---
title: Stream logs to an external monitoring tool
description: You can stream Advanced Identity Cloud logs to an external monitoring tool, a process sometimes known as push logging. This lets you monitor certain events in real time and troubleshoot issues using your preferred SIEM or event monitoring solution, such as Splunk or an OpenTelemetry-compatible SIEM like Grafana Cloud, Datadog, or New Relic.
component: pingoneaic
page_id: pingoneaic:tenants:audit-debug-logs-push
canonical_url: https://docs.pingidentity.com/pingoneaic/tenants/audit-debug-logs-push.html
keywords: ["Monitoring", "Tenants", "Troubleshooting"]
page_aliases: ["release-notes:rapid-channel/audit-debug-logs-push.adoc"]
section_ids:
  log-streaming-use-cases: Use cases
  log-streaming-supported-formats: Supported formats
  log-streaming-supported-tools: Supported monitoring tools
  set-up-log-streaming: Set up a log-streaming service
---

# Stream logs to an external monitoring tool

You can stream Advanced Identity Cloud logs to an external monitoring tool, a process sometimes known as push logging. This lets you monitor certain events in real time and troubleshoot issues using your preferred SIEM or event monitoring solution, such as Splunk or an OpenTelemetry-compatible SIEM like Grafana Cloud, Datadog, or New Relic.

Advanced Identity Cloud supports streaming log data in [OpenTelemetry Protocol (OTLP)](https://opentelemetry.io/docs/specs/otel/protocol/) and [Splunk](https://www.splunk.com/en_us/blog/it/monitoring-splunk-enterprise-deployments-with-opentelemetry.html) formats.

To configure a log-streaming service, use REST API calls to define the telemetry format, the log sources to stream, and the destination monitoring tool. Advanced Identity Cloud's log-streaming service then retrieves the logs and sends them to your chosen monitoring tool in real time.

![log events push](_images/log-events-push.png)

|   |                                                                                                                                                                                 |
| - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|   | An Advanced Identity Cloud tenant environment can have only one log-streaming service configuration. This means you can only send logs to one external monitoring tool or SIEM. |

## Use cases

Streaming Advanced Identity Cloud logs to an external monitoring tool in real time has many use cases, including:

* Debug journeys while viewing real-time events and errors.

* Monitor the performance of authentications during journey creation.

* Collect events from Advanced Identity Cloud and enrich them with data from other sources.

* Detect and respond to critical events. For example, a sudden spike in registrations might mean an effective marketing program or suspicious activity.

* Set alerts on authentication and registration requests from particular regions.

* Monitor the improper use of APIs.

* Monitor user activity, success/failure rates, and password reset requests.

## Supported formats

The log-streaming service supports the following formats:

* [OpenTelemetry Protocol (OTLP)](https://github.com/open-telemetry/opentelemetry-collector/blob/main/exporter/README.md)

  * HTTP transport:

    * [Configuration format](https://github.com/open-telemetry/opentelemetry-collector/blob/main/exporter/otlphttpexporter/README.md)

  * gRPC over TLS:

    * [Configuration format](https://github.com/open-telemetry/opentelemetry-collector/blob/main/exporter/otlpexporter/README.md)

    * [TLS configuration](https://github.com/open-telemetry/opentelemetry-collector/blob/main/config/configtls/README.md)

* Splunk

  * HTTP transport:

    * [Configuration format](https://github.com/open-telemetry/opentelemetry-collector-contrib/tree/main/exporter/splunkhecexporter/README.md)

  * HTTP header with Splunk token required ([example](https://docs.splunk.com/Documentation/Splunk/latest/Data/UsetheHTTPEventCollector#JSON_request_and_response))

## Supported monitoring tools

* OTLP-compatible solutions:

  * Any OTLP-compliant endpoint

  * [Grafana Cloud](https://grafana.com/products/cloud/)

  * [Datadog](https://www.datadoghq.com)

  * [New Relic](https://newrelic.com/)

* Splunk:

  * [Splunk Cloud Platform](https://www.splunk.com/en_us/products/splunk-cloud-platform.html)

  * [Splunk Enterprise](https://www.splunk.com/en_us/products/splunk-enterprise.html)

## Set up a log-streaming service

Follow these steps to set up a log-streaming service:

1. Determine the Advanced Identity Cloud [log sources](audit-debug-log-sources.html) to stream.

2. Configure your destination monitoring service to receive log events from Advanced Identity Cloud.

   Refer to your monitoring tool vendor documentation for configuration details.

   * Grafana

     1. Go to your [Grafana Cloud Stacks page](https://grafana.com/orgs/forgerock/stacks/251760).

     2. Under OpenTelemetry, click Configure.

     3. Copy the OTLP Endpoint, adding `/v1/logs` to the end. For example, `https://example.grafana.net/otlp/v1/logs`.

     4. Copy the `Instance ID` for the username.

     5. Under Password / API Token, click Generate Now to generate the password.

   * Datadog

     * Follow the [Datadog documentation](https://docs.datadoghq.com/opentelemetry/setup/agentless/logs/?tab=java) to get `DD_API_KEY` and `YOUR_ENDPOINT`. The value in `YOUR_ENDPOINT` must end in `/v1/logs`.

   * New Relic

     * Follow the [New relic documentation](https://docs.newrelic.com/docs/opentelemetry/best-practices/opentelemetry-otlp/) to get `OTEL_EXPORTER_OTLP_ENDPOINT` and your `api-key`. The endpoint must end in `/v1/logs`.

   * Splunk

     1. Configure [HTTP Event Collector (HEC)](https://docs.splunk.com/Documentation/Splunk/latest/Data/UsetheHTTPEventCollector).

     2. Make a note of the HEC token. You'll need this when you configure log streaming in Advanced Identity Cloud.

        |   |                                                                                                                                                  |
        | - | ------------------------------------------------------------------------------------------------------------------------------------------------ |
        |   | You must disable indexer acknowledgment for the HEC token. The Advanced Identity Cloud log-streaming service isn't compatible with this feature. |

3. Configure the log-streaming service in Advanced Identity Cloud using the REST API. Learn more in [Manage log streaming using the API](audit-debug-logs-push-api.html).

4. Verify that the log events are arriving at the external monitoring tool correctly.