• Home
  • Dynatrace API
  • Environment
  • Log Monitoring
  • POST ingest logs

Log Monitoring API - POST ingest logs

Pushes custom logs to Dynatrace.

This endpoint requires an ActiveGate with the Log analytics collector module enabled. This module is enabled by default on all of your ActiveGates.

The request consumes one of the following payload types:

  • text/plain—limited to a single log event.
  • application/json—supports multiple log events in a single payload.

Be sure to set the correct Content-Type header and encode payload with UTF-8: application/json; charset=utf-8.

POST

  • Dynatrace SaaS https://{your-environment-id}.live.dynatrace.com/api/v2/logs/ingest
  • Environment ActiveGate https://{your-activegate-domain}:9999/e/{your-environment-id}/api/v2/logs/ingest

Authentication

To execute this request, you need the Ingest logs (logs.ingest) permission assigned to your API token. To learn how to obtain and use it, see Tokens and authentication.

Parameters

ParameterTypeDescriptionInRequired
bodyLogMessageJson

The body of the request. Contains one or more log events to be ingested.

The endpoint accepts one of the following payload types, defined by the Accept header:

  • text/plain: supports only one log event.
  • application/json: supports multiple log events in a single payload.
bodyoptional

Request body objects

The LogMessageJson object

The log message in JSON format. Use one object representing a single event or an array of objects representing multiple events.

The object might contain the following types of case-insensitive keys (the possible key values are listed below):

  • Timestamp:
    • The earliest timestamp for a log event is the current time minus 24 hours. If the log event contains a timestamp earlier than the current time minus 24 hours, the event is dropped.
    • The timestamp for a log event is not limited to future time. If the log event contains a timestamp later than 10 minutes in the future, the timestamp of the event will be overridden by the current time on the server.
    • The following formats are supported: UTC milliseconds, RFC3339, and RFC3164. For the missing timestamp, the current timestamp is used. For the unsupported timestamp format, the current timestamp is used, and the value of the unsupported timestamp format is stored in the not indexed unparsed_timestamp attribute.
  • Severity. If not set, NONE is used.
  • Content. If the content key is not set, the whole JSON is parsed as the content.
  • Semantic attribute. Only values of the String type are supported. Semantic attributes are indexed and can be used in queries. These are also displayed in aggregations (facets). If an unsupported key occurs, it is not indexed and can't be used in indexing and aggregations.

The object value can be a single constant or, in case of semantic attribute, an array of constants. The length of the value is limited. Any content exceeding the limit is trimmed. Default limits:

  • Attributes: up to 50 attributes.
  • Content: 8,192 bytes.
  • Semantic attribute: 250 bytes per value, up to 32 attribute values

Supported timestamp keys:

  • @timestamp
  • _timestamp
  • date
  • eventtime
  • published_date
  • syslog.timestamp
  • timestamp

Supported content keys:

  • body
  • content
  • message
  • payload

Supported severity keys:

  • level
  • loglevel
  • severity
  • status
  • syslog.severity

Supported semantic attribute keys:

