Generic log ingestion

Dynatrace version 1.213+

Generic log ingestion allows you to stream log records to the system. It is available only via Log Monitoring API v2 - POST ingest logs.

The generic log ingestion endpoint is located on ActiveGate.

  • The endpoint is enabled by default on all of your ActiveGates.
  • ActiveGate is responsible for serving the endpoint, collecting the data, and forwarding it to Dynatrace in batches.
SaaS Environment ActiveGate only

The log ingest API is only available for Environment ActiveGates in Dynatrace SaaS:

ActiveGate will collect and attempt to automatically transform any log data containing the following elements:

  • Log content
  • Timestamp
  • Key-Values attributes

Log data transformation

Generic log ingestion automatically transforms status, severity, level, and syslog.severity severity keys to the loglevel attribute.

The input values for the status, severity, level, and syslog.severity severity keys are transformed (transformation is not case sensitive) into output values for the loglevel attribute based on the following mapping:

Input value Output value Example value
Begins with emerg or f EMERGENCY Emergency, fail, Failure
Begins with a ALERT alarm, Alert
Begins with c CRITICAL Critical, crucial
Begins with err ERROR Error, error
Begins with s SEVERE Severe, serious
Begins with w WARN warn, Warning
Begins with n NOTICE note, Notice
Begins with i INFO Info, information
Begins with d or trace or verbose DEBUG debug, TRACE, Verbose

Additionally, for each log event, a status attribute is created with a value that is a sum of loglevel values based on the following grouping:

Included loglevel values Combined status attribute value

For example: The level severity key in the generic log ingestion API request parameter contains the value serious.

  1. The level severity key is transformed into the loglevel attribute with the serious value mapped to SEVERE based on the above table.
  2. The loglevel attribute containing the SEVERE value is grouped into status attribute. Based on the grouping table above, the status attribute will contain the ERROR value.
  3. For the log event details, the log viewer will report the following:
  • status - ERROR
  • loglevel - SEVERE

Log data queue

You can customize the log data queue properties by editing the file (see Configuration properties and parameters of ActiveGate on your ActiveGate to set the following values:

#disk_queue_path=<custom_path> # defaults to temp folder
#disk_queue_max_size_mb=<limit> # defaults to 300 MB
503 Usable space limit reached

The log data ingestion API returns a 503 Usable space limit reached error when the ingested log data exceeds the configured queue size. Typically, this is a temporary situation that occurs only during spikes. If this error persists, increase the value of disk_queue_max_size_mb in to allow log ingestion spikes to be queued.


Log Monitoring v2 has the following limits.

Log events per minute
Log data ingestion is limited to 10,000 log events per minute. If your log data stream carries more than 10,000 log events per minute, all log events above that number will be ignored and the displayed log data will contain the information that too many log events were ingested. This applies to all event sources (OneAgent and generic log ingestion).

Payload size
The maximum payload size of a single request is 1 MB.

Log event minimum timestamp
The earliest timestamp for a log event is the current time minus 24 hours. This applies to all event sources (OneAgent and generic log ingestion). If the log event contains timestamp earlier than current time minus 24 hours, the event is dropped and the generic log ingestion API returns a 400 response code.

Log event maximum timestamp
The latest timestamp for a log event is the current time plus 12 hours. This applies to all event sources (OneAgent and generic log ingestion). If the log event contains timestamp later than current time plus 12 hours, the event is dropped and the generic log ingestion API returns a 400 response code.

Maximum attributes
A log event can have up to 50 attributes. Additional attributes (as they appear in the JSON stream) are ignored.

Log ingestion API request objects
In addition to generic Dynatrace API limitations (Dynatrace API - Access limit) the following log ingestion API specific limits apply:

  • LogMessagePlain plain text object.
    The length of the message is limited to 8,192 characters. Any content exceeding the limit is trimmed.

  • LogMessageJson JSON object.
    The object might contain the following types of keys (the possible key values are listed below):

    • Timestamp. The following formats are supported: UTC milliseconds, RFC3339, and RFC3164. If not set, the current timestamp is used.
    • Severity. If not set, NONE is used.
    • Content. If the content key is not set, the whole JSON is parsed as the content.
    • Semantic attribute. Only values of the String type are supported. Semantic attributes are indexed and can be used in queries. These are also displayed in aggregations (facets). If an unsupported key occurs it is not indexed and cannot be used in indexing and aggregations.

    The length of the value is limited. Any content exceeding the limit is trimmed. Default limits:

    • Content: 8,192 characters.
    • Semantic attribute value: 250 characters.


In this example, the API request ingests log data that will create a log event with defined log attributes content, status,, and service.namespace.

The API token is passed in the Authorization header.

The response contains response code 204.


curl -X POST \ \
  -H 'Content-Type: application/json; charset=utf-8' \
  -H 'Authorization: Api-Token dt0c01.abc123.abcdefjhij1234567890' \
  -d '[
    "content": "Exception: Custom error log sent via Generic Log Ingest",
    "status": "error",
    "": "log-monitoring-tenant",
    "service.namespace": "dev-stage-cluster"

Request URL

Response content


Response code