• Home
  • Observe and explore
  • Logs
  • Log Management and Analytics
  • Migration to Log powered by Grail

Migration to Log powered by Grail

powered by Grail

If you use Dynatrace SaaS on AWS, your environment will be enabled for Log Management and Analytics powered by Grail with a phased rollout.

For more information about the phased rollout, please reach out to one of your Dynatrace Account team members. You can also reach out directly to the Dynatrace ONE team by opening an in-product chat. It will get you in touch with your account team members and allow to get answers to any other questions you may have.

Once your environment is enabled for activation:

  1. Go to Dynatrace menu > Observe and Explore > Logs.
  2. In the banner message, select Go to activation page and select Activate Logs powered by Grail.
  • Only administrative users can activate Log Management and Analytics for the environment.
  • Activating Log Management and Analytics is not reversible.

What changes after activation

After activating Log Management and Analytics, the following changes take place:

Ingested log data

Existing log data

Your existing log data will not be available.

  • Ingested log data is saved in the Grail database.

  • Ingested log data can be routed to buckets with different retention periods.

  • Logs in the Dynatrace menu points to the new Logs and events, where two query modes are available:

    • Simple mode, where data can be searched and analyzed using attribute filters.
    • Advanced mode, where data can be searched and analyzed using DQL.

  • You start consuming DDUs in a new model with three dimensions: Ingest & Process, Retain, Query.

Log API data

The log export API

The log export API will not be available.

  • The Log GET search and Log GET aggregate APIs require OAuth2 token.

What does not change after activation

After activating Log Management and Analytics, the following will not change:

  • Ingestion configuration, including OneAgent configuration and generic API ingest.
  • Log processing, including processing rules with matchers based on the LQL syntax.
  • Log metrics, including metric queries based on the LQL syntax.
  • Log events, including event queries based on the LQL syntax.

User access

The user access granting process depends on whether you are a new or existing user.

  • Assign policy to existing users
    After activating Log Management and Analytics, all users who already had access to log data are assigned a new policy to access the log data in Grail.

  • Assign policy to new users

    There are two options for configuring access policies for Grail:

    Assign policy using Account Admin

    In Dynatrace SaaS, only admin users can manage policies (users with account permission Manage users).
    You need to have two policies, Storage Events Read and Storage Logs Read assigned, bound to a group. To check if your policies are assigned:

    1. In the user menu, select Account settings.
    2. Go to Identity management > Policy management.
    3. Check if Storage Events Read and Storage Logs Read are present on the policy list.

    If Storage Events Read and Storage Logs Read are not present on you policy list, you need to add them manually:

    • Storage Events Read:
      Policy name: Storage Events Read
      Policy description: Enables reading events from GRAIL
      Policy statements: ALLOW storage:events:read
    • Storage Logs Read:
      Policy name: Storage Logs Read
      Policy description: Enables reading logs from GRAIL
      Policy statements: ALLOW storage:logs:read
      For details, see Manage IAM policies.

    To make a policy effective, you need to bind it to a group.

    1. In the user menu, select Account settings.
    2. Go to Identity management > Group management.
      For details, see Manage group permissions with IAM policies.
    3. Edit the group to which you want to bind the policy (for example, Logs and events). Make sure the users who need to use the Logs and events have this group assigned to their names.
    4. Select the Policies tab.
    Assign policy via API

    1. Obtain an OAuth token Make a POST call with form parameters to SSO.

      • client_id = [client_id]
      • client_secret = [secret]
      • grant_type = client_credentials
      • scope = iam:policies:write iam:policies:read

      In response, you get an authorization token

      json
      {
  "scope": "iam:policies:read iam:policies:write",
  "token_type": "Bearer",
  "expires_in": 300,
  "access_token": "123(...)ABC"
}

    2. Create a storage events read policy Make a POST call to IAM

      Body payload for the policy is:

      json
      {
  "name": "Storage Events Read",
  "description": "Storage Events Read",
  "tags": [

  ],
  "statementQuery": "ALLOW storage:events:read;"

    3. Create a storage logs read policy Make a POST call to IAM

      Body payload for the policy is:

      json
      {
    "name": "Storage Logs Read",
    "description": "Storage Logs Read",
    "tags": [

  ]  ,
    "statementQuery": "ALLOW storage:logs:read;"
 }

    Your newly created policies will be visible on the account level. To check it, go to the user menu and select Account settings > Identity management > Policy management > Edit Storage Events Read.

Related topics
  • Dynatrace Grail

    Grail is the Dynatrace data lakehouse that's designed explicitly for observability data and acts as single unified storage for logs, metrics, traces, events, and more.

  • Conversion to DQL for Logs

    Convert your current log monitoring rules to DQL.