Format parameters as tabs (#964)

estherk15 · web-flow · commit b057ba2d145a · 2025-07-08T09:23:35.000-04:00
* Format parameters as tabs

* Apply suggestions from code review
diff --git a/aws/logs_monitoring/README.md b/aws/logs_monitoring/README.md
@@ -341,11 +341,10 @@ Otherwise, if you are using Web Proxy:
 
 The Datadog Forwarder is signed by Datadog. To verify the integrity of the Forwarder, use the manual installation method. [Create a Code Signing Configuration][19] that includes Datadog’s Signing Profile ARN (`arn:aws:signer:us-east-1:464622532012:/signing-profiles/DatadogLambdaSigningProfile/9vMI9ZAGLc`) and associate it with the Forwarder Lambda function before uploading the Forwarder ZIP file.
 
-## CloudFormation parameters
+## Parameters
 
-<div class="alert alert-warning">
-The following parameters are used in CloudFormation and Terraform. If you are installing the Forwarder manually, convert these parameter names from Pascal case to screaming snake case. For example, <code>DdApiKey</code> becomes <code>DD_API_KEY</code>, and <code>ExcludeAtMatch</code> becomes <code>EXCLUDE_AT_MATCH</code>.
-</div>
+{{< tabs >}}
+{{% tab "CloudFormation and Terraform" %}}
 
 ### Required
 
@@ -487,6 +486,163 @@ To test different patterns against your logs, turn on [debug logs](#troubleshoot
 `LayerARN`
 : ARN for the layer containing the forwarder code. If empty, the script will use the version of the layer the forwarder was published with. Defaults to empty.
 
