
Log drains

You can export your Cloud.gov application logs to your own storage or analysis systems using a log drain.

A log drain sends real-time log data from your Cloud.gov application to a remote endpoint over syslog-TLS or HTTPS.

Important: Log drains forward only application logs. They do not include audit events or brokered service logs.

When to use a log drain

Agencies typically create log drains when they:

  • Need to feed logs into an agency-managed SIEM or Protective DNS/analytics system
  • Require longer retention or additional analytics beyond the Cloud.gov baseline
  • Must comply with agency-specific event logging or records schedules

This fulfills the M-21-31 requirement that agencies “retain logs in a manner that supports centralized visibility and incident response.” (Source: OMB M-21-31 § III B.)

Customer Responsibility: Configuring and securing drains is the agency’s obligation. Cloud.gov provides connection capability but does not manage or validate the destination system.

Create a log drain

Create a user-provided service and point it to your endpoint:

cf create-user-provided-service my-log-drain \
-l syslog-tls://logs.agency.example.gov:6514

Then bind the service to the application whose logs you want to export:

cf bind-service my-app my-log-drain

Restage the app so the new binding takes effect:

cf restage my-app

Your app’s STDOUT and STDERR streams will now be forwarded in real time.

HTTPS drain example

If your destination only supports HTTPS:

cf create-user-provided-service my-https-drain \
-l https://logs.agency.example.gov/ingest
cf bind-service my-app my-https-drain

Tip: The receiving endpoint must support TLS 1.2 or higher using FIPS 140-3-validated ciphers.

Avoiding feedback loops

Do not bind a log drain to the same app that receives its output. This creates a recursive “log loop,” generating infinite log traffic and potentially degrading your app’s performance.

Example manifest for a separate log-forwarding app:

---
applications:
- name: log-forwarder
  routes:
  - route: ((forwarder-route))
  memory: 256M
  stack: cflinuxfs4
  buildpacks:
  - binary_buildpack

Deploy and bind properly:

cf push --var forwarder-route=logs.agency.example.gov
cf create-user-provided-service main-log-drain \
-l https://logs.agency.example.gov
cf bind-service my-main-app main-log-drain
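The steps above can be wrapped so that the drain URL is checked against the rules on this page (TLS-only schemes, an explicit port for syslog-tls, no loop back to the bound app's own route) before any cf command runs. This is an added example, not part of the Cloud.gov documentation; it assumes the cf CLI is installed, logged in and targeted, and the app, service and endpoint names are placeholders.

```shell
#!/bin/sh
# Added example (not Cloud.gov's own tooling): validate a log drain URL,
# then create the user-provided service, bind it and restage the app.
# Assumes cf is installed and logged in; names and endpoint are placeholders.

# Host part of a drain URL of the form scheme://host[:port][/path].
drain_host() {
  printf '%s' "$1" | sed -E 's#^[a-z-]+://([^/:]+).*#\1#'
}

# Accept only syslog-tls:// (with an explicit port) or https://.
# Plaintext syslog:// and http:// are refused here instead of failing
# silently after the bind. Returns 0 if acceptable, 1 otherwise.
validate_drain_url() {
  case "$1" in
    syslog-tls://*)
      port=$(printf '%s' "$1" | sed -nE 's#^syslog-tls://[^/:]+:([0-9]+).*#\1#p')
      [ -n "$port" ] || { echo "syslog-tls URL needs an explicit port: $1" >&2; return 1; }
      ;;
    https://*) ;;
    syslog://*|http://*) echo "refusing plaintext drain URL: $1" >&2; return 1 ;;
    *) echo "unsupported drain scheme: $1" >&2; return 1 ;;
  esac
  [ -n "$(drain_host "$1")" ] || { echo "no host in $1" >&2; return 1; }
}

# Refuse a drain whose endpoint is one of the routes of the app being
# bound, which is the log loop described above. $1 is a space-separated
# list of that app's routes (in practice read from `cf app NAME` output).
check_no_loop() {
  target=$(drain_host "$2")
  for r in $1; do
    [ "${r%%/*}" != "$target" ] || { echo "drain $2 points back at route $r" >&2; return 1; }
  done
}

# create_drain APP SERVICE URL APP_ROUTES: run cf only after the checks pass.
create_drain() {
  validate_drain_url "$3" && check_no_loop "$4" "$3" || return 1
  cf create-user-provided-service "$2" -l "$3" &&
  cf bind-service "$1" "$2" &&
  cf restage "$1"
}

# Invoke with --apply to actually run cf, e.g.
#   sh drain.sh --apply my-app my-log-drain syslog-tls://logs.agency.example.gov:6514 my-app.app.cloud.gov
if [ "${1:-}" = "--apply" ]; then
  shift
  create_drain "$@"
fi
```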

Reference implementations

Troubleshooting

Cause: Non-TLS endpoint
Fix: Use syslog-tls:// or https:// (TLS 1.2+)

Cause: Invalid or expired certificate
Fix: Replace it with a valid FIPS 140-3 certificate

Cause: Firewall block on port 6514 (for syslog-tls drains)
Fix: Ensure the receiving system allows inbound traffic on port 6514
