Logs Integration

DataDome bot detection is a real time synchronous process.

All our modules include a powerful feature that injects informational headers for each request. Our customers use it for deep integration between DataDome and their infrastructure and applications, such as in the following cases:

Enriching server logs to use DataDome bot information inside Log Analytics, SIEM or SOC
Reading and using these headers in applications, to support specific decisions
Reading these headers inside statistics tags

📘
This feature is available for Corporate and Enterprise plans. Please reach DataDome team for more information.

Headers values

🚧
X-DataDome-botfamily is deprecated (supported until 1st March 2022) and will be replaced by X-DataDome-ruletype

Header name	Header description	Header possible values
`X-DataDome-isbot`	Is it a bot ?	`0`: Human (normal user) `1`: Bot `NA`: Detection not activated on this segment
`X-DataDome-botname`	The bot name	String
`X-DataDome-captchapassed`	Has this client passed a Captcha?	`0`: This client has not passed the Captcha `1`: This client has passed the Captcha `NA`: This request has not been blocked
`X-DataDome-ruletype`	The traffic category	`Humans` `AI Threats Detection` `Verified Bots` `Custom Rules`
`X-DataDome-requestid`	An identifier for the current request	String
`X-DataDome-matchedmodels`	Bot models name triggered. This header is not enabled by default. DataDome support team can enable it if it is needed.	List of string separated by ";"

The information above can be used inside any application/SIEM/SOC by reading the HTTP request headers.

Logs integration

Each module can inject these headers inside web server logs.

This feature enables our users to integrate DataDome detection information inside their usual monitoring tools like Kibana, Splunk or AppDynamics.

The documentation for each module is available through the links below:

Apache
Nginx
Varnish
IIS
HAProxy18/HAPEE for module versions HAProxy18 1.8.0 and module HAPEE v1.5.1 (and over)

LogFormat "%h %l %u %t \"%r\" %{X-DataDome-isbot}i %{X-DataDome-botname}i %{X-DataDome-ruletype}i %{X-DataDome-captchapassed}i %{DATA_DOME_SPENT_TIME}e" datadome
CustomLog logs/datadome.log datadome

http {
    ....
    log_format datadome '$request $http_x_datadome_isbot "$http_x_datadome_botname" "$http_x_datadome_ruletype" $http_x_datadome_captchapassed $datadome_response_time';
    access_log /var/log/nginx/datadome.log datadome;
    ....
    server {
        ....
        data_dome_auth @datadome;
        data_dome_auth_set $http_x_datadome_isbot $upstream_http_x_datadome_isbot;
        data_dome_auth_set $http_x_datadome_botname $upstream_http_x_datadome_botname;
        data_dome_auth_set $http_x_datadome_ruletype $upstream_http_x_datadome_ruletype;
        data_dome_auth_set $http_x_datadome_captchapassed $upstream_http_x_datadome_captchapassed;
        data_dome_auth_set $datadome_response_time $upstream_response_time;
        ....
    }
}

sudo varnishncsa -a -w /var/log/varnish/datadome.log -D -P /var/run/varnishncsa_datadome.pid -F '%h %l %u %t "%r" "%{X-DataDome-isbot}i %{X-DataDome-botname}i %{X-DataDome-ruletype}i %{X-DataDome-captchapassed}i %{VCL_Log:DataDome_status}x %{VCL_Log:DataDome_spent_time}x"'

# frontend settings with DataDome integration
http-request lua.Datadome_request_hook
http-response lua.Datadome_response_hook

 # Custom log for DataDome Enrich headers 
log-format "X-DataDome-botname: %{+Q}[lua.ddHeaders(X-DataDome-botname)] | X-DataDome-isbot: %{+Q}[lua.ddHeaders(X-DataDome-isbot)] | X-DataDome-ruletype: %{+Q}[lua.ddHeaders(X-DataDome-ruletype)]"

use_backend failure_backend if { var(txn.dd.status) -i -m str blocked }