  • audit.action
  • audit.identity
  • audit.result
  • aws.account.id
  • aws.arn
  • aws.log_group
  • aws.log_stream
  • aws.region
  • aws.resource.id
  • aws.resource.type
  • aws.service
  • azure.location
  • azure.resource.group
  • azure.resource.id
  • azure.resource.name
  • azure.resource.type
  • azure.subscription
  • cloud.account.id
  • cloud.availability_zone
  • cloud.provider
  • cloud.region
  • container.image.name
  • container.image.tag
  • container.name
  • db.cassandra.keyspace
  • db.connection_string
  • db.hbase.namespace
  • db.jdbc.driver_classname
  • db.mongodb.collection
  • db.mssql.instance_name
  • db.name
  • db.operation
  • db.redis.database_index
  • db.statement
  • db.system
  • db.user
  • device.address
  • dt.active_gate.group.name
  • dt.active_gate.id
  • dt.code.filepath
  • dt.code.func
  • dt.code.lineno
  • dt.code.ns
  • dt.ctg.calltype
  • dt.ctg.extendmode
  • dt.ctg.gatewayurl
  • dt.ctg.program
  • dt.ctg.rc
  • dt.ctg.requesttype
  • dt.ctg.serverid
  • dt.ctg.termid
  • dt.ctg.transid
  • dt.ctg.userid
  • dt.entity.cloud_application
  • dt.entity.cloud_application_instance
  • dt.entity.cloud_application_namespace
  • dt.entity.container_group
  • dt.entity.container_group_instance
  • dt.entity.custom_device
  • dt.entity.host
  • dt.entity.kubernetes_cluster
  • dt.entity.kubernetes_node
  • dt.entity.process_group
  • dt.entity.process_group_instance
  • dt.event.group_label
  • dt.event.key
  • dt.events.root_cause_relevant
  • dt.exception.messages
  • dt.exception.serialized_stacktraces
  • dt.exception.types
  • dt.extension.config.id
  • dt.extension.ds
  • dt.extension.name
  • dt.extension.status
  • dt.host.ip
  • dt.host.smfid
  • dt.host.snaid
  • dt.host_group.id
  • dt.http.application_id
  • dt.http.context_root
  • dt.kubernetes.cluster.id
  • dt.kubernetes.cluster.name
  • dt.kubernetes.config.id
  • dt.kubernetes.event.involved_object.kind
  • dt.kubernetes.event.involved_object.name
  • dt.kubernetes.event.reason
  • dt.kubernetes.node.name
  • dt.kubernetes.node.system_uuid
  • dt.kubernetes.topmost_controller.kind
  • dt.kubernetes.workload.kind
  • dt.kubernetes.workload.name
  • dt.network_zone.id
  • dt.os.description
  • dt.os.type
  • dt.process.commandline
  • dt.process.executable
  • dt.process.name
  • dt.source_entity
  • dt.source_entity_name
  • dt.source_entity_type
  • faas.id
  • faas.instance
  • faas.name
  • faas.version
  • gcp.instance.id
  • gcp.instance.name
  • gcp.project.id
  • gcp.region
  • gcp.resource.type
  • geo.city_name
  • geo.country_name
  • geo.name
  • geo.region_name
  • host.hostname
  • host.id
  • host.image.id
  • host.image.name
  • host.image.version
  • host.name
  • host.type
  • http.client_ip
  • http.flavor
  • http.host
  • http.method
  • http.route
  • http.scheme
  • http.server_name
  • http.status_code
  • http.status_text
  • http.target
  • http.url
  • k8s.cluster.name
  • k8s.container.name
  • k8s.cronjob.name
  • k8s.cronjob.uid
  • k8s.daemonset.name
  • k8s.daemonset.uid
  • k8s.deployment.name
  • k8s.deployment.uid
  • k8s.job.name
  • k8s.job.uid
  • k8s.namespace.name
  • k8s.pod.name
  • k8s.pod.uid
  • k8s.replicaset.name
  • k8s.replicaset.uid
  • k8s.statefulset.name
  • k8s.statefulset.uid
  • log.source
  • net.host.ip
  • net.host.name
  • net.host.port
  • net.peer.ip
  • net.peer.name
  • net.peer.port
  • net.transport
  • process.technology
  • service.instance.id
  • service.name
  • service.namespace
  • service.version
  • snmp.trap_oid
  • span_id
  • trace_id
  • winlog.eventid
  • winlog.level
  • winlog.opcode
  • winlog.provider
  • winlog.task

The object doesn't provide any parameters.

Request body JSON model

This is a model of the request body, showing the possible elements. It has to be adjusted for usage in an actual request.

json
[ { "content": "Exception: Custom error log sent via Generic Log Ingest", "log.source": "/var/log/syslog", "timestamp": "2022-01-17T22:12:31.0000", "severity": "error", "custom.attribute": "attribute value" }, { "content": "Exception: Custom error log sent via Generic Log Ingest", "log.source": "/var/log/syslog", "timestamp": "2022-01-17T22:12:35.0000" }, { "content": "Exception: Custom error log sent via Generic Log Ingest", "log.source": "/var/log/syslog" }, { "content": "Exception: Custom error log sent via Generic Log Ingest" } ]

Response

Response codes

CodeTypeDescription
200SuccessEnvelope

Only a part of input events were ingested due to event invalidity. For details, check the response body.

204

Success. Response doesn't have a body.

400ErrorEnvelope

Failed. The input is invalid.

402ErrorEnvelope

Failed. You can't add more logs to the storage, because you are out of Davis Data Units (DDU). Purchase additional DDUs.

404ErrorEnvelope

Failed. The requested resource doesn't exist. This may happen when no ActiveGate is available with the Log Analytics Collector module enabled.

413ErrorEnvelope

Failed. Request payload size is too big. This may happen when the payload byte size exceeds the limit or when the ingested payload is a JSON array with the size exceeding the limit.

429ErrorEnvelope

Failed. Too Many Requests. This happens when log ingest is disabled.

501ErrorEnvelope

Failed. The server either does not recognize the request method, or it lacks the ability to fulfil the request. May happen when indexed log storage is not enabled.

Response body objects

The SuccessEnvelope object

ElementTypeDescription
detailsSuccess-

The Success object

ElementTypeDescription
messagestring

Detailed message

codeinteger

The HTTP status code

Response body JSON model

json
{ "details": { "message": "string", "code": 1 } }
Related topics
  • Log Monitoring Classic

    Learn how to enable Log Monitoring, the insights that Log Monitoring can provide, and more.

  • Generic log ingestion

    Stream log data to Dynatrace using API and have Dynatrace transform it into meaningful log messages.