Setting up remote log streaming

Fastly's Real-Time Log Streaming feature allows you to automatically save logs to a third-party service for storage and analysis. Logs provide an important resource for troubleshooting connectivity problems, pinpointing configuration areas that could use performance tuning, and identifying the causes of service disruptions. We recommend setting up remote log streaming when you start using Fastly services.

NOTE

Fastly does not provide direct support for third-party services. Read Fastly's Terms of Service for more information.

Before you begin

Before setting up remote log streaming, keep the following in mind:

  • Be sure to double-check the delivery formats required by your logging provider and what you're delivering to them. Some providers have strict formatting requirements for the formats they allow (e.g., JSON).
  • If you configure multiple logging endpoints for your service, logs will be sent to all of the logging endpoints.
IMPORTANT

Be sure to take into account security, privacy, and compliance requirements when making configuration and endpoint decisions for the data you intend to include in streamed logs.

Configuring logging endpoints

You can configure one or more logging endpoints for Fastly services. Follow these instructions to access the logging settings:

  1. Log in to the Fastly web interface.
  2. From the Home page, select the appropriate service. You can use the search box to search by ID, name, or domain. You can also click Compute services or CDN services to access a list of services by type.
  3. Click Edit configuration and then select the option to clone the active version.
  4. Click Logging. The logging endpoints page appears. If you've already added a logging endpoint, click Create Endpoint.

    the logging endpoints page

  5. Follow the instructions in one of our logging endpoint guides to complete the set up process and deploy your changes.

Once you've clicked Activate to deploy your changes, events will begin being logged immediately. The logs may take a few moments to appear on your log server.

How, when, and where logs are streamed

To control log streaming, Fastly provides two versions of custom log formats, each of which uses Apache-style logging directives. The logging format strings in each of these versions are based on the Common Log Format (CLF).

Logs are streamed over TCP, not UDP, optionally using TLS for security with supported endpoints. Additionally, if you are using custom VCL be sure to include the #FASTLY log macro in your vcl_log handler.

By default, logs are placed in your root directory every hour using the file naming format YYYY-mm-ddThh:mm:ss-<uid>. You can change both the frequency and path of these files. Our guide on changing where log files are written provides more information.

If you've configured multiple logging endpoints for your service, the logs will be sent to all of the logging endpoints.

Fastly uses several different log-server aggregation points and each will send logs files, none of which contain duplicate entries. These log files are created as soon as streaming starts and they're written to over the entire time period you specify (or the default). Once that time has passed, the files aren't touched any more and the logging process creates a new batch of files.

The number of log-server aggregation points may change over time in line with our capacity requirements. If you're sending logs to a storage endpoint and are concerned about the number of log files that will be created on your disk, consider choosing a logging endpoint that supports real-time ingestion, which will eliminate a need for pre-processing log files.

Escaping characters in logs

Logs respond to VCL like any other object. For example, the following code can escape quotes from User-Agent your log stream:

log {"syslog serviceid endpointname :: "} {"""} cstr_escape(req.http.user-agent);

Preventing duplicate log entries when using custom VCL

If you use custom VCL commands for logging, you may notice duplicate entries in your logs. This happens because logs are being generated by both Fastly and the custom VCL logging commands. You can eliminate the duplicate entries by following these steps:

  1. On the Logging endpoints page, click the name of the logging endpoint you want to edit.

  2. From the Placement menu, select None.

    Logging compression options

  3. Click Update.

  4. Click Activate to deploy your configuration changes.

Fastly will stop generating log entries, and your logs will only contain entries generated by the custom VCL logging commands.

Troubleshooting common logging errors

The Fastly web interface displays errors with your logging configuration. You can also use the logging_status API endpoint to troubleshoot problems with your service's logging configuration:

$ curl -sg -H "Fastly-Key:$token" \
"https://api.fastly.com/service/:SERVICE_ID/logging_status"

The output will indicate whether Fastly has detected an error. If BrokenNow is set to false, Fastly hasn't detected a problem with your logging configuration:

{"1234567890ABCDEF/my-service":{"LastErrorTime":null,"LastError":null,"BrokenNow":false}}

If an error in the Fastly web interface suggests that your logging configuration appears to be broken for the currently activated service version but you're still receiving some logs, not all of Fastly's log aggregators may be able to connect to your endpoint's server. It's likely the maximum number of concurrent connections has been reached. Try configuring your logging endpoint's server to allow a higher maximum number of inbound connections and then see if the error clears up after a couple of hours.

Was this guide helpful?

Do not use this form to send sensitive information. If you need assistance, contact support. This form is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.