from the Use TLS menu.
      • In the TLS client key field, optionally copy and paste the TLS client key used to authenticate to the backend server. The TLS client key you upload must be in PEM format and must be accompanied by a TLS client certificate. A TLS client key allows your server to authenticate that Fastly is performing the connection. This field only appears when you select Yes from the Use TLS menu.
    7. Click the Create button to create the new logging endpoint.
    8. Click the Activate button to deploy your configuration changes.

    Firewall considerations

    Your HTTPS endpoint may have limited security features. For this reason, it's best to create a firewall for your HTTP endpoint server and only accept TCP traffic on your configured port from our address blocks. Our list of address blocks is dynamic, so we recommend programmatically obtaining the list from our JSON feed whenever possible.
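
    One way to turn the address-block feed into an allowlist for the logging port, as an added example that is not Fastly's code. The feed shape (the "addresses" and "ipv6_addresses" keys) is an assumption, the ranges are constructed documentation prefixes rather than real Fastly blocks, and the function names are hypothetical.

```python
import ipaddress
import json

# Constructed sample feed; key names are assumed, ranges are documentation prefixes.
SAMPLE_FEED = (
    '{"addresses": ["192.0.2.0/24", "203.0.113.0/24"],'
    ' "ipv6_addresses": ["2001:db8::/32"]}'
)

def parse_feed(raw: str):
    """Return validated networks; refuse input that would open the port widely."""
    doc = json.loads(raw)
    nets = []
    for cidr in doc.get("addresses", []) + doc.get("ipv6_addresses", []):
        net = ipaddress.ip_network(cidr, strict=True)  # raises on malformed CIDR
        if net.prefixlen == 0:
            raise ValueError(f"refusing catch-all range {cidr}")
        nets.append(net)
    if not nets:
        # An empty feed is more likely a fetch problem than a real change.
        raise ValueError("empty feed; keep the current rules")
    return nets

def render_rules(nets, port: int):
    """Accept TCP to the port from each block, then drop everything else."""
    rules = []
    for net in nets:
        tool = "iptables" if net.version == 4 else "ip6tables"
        rules.append(f"{tool} -A INPUT -p tcp -s {net} --dport {port} -j ACCEPT")
    for tool in ("iptables", "ip6tables"):
        rules.append(f"{tool} -A INPUT -p tcp --dport {port} -j DROP")
    return rules

def source_allowed(ip: str, nets) -> bool:
    """Check one source address against the allowlist (useful for log review)."""
    addr = ipaddress.ip_address(ip)
    return any(addr.version == n.version and addr in n for n in nets)

if __name__ == "__main__":
    for rule in render_rules(parse_feed(SAMPLE_FEED), 443):
        print(rule)
```

    Regenerate the rules on a schedule, since the list of address blocks is dynamic.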