+
+[20]: https://app.datadoghq.com/organization-settings/api-keys
+[13]: https://docs.datadoghq.com/getting_started/site/
+[21]: https://docs.datadoghq.com/logs/processing/pipelines/
+[2]: https://docs.datadoghq.com/logs/guide/send-aws-services-logs-with-the-datadog-lambda-function/
+{{% /tab %}}
+{{% tab "Manual" %}}
+
+If you are installing the Forwarder manually, convert the parameter names from Pascal case to screaming snake case.
+
+### Required
+
+`DD_API_KEY`
+: Your [Datadog API key][20], which can be found under **Organization Settings** > **API Keys**. The API Key is stored in AWS Secrets Manager. If you already have a Datadog API Key stored in Secrets Manager, use `DD_API_KEY_SECRET_ARN` instead.
+
+`DD_API_KEY_SECRET_ARN`
+: The ARN of the secret storing the Datadog API key, if you already have it stored in Secrets Manager. You must store the secret as a plaintext, rather than a key-value pair.
+
+`DD_SITE`
+: The [Datadog site][13] that your metrics and logs will be sent to. Your Datadog site is {{< region-param key="dd_site" code="true" >}}.
+
+### Lambda function (optional)
+
+`FUNCTION_NAME`
+: The name of the Datadog Forwarder Lambda function. Do not change this when updating an existing CloudFormation stack, otherwise the current forwarder function will be replaced and all the triggers will be lost.
+
+`MEMORY_SIZE`
+: Memory size for the Datadog Forwarder Lambda function.
+
+`TIMEOUT`
+: Timeout for the Datadog Forwarder Lambda function.
+
+`RESERVED_CONCURRENCY`
+: Reserved concurrency for the Datadog Forwarder Lambda function. If empty, use unreserved account concurrency.
+Datadog recommends using at least 10 reserved concurrency, but this defaults to 0 as you may need to increase your limits. If using unreserved account concurrency, you may limit other Lambda functions in your environment.
+
+`LOG_RETENTION_IN_DAYS`
+: CloudWatch log retention for logs generated by the Datadog Forwarder Lambda function.
+
+### Log forwarding (optional)
+
+`DD_TAGS`
+: Add custom tags to forwarded logs, comma-delimited string, no trailing comma, such as `env:prod,stack:classic`.
+
+`DD_MULTILINE_LOG_REGEX_PATTERN`
+: Use the supplied regular expression to detect for a new log line for multiline logs from S3, such as `\d{2}\/\d{2}\/\d{4}` for multiline logs beginning with pattern "11/10/2014".
+
+`DD_USE_TCP`
+: By default, the forwarder sends logs using HTTPS through the port 443. To send logs over an
+SSL encrypted TCP connection, set this parameter to true.
+
+`DD_NO_SSL`
+: Disable SSL when forwarding logs, set to true when forwarding logs through a proxy.
+
+`DD_URL`
+: The endpoint URL to forward the logs to, useful for forwarding logs through a proxy.
+
+`DD_PORT`
+: The endpoint port to forward the logs to, useful for forwarding logs through a proxy.
+
+`DD_SKIP_SSL_VALIDATION`
+: Send logs over HTTPS, while not validating the certificate provided by the endpoint. This will still encrypt the traffic between the forwarder and the log intake endpoint, but will not verify if the destination SSL certificate is valid.
+
+`DD_USE_COMPRESSION`
+: Set to false to disable log compression. Only valid when sending logs over HTTP.
+
+`DD_COMPRESSION_LEVEL`
+: Set the compression level from 0 (no compression) to 9 (best compression). The default compression level is 6. You may see some benefit with regard to decreased outbound network traffic if you increase the compression level, at the expense of increased Forwarder execution duration.
+
+`DD_FORWARD_LOG`
+: Set to false to disable log forwarding, while continuing to forward other observability data, such as metrics and traces from Lambda functions.
+
+### Log scrubbing (optional)
+
+`REDACT_IP`
+: Replace text matching `\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}` with `xxx.xxx.xxx.xxx`.
+
+`REDACT_EMAIL`
+: Replace text matching `[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+` with `xxxxx@xxxxx.com`.
+
+`DD_SCRUBBING_RULE`
+: Replace text matching the supplied regular expression with `xxxxx` (default) or `DD_SCRUBBING_RULE_REPLACEMENT` (if supplied). Log scrubbing rule is applied to the full JSON-formatted log, including any metadata that is automatically added by the Lambda function. Each instance of a pattern match is replaced until no more matches are found in each log. Using inefficient regular expression, such as `.*`, may slow down the Lambda function.
+
+`DD_SCRUBBING_RULE_REPLACEMENT`
+: Replace text matching DD_SCRUBBING_RULE with the supplied text.
+
+### Log filtering (optional)
+
+`EXCLUDE_AT_MATCH`
+: Do not send logs matching the supplied regular expression. If a log matches both the `EXCLUDE_AT_MATCH` and `INCLUDE_AT_MATCH`, it is excluded.
