Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.formal.ai/llms.txt

Use this file to discover all available pages before exploring further.

Overview

Formal can forward all activity logs to your SIEM, data lake, or observability platform. This enables centralized log management, long-term retention, compliance reporting, and integration with your existing security tools.

Supported Platforms

Supported log destinations
  • AWS S3
  • Datadog
  • Splunk
By default, Formal forwards all logs to your configured destination.

Setup

AWS S3

The AWS S3 log integration requires an AWS Cloud Integration with S3 access enabled.
1

Set Up AWS Integration

First, configure an AWS Cloud Integration with:
  • AllowS3Access: true
  • S3BucketARN: Your S3 bucket ARN
2

Navigate to Log Integrations

Go to Log Integrations
3

Create Integration

Click Create Log Integration
4

Select AWS S3

Choose AWS S3 as your provider
5

Configure

  • S3 Bucket Name: Your bucket name
  • Cloud Integration: Select your AWS Cloud Integration

Terraform

# First, create S3 bucket
resource "aws_s3_bucket" "formal_logs" {
  bucket = "formal-connector-logs"
}

# Create AWS Cloud Integration
resource "formal_integration_cloud" "aws" {
  name         = "aws-integration"
  cloud_region = "us-east-1"

  aws {
    template_version    = "1.2.0"
    allow_s3_access     = true
    s3_bucket_arn       = "${aws_s3_bucket.formal_logs.arn}/*"
  }
}

# Deploy CloudFormation stack (see AWS Integration guide)
resource "aws_cloudformation_stack" "formal" {
  # ... (see AWS Integration docs)
}

# Create log integration
resource "formal_integration_log" "s3" {
  name = "s3-log-drain"

  s3 {
    s3_bucket_name       = aws_s3_bucket.formal_logs.bucket
    cloud_integration_id = formal_integration_cloud.aws.id
  }
}

Datadog

1

Get Datadog Credentials

From your Datadog account, retrieve:
  • Application Key
  • API Key
  • Site (e.g., datadoghq.com, datadoghq.eu)
2

Navigate to Log Integrations

Go to Log Integrations
3

Create Integration

Click Create Log Integration
4

Select Datadog

Choose Datadog as your provider
5

Enter Credentials

  • Application Key: Your Datadog Application Key
  • API Key: Your Datadog API key
  • Site: Your Datadog site

Terraform

resource "formal_integration_log" "datadog" {
  name = "datadog-log-drain"

  datadog {
    account_id = var.datadog_application_key
    api_key    = var.datadog_api_key
    site       = "datadoghq.com"  # or datadoghq.eu, etc.
  }
}

Datadog Dashboard

Import this template JSON for a sample of some of the analyses you can do with the Datadog log integration.

Splunk

1

Create Splunk HEC Token

In Splunk, create a new HTTP Event Collector (HEC) token
2

Navigate to Log Integrations

Go to Log Integrations
3

Create Integration

Click Create Log Integration
4

Select Splunk

Choose Splunk as your provider
5

Enter Configuration

  • Access Token: Your HEC token
  • Host: Your Splunk instance hostname
  • Port: HEC port (usually 8088)

Terraform

resource "formal_integration_log" "splunk" {
  name = "splunk-log-drain"

  splunk {
    access_token = var.splunk_hec_token
    host         = "splunk.example.com"
    port         = 8088
  }
}

Use Cases

Compliance and Auditing

Forward logs to long-term storage for compliance requirements: 
# Archive to S3 for 7 years (SOC 2, HIPAA, etc.)
resource "formal_integration_log" "compliance_archive" {
  name = "compliance-s3-archive"

  s3 {
    s3_bucket_name       = aws_s3_bucket.compliance_logs.bucket
    cloud_integration_id = formal_integration_cloud.aws.id
  }
}

# Configure S3 lifecycle policy
resource "aws_s3_bucket_lifecycle_configuration" "compliance" {
  bucket = aws_s3_bucket.compliance_logs.id

  rule {
    id     = "archive-old-logs"
    status = "Enabled"

    transition {
      days          = 90
      storage_class = "GLACIER"
    }

    expiration {
      days = 2555  # 7 years
    }
  }
}

Real-Time Security Monitoring

Send logs to your SIEM for real-time threat detection: 
# Send to Datadog for real-time monitoring
resource "formal_integration_log" "security_monitoring" {
  name = "datadog-security"

  datadog {
    account_id = var.datadog_application_key
    api_key    = var.datadog_api_key
    site       = "datadoghq.com"
  }
}
Create alerts in Datadog for:
  • Failed authentication attempts
  • Policy violations
  • Unusual query patterns
  • Off-hours access

Data Lake Integration

Forward logs to your data lake for analytics: 
# Send to S3 data lake
resource "formal_integration_log" "data_lake" {
  name = "data-lake-integration"

  s3 {
    s3_bucket_name       = "my-data-lake-formal-logs"
    cloud_integration_id = formal_integration_cloud.aws.id
  }
}
Then use Athena, Redshift Spectrum, or Databricks to analyze:
  • User access patterns
  • Query performance
  • Policy effectiveness
  • Resource utilization

Multi-Destination Forwarding

Send logs to multiple destinations: 
# Real-time monitoring
resource "formal_integration_log" "splunk_realtime" {
  name = "splunk-realtime"
  splunk {
    access_token = var.splunk_hec_token
    host         = "splunk.example.com"
    port         = 8088
  }
}

# Long-term archive
resource "formal_integration_log" "s3_archive" {
  name = "s3-archive"
  s3 {
    s3_bucket_name       = "formal-logs-archive"
    cloud_integration_id = formal_integration_cloud.aws.id
  }
}

# Security analytics
resource "formal_integration_log" "datadog_security" {
  name = "datadog-security"
  datadog {
    account_id = var.datadog_application_key
    api_key    = var.datadog_api_key
    site       = "datadoghq.com"
  }
}

Next Steps

AWS Integration

Set up AWS Cloud Integration for S3 logs

View Logs

Monitor logs in the Formal console