Refer to the org concepts page.
Refer to the Create an Org guide.
A user can be a member of one or more Orgs.
Control Plane offers the ability to ship all Org logs to one of the following providers:
When shipping logs to an external provider, all logs will still be available using Control Plane.
For the logs stored at Control Plane, refer to this page for the current log retention policy.
Log shipping can only be configured to one of the external providers, but this setting can be modified at any time.
To configure log shipping to S3, an AWS Secret must be created.
Follow these steps to create the Secret and configure external logging:
Refer to these instruction to create a new AWS IAM user in your AWS account.
Programmatic access
when creating the user and take note of the Access and Secret Key.This user, at a minimum, must have an associated policy with the s3:PutObject
action.
Sample AWS Policy (substitute S3_BUCKET_NAME):
copy{"Version": "2012-10-17","Statement": [{"Sid": "VisualEditor0","Effect": "Allow","Action": "s3:PutObject","Resource": "arn:aws:s3:::S3_BUCKET_NAME/*"}]}
Secrets
from the left menu.New
button.Name
for the secret, and select AWS
from the Secret Type list.Access Key
and Secret Key
and click Save
.To configure log shipping to Coralogix, an Opaque Secret must be created that contains a Coralogix API Key.
Follow these steps to obtain the API Key, create the Secret, and configure external logging:
Data Flow
link (in the header), then click the API Keys
link.Send Your Data
API Key.Secrets
from the left menu.New
button.Name
for the secret, and select Opaque
from the Secret Type list.Save
.To configure log shipping to Datadog, an Opaque Secret must be created that contains a Datadog API Key.
Follow these steps to obtain the API Key, create the Secret, and configure external logging:
Organization Settings
.API Keys
.New Key
button in the upper right corner, enter a key name, and click Create Key
.Copy Key
button. This will copy the key to your clipboard. Click the X
to close the modal.Secrets
from the left menu.New
button.Name
for the secret, and select Opaque
from the Secret Type list.Save
.Org
in the left menu.External Logs
in the middle context menu.S3
, Coralogix
, or Datadog
and fill out the required fields.For Coralogix, the cluster name will be the same domain name that resolves when using the Coralogix dashboard.
For Datadog, the hostname will be similar to the domain name that resolves when using the Datadog dashboard.
(i.e., The host http-intake.logs.us3.datadoghq.com
maps to the dashboard domain us3.datadoghq.com
)
For S3, the prefix
will be the folder where the logs will be written.
The folder structure will follow the format:
`PREFIX/ORG_NAME/YEAR/MONTH/DAY/HOUR/MINUTE/LOG_FILE.jsonl
The .jsonl file will contain ~1-3k of single line log entries in JSON.
Each entry will contain the following keys:
Save
.The external logging configuration can be created / updated using the CLI's cpln org patch ORG_NAME -f FILE.yaml
command.
Below are example Org manifests (in YAML). Save the YAML as a file and it can be used as input to the CLI's cpln org patch ORG_NAME -f FILE.yaml
command.
Configure S3 Logging (substitute ORG_NAME, S3_BUCKET_NAME, AWS_SECRET, and AWS_REGION)
copykind: orgname: ORG_NAMEspec:logging:s3:bucket: S3_BUCKET_NAMEcredentials: //secret/AWS_SECRETprefix: /region: AWS_REGION
Configure Coralogix Logging (substitute ORG_NAME, OPAQUE_SECRET, and possibly the cluster)
Note: Use the cluster URL that matches your Coralogix account. The cluster will be the same domain name that resolves when using the Coralogix dashboard.
copykind: orgname: ORG_NAMEspec:logging:coralogix:cluster: coralogix.comcredentials: //secret/OPAQUE_SECRET
Configure Datadog Logging (substitute ORG_NAME, OPAQUE_SECRET, and possibly the host)
Note: Use the host URL that matches your Datadog account. The host will be a similar domain name that resolves when using the Datadog dashboard.
copykind: orgname: ORG_NAMEspec:logging:datadog:host: http-intake.logs.us3.datadoghq.comcredentials: //secret/OPAQUE_SECRET
The permissions below are used to define policies together with one or more of the four principal types:
Permission | Description | Implies |
---|---|---|
edit | Modify org | view |
grafanaAdmin | Grantees are made Admin in Grafana, otherwise the role 'Viewer' is assigned | |
manage | Full access | edit, grafanaAdmin, manage, readLogs, readMetrics, readUsage, view, viewAccessReport |
readLogs | Grantees can read logs from all workloads | view |
readMetrics | Grantees can access usage and performance metrics | |
readUsage | Grantees can access usage and billing metrics | |
view | Read-only view: every org member can view their org | |
viewAccessReport | Grantees can inspect the granted access report on all resources within the org |
Displays the permissions granted to principals for the Org.
To view the CLI documentation for an Org, click here