Logs Integration

DataDome bot detection is a real time synchronous process.

All our modules include a powerful feature that injects informational headers for each request. Our customers use it for deep integration between DataDome and their infrastructure and applications, such as in the following cases:

  • Enriching server logs to use DataDome bot information inside Log Analytics, SIEM or SOC
  • Reading and using these headers in applications, to support specific decisions
  • Reading these headers inside statistics tags

📘

This feature is available for Corporate and Enterprise plans. Please reach DataDome team for more information.

Headers values

🚧

X-DataDome-botfamily is deprecated (supported until 1st March 2022) and will be replaced by X-DataDome-ruletype

Header nameHeader descriptionHeader possible values
X-DataDome-isbotIs it a bot ?0: Human (normal user)
1: Bot
NA: Detection not activated on this segment
X-DataDome-botnameThe bot nameString
X-DataDome-captchapassedHas this client passed a Captcha?0: This client has not passed the Captcha
1: This client has passed the Captcha
NA: This request has not been blocked
X-DataDome-ruletypeThe traffic categoryHumans
AI Threats Detection
Verified Bots
Custom Rules
X-DataDome-requestidAn identifier for the current requestString
X-DataDome-matchedmodelsBot models name triggered.
This header is not enabled by default. DataDome support team can enable it if it is needed.
List of string separated by ";"

The information above can be used inside any application/SIEM/SOC by reading the HTTP request headers.

Logs integration

Each module can inject these headers inside web server logs.

This feature enables our users to integrate DataDome detection information inside their usual monitoring tools like Kibana, Splunk or AppDynamics.

The documentation for each module is available through the links below:

LogFormat "%h %l %u %t \"%r\" %{X-DataDome-isbot}i %{X-DataDome-botname}i %{X-DataDome-ruletype}i %{X-DataDome-captchapassed}i %{DATA_DOME_SPENT_TIME}e" datadome
CustomLog logs/datadome.log datadome
http {
    ....
    log_format datadome '$request $http_x_datadome_isbot "$http_x_datadome_botname" "$http_x_datadome_ruletype" $http_x_datadome_captchapassed $datadome_response_time';
    access_log /var/log/nginx/datadome.log datadome;
    ....
    server {
        ....
        data_dome_auth @datadome;
        data_dome_auth_set $http_x_datadome_isbot $upstream_http_x_datadome_isbot;
        data_dome_auth_set $http_x_datadome_botname $upstream_http_x_datadome_botname;
        data_dome_auth_set $http_x_datadome_ruletype $upstream_http_x_datadome_ruletype;
        data_dome_auth_set $http_x_datadome_captchapassed $upstream_http_x_datadome_captchapassed;
        data_dome_auth_set $datadome_response_time $upstream_response_time;
        ....
    }
}
sudo varnishncsa -a -w /var/log/varnish/datadome.log -D -P /var/run/varnishncsa_datadome.pid -F '%h %l %u %t "%r" "%{X-DataDome-isbot}i %{X-DataDome-botname}i %{X-DataDome-ruletype}i %{X-DataDome-captchapassed}i %{VCL_Log:DataDome_status}x %{VCL_Log:DataDome_spent_time}x"'
# frontend settings with DataDome integration
http-request lua.Datadome_request_hook
http-response lua.Datadome_response_hook

 # Custom log for DataDome Enrich headers 
log-format "X-DataDome-botname: %{+Q}[lua.ddHeaders(X-DataDome-botname)] | X-DataDome-isbot: %{+Q}[lua.ddHeaders(X-DataDome-isbot)] | X-DataDome-ruletype: %{+Q}[lua.ddHeaders(X-DataDome-ruletype)]"

use_backend failure_backend if { var(txn.dd.status) -i -m str blocked }