+
+`INCLUDE_AT_MATCH`
+: Only send logs matching the supplied regular expression, and not excluded by `EXCLUDE_AT_MATCH`.
+
+Filtering rules are applied to the full JSON-formatted log, including any metadata that is automatically added by the Forwarder. However, transformations applied by [log pipelines][21], which occur after logs are sent to Datadog, cannot be used to filter logs in the Forwarder. Using an inefficient regular expression, such as `.*`, may slow down the Forwarder.
+
+Some examples of regular expressions that can be used for log filtering:
+
+- Include (or exclude) Lambda platform logs: `"(START|END) RequestId:\s`. The preceding `"` is needed to match the start of the log message, which is in a JSON blob (`{"message": "START RequestId...."}`). Datadog recommends keeping the `REPORT` logs, as they are used to populate the invocations list in the serverless function views.
+- Include CloudTrail error messages only: `errorMessage`.
+- Include only logs containing an HTTP 4XX or 5XX error code: `\b[4|5][0-9][0-9]\b`.
+- Include only CloudWatch logs where the `message` field contains a specific JSON key/value pair: `\"awsRegion\":\"us-east-1\"`.
+  - The message field of a CloudWatch log event is encoded as a string. For example,`{"awsRegion": "us-east-1"}` is encoded as `{\"awsRegion\":\"us-east-1\"}`. Therefore, the pattern you provide must include `\` escape characters, like this: `\"awsRegion\":\"us-east-1\"`.
+
+To test different patterns against your logs, turn on [debug logs](#troubleshooting).
+
+### Advanced (optional)
+
+`DD_FETCH_LAMBDA_TAGS`
+: Let the Forwarder fetch Lambda tags using GetResources API calls and apply them to logs, metrics, and traces. If set to true, permission `tag:GetResources` will be automatically added to the Lambda execution IAM role.
+
+`DD_FETCH_LOG_GROUP_TAGS`
+: Let the forwarder fetch Log Group tags using ListTagsLogGroup and apply them to logs, metrics, and traces. If set to true, permission `logs:ListTagsForResource` will be automatically added to the Lambda execution IAM role.
+
+`DD_FETCH_STEP_FUNCTIONS_TAGS`
+: Let the Forwarder fetch Step Functions tags using GetResources API calls and apply them to logs and traces (if Step Functions tracing is enabled). If set to true, permission `tag:GetResources` will be automatically added to the Lambda execution IAM role.
+
+`DD_STEP_FUNCTION_TRACE_ENABLED`
+: Set to true to enable tracing for all Step Functions.
+
+`SOURCE_ZIP_URL`
+: Do not change unless you know what you are doing. Override the default location of the function source code.
+
+`PERMISSIONS_BOUNDARY_ARN`
+: ARN for the Permissions Boundary Policy.
+
+`DD_USE_PRIVATE_LINK` (DEPRECATED)
+: Set to true to enable sending logs and metrics through AWS PrivateLink. See [Connect to Datadog over AWS PrivateLink][2].
+
+`DD_HTTP_PROXY_URL`
+: Sets the standard web proxy environment variables HTTP_PROXY and HTTPS_PROXY. These are the URL endpoints your proxy server exposes. Do not use this in combination with AWS Private Link. Make sure to also set `DD_SKIP_SSL_VALIDATION` to true.
+
+`DD_NO_PROXY`
+: Sets the standard web proxy environment variable `NO_PROXY`. It is a comma-separated list of domain names that should be excluded from the web proxy.
+
+`VPC_SECURITY_GROUP_IDS`
+: Comma separated list of VPC Security Group IDs. Used when AWS PrivateLink is enabled.
+
+`VPC_SUBNET_IDS`
+: Comma separated list of VPC Subnet IDs. Used when AWS PrivateLink is enabled.
+
+`ADDITIONAL_TARGET_LAMBDA_ARNS`
+: Comma separated list of Lambda ARNs that will get called asynchronously with the same `event` the Datadog Forwarder receives.
+
+`INSTALL_AS_LAYER`
+: Whether to use the layer-based installation flow. Set to false to use the legacy installation flow, which installs a second function that copies the forwarder code from GitHub to an S3 bucket. Defaults to true.
+
+`LAYER_ARN`
+: ARN for the layer containing the forwarder code. If empty, the script will use the version of the layer the forwarder was published with. Defaults to empty.
+
+[20]: https://app.datadoghq.com/organization-settings/api-keys
+[13]: https://docs.datadoghq.com/getting_started/site/
+[21]: https://docs.datadoghq.com/logs/processing/pipelines/
+[2]: https://docs.datadoghq.com/logs/guide/send-aws-services-logs-with-the-datadog-lambda-function/
+{{% /tab %}}
+{{< /tabs >}}
+
 ## Permissions
 
 To deploy the CloudFormation Stack with the default options, you need to have the permissions below to save your Datadog API key as a secret and create an S3 bucket to store the Forwarder's code (ZIP file), and create Lambda functions (including execution roles and log groups